
Ransomware infection again

If you're referring to the files with .faust extension appended, it's from a Phobos ransomware variant. Details on this variant here: https://www.fortinet.com/blog/threat-research/phobos-ransomware-variant-launches-attack-faust . Of note:

Quote

This report delved into the FAUST variant of the Phobos ransomware, providing insights into the process of downloading the payload file from an MS Excel document embedded with VBA script. Our analysis uncovered a threat actor employing a fileless attack to deploy shellcode, injecting the final FAUST payload into the victim's system. The FAUST variant exhibits the ability to maintain persistence in an environment and creates multiple threads for efficient execution. To safeguard devices from potential malware threats, users must exercise caution and refrain from opening document files from untrusted sources.

As far as the IOCs listed in the article, Eset detects all of them.

So was the sample you tested with an Excel document? If so, have you deployed Eset's recommended HIPS rules against ransomware, notably:

[Screenshot: Eset_HIPS.png]

https://support.eset.com/en/kb6119-configure-hips-rules-for-eset-business-products-to-protect-against-ransomware

Edited by itman

  • Administrators

Unfortunately we could not find the creation of the ransomware executable C:\Users\JIXXXch\Desktop\new malware samples extracted\10-06-2024\005bffc8c94940c91159902d9b52971bcb26fa30602b05aa86e8721be49f405e.exe nor scanning of that file in the provided etl log. That makes our developers suspect the file had been created before trace logging was started. We would need to see the whole process from creation of the file to scanning in the log.

The ransomware file had been detected since June 7 and the log was created on June 12.

Is the software and ESET configuration the same as before on June 3rd when you collected ELC logs?


Hi, thank you for replying. The logs are in the folder of the 15th. The video shows I started the log collection before executing the malware script. Here is the link in case you are looking at the wrong files:

https://drive.google.com/drive/folders/1v1SOiCK5E4GOBWwg_SB-CW-kBOtkUld3?usp=sharing

There is only 1 rule created in HIPS by me:


To add to the confusion in ransomware attack vectors. If the following is correct, Phobos uses RDP:

Quote

Phobos is an in-house version of the Dharma RaaS, which could also be seen as Crysis with RDP for delivery instead of spam email. The Phobos ransom note is precisely the same as Dharma, only with the Phobos name replacing Dharma. Many AVs that can detect Phobos misreport it as Dharma because the code for the two is so similar. Others will report it as Crysis.

https://www.comparitech.com/net-admin/phobos-ransomware/

This is in contradiction to Fortinet's above FAUST variant analysis, which involved a malicious Excel document; the assumption here is that it was delivered via e-mail.


39 minutes ago, QuickSilverST250 said:

https://drive.google.com/drive/folders/1v1SOiCK5E4GOBWwg_SB-CW-kBOtkUld3?usp=sharing

Eset faust ransomware infection.mp4 is an ISO file with zero detections at VirusTotal.


How to protect against ISO-based malware: https://isc.sans.edu/diary/Preventing+ISO+Malware+/29062 .

The SANS article notes the "dropper" was a .bat file contained within the ISO:

Quote

The user double clicked on the Properties.bat file that started the infection process.


  • Administrators

Could you please re-do the test with just the ransomware sample that encrypted the files? Is it an executable or a PowerShell script? If you can, please also enable advanced real-time protection logging in the advanced setup -> Tools -> Diagnostics, besides tracing via ecmd.exe, while reproducing the encryption, and disable it prior to collecting logs with ELC. We'd also need to see the moment of creation of the ransomware file on the disk in the logs.

Also please uninstall Malwarebytes to rule out that it interferes with ESET's protection. At least Mbamchameleon.sys is a file system minifilter which might clash with ESET's real-time protection.

MbamElam, c:\windows\system32\drivers\mbamelam.sys, Boot, Stopped, , Malwarebytes Early Launch Anti-Malware Driver, Malwarebytes
MBAMChameleon, c:\windows\system32\drivers\mbamchameleon.sys, Automatic, Running, , Malwarebytes Chameleon, Malwarebytes
MBAMSwissArmy, c:\windows\system32\drivers\mbamswissarmy.sys, Manual, Running, , Malwarebytes SwissArmy, Malwarebytes

3 hours ago, Marcos said:

Unfortunately we could not find the creation of the ransomware executable C:\Users\JIXXXch\Desktop\new malware samples extracted\10-06-2024\005bffc8c94940c91159902d9b52971bcb26fa30602b05aa86e8721be49f405e.exe

I believe the sample of this is here: https://bazaar.abuse.ch/sample/005bffc8c94940c91159902d9b52971bcb26fa30602b05aa86e8721be49f405e/ .

Also, Eset detects it:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
6/17/2024 11:19:00 AM;Real-time file system protection;file;C:\Users\xxxxxxx\Downloads\005bffc8c94940c91159902d9b52971bcb26fa30602b05aa86e8721be49f405e.exe;a variant of Win64/TrojanDownloader.Agent.AUO trojan;cleaned by deleting;xxxxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (69DEB494A366940463D41383EB019F54F593B680).;8DB94ABC30A3F6DDC3CE330DADCE5DA27DDEED5F;6/17/2024 11:18:37 AM

Edited by itman
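The detection record quoted above is in ESET's semicolon-delimited detection-log export, and for a defender the interesting fields are buried in it: the action taken, the SHA-1 of the detected object, and (inside the Information column) the process that wrote the file and its hash. The following is an added example, not code from the thread, from itman or from ESET: a small Python parser for that export, assuming the column layout is exactly the header row quoted in the post. The sample input is that one record; the parent-process regex and the `was_remediated` heuristic are assumptions of this example.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the header row and the single record quoted in the thread,
# in ESET's semicolon-delimited detection export format (user/path already masked).
SAMPLE_EXPORT = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
6/17/2024 11:19:00 AM;Real-time file system protection;file;C:\Users\xxxxxxx\Downloads\005bffc8c94940c91159902d9b52971bcb26fa30602b05aa86e8721be49f405e.exe;a variant of Win64/TrojanDownloader.Agent.AUO trojan;cleaned by deleting;xxxxxxxx;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zG.exe (69DEB494A366940463D41383EB019F54F593B680).;8DB94ABC30A3F6DDC3CE330DADCE5DA27DDEED5F;6/17/2024 11:18:37 AM
"""

EXPECTED_HEADER = ["Time", "Scanner", "Object type", "Object", "Detection",
                   "Action", "User", "Information", "Hash", "First seen here"]

# Assumed pattern for the Information column: "... created by the application: <path> (<SHA-1>)."
PARENT_RE = re.compile(r"created by the application: (?P<path>.+?) \((?P<sha1>[0-9A-Fa-f]{40})\)\.?\s*$")
# Malware-zoo samples are commonly named after their SHA-256 (64 hex chars).
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


@dataclass
class Detection:
    time: str
    scanner: str
    object_type: str
    object_path: str
    detection: str
    action: str
    user: str
    information: str
    sha1: str          # the Hash column is 40 hex chars, i.e. SHA-1 of the detected object
    first_seen: str
    parent_process: Optional[str] = None   # filled from the Information column when present
    parent_sha1: Optional[str] = None

    def was_remediated(self) -> bool:
        """Heuristic: True when the Action column shows ESET acted, not merely logged."""
        return self.action.lower().startswith(("cleaned", "blocked", "deleted", "quarantined"))


def parse_detection_export(text: str) -> List[Detection]:
    """Parse an ESET detection export; raises on an unexpected layout rather than guessing."""
    reader = csv.reader(io.StringIO(text), delimiter=";")
    header = next(reader)
    if header != EXPECTED_HEADER:
        raise ValueError(f"unexpected header: {header}")
    results: List[Detection] = []
    for row in reader:
        if not row:                       # skip blank lines
            continue
        if len(row) != len(EXPECTED_HEADER):
            raise ValueError(f"expected {len(EXPECTED_HEADER)} fields, got {len(row)}: {row}")
        det = Detection(*row)
        m = PARENT_RE.search(det.information)
        if m:
            det.parent_process = m.group("path")
            det.parent_sha1 = m.group("sha1").upper()
        results.append(det)
    return results


def file_name_sha256(det: Detection) -> Optional[str]:
    """Return the SHA-256 the sample's file name claims, if it is named that way.

    The export's Hash column is SHA-1, so it cannot be compared with this value
    directly; the claimed SHA-256 is what you look up on sharing portals instead.
    """
    name = det.object_path.replace("\\", "/").rsplit("/", 1)[-1]
    stem = name.rsplit(".", 1)[0]
    return stem.lower() if SHA256_RE.match(stem) else None


if __name__ == "__main__":
    for d in parse_detection_export(SAMPLE_EXPORT):
        print(f"{d.time}  {d.detection}")
        print(f"  action        : {d.action} (remediated={d.was_remediated()})")
        print(f"  object SHA-1  : {d.sha1}")
        print(f"  claimed SHA-256: {file_name_sha256(d)}")
        print(f"  written by    : {d.parent_process} ({d.parent_sha1})")
```

Run against a full export, the parent-process and claimed-SHA-256 fields are what let you tie a detection back to the archive tool or dropper that wrote the file and to the public sample page, which is exactly the cross-check being attempted in this thread.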

7 hours ago, Marcos said:

The ransomware file had been detected since June 7 and the log was created on June 12.

Is the sw and ESET configuration same as before on June 3rd when you collected ELC logs?

The ransomware detection "$64K question" is if this sample was run prior to Eset's detection of it on 6/7?


Can't remember. I ran the test on a normal ESET Advanced VM; the sample that infected it was 00723db8c6513a9b8a79b8b8cc7d9da9f23a8a5454149ed12768937ca15d1a47.exe. It infected this VM about 30 min ago, as I wanted to find the sample responsible. Once I found it to be the one mentioned, I started the setup on the VM running Inspect; when I extracted only 00723db8c6513a9b8a79b8b8cc7d9da9f23a8a5454149ed12768937ca15d1a47.exe and tried to run it, it was now blocked with the name Phobos, so it seems to be blocked now. The sample was from 04/06. So this sample I ran kept infecting for over 13 days, hence why I said infection again.

Edited by QuickSilverST250

5 minutes ago, QuickSilverST250 said:

The sample was from the date from 04/06

Which means that as far as Eset was concerned, this was a 0-day ransomware. We can also assume that Eset Ransomware Shield is vaporware.


Very odd, as that sample infected the machine once I ran it. As I remember, in my recordings I saw that sample kept running in memory and made the connection. Once I ran it, it infected but shortly after stopped and didn't infect the Outlook folder as in previous videos.


  • Administrators

Please use just the sample 00723db8c6513a9b8a79b8b8cc7d9da9f23a8a5454149ed12768937ca15d1a47. Start trace logging as well as advanced real-time protection logging, then copy / transfer the file onto your desktop and run it. After the encryption has started, disable logging and provide both etl logs + fresh ELC logs.

However, first make sure that Malwarebytes is not installed and its drivers are not running.


1 hour ago, QuickSilverST250 said:

Can't remember. I ran the test on a normal eset advanced vm, the sample that infected it was 00723db8c6513a9b8a79b8b8cc7d9da9f23a8a5454149ed12768937ca15d1a47.exe.

Wooh..... This is not the same file referenced previously: https://forum.eset.com/topic/41364-ransomware-infection-again/?_fromLogin=1#elControls_185716_menu .

Also, per your video screenshot, the VT detection count is 70/78. As such, Eset must have had a sig. for it.


A possible explanation.

Again referring to the video screenshot. It shows 00723db8c6513a9b8a79b8b8cc7d9da9f23a8a5454149ed12768937ca15d1a47.exe and 005bffc8c94940c91159902d9b52971bcb26fa30602b05aa86e8721be49f405e.exe running at the same time. Let's assume 005bffc8c94940c91159902d9b52971bcb26fa30602b05aa86e8721be49f405e.exe was not detected by Eset at this time. It loaded 00723db8c6513a9b8a79b8b8cc7d9da9f23a8a5454149ed12768937ca15d1a47.exe in a suspended state and did process hollowing on it, or something along this line that would defeat Eset sig. detection of it.


Just before ESET detected the sample, I had 2 VMs that ran at the same time: the VM on the left ESET Advanced, and on the right ESET Advanced with Inspect. I suspected the sample 007... as mentioned and then copied it to the first VM, ran it, and almost immediately the files in the eek folder got encrypted. I then started to set up the VM on the right for log collection; that maybe took about 3 min for me to do. Once I copied the sample over and wanted to run it, it failed and I got the ESET notification of the malware being detected and stopped. I did also suspect maybe 005, but when I did the test on the VM on the left this confirmed it was the sample suspected, but it only encrypted the eek folder and did not spread as it did before, so it seems that in that brief period, by doing the test again etc., it was detected.

Edited by QuickSilverST250

On 6/17/2024 at 2:13 AM, itman said:

If you're referring to the files with .faust extension appended, it's from a Phobos ransomware variant. Details on this variant here: https://www.fortinet.com/blog/threat-research/phobos-ransomware-variant-launches-attack-faust . Of note:

As far as the IOCs listed in the article, Eset detects all of them.

So was the sample you tested with an Excel document? If so, have you deployed Eset's recommended HIPS rules against ransomware, notably:

[Screenshot: Eset_HIPS.png]

https://support.eset.com/en/kb6119-configure-hips-rules-for-eset-business-products-to-protect-against-ransomware

Sorry for piggybacking on this thread. Will the HIPS only work if the rules are applied? Are there no default rules that HIPS uses after it's enabled?


  • Administrators

Could you confirm that you've repeated the test with Malwarebytes completely uninstalled and its drivers removed? What we'd need:

1. Remove MBAM and make sure that none of its drivers is installed
2. Reduce the number of samples to the bare minimum (ideally test just the one that was run)
3. Start trace logging via ecmd.exe as suggested
4. Enable advanced real-time protection logging in the advanced setup -> Tools -> Diagnostics
5. Now copy the sample(s) you want to test to the machine (logs must include the creation of the samples on the disk)
6. Run the samples. Try to finish the test as quickly as possible (within 1-3 minutes) to make sure the generated logs are relatively small and don't contain an enormous amount of data.
7. Stop logging (both via ecmd.exe and adv. real-time protection logging)
8. Collect logs with ESET Log Collector and supply them for perusal along with EsetCmd.etl.


As I mentioned, there is no point in doing the test, as ESET is now detecting the sample and not getting infected anymore.

I will do as suggested with our next test; once we have an infection I will provide feedback, but for now there is no point with said sample. I will download new samples and test, and if there are encryption problems I will let you know.
