Adobe Worm Faker Uses LOLbins And Dynamic Techniques To Deliver Customized Payloads

guest · Jun 21, 2019

Adobe Worm Faker Uses LOLbins And Dynamic Techniques To Deliver Customized Payloads
June 20, 2019
https://www.cybereason.com/blog/ado...mic-techniques-to-deliver-customized-payloads

We have found an interesting, active malware that uses LOLBins called Adobe Worm Faker. This worm is able to dynamically change its behavior depending on the machine it is operating on to deliver the optimal exploit and payload per target machine. This malware has the potential to be particularly devastating, as it is able to evade AV and EDR products and requires human intervention to defend against.

In a recent case, the Cybereason Platform detected that the Adobe Worm Faker malware checked the targeted system for the presence of specific USB-related security products. When files associated with these products were found, the malware killed their processes and deleted their files so it could continue to run unimpeded and unnoticed.

The variant we discovered used multiple vectors of attack that would make it particularly persistent and difficult to remediate in an organization that lacks the appropriate knowledge or tools.
Click to expand...

CONCLUSIONS
Earlier this year, we anticipated that attacks using LOLbins will increase. Because of the great potential for malicious exploitation inherent in the use of native processes, it is very likely that more attackers will continue using this method to deliver payloads onto targeted machines.

We were able to detect malicious use of the AcroUp utility (which is similar to the wscript utility tool) and reconnaissance activities that used WMI Tasks. We also detected and evaluated the infection technique used to spread this worm variant of Adobe Worm Faker via removable devices.

In our discovery, we examined the use of legitimate built-in Windows OS processes to perform malicious activities undetected, and we also delved into how the worm is able to deliver more payloads to the compromised machine.
The analysis of the tools and techniques used in this malware show how truly effective LOLbins are at evading antivirus products.
Click to expand...

itman · Jun 21, 2019

Of note is 41 VT vendors currently detect this. Windows Defender does not. No surprise there since its LOL based.

Nightwalker · Jun 21, 2019

itman said: ↑

Of note is 41 VT vendors currently detect this. Windows Defender does not. No surprise there since its LOL based.
Click to expand...

Except it does 8/52
:

What it isnt detecting is the the fake launcher, but Windows Defender would had stopped the infection, so what is your point?

Not to mention that the fake launcher is subject to "block at first sight" ...

So nice job Windows Defender, I guess.

Edit: I was wrong here, Windows Defender didnt detect the fake launcher , but it detected the malicious script, so it should have stopped the infection anyway.

itman · Jun 21, 2019

Nightwalker said: ↑

Except it does 8/52
Click to expand...

The hash I checked from the Cybereason article is highlighed below:

Indicators of Compromise

IOC

Type

Description

SHA1

B44E6E197C085DDDA1779DA42E094BA816F8E2E4

Hash

Adobe Acrobat.zip

SHA1

C7371297FEA738DD2A334399CD1239B4ADB435F3

Hash

Notebook.pdf

SHA1

7D5D0A65F3D443D33B8C6B3D1C6F4CF4D4A08E81

Hash

AcroUp\AcroDC.exe
Click to expand...

Nightwalker · Jun 21, 2019

itman said: ↑

The hash I checked from the Cybereason article is highlighed below:
Click to expand...

I checked using the hashs from the article, like I said, the malicious script was stopped by WD 8/52:

C7371297FEA738DD2A334399CD1239B4ADB435F3

Windows Defender + only 7 other security vendors detected the malicious script, the 41/52 detection is the launcher.

Log in or Sign up

Adobe Worm Faker Uses LOLbins And Dynamic Techniques To Deliver Customized Payloads

guest Guest

itman Registered Member

Nightwalker Registered Member

itman Registered Member

Nightwalker Registered Member

Log in or Sign up

Adobe Worm Faker Uses LOLbins And Dynamic Techniques To Deliver Customized Payloads

guest Guest

itman Registered Member

Nightwalker Registered Member

itman Registered Member

Nightwalker Registered Member

Useful Searches