Discussion in 'malware problems & news' started by itman, Sep 7, 2017.
The attack is similar to a few Kovter variants, which also are fileless and fork regsvr32 (and svchost, which can be more problematic). Personally I find Kovter to be more elegant as it creates obfuscated reg entries in HKEY_USERS and not HKEY_CURRENT_USER. I'm really surprised that BC makes this out to be the Worst Thing Ever. Yes, it will indeed get past traditional security solutions, but there exist other security modalities (not mentioning any names) that laugh at crap like this as they simultaneously kill them.
Fun Fact for any that don't know: any startup application extant will not be aware of malicious persistence done by obfuscated reg startup entries in HKEY_USERS. So essentially you will have a Startup program that you will never ever be aware of. Isn't that just the Bomb?
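As an added example (not from this thread, nor from any product mentioned in it), a read-only PowerShell check that walks the Run/RunOnce keys of every loaded hive under HKEY_USERS rather than only HKEY_CURRENT_USER, and flags entries that launch regsvr32, PowerShell or the script hosts, or whose value name contains non-printable characters (a common obfuscation trick). The key list and host patterns are assumptions to tune for your environment.

```powershell
# Added example: enumerate autorun entries for every loaded user hive under
# HKEY_USERS (not just HKCU) and flag the ones a defender would want to look at.
# Read-only. Run from an elevated prompt so all loaded hives are readable.

# Autorun locations to inspect (assumption: extend with others you care about)
$runKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hosts commonly used by fileless loaders (assumption: tune to your environment)
$suspectHosts = 'regsvr32\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe'

$findings = foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
    # *_Classes hives hold file associations, not Run keys; skip them
    if ($hive.PSChildName -like '*_Classes') { continue }

    foreach ($sub in $runKeys) {
        $path = "Registry::HKEY_USERS\$($hive.PSChildName)\$sub"
        if (-not (Test-Path $path)) { continue }

        $item = Get-Item $path
        foreach ($name in $item.GetValueNames()) {
            # Keep %VARS% unexpanded so we see exactly what was written
            $value = [string]$item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')

            # Heuristics: abused host binary in the command, or a value name
            # containing characters outside printable ASCII (hides it in regedit)
            $hostHit = $value -match $suspectHosts
            $oddName = $name -match '[^\x20-\x7E]'

            [pscustomobject]@{
                SID        = $hive.PSChildName
                Key        = $sub
                Name       = $name
                Command    = $value
                Suspicious = ($hostHit -or $oddName)
            }
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Only hives currently loaded appear under HKEY_USERS, so profiles of users who are not logged on must be loaded (reg load) or inspected offline to get full coverage.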
More detail on this attack here: https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/codefork-malware/. Of course, it uses PowerShell and will not run if PowerShell is not installed on the target.
I'm familiar with the malware. The Kovter I mentioned also uses PowerShell. I feel the best solution is to utilize a security product that will protect whether or not PowerShell exists on the machine. I mean you really shouldn't be forced to disable things (like PS, wscript, js, etc.) one by one because of a failing of the traditional security solution.
This one does a few "unusual" activities. Assuming you're not HIPS/anti-exec/firewall monitoring regsvr32.exe, powershell.exe and wscript.exe activities which would stop it initially:
Refer to the MRG Powershell test thread on AV product effectiveness against obfuscated scripts including those employing Win 10's AMSI feature. Also note that wscript.exe is being remotely executed.
This one I really like; injecting PowerShell and using it as the malware payload.
Finally, to run Casey Smith's "Squiblydoo" regsvr32.exe bypass, admin privileges are required. So it can be assumed some privilege escalation has occurred.
Another one that was easily blocked:
The question is, are you currently using Barkly since you always mention it?
You didn't need Barkly to stop that one. Just brains.
No, I wish it was the case! At the moment, corporate HIPS/BB solutions are a lot more exciting than home user tools. I also post these articles to remind people that it doesn't take rocket science to stop these "advanced" file-less and PowerShell related attacks. BTW, enSilo has updated their website. I really like their approach; you can also check out a few videos:
LOL, good point. But if you look at all of the successful attacks, it seems that some do not have the brains.