CodeFork Group Uses Fileless Malware to Deploy Monero Miners

Discussion in 'malware problems & news' started by itman, Sep 7, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,410
    Location:
    U.S.A.
    https://www.bleepingcomputer.com/ne...ses-fileless-malware-to-deploy-monero-miners/
     
  2. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,519
    Location:
    Paris
    The attack is similar to a few Kovter variants, which also are fileless and forks regsvr32 (and svchost, which can be more problematic). Personally I find Kovter to be more elegant as it creates obfuscated reg entries in HKEY_USERS and not HKEY_CURRENT_USER. I'm really surprised that BC makes this out to be the Worst Thing Ever- Yes, it will indeed get past traditional security solutions, but there exist other security modalities (not mentioning any names) that laugh at crap like this as they simultaneous kill them.

    Fun Fact for any that don't know- Any startup application extent will not be aware of malicious persistence done by obfuscated reg startup entries in HKEY_USERS. So essentially you will have a Startup program that you will never ever be aware of. Isn't that just the Bomb?
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,410
    Location:
    U.S.A.
  4. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,519
    Location:
    Paris
    I'm familar with the malware. The kovter I mentioned also uses powershell. I feel the best solution is to utilize a security product that will protect whether or not Powershell exists on the machine or not. I mean you really shouldn't be forced to disable things (like PS, wscrpt, js, etc) one by one because of a failing of the traditional security solution.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,410
    Location:
    U.S.A.
    This one does a few "unusual" activities. Assuming you're not HIPS/anti-exec/firewall monitoring regsvr32.exe, powershell.exe and wscript.exe activities which would stop it initially:

    1.
    Refer to the MRG Powershell test thread on AV product effectiveness against obfuscated scripts including those employing Win 10's AMSI feature. Also note that wscript.exe is being remotely executed.

    2.
    Self-explainatory.

    3.
    This one I really like; injecting PowerShell and using it as the malware payload.

    Finally to run Casey Smith's "SquibeeDoo" regsvr32.exe bypass, admin privileges are required. So it can be assumed some privilege escalation has occurred.
     
    Last edited: Sep 8, 2017
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,894
    Location:
    The Netherlands
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,410
    Location:
    U.S.A.
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You didn't need Barkly to stop that one. Just brains.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,894
    Location:
    The Netherlands
    No, I wish it was the case! At the moment, corporate HIPS/BB solutions are a lot more exciting than home user tools. I also post these articles, to remember people that it doesn't take rocket science to stop these "advanced" file-less and PowerShell related attacks. BTW, enSilo has update their website, I really like their approach, you can also check out a few videos:

    https://www.ensilo.com/product/

    LOL, good point. But if you look at all of the successful attacks, it seems that some do not have the brains.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.