Dec 29 2022

GuLoader Malware Uses Advanced Anti-Analysis Techniques to Evade Detection

Category: Antivirus, Malware, Threat detection | DISC @ 11:30 am

An advanced malware downloader named GuLoader has recently been exposed by cybersecurity researchers at CrowdStrike. This advanced downloader has the capability to evade the detection of security software by adopting a variety of techniques.

While analyzing GuLoader's shellcode, CrowdStrike discovered a brand-new anti-analysis technique through which the malware determines whether it is running in an adversarial (analysis) environment: it examines the whole process memory for any VM-related strings.

Evolution of GuLoader Malware

On infected machines, GuLoader (aka CloudEyE) distributes remote access trojans such as AgentTesla, FormBook, Nanocore, NETWIRE, Remcos, and the Parallax RAT using its VBS downloader.

GuLoader has been active since at least 2019 and has undergone several changes in its functionality and delivery methods. Over time, the malware has become more sophisticated, using various methods to evade detection and avoid being removed from infected systems. 

It has also been distributed through other channels, such as exploit kits and hacked websites, and it has been used in various campaigns to deliver a range of malware, including ransomware, banking Trojans, and other malware families.

GuLoader also deploys a strong anti-analysis technique in order to remain undetected.

GuLoader operates in three stages: the VBScript first injects the shellcode embedded within it into memory, and the next stage then executes anti-analysis checks that protect the code from being analyzed.

Furthermore, the shellcode also incorporates the same anti-analysis methods in order to avoid detection by third parties. It is through this shellcode that an attacker is able to download a final payload of their choice and execute it with the same anti-analysis methods as the original shellcode on the host that is compromised.

The malware uses anti-debugging and anti-disassembling checks to detect breakpoints placed for code analysis.

There is also a redundant code injection mechanism that can be used to avoid an NTDLL.dll hook of the kind commonly placed by antivirus programs and EDRs.

In order to detect and flag processes on Windows that may be suspicious, anti-malware engines use NTDLL.dll API hooking. 

Anti-Analysis Techniques

The anti-analysis techniques used are:

  • Anti-Debugging
  • Anti-Virtual Machine
  • Process Hollowing

Experts pointed out that GuLoader remains a treacherous, constantly evolving threat. They also provided indicators of compromise for the latest version of the downloader, as well as other key information.

GuLoader Malware Advanced Anti-Analysis

Antivirus Bypass Techniques: Learn practical techniques and tactics to combat, bypass, and evade antivirus software

Malware Analysis


Tags: Antivirus Bypass Techniques, Evade Detection, Malware

Dec 21 2022


Category: Antivirus, Cheat Sheet, Malware | DISC @ 9:21 am

VirusTotal cheat sheet makes it easy to search for specific results

Opening the Blackbox of VirusTotal, analyzing online phishing scan engines

The Antivirus Hacker’s Handbook

Mastering Malware Analysis



Dec 13 2022

Multiple Zero-Day Vulnerabilities in Antivirus and Endpoint Let Attackers Install Data Wipers

Category: Antivirus, Information Security, Zero day | DISC @ 9:50 am

Next-Generation Wiper Tool

Aikido is a wiper tool developed by Or Yair of SafeBreach Labs; its purpose is to defeat the opponent by using their own power against them.

As a consequence, this wiper can be run without being granted privileges. It is also capable of wiping almost every file on a computer, including system files, in order to make it completely unbootable and unusable.

EDRs are responsible for deleting malicious files in two main ways, depending on the following contexts:

  • Time of threat identification
  • Time of threat deletion

Window of opportunity (SafeBreach)

As soon as a malicious file is detected and the user attempts to delete it, the Aikido wiper takes advantage of a moment of opportunity. 

This wiper abuses a Windows feature that allows users to create junction point links (symlinks) regardless of the privileges of their accounts.

According to Yair, a user who does not have the required permissions to delete system files (.sys) cannot delete those files directly. By creating a decoy directory, he was able to trick the security product into deleting the file instead of preventing its deletion.

Likewise, he placed inside the decoy directory a path that resembled the path intended for deletion, for example:

  • C:\temp\Windows\System32\drivers vs C:\Windows\System32\drivers
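The detection-to-deletion window described above is closed on the deletion side: before a security product removes a flagged file, it has to confirm that no component of the path is a symlink or junction and that the path still resolves inside the directory it is allowed to act on. The following is an added example of such a check, written for this page; it is not code from SafeBreach or from any of the products discussed. The function names, the quarantine root, and the temporary-directory scenario in `demo()` (a real quarantined file next to a planted link pointing at a decoy "system" directory) are assumptions constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path


def has_reparse_component(base: Path, relative: Path) -> bool:
    """True if any existing component of base/relative is a symlink or, on
    Windows, a junction or other reparse point. Walking starts at `base`, which
    the caller already trusts, so only the components below it are inspected."""
    current = base
    for part in relative.parts:
        current = current / part
        try:
            st = os.lstat(current)            # lstat: do not follow links
        except FileNotFoundError:
            return False                      # nothing beyond here to follow
        if stat.S_ISLNK(st.st_mode):
            return True
        # Junctions are reparse points rather than POSIX symlinks; the
        # attribute is only populated on Windows, getattr keeps this portable.
        attrs = getattr(st, "st_file_attributes", 0)
        if attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0):
            return True
    return False


def safe_quarantine_delete(target, quarantine_root) -> str:
    """Delete `target` only if it lies under `quarantine_root` with no link in
    its path. Returns a short outcome string suitable for an audit log."""
    root = Path(os.path.abspath(quarantine_root))
    lexical = Path(os.path.abspath(target))   # normalised, links NOT resolved
    if root not in lexical.parents:
        return "refused: outside quarantine root"
    if has_reparse_component(root, lexical.relative_to(root)):
        return "refused: reparse point in path"
    # Resolve again immediately before acting, so a link planted after the
    # checks above still has to land inside the root to be deleted.
    try:
        real = lexical.resolve(strict=True)
    except FileNotFoundError:
        return "refused: target missing"
    if root.resolve(strict=True) not in real.parents:
        return "refused: resolves outside quarantine root"
    os.unlink(real)
    return "deleted"


def demo() -> dict:
    """Constructed scenario (assumption, for illustration only): one genuine
    quarantined file, plus a planted link named 'decoy' that points at a
    directory outside the quarantine holding a file we must never delete."""
    root = Path(tempfile.mkdtemp(prefix="quarantine_"))
    outside = Path(tempfile.mkdtemp(prefix="system_"))
    sample = root / "sample.bin"
    sample.write_bytes(b"placeholder quarantined content")
    protected = outside / "driver.sys"
    protected.write_bytes(b"placeholder, not a real driver")
    os.symlink(outside, root / "decoy")       # the planted junction/symlink
    return {
        "real_file": safe_quarantine_delete(sample, root),
        "via_decoy": safe_quarantine_delete(root / "decoy" / "driver.sys", root),
        "outside": safe_quarantine_delete(protected, root),
        "protected_survives": protected.exists(),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Checking and then deleting is still two operations, so a production engine should perform this validation at deletion time rather than at detection time, and on Windows should open the target with a handle that does not follow reparse points (`FILE_FLAG_OPEN_REPARSE_POINT`) rather than by path string.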

Qualities of the Aikido Wiper

Here below we have mentioned all the general qualities of the Aikido Wiper:-

  • Fully Undetectable
  • Makes the System Unbootable
  • Wipes Important Data
  • Runs as an Unprivileged User
  • Deletes the Quarantine Directory

Product analysis and response from the vendor 

Six of the 11 security products tested by Or Yair were found to be vulnerable to this exploit. In short, over 50% of the tested products in this category are vulnerable.

Here below we have mentioned the vulnerable ones:-

  • Defender
  • Defender for Endpoint
  • SentinelOne EDR
  • TrendMicro Apex One
  • Avast Antivirus
  • AVG Antivirus

Here below we have mentioned the products that are not vulnerable:-

  • Palo Alto XDR
  • Cylance
  • CrowdStrike
  • McAfee
  • BitDefender

All the vulnerabilities were reported to the affected vendors between July and August of this year. In the case of Microsoft Defender and Microsoft Defender for Endpoint, the researcher did not achieve arbitrary file deletion.

To address the vulnerabilities, three of the vendors issued CVEs, and the same three vendors also released updated versions of their software to address the exploit:

  • Microsoft Malware Protection Engine: 1.1.19700.2
  • TrendMicro Apex One: Hotfix 23573 & Patch_b11136
  • Avast & AVG Antivirus: 22.10

This type of vulnerability should be proactively tested by all EDR and antivirus vendors to ensure that their products are protected from similar attacks in the future.

For organizations using EDR and AV products, the researcher strongly recommends that they consult with their vendors for updates and patches immediately.

Multiple Zero-Day Vulnerabilities

Tags: Data Wipers

Mar 26 2022

FCC adds Kaspersky to Covered List due to unacceptable risks to national security

Category: Antivirus, Information Security, Information Warfare | DISC @ 9:53 pm

The Federal Communications Commission (FCC) added Kaspersky to its Covered List because it poses unacceptable risks to U.S. national security.

The Federal Communications Commission (FCC) added multiple Kaspersky products and services to its Covered List saying that they pose unacceptable risks to U.S. national security.

“The Federal Communications Commission’s Public Safety and Homeland Security Bureau today added equipment and services from three entities – AO Kaspersky Lab, China Telecom (Americas) Corp, and China Mobile International USA Inc. – to its list of communications equipment and services that have been deemed a threat to national security, consistent with requirements in the Secure and Trusted Communications Networks Act of 2019.” reads the FCC’s press release.

The Covered List, published by the Public Safety and Homeland Security Bureau, includes products and services that could pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.

The US commission also added Chinese state-owned mobile service providers China Mobile International USA and China Telecom Americas to the list. Below is the list of Covered Equipment or Services added on March 25, 2022:

  • Information security products, solutions, and services supplied, directly or indirectly, by AO Kaspersky Lab or any of its predecessors, successors, parents, subsidiaries, or affiliates.
  • International telecommunications services provided by China Mobile International USA Inc. subject to section 214 of the Communications Act of 1934.
  • Telecommunications services provided by China Telecom (Americas) Corp. subject to section 214 of the Communications Act of 1934.

FCC banned Kaspersky security solutions and services supplied by Kaspersky or any linked companies.

“The FCC’s decision to add these three entities to our Covered List is welcome news. The FCC plays a critical role in securing our nation’s communications networks, and keeping our Covered List up to date is an important tool we have at our disposal to do just that. In particular, I am pleased that our national security agencies agreed with my assessment that China Mobile and China Telecom appeared to meet the threshold necessary to add these entities to our list. Their addition, as well as Kaspersky Labs, will help secure our networks from threats posed by Chinese and Russian state backed entities seeking to engage in espionage and otherwise harm America’s interests.” said FCC Commissioner Brendan Carr. “I applaud Chairwoman Rosenworcel for working closely with our partners in the Executive Branch on these updates. As we continue our work to secure America’s communications networks, I am confident that we will have more entities to add to our Covered List.”

In mid-March, the German Federal Office for Information Security, aka BSI, recommended that consumers uninstall Kaspersky anti-virus software. The agency warned that the cybersecurity firm could be implicated in hacking attacks during the ongoing Russian invasion of Ukraine.

According to §7 of the BSI law, the BSI warns against the use of Kaspersky Antivirus and recommends replacing it as soon as possible with defense solutions from other vendors.

Tags: FCC, kaspersky, National security

Jan 19 2022

VirusTotal Hacking: Finding stolen credentials hosted on VirusTotal

Category: Antivirus | DISC @ 12:42 pm

The source of the compromised credentials

The credentials are contained in files that common info-stealers and keyloggers use to exfiltrate them from infected machines.

These files can end up hosted on VirusTotal due to hackers using VirusTotal to promote selling victims’ data or due to attackers uploading them by mistake, Tomer Bar, Director of Security Research at SafeBreach, told Help Net Security.

They may also be uploaded by third parties (e.g., a security researcher or the company where the C2 server is hosted) who are unaware they contain sensitive information. Finally, some environments are configured to automatically upload files to VirusTotal to verify whether they are “clean”.

Finding the files with stolen credentials

Just like Google Search can be used to search for vulnerable websites/systems, IoT devices, and sensitive data (the method is known as Google hacking or dorking), VirusTotal’s APIs and tools (VT Graph, Retrohunt, etc.) can be used to find files containing stolen data.

To prove it, the researchers compiled a list of those files’ names, acquired a monthly VirusTotal license that allowed them to do searches, explore VirusTotal’s dataset, and perform malware hunts – and started searching for them.

It didn’t take long to find some. Depending on the malware, these files contain credentials for email and social media accounts, e-commerce sites, online payment services, gaming platforms, online government services, streaming platforms, online banking accounts, and private keys of cryptocurrency wallets.

They’ve also connected some of these files to specific sellers of stolen credentials on a variety of hacking forums and Telegram groups, and have shown that in some cases it may be easy for criminals to discover credentials for accessing malware’s C2 FTP server and use them to “collect” stolen credentials.

“Our goal was to identify the data a criminal could gather with a VirusTotal license,” Bar noted, and said that they have proven this method – dubbed “VirusTotal Hacking” – works at scale.

“A criminal who uses this method can gather an almost unlimited number of credentials and other user-sensitive data with very little effort in a short period of time using an infection-free approach. We called it the perfect cyber crime, not just due to the fact that there is no risk and the effort is very low, but also due to the inability of victims to protect themselves from this type of activity. After victims are hacked by the original hacker, most have little visibility into what sensitive information is uploaded and stored in VirusTotal and other forums.”

The researchers urged Google – the owner of VirusTotal via its subsidiary Chronicle – to periodically search and remove files with sensitive user data and ban API keys that upload those files, and to add an algorithm that disallows uploads of files that contain sensitive cleartext data or encrypted files with the decryption password attached (either as text or included in an image).

They also pointed out that malware's unsecured C2 communication protocols should be exploited by defenders, in concert with hosting companies, to sinkhole or terminate C2 servers.
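The post notes that some environments auto-upload files to VirusTotal, and that the researchers asked for uploads containing cleartext sensitive data to be blocked. A defender does not have to wait for the platform to do that: the same screen can run on the submitting side. The block below is an added example written for this page, not code from SafeBreach, VirusTotal or Help Net Security; it gates an automated submission on a few credential patterns (password fields, URLs carrying user:password, private-key PEM headers, email:password pairs). The pattern set, function names and the sample texts are constructed assumptions, and the values in them are fake.

```python
import re
from typing import Dict, Tuple

# Constructed sample of the key/value dump format many stealers write.
# All values are fabricated for this example.
SAMPLE_STEALER_LOG = """\
URL: https://mail.example.com/login
USER: alice@example.com
PASS: Winter2022!
URL: https://shop.example.net
USER: bob
PASS: hunter2
"""

SAMPLE_CLEAN = "This is a benign readme.\nNo secrets here.\n"

# Fabricated PEM fragment; only the header matters to the check.
SAMPLE_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIB...placeholder...\n-----END RSA PRIVATE KEY-----\n"

# Heuristic patterns (assumption: tune to what your stealers actually drop).
CREDENTIAL_PATTERNS: Dict[str, re.Pattern] = {
    # "pass: x", "password=x", "pwd: x" at the start of a line
    "password_field": re.compile(r"(?im)^\s*(?:pass(?:word)?|pwd)\s*[:=]\s*\S+"),
    # scheme://user:secret@host (FTP/SMB/HTTP credentials embedded in URLs)
    "userinfo_url": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I),
    # PEM private key headers
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # email:password combo-list style lines
    "email_password_pair": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+\s*[:|;]\s*\S{4,}"),
}


def scan_for_credentials(text: str) -> Dict[str, int]:
    """Return {pattern_name: match_count} for every pattern that fires."""
    hits: Dict[str, int] = {}
    for name, pattern in CREDENTIAL_PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


def should_upload(data: bytes) -> Tuple[bool, Dict[str, int]]:
    """Gate for an automated submission: decode lossily (binaries become noise
    and normally pass), block if any credential pattern is present, and hand
    the hit summary back so the caller can route the file to human review."""
    text = data.decode("utf-8", errors="ignore")
    hits = scan_for_credentials(text)
    return (not hits, hits)


if __name__ == "__main__":
    for label, sample in (("stealer log", SAMPLE_STEALER_LOG),
                          ("clean", SAMPLE_CLEAN), ("pem", SAMPLE_PEM)):
        ok, hits = should_upload(sample.encode())
        print(f"{label}: upload={'yes' if ok else 'NO'} hits={hits}")
```

A blocked file should go to an analyst queue rather than be silently dropped, and where only a verdict is needed a hash lookup against VirusTotal discloses nothing about the file's contents, so it is the safer default for automation.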

As a final side note, stolen credentials are not the only sensitive information that can occasionally be found on VirusTotal:

VirusTotal stolen credentials

Self-Sovereign Identity: Decentralized digital identity and verifiable credentials

Tags: Self-Sovereign Identity: Decentralized digital identity and verifiable credentials, VirusTotal

Dec 02 2021

VirusTotal Collections allows enhancing the sharing of Indicators of Compromise (IoCs)

Category: Antivirus, Malware | DISC @ 9:42 am

VirusTotal announced VirusTotal Collections, a new service that allows security researchers to share sets of Indicators of Compromise (IoCs).

VirusTotal announced VirusTotal Collections, a new service that allows threat researchers to share Indicators of Compromise (IoCs).

A collection is a live report that includes IoCs associated with a specific threat and it is available for VirusTotal registered users. The reports will also include up-to-date VirusTotal analysis metadata.

“A collection is a live report which contains a title, a group of IoCs (file hashes, URLs, domains and IP addresses) and an optional description. Collections are open to our VirusTotal Community (registered users) and they will be enhanced with VirusTotal analysis metadata providing the latest information we have for the IoCs, along with some aggregated tags.” reads the announcement published by Virus Total.

Registered VirusTotal users will be able to add or remove IoCs to/from the reports.

Security experts often use sharing platforms like Pastebin to share IoCs with the community; now they have a dedicated platform to do so, which is also integrated with the information from VirusTotal. Users can create IoC collections on the VirusTotal home page, under the SEARCH tab.

Cyber indicators of compromise: a domain ontology for security information and event management Paperback

Tags: VirusTotal

Jul 31 2021

OSINT Tutorial to Discover Antivirus of the Target

Category: Antivirus, OSINT | DISC @ 1:35 pm

This OSINT tutorial demonstrates the Recon-ng tool on Kali Linux. It discovers the type of anti-virus (AV) software the victim is running on their internal network.

It’s impossible to circumvent every anti-virus, yet an experienced attacker knows it is possible to avoid a specific AV product for a sufficient period. If an attacker discovers which anti-virus the victim is running, they develop their malware to be undetectable by that particular product.

Recon-ng is a robust tool for performing automated data collection and network footprinting. It can query a variety of websites for passive data or actively probe the victim for details. It offers several functionalities that enable the attacker to capture user data for social engineering, network traffic for network analysis, and more.

Consider it a data-gathering version of Metasploit. Anybody familiar with Metasploit will feel at ease with this interface, which looks and feels like Metasploit.

Recon-ng relies on sending repeated requests to a DNS server to determine whether the server's cache contains the anti-virus vendor's website. If it does, it means that someone at the victim organization is using that particular anti-virus program, because updating antivirus signatures requires contacting the vendor's website. When the DNS server has no cached entry for the AV company's website, one can assume that nobody inside the company has requested it.
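The cache check described above works because the resolver answers from cache when asked not to recurse; the classic form of this probe (DNS cache snooping) sends queries with the recursion-desired bit cleared, which is a well-known property of the technique rather than something the post states. That makes it visible on the defender's side. The block below is an added example written for this page, not part of the tutorial or of Recon-ng: it parses BIND9-style query-log lines (the `+`/`-` flag after the query type is BIND's recursion-desired marker) and reports sources that issued non-recursive queries for several distinct names. The log lines, IP addresses, vendor hostnames and the alert threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterator, List

# Constructed sample in BIND9 query-log style; assumption: your resolver logs
# this format (adjust QUERY_RE otherwise). Addresses and names are fabricated.
SAMPLE_LOG = """\
29-Dec-2022 11:30:01.101 queries: info: client @0x7f3a1c0 10.0.5.21#51234 (www.intranet.example): query: www.intranet.example IN A +E(0) (10.0.0.53)
29-Dec-2022 11:30:01.204 queries: info: client @0x7f3a1c0 10.0.5.21#51235 (mail.intranet.example): query: mail.intranet.example IN A +E(0) (10.0.0.53)
29-Dec-2022 11:30:02.310 queries: info: client @0x7f3a1c0 203.0.113.77#40001 (update.av-vendor-a.example): query: update.av-vendor-a.example IN A -E(0) (10.0.0.53)
29-Dec-2022 11:30:02.311 queries: info: client @0x7f3a1c0 203.0.113.77#40002 (update.av-vendor-b.example): query: update.av-vendor-b.example IN A -E(0) (10.0.0.53)
29-Dec-2022 11:30:02.312 queries: info: client @0x7f3a1c0 203.0.113.77#40003 (liveupdate.av-vendor-c.example): query: liveupdate.av-vendor-c.example IN A -E(0) (10.0.0.53)
29-Dec-2022 11:30:02.313 queries: info: client @0x7f3a1c0 203.0.113.77#40004 (definitions.av-vendor-d.example): query: definitions.av-vendor-d.example IN A -E(0) (10.0.0.53)
29-Dec-2022 11:30:05.000 queries: info: client @0x7f3a1c0 10.0.5.22#51300 (update.av-vendor-a.example): query: update.av-vendor-a.example IN A +E(0) (10.0.0.53)
"""

# client [@0xADDR] IP#PORT (name): query: NAME IN TYPE FLAGS ...
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_queries(log_text: str) -> Iterator[dict]:
    """Yield one record per query line: source IP, name, type, and whether
    recursion was requested (leading '+' in BIND's flag field)."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue            # not a query line (or a different format)
        yield {
            "ip": m.group("ip"),
            "qname": m.group("qname").rstrip(".").lower(),
            "qtype": m.group("qtype"),
            "rd": m.group("flags").startswith("+"),
        }


def find_cache_snoopers(log_text: str, min_nonrecursive: int = 3) -> Dict[str, List[str]]:
    """Map source IP -> sorted names it asked for WITHOUT requesting recursion,
    keeping only sources that did so for at least `min_nonrecursive` distinct
    names. Ordinary stub resolvers set RD on essentially every query, so a
    spread of RD=0 queries from one source is the signal worth reviewing."""
    by_ip: Dict[str, set] = defaultdict(set)
    for q in parse_queries(log_text):
        if not q["rd"]:
            by_ip[q["ip"]].add(q["qname"])
    return {ip: sorted(names) for ip, names in by_ip.items()
            if len(names) >= min_nonrecursive}


if __name__ == "__main__":
    for ip, names in find_cache_snoopers(SAMPLE_LOG).items():
        print(f"possible cache snooping from {ip}: {', '.join(names)}")
```

The detection is a complement to configuration, not a substitute for it: a BIND resolver that limits `allow-recursion` and `allow-query-cache` to internal address ranges will not serve its cache to outside sources in the first place, and the threshold above should be tuned against a baseline of the resolver's own clients.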

Let us get rolling!


Tags: OSINT Tutorial

May 15 2019

Virus Removal Tool

Category: Antivirus | DISC @ 10:30 pm

Virus Removal Tool

Free Virus Removal Tools to Secure Against Virus Infection, Including Conficker, Rootkits and More. Download the Free Sophos Virus Removal Tool Today.

Source: Sophos Virus Removal Tool


Tags: Free antivirus, Virus Removal Tool

Apr 23 2019

The best antivirus software of 2019

Category: Antivirus | DISC @ 12:32 pm

The best antivirus software of 2019

Source: The best antivirus software of 2019


Apr 05 2019

How to avoid document-based malware attacks

Category: Antivirus, Malware | DISC @ 9:39 am

Some 59% of all malicious files detected in the first quarter of 2019 were documents, according to a Barracuda Networks report. Here’s how to protect yourself against this growing threat.

Source: How to avoid document-based malware attacks

Apr 03 2019

Hospital viruses: Fake cancerous nodes in CT scans, created by malware, trick radiologists

Category: Antivirus, Information Security | DISC @ 3:50 pm

Researchers in Israel created malware to draw attention to serious security weaknesses in medical imaging equipment and networks.

Source: Hospital viruses: Fake cancerous nodes in CT scans, created by malware, trick radiologists

Malware Analysis

Feb 14 2019

Emotet Uses Camouflaged Malicious Macros to Avoid Antivirus Detection

Category: Antivirus | DISC @ 6:37 pm

A new Emotet Trojan variant has been observed in the wild with the added ability to hide from anti-malware software by embedding malicious macros used to drop the main payload inside XML files disguised as Word documents.

Source: Emotet Uses Camouflaged Malicious Macros to Avoid Antivirus Detection

Jan 29 2017

Top 5 excellent Antivirus Protection of 2017

Excellence is achievable but perfection is not. Find an excellent anti-virus product based on your requirements.

Malware is evolving faster than ever, so it’s encouraging to discover that the latest generation of antivirus (AV) products is better equipped to handle this pace of change. Information security best practice recommends that every PC run at least antivirus (antimalware), antispyware, and a firewall, and that you keep them up to date. So if you’re not running an anti-virus, or feel your anti-virus could do a bit more, take a look at the list below and find an anti-virus solution that fulfills your current needs against modern-day threats.

All five antivirus solutions below include On-Demand Malware Scan, On-Access Malware Scan, Website Rating, Malicious URL Blocking, Phishing Protection and Behavior-Based Detection.

1) McAfee Antivirus Plus

Unlimited protection for Windows, Android, macOS, and iOS devices. New behavior-centric antivirus engine. Essential antivirus protection for PCs, Macs, smartphones, and tablets.

2) Webroot SecureAnywhere Antivirus

For cloud security it analyzes files, phishing sites, malicious web pages, IP addresses, and mobile apps, providing a real-time view of current threats and enabling protection from zero-day attacks. Can recover files encrypted by ransomware. Uses a tiny amount of disk space. Very fast scan. Handles unknown malware. Includes firewall.

3) Bitdefender Antivirus Plus

Effective ransomware protection. Many bonus features including password manager, secure browser, and file shredder. Wi-Fi Security Advisor. Always secure on the go.

4) Symantec Norton Antivirus Basic

Protection is always up to date to defend against spyware, malware, and unsafe websites, while safeguarding your identity and online transactions. Powerful intrusion prevention. Norton Power Eraser blasts persistent malware. Password management.

5) Kaspersky Antivirus

Kaspersky Anti-Virus helps protect against viruses, spyware & more. Great for antiphishing and speedy full-system scan.

Our recommendation is based on The best Antivirus protection of 2017

Top Rated Antivirus Protection

Tags: Antivirus software, bitdefender, kaspersky, McAfee, Symantec, webroot