Amir

Emsisoft BehaviorBlocker can be bypassed this way!


Hi

This was done by my friend on MalwareTips:

 

"One weakness I've found in Behavior Blockers is that the most common way to escape the behavior blocker is by using a trusted (but not super well known) process to do your dirty work.

If you use something too popular like PowerShell or cmd.exe, behavior blockers are smart, especially thanks to AMSI. However, if you use something just mildly popular like a Node.js runtime, a copy of Cygwin/MinGW, or in this case, 7-Zip, it seems to be blanket whitelisted by behavior blockers.

This piece of fake "malware", which I'm calling TrojanZipperPOC, does this:

  1. Finds a copy of 7-Zip. It prefers "C:\Program Files\7-Zip\7z.exe", as long as you have installed a native copy of 7-Zip (e.g. 64-bit on 64-bit Windows). Otherwise it uses a 7z.exe in your current folder, which I've bundled as simply a copy of my 7-Zip folder on my development machine. Both copies of 7-Zip are official shipping versions, which means they're both signed as well as considered high-reputation by cloud lookup.
  2. Looks for "My Documents\test" (to restrict it from being ACTUAL ransomware) and loops through every file in there.
  3. Runs "7z.exe a -tzip -pransom -sdel FOO.encrypted FOO" for each file you have. This puts it in a zip file with password "ransom" and instructs 7-Zip to delete the original file.

And all files got ENCRYPTED! (Emsisoft Anti-Malware 2020.2)

Conclusions:

This is a really, really trivial way of commandeering a known process to do your dirty work. It's not hard to trace the fact that 7z.exe was launched directly by an untrusted process, so I consider this to be a solvable vulnerability.

It wouldn't be impossible to distance the untrusted process further from 7z.exe. For example, scheduled tasks or startup items, or using a process to launch a process, etc. etc. etc. So consider this a dumb "5 minute" approach (that's literally how long it took me to write this) to replicate an in-the-wild ransomware strategy."

Only Kaspersky could block the attack.
Improve the behavior blocker.


Did your friend post a link to the malicious executable/script that did this? Or at least a link to VirusTotal scan results of the file?


I've forwarded your links to our malware analysts, assuming they haven't seen them already.

2 hours ago, GT500 said:

I've forwarded your links to our malware analysts, assuming they haven't seen them already.

Thank you

Let's see what their opinion is about this malware and the technique it uses.

On 2/15/2020 at 4:04 AM, Amir said:

Let's see what their opinion is about this malware and the technique it uses.

We don't think it's a good idea to add detection for this. The amount of false positives would be staggering, and the number of in-the-wild threats that use it is zero, so there's currently no justification for detecting it at all. We'd be forced to remove detection almost as soon as it was added.
