Jump to content

Emsisoft BehaviorBlocker can be bypassed this way!


Recommended Posts


This is done by my friend on Malwaretips


''one weakness I've found in Behavior Blockers is that the most common way to escape the behavior blocker is by using a trusted (but not super well known) process to do your dirty work.

If you use something too popular like Powershell or cmd.exe, behavior blockers are smart, especially thanks to AMSI. However, if you use something just mildly popular like a Node.JS runtime, a copy of Cygwin/MinGW, or in this case, 7-Zip, it seems to be blanket whitelisted by behavior blockers.

This piece of fake "malware", which I'm calling TrojanZipperPOC, does this:

  1. Find a copy of 7-zip. It prefers "C:\Program Files\7-Zip\7z.exe", as long as you have installed a native copy of 7-zip (e.g. 64-bit on 64-bit Windows). Otherwise it uses a 7z.exe in your current folder, which I've bundled as simply a copy of my 7-zip folder on my development machine. Both copies of 7-zip are official shipping versions which means they're both signed as well as considered high-reputation by cloud lookup.
  2. Looks for "My Documents\test" (to restrict it from being ACTUAL ransomware), loops through every file in there.
  3. Runs "7z.exe a -tzip -pransom -sdel FOO.encrypted FOO" for each file you have. This puts it in a zip file with password "ransom" and instructs 7zip to delete the original file.

And all files got ENCRYPTED! (Emsisoft Anti-Malware 2020.2)


This is a really really trivial way of commandeering a known process to do your dirty work. It's not hard to trace the fact that 7z.exe was launched directly by an untrusted process, so I consider this to be a solvable vulnerability.

It wouldn't be impossible to distance the untrusted process further from 7z.exe. For example, scheduled tasks or startup items, or using a process to launch a process, etc etc etc. So consider this a dumb "5 minute" approach (that's literally how long it took for me to write this) to replicate a in-the-wild ransomware strategy.''
Only kaspersky could block the attack
Improve the behavior blocker.
Link to comment
Share on other sites

On 2/15/2020 at 4:04 AM, Amir said:

Let's see what's their opinion about this malware and the technique it uses

We don't think it's a good idea to add detection for this. The amount of false positives would be staggering, and the number of in-the-wild threats that use it are zero, so there's currently no justification for detecting it at all. We'd be forced to remove detection almost as soon as it was added.

  • Like 1
Link to comment
Share on other sites

This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...