Fabian Bader · @fabian_bader
839 followers · 293 posts · Server infosec.exchange

@GossiTheDog
Any custom detections you can share atm? Or will your detection already cover this?

#defenderexplode

Last updated 2 years ago

Kevin Beaumont · @GossiTheDog
23037 followers · 864 posts · Server cyberplace.social

Saw a (large file size to evade MS Defender) used to deliver trojan - Defender for Endpoint miss.

At first it looked like a really lame malware, but it's interesting - it uses a legit copy of PHP and the malware is all written in PHP. Your AV doesn't trigger on legit php.exe

Here's a prior write up:
zscaler.com/blogs/security-res

#defenderexplode #ducktail

Last updated 2 years ago

Kevin Beaumont · @GossiTheDog
16363 followers · 1251 posts · Server cyberplace.social

A bit of - MSTIC are tracking DEV-0408 using and (well, they should be, they might not realise it but they’re tracking the same actors).

#threatintel #zippyreads #defenderexplode

Last updated 2 years ago

Kevin Beaumont · @GossiTheDog
22688 followers · 662 posts · Server cyberplace.social

There are no strings on me dot GIF

#defenderexplode

Last updated 2 years ago

Kevin Beaumont · @GossiTheDog
22668 followers · 656 posts · Server cyberplace.social

@buffaloverflow Rich strikes again :O and PoC, if anybody wants to have a play.

- Adds the read only flag on file in ZIP to bypass MOTW without November OS patches.
- Inflates file size on unzip, to evade logging in telemetry/detection.

gist.github.com/rxwx/8299693ac

#defenderexplode #zippyreads

Last updated 2 years ago

Kevin Beaumont · @GossiTheDog
22548 followers · 620 posts · Server cyberplace.social

@dasgrog Defender for Endpoint should pick things up in EDR (that said.. I haven't tested with this one - and we've had complete Defender for Endpoint misses on before, where not a single alert triggered).

#defenderexplode

Last updated 2 years ago

Kevin Beaumont · @GossiTheDog
22547 followers · 616 posts · Server cyberplace.social

UK energy supply trojan

Energy themed trojan using MOTW bypass and Defender AV telemetry bypass

Riffing off UK energy supply issues

IoCs
C2 docusign-octopus-energy.com
Filename OctopusEnergyS.pdf..lnk
Hash 7ff60dd9d6b5de8f5235d4d3975d8fcfbc96ceaec9aafb9ab9bd40f192490ff9
Size 300mb

Filename %AppData%\Local\Temp\.hta

Writes self using certutil decode.

Trojan DLL, 323mb:

\AppData\Local\Temp\x.dll

#threatintel #octopus #zippyreads #defenderexplode

Last updated 2 years ago

Kevin Beaumont · @GossiTheDog
22479 followers · 598 posts · Server cyberplace.social

Regarding - making a small ZIP file that explodes in size to >100mb and breaks Defender AV detection/telemetry - does anybody know what attackers are using to build? I see them using large .lnk files for infostealers still, been going on for months.

Either that or could somebody build a PoC that does the same thing? I'm wondering if they're using something like ZipBomb (bamsoftware.com/hacks/zipbomb/)

cc @buffaloverflow

#defenderexplode

Last updated 2 years ago
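A defender-side triage check for the two ZIP tricks described in the PoC post above and in this one (a read-only attribute set on the inner file, and an entry that inflates far beyond its compressed size), written as an added example that is not from any of the posts or from the linked gist. The sample archive, entry names and thresholds are constructed here for illustration only.

```python
import io
import zipfile

# MS-DOS attribute bit kept in the low byte of ZipInfo.external_attr
DOS_READONLY = 0x01

# Thresholds are assumptions chosen for this example, not published guidance.
INFLATED_BYTES = 100 * 1024 * 1024   # the posts mention payloads of >100 MB
MAX_RATIO = 200.0                    # uncompressed/compressed ratio treated as suspicious


def scan_zip(data: bytes, inflated_bytes=INFLATED_BYTES, max_ratio=MAX_RATIO):
    """Return [(entry name, [reasons])] for suspicious entries of an in-memory ZIP.

    Only the central directory is read, so the entries are never inflated.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if info.external_attr & 0xFF & DOS_READONLY:
                reasons.append("readonly-attr")          # MOTW-related trick
            if info.file_size >= inflated_bytes:
                reasons.append("oversized")              # telemetry-evasion trick
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio >= max_ratio:
                reasons.append(f"ratio={ratio:.0f}")     # small ZIP, large file
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample() -> bytes:
    """Constructed fixture: one benign entry and one read-only, highly compressible entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "hello")
        ro = zipfile.ZipInfo("Invoice.pdf.lnk")        # hypothetical entry name
        ro.compress_type = zipfile.ZIP_DEFLATED
        ro.external_attr = DOS_READONLY                 # set only the read-only bit
        zf.writestr(ro, b"\0" * (1024 * 1024))         # 1 MiB of zeros, deflates to ~1 KiB
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample()):
        print(name, reasons)
```

Lowering `inflated_bytes` in the call lets the same scanner flag smaller samples when hunting in a lab; the ratio check catches inflated entries regardless of the absolute size threshold.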

Kevin Beaumont · @GossiTheDog
21230 followers · 318 posts · Server cyberplace.social

As found by @buffaloverflow, and have been used in the wild since early October. Might write a blog on the Defender issue later as this stuff is just sailing through MS suite still. infosec.exchange/@buffaloverfl

#zippyreads #defenderexplode

Last updated 2 years ago

Kevin Beaumont · @GossiTheDog
19494 followers · 253 posts · Server cyberplace.social

Here’s what looks like in MS Defender telemetry, they’re missing file hashes and detection.

#defenderexplode

Last updated 2 years ago

Kevin Beaumont · @GossiTheDog
19493 followers · 251 posts · Server cyberplace.social

If you run this one in Defender for Endpoint, AV misses and EDR logs it with zero file hash value (including in their own telemetry) - that one is , I have told MS about it, it's being used by infostealer groups.

#defenderexplode

Last updated 2 years ago

Kevin Beaumont · @GossiTheDog
14604 followers · 156 posts · Server cyberplace.social

Great sample caught by @k3dg3

Exploits (read only file for bypass of Mark-of-the-Web) and , a large file zero day in Microsoft Defender AV which breaks their telemetry and detection.

Targets Italy. Calls michaelpagerecruitment-ukoffers.]com

virustotal.com/gui/file/13846a

#malware #threatintel #zippyreads #defenderexplode

Last updated 2 years ago