
Malware Authors Seem Intent on Weaponizing Windows SettingContent-ms Files


steven36


Malware authors are frantically trying to weaponize a new infection vector that was revealed at the start of June.


The trick relies on using Windows Settings (.SettingContent-ms) shortcut files in order to achieve code execution on Windows 10 PCs.

Ever since SpecterOps security researcher Matt Nelson published his research on the matter three weeks ago, malware authors have been playing around with proof-of-concept code in attempts to craft an exploit that can deploy weaponized malware on a victim's system.

More SettingContent-ms exploits detected each day

With each passing day, more and more exploits are being uploaded on VirusTotal. FireEye security researcher Nick Carr has been avidly tracking these uploads for the past two weeks and has been documenting new findings in Twitter threads like this, this, this, this, or this.

But while previous uploads have been mostly inept tests [1, 2], in recent days, crooks have also put together the first exploit chain that uses a SettingContent-ms file to actually download and install an actual malware sample.

For example, according to Carr, this SettingContent-ms file will download and run an EXE file that contains the Remcos remote access trojan (RAT).

While you could attribute some of these VirusTotal uploads to security researchers playing around with Nelson's PoC, the discovery of a weaponized exploit suggests some malware distributors are serious about their tests and telling about their intentions.

 

Jérôme Segura, a Malwarebytes security researcher who also penned a blog post about the weaponized SettingContent-ms exploit that Carr discovered, told Bleeping Computer he also expects this to be integrated into live distribution campaigns.

 

"Its name 'quotation' is very much like a lure we see in malspam," Segura said referring to the VT upload's name of "Quotation_Request_Sheet.SettingContent-ms."

Is it OK to publish offensive hacking techniques?

But the rise in weaponized SettingContent-ms exploits uploaded on VirusTotal has also sparked discussions in the infosec community about the practice of blogging about offensive hacking tricks, like the Nelson article about the SettingContent-ms technique.

 

You can follow the discussion via this Twitter thread, and see opinions that support keeping such techniques secret, while others argue that "security through obscurity" only helps attackers.

One of the most interesting replies in this conversation came from Justin Warner, technical director at cyber-security firm ICEBRG.

 

"A really interesting side effect of releasing the tradecraft is funneling actors to predictable behaviors, that are generally documented and easily studied after release," Warner said. "[A public offensive hacking technique] lures threats to predictable detection points."

Source
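The article describes the technique only at the level of "a settings shortcut file achieves code execution". A SettingContent-ms file is XML, and the launch target lives in its DeepLink element; a legitimate shortcut points that element at a settings host, while a weaponized one points it at something else. The following triage script is an added example written for this post (not code from the article, from Nelson, Carr or Segura): it parses a file, extracts DeepLink, and flags anything that does not launch the expected host. The allowlist, the LOLBin hints and both sample documents are assumptions constructed for the example; the suspicious sample carries a placeholder command, not a real payload.

```python
"""Heuristic triage of .SettingContent-ms files (added example, not from the article)."""
import re
import xml.etree.ElementTree as ET

# Assumption: a genuine settings shortcut launches one of these hosts or an ms-settings: URI.
EXPECTED_TARGETS = {"control.exe", "systemsettings.exe"}
# Assumption: strings that should never appear in a settings shortcut's launch target.
LOLBIN_HINTS = ("cmd.exe", "powershell", "mshta", "rundll32", "certutil", "bitsadmin", "http://", "https://")

def deep_links(xml_text):
    """Return the text of every DeepLink element, namespaced or not."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter()
            if el.tag.split("}")[-1] == "DeepLink" and el.text and el.text.strip()]

def triage(xml_text):
    """Classify a SettingContent-ms document as benign, suspicious or malformed."""
    try:
        links = deep_links(xml_text)
    except ET.ParseError as err:
        return ("malformed", str(err))
    if not links:
        return ("suspicious", "no DeepLink element")
    for link in links:
        low = link.lower()
        if low.startswith("ms-settings:"):
            continue
        # First whitespace-separated token is the program; keep only its file name.
        exe = re.split(r"[\\/]", low.split()[0].strip('"'))[-1]
        if exe not in EXPECTED_TARGETS:
            return ("suspicious", f"DeepLink launches {exe!r}")
        if any(hint in low for hint in LOLBIN_HINTS):
            return ("suspicious", f"DeepLink contains a LOLBin or URL: {link!r}")
    return ("benign", "DeepLink points at a settings host")

# Constructed sample: the shape of a legitimate Windows settings shortcut.
BENIGN_SAMPLE = r"""<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\control.exe</DeepLink>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""

# Constructed sample: same structure, DeepLink repointed at a shell (placeholder command).
SUSPICIOUS_SAMPLE = BENIGN_SAMPLE.replace(
    r"%windir%\system32\control.exe", r"C:\Windows\System32\cmd.exe /c PLACEHOLDER_COMMAND")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, "->", triage(doc))
```

Pointing the script at the shortcuts under the Windows settings folder gives a baseline of legitimate DeepLink values to refine the allowlist before using it on mail attachments.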

straycat19

Not a threat, none of the available malware samples will run on any of my systems and I have no AV software installed or active. Just good old Windows security settings.



3 hours ago, straycat19 said:

Not a threat, none of the available malware samples will run on any of my systems and I have no AV software installed or active. Just good old Windows security settings.

Are you blacklisting or are you whitelisting? If you're blacklisting, you're going about it the wrong way. People like you who kept talking about blacklisting AppData, specifically %AppData%\*.exe and %AppData%\*\*.exe, with the ransomware and now CryptoLocker infections, ruined it for everyone. Malware writers are starting to use other locations and/or subfolders in subfolders. Blacklisting AppData leaves you wide open for new threats and is hard to maintain. Software devs started writing anti-ransomware programs that locked down AppData for noobs, so malware writers caught on.

Everything you say tips them off to change things around. Your AppData settings are not going to help you out in all cases anymore, but once your CPU goes up real high you will learn the hard way. Sometimes when it comes to things it's better to not say anything at all. I know because I used to help people activate software; after I leaked some workaround out to the public it was just a matter of time till the dev got wind of it and changed things around, and malware writers are the same way, they be watching you, because money is at stake either way. People stopped writing viruses for fun back in the early 2000s; it's a business to them. The safest way now is to only whitelist your trusted programs in group policy, and if they exploit one of them you're still up shit creek if you have no realtime anti-malware with the signature. They came up with a simple bypass to CryptoLocker GPO blocking in like 2015; also there's another one called AppLocker Bypass via Registry Key Manipulation. :P

 



On 7/3/2018 at 5:56 PM, steven36 said:

The trick relies on using Windows Settings (.SettingContent-ms) shortcut files in order to achieve code execution on Windows 10 PCs.

 

Windows 10, can you be even worse??? Every day I get more surprised, jaja
