2) VTI: Detect usage of path exclusions to Windows Defender
Category: Defense Evasion
First, let’s explain what an exclusion path is in antivirus software, specifically in Windows Defender. Exclusion paths are directories or files that are left out of the scanning or analysis process. Security software and malware analysis tools often allow users to specify such paths to avoid false positives, reduce scanning time, or prevent interference with critical system files.
Based on our research conducted at the end of 2023, we added a new VTI designed to identify suspicious activity involving the modification of exclusion paths in Windows Defender. This improvement aims to counter a common tactic used by malware, which abuses the exclusion feature of Windows Defender by adding its own location to the exclusion list. By doing so, the malware attempts to evade detection and removal by the antivirus software.
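The behaviour this VTI looks for can be expressed as a small rule over sandbox telemetry. The following Python is an added example (not VMRay’s VTI implementation) that classifies constructed Sysmon-style registry value-set events and PowerShell command lines. It assumes the documented Defender layout, where each excluded item is a value name under `HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\{Paths,Processes,Extensions}`, and the `Add-MpPreference -ExclusionPath` cmdlet; the event field names (`Image`, `TargetObject`, `CommandLine`) and all sample events are constructed. It goes a step beyond the text by rating self-exclusion (the writing process excludes the directory holding its own image) and drive-root exclusions higher than an ordinary exclusion.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Defender stores each excluded path/process/extension as a value *name*
# under the matching subkey (data is DWORD 0), so a value-set event for a new
# exclusion ends with the excluded item itself.
EXCLUSION_RE = re.compile(
    r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(.+)$", re.IGNORECASE)
# Same setting reached through PowerShell (command-line event shape is constructed).
MPPREF_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"\s,]+)", re.IGNORECASE)
# Exclusions this broad shelter almost anything a user or dropper can write.
BROAD_EXCLUSIONS = {"c:\\", "c:\\users", "c:\\programdata", "c:\\windows", "c:\\windows\\temp"}


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    reason: str
    image: str      # process that made the change
    excluded: str   # the exclusion item that was added


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path; a drive root stays as 'c:\\'."""
    p = ntpath.normpath(path.strip().strip('"')).lower()
    return p if len(p) <= 3 else p.rstrip("\\")


def _covers(excluded: str, target: str) -> bool:
    """True when `target` is the excluded path itself or lies beneath it."""
    e, t = _norm(excluded), _norm(target)
    return t == e or t.startswith(e.rstrip("\\") + "\\")


def classify_exclusion(kind: str, item: str, image: str) -> Finding:
    """Rate one new exclusion against the process that created it."""
    kind = kind.lower()
    if kind in ("path", "paths"):
        if _covers(item, image):
            return Finding("high", "process excluded the directory holding its own image (self-exclusion)", image, item)
        if _norm(item) in BROAD_EXCLUSIONS:
            return Finding("high", "very broad location excluded from scanning", image, item)
        return Finding("medium", "path exclusion added", image, item)
    if kind in ("process", "processes"):
        # Process exclusions match by full path or by image name alone.
        same = _norm(item) == _norm(image) or \
            ntpath.basename(_norm(item)) == ntpath.basename(_norm(image))
        return Finding("high" if same else "medium",
                       "process excluded itself" if same else "process exclusion added", image, item)
    return Finding("medium", "extension exclusion added (." + item.lstrip(".") + ")", image, item)


def analyze_event(event: dict) -> Optional[Finding]:
    """Classify one constructed event: a registry value set (Image, TargetObject)
    or a process start with a command line (Image, CommandLine)."""
    image = event.get("Image", "")
    m = EXCLUSION_RE.search(event.get("TargetObject", ""))
    if m:
        return classify_exclusion(m.group(1), m.group(2), image)
    m = MPPREF_RE.search(event.get("CommandLine", ""))
    if m:
        return classify_exclusion(m.group(1), m.group(2), image)
    return None


def scan(events: List[dict]) -> List[Finding]:
    return [f for f in (analyze_event(e) for e in events) if f]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Bob\AppData\Local\Temp\updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Bob\AppData\Local\Temp",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c \"Add-MpPreference -ExclusionPath 'C:\\'\""},
    {"Image": r"C:\Program Files\BackupAgent\agent.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\Backups",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Windows\System32\svchost.exe",   # unrelated registry write
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.reason}: {f.image} -> {f.excluded}")
```

The first sample event is the self-exclusion pattern the text describes and is rated high; the drive-root exclusion via PowerShell is rated high as well, while the backup agent excluding a data directory stays at medium, which is the distinction a triage analyst wants to see.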
3) VTI: Extend VTI for disabling Windows Defender
Category: Defense Evasion
Additionally, we extended our existing VTI to detect behavior that disables Windows Defender through a registry key. By disabling antivirus protection, malware can operate on a system without being detected by the security software, executing its functions without triggering alarms or alerts.
5) VTI: Detect bypassing User Account Control
Category: Defense Evasion
User Account Control (UAC) is a Windows security feature that aims to protect the operating system from unauthorized changes. It protects the system from malware and unintentional changes by requiring user confirmation or administrator credentials for certain actions that could affect system settings. Sophisticated malware may attempt to disable or manipulate security controls, including UAC settings, to operate without detection or interference. To stay ahead of this bypass method, we added a new VTI that triggers when the UAC prompt is disabled.
6) VTI: Detect entire webpage loaded via iFrame
Category: Heuristics
An iFrame, short for “inline frame,” is an HTML element used to embed another document or webpage within the current HTML document. It facilitates the display of content from external sources, such as different webpages or media files, directly within the current page. The content within the iFrame is essentially a separate HTML document loaded and displayed within the enclosing document.
In many cases, phishing pages are delivered as plain HTML files containing only an iFrame that loads the actual phishing page, with no other content. Alternatively, a webpage on a new domain that is not yet blacklisted may be used to load the phishing page via the iFrame.
This new VTI enhances our capability to track and trigger alerts upon detecting pages structured this way for increased evasion.
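The “shell page” pattern described above can be recognised statically. The following Python is an added example (not VMRay’s VTI) that parses a page with the standard-library `html.parser`, decides whether it consists of nothing but one iframe, and records whether that frame points at another origin and is sized to cover the viewport. The two sample pages and the `.example` hostnames are constructed.

```python
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Elements that show nothing by themselves; a page made only of these plus
# one iframe has no content of its own to display.
_CHROME_TAGS = {"html", "head", "body", "title", "meta", "link", "style",
                "script", "noscript", "base", "br"}
# Text inside these elements is not rendered as page content.
_HIDDEN_TEXT_TAGS = {"script", "style", "title", "noscript"}


class _FrameShellParser(HTMLParser):
    """Collects iframes and counts everything else a user would see."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.visible_elements = 0
        self.visible_text = 0
        self._hidden_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in _HIDDEN_TEXT_TAGS:
            self._hidden_depth += 1
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag not in _CHROME_TAGS:
            self.visible_elements += 1

    def handle_endtag(self, tag):
        if tag in _HIDDEN_TEXT_TAGS and self._hidden_depth:
            self._hidden_depth -= 1

    def handle_data(self, data):
        if not self._hidden_depth and data.strip():
            self.visible_text += len(data.strip())


def _fills_viewport(attrs: dict) -> bool:
    """Heuristic: the frame is sized or positioned to cover the whole page."""
    style = attrs.get("style", "").replace(" ", "").lower()
    w = attrs.get("width", "").strip().rstrip("%")
    h = attrs.get("height", "").strip().rstrip("%")
    return ((w == "100" and h == "100")
            or ("width:100%" in style and "height:100%" in style)
            or "position:fixed" in style
            or ("100vw" in style and "100vh" in style))


def analyze_page(html: str, page_url: str) -> Optional[dict]:
    """Return a finding when the page is only a shell around one iframe, else None."""
    p = _FrameShellParser()
    p.feed(html)
    p.close()
    if len(p.iframes) != 1 or p.visible_elements or p.visible_text:
        return None
    frame = p.iframes[0]
    src = frame.get("src", "")
    src_host = (urlparse(src).hostname or "").lower()
    page_host = (urlparse(page_url).hostname or "").lower()
    style = frame.get("style", "").replace(" ", "").lower()
    return {
        "verdict": "iframe_shell_page",
        "src": src,
        # framed document comes from a different host than the page itself
        "cross_origin": bool(src_host) and src_host != page_host,
        "fills_viewport": _fills_viewport(frame),
        "border_hidden": frame.get("frameborder", "") == "0"
                         or "border:0" in style or "border:none" in style,
    }


# Constructed samples: a shell page that only frames a remote form, and a
# normal article that merely embeds a video.
SHELL_PAGE = """<!DOCTYPE html><html><head><meta charset="utf-8"><title>Sign in</title>
<style>body{margin:0}</style></head><body>
<iframe src="https://login-verify.example/session/"
        style="position:fixed;top:0;left:0;width:100%;height:100%" frameborder="0"></iframe>
</body></html>"""

NORMAL_PAGE = """<html><body><h1>Weekly report</h1><p>Embedded video below.</p>
<iframe src="https://video.example/embed/42" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(analyze_page(SHELL_PAGE, "https://fresh-domain.example/index.html"))
    print(analyze_page(NORMAL_PAGE, "https://news.example/"))
```

A shell page is reported even when the frame is same-origin; the `cross_origin` and `fills_viewport` fields let a scoring layer raise the severity for the evasive variant (new domain framing the real phishing host) without treating every legitimate embed as suspicious.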
8) VTI: Detect attempts to enable SSH access
Category: System Modification
Mitre Mapping: T1219
This VTI is closely related to the behavior of Bundlore adware, a type of adware known to affect macOS systems. The adware infiltrates the user’s computer through deceptive installation methods, such as bundling itself with other software or disguising itself as a legitimate application. Once installed, Bundlore displays intrusive advertisements, redirects web traffic, and may gather user data for targeted advertising purposes.
Bundlore can be challenging to remove completely because it often installs additional components or modifies system settings to evade detection and removal by antivirus software. Users are advised to be cautious when downloading and installing software from untrusted sources to avoid installing Bundlore or other adware.
Some variants of Bundlore adware also try to gain remote access to victims’ devices by enabling SSH. To counter this adware’s malicious activities, we’ve added a new VTI to detect such system modifications. This addition expands our coverage of MITRE ATT&CK® techniques, in this case T1219, further described at https://attack.mitre.org/techniques/T1219/.
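On macOS, Remote Login (sshd) is switched on from a shell with `systemsetup -setremotelogin on` or by loading or enabling the `ssh.plist` / `com.openssh.sshd` launch daemon. The following Python is an added example (not VMRay’s VTI) that flags those command lines in constructed process-start events; it also unwraps `sudo` and `sh -c "..."` so that a command hidden one level down is still judged. The `Pid`/`Image`/`CommandLine` field names and the sample processes are constructed.

```python
import shlex
from typing import List, Optional, Tuple

# Documented switches for Remote Login on macOS, lower-cased for matching.
_SSH_PLIST = "/system/library/launchdaemons/ssh.plist"
_SSH_SERVICE = "com.openssh.sshd"


def _split(cmdline: str) -> List[str]:
    """Tokenise like a shell; fall back to whitespace on unbalanced quotes."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def _unwrap(tokens: List[str]) -> List[str]:
    """Peel `sudo [opts]` and `sh -c "<cmd>"` wrappers so the inner command is judged."""
    while tokens:
        prog = tokens[0].rsplit("/", 1)[-1]
        if prog == "sudo":
            tokens = tokens[1:]
            while tokens and tokens[0].startswith("-"):   # sudo's own options
                tokens = tokens[2:] if tokens[0] == "-u" else tokens[1:]
            continue
        if prog in ("sh", "bash", "zsh") and len(tokens) >= 3 and tokens[1] == "-c":
            tokens = _split(tokens[2])
            continue
        break
    return tokens


def detect_ssh_enable(cmdline: str) -> Optional[str]:
    """Return a reason string if the command line enables SSH, else None."""
    t = _unwrap(_split(cmdline))
    if not t:
        return None
    prog = t[0].rsplit("/", 1)[-1].lower()
    args = [x.lower() for x in t[1:]]
    if prog == "systemsetup" and "-setremotelogin" in args:
        i = args.index("-setremotelogin")
        if i + 1 < len(args) and args[i + 1] == "on":
            return "Remote Login enabled via systemsetup"
    if prog == "launchctl" and args:
        if args[0] == "load" and any(x.endswith(_SSH_PLIST) for x in args):
            return "sshd launch daemon loaded via launchctl"
        if args[0] == "enable" and any(x.endswith(_SSH_SERVICE) for x in args):
            return "sshd service enabled via launchctl"
    return None


def scan(process_events: List[dict]) -> List[Tuple[int, str]]:
    """(pid, reason) for every constructed process event that enables SSH."""
    hits = []
    for ev in process_events:
        reason = detect_ssh_enable(ev["CommandLine"])
        if reason:
            hits.append((ev["Pid"], reason))
    return hits


# Constructed sample process events (not real telemetry).
SAMPLE_PROCESSES = [
    {"Pid": 4101, "Image": "/bin/sh",
     "CommandLine": 'sh -c "sudo systemsetup -setremotelogin on"'},
    {"Pid": 4102, "Image": "/bin/launchctl",
     "CommandLine": "launchctl load -w /System/Library/LaunchDaemons/ssh.plist"},
    {"Pid": 4103, "Image": "/usr/sbin/systemsetup",      # benign: turning it off
     "CommandLine": "systemsetup -setremotelogin off"},
    {"Pid": 4104, "Image": "/bin/launchctl",
     "CommandLine": "launchctl list"},
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_PROCESSES):
        print(f"pid {pid}: {reason}")
```

Matching on the parsed argument vector rather than on a substring of the raw command line is what keeps `-setremotelogin off` from firing and still catches the `sudo`/`sh -c` wrapped form.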
9) VTI: Detect attempts to enable WDigest support in the registry
Category: Data Collection
Mitre Mapping: T1112, T1003.001
WDigest is a security support provider (SSP) in Windows used to implement Digest Authentication, a protocol for authenticating users in network communications, particularly in web applications. In the Windows registry, WDigest support can be enabled or disabled through various settings. This matters for security, as WDigest authentication is vulnerable to certain types of attacks, including those conducted by TrickBot malware.
In Malwarebytes’ words, “TrickBot (or “TrickLoader”) is a recognized banking Trojan that targets both businesses and consumers for their data, such as banking information, account credentials, personally identifiable information (PII), and even bitcoins. As a highly modular malware, it can adapt to any environment or network it finds itself in.”
In a recent malware campaign orchestrated by TrickBot, the attackers exploited enabled WDigest support in the Windows registry to infiltrate users’ systems. Afterwards, they activated a screenlocker module, prompting users to log out and log back in. This action re-enabled WDigest support, leading to the caching of user credentials in Local Security Authority (LSA) memory. Exploiting this weakness, the attackers could then scan the cache and retrieve the compromised login details.
To keep this dangerous technique in check, we’ve added this new VTI, which triggers on samples where the WDigest protocol’s registry values are modified.
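Sections 3, 5 and 9 above all describe the same detection shape: a specific registry value is set to a specific dangerous number. The following Python is an added example (not VMRay’s VTI) of a rule table over constructed Sysmon-style value-set events, covering the Defender policy keys, the UAC policy values and the WDigest `UseLogonCredential` value. Registry locations are the documented Windows ones; the MITRE IDs are T1112 and T1003.001 from the page plus T1562.001 (disable or modify security tools) and T1548.002 (UAC bypass); the `Image`/`TargetObject`/`Details` field names and all sample events are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    category: str
    techniques: str
    description: str
    image: str
    value_path: str


# (value path, predicate on the DWORD written, category, MITRE techniques, description)
_RULES = [
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     lambda v: v == 1, "Defense Evasion", "T1112, T1562.001",
     "Windows Defender disabled through policy key"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     lambda v: v == 1, "Defense Evasion", "T1112, T1562.001",
     "Defender real-time monitoring disabled"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     lambda v: v == 0, "Defense Evasion", "T1112, T1548.002",
     "UAC switched off (EnableLUA=0)"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     lambda v: v == 0, "Defense Evasion", "T1112, T1548.002",
     "UAC elevation prompt disabled for administrators"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     lambda v: v == 1, "Data Collection", "T1112, T1003.001",
     "WDigest plaintext credential caching in LSASS enabled"),
]
_RULE_INDEX = {path.lower(): rest for path, *rest in _RULES}

_HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
_DWORD_RE = re.compile(r"DWORD\s*\((0x[0-9a-f]+)\)", re.IGNORECASE)


def _norm_path(path: str) -> str:
    """Lower-case and use short hive names so both spellings hit the same rule."""
    p = path.strip().lower()
    hive, sep, rest = p.partition("\\")
    return _HIVE_ALIASES.get(hive, hive) + sep + rest


def parse_dword(details: str) -> Optional[int]:
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return it as an int."""
    m = _DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None


def analyze_registry_event(event: dict) -> Optional[Finding]:
    """Match one constructed value-set event against the rule table."""
    rule = _RULE_INDEX.get(_norm_path(event.get("TargetObject", "")))
    if rule is None:
        return None
    predicate, category, techniques, description = rule
    value = parse_dword(event.get("Details", ""))
    if value is None or not predicate(value):
        return None   # same value written with a harmless number, e.g. re-enabling UAC
    return Finding(category, techniques, description,
                   event.get("Image", ""), event["TargetObject"])


def scan(events: List[dict]) -> List[Finding]:
    return [f for f in map(analyze_registry_event, events) if f]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Bob\AppData\Roaming\svchost32.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\System32\gpupdate.exe",   # benign: UAC turned back on
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.category}] {f.techniques}: {f.description} by {f.image}")
```

Keying the rules on the written value, not just on the key name, is what separates a sample that turns WDigest caching on from a hardening script that turns it off; both touch the same registry value.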
Smart Link Detonation Updates