Windows 10: Attack uses malicious InPage document and outdated VLC media player

Discuss and support Attack uses malicious InPage document and outdated VLC media player in Windows 10 News to solve the problem; Our analysis of a targeted attack that used a language-specific word processor shows why it’s important to understand and protect against small-scale... Discussion in 'Windows 10 News' started by Brink, Nov 8, 2018.

  1. Brink Win User

    Attack uses malicious InPage document and outdated VLC media player


    Figure 7. HTTP GET Request embedded in the JPEG File

    The historical Whois record indicated that the C&C server was registered on March 20, 2018.

    Code:
    Domain Name: useraccount.co
    Registry Domain ID: D2169366F46A14BCD9EB42AF48BEA813C-NSR
    Registrar WHOIS Server:
    Registrar URL: whois.publicdomainregistry.com
    Updated Date: 2018-03-20T14:04:40Z
    Creation Date: 2018-03-20T14:04:40Z
    Registry Expiry Date: 2019-03-20T14:04:40Z
    Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
    Domain Status: addPeriod https://icann.org/epp#addPeriod

    Figure 8. Whois record for the attacker C&C server.

    The shellcode in the JPEG file uses multiple layers of polymorphic XOR routines to decrypt the final payload. After successfully decrypting the payload, it drops and executes the final DLL malware aflup64.dll in the folder %ProgramData%\Dell64.

    Figure 9. The first 29 Bytes of the JPEG file after the header make up the first decryption layer

    Figure 10. Valid JPEG file header followed by encrypted malicious code

    Stage 2: System reconnaissance and executing attacker commands

    The final stage malware maintains persistence using different methods. For example, the malicious function IntRun() can load and execute the malware DLL. It also uses the registry key CurrentVersion\Run to maintain persistence.

    The malware’s capabilities include:

    • System reconnaissance
      • List computer names, Windows version, Machine ID, running processes, and loaded modules
      • List system files and directories
      • List network configuration
    • Execute attacker commands
    • Evade certain sandboxes or antivirus products

    Collected information or responses to commands are sent back to the attacker domain via an HTTP POST request. The request has a custom header that always starts with 37 hardcoded alphanumeric characters.

    ---------------------n9mc4jh3ft7327hfg78kb41b861ft18bhfb91
    Content-Disposition: form-data; name="id";
    Content-Type: text/plain
    <Base64 Data Blob>

    Figure 11. Sample of malware POST request

    The malware also has a list of hardcoded file names of security products and sandbox solutions. If these files are present on a machine the malware attempts to infect, it exits:

    • avgnt.exe
    • avp.exe
    • egui.exe
    • Sbie.dll
    • VxKernelSvcNT.log

    Detecting targeted attacks with Office 365 ATP and Windows Defender ATP

    Historically, malware payloads like the stage 2 malware in this attack are used to steal credentials and other sensitive information, install more payloads, or move laterally in the network. However, because the malware opens a backdoor channel for remote attackers to execute arbitrary commands of their choice, there’s a wide range of possibilities.

    Enterprises can protect themselves from targeted attacks using Office 365 Advanced Threat Protection, which blocks threats based on the detection of malicious behaviors. Office 365 ATP helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging sandboxing and time-of-click protection. Recent enhancements in anti-phishing capabilities in Office 365 address impersonation, spoof, phishing content, and internal phishing emails sent from compromised accounts. If you are not already secured against advanced cyberthreat campaigns via email, begin a free Office 365 E5 trial today.

    In addition, enterprises can use Windows Defender Advanced Threat Protection, which provides a unified endpoint security platform for intelligent protection, detection, investigation, and response. Exploit protection, attack surface reduction rules, hardware-based isolation, controlled folder access, and network protection reduce the attack surface. Windows Defender Antivirus detects and blocks the malicious documents and files used in this campaign. Windows Defender ATP’s endpoint detection and response, automated investigation and remediation, and advanced hunting capabilities empower security operations personnel to detect and stop attacks in enterprise networks. To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free Windows Defender ATP trial.

    These two services integrate with the rest of Microsoft’s security technologies as part of the Microsoft Threat Protection, an integrated solution providing security for the modern workplace across identities, endpoints, user data, cloud apps, and infrastructure. Cybersecurity is the central challenge of our digital age, and Microsoft doesn’t stop innovating to provide industry-best integrated security. For more information, read the blog post Delivering security innovation that puts Microsoft’s experience to work for you.



    Ahmed Shosha and Abhijeet Hatekar
    Microsoft Threat Intelligence Center

    Source: Attack uses malicious InPage document and outdated VLC media player to give attackers backdoor access to targets - Microsoft Secure

    :)
     
    Brink, Nov 8, 2018
    #1
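
The stage-1 file described in the post above is a valid JPEG header followed by encrypted code rather than image data (Figures 9 and 10). The following is an added example, not code from the Microsoft article or the forum post: it walks a JPEG's marker chain in Python and reports the first offset where the structure breaks, which is the kind of check a mail gateway or sandbox can apply to image attachments. The sample inputs are constructed, and the 29 placeholder bytes stand in for the first decryption layer without being the real payload.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))  # markers without a length field

def check_jpeg(data: bytes) -> dict:
    """Walk the marker chain: 0xFF-prefixed segments up to SOS, then scan data up
    to EOI. The first offset where that structure breaks is where foreign bytes start."""
    if data[:2] != b"\xff\xd8":
        return {"verdict": "not_jpeg", "offset": 0}
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return {"verdict": "suspicious", "offset": pos, "reason": "non-marker bytes"}
        marker = data[pos + 1]
        if marker == 0xFF:                                   # fill byte, legal padding
            pos += 1
            continue
        if marker == EOI:
            trailing = len(data) - pos - 2
            return {"verdict": "suspicious" if trailing else "ok", "offset": pos + 2,
                    "reason": f"{trailing} bytes after EOI"}
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return {"verdict": "suspicious", "offset": pos, "reason": "bad segment length"}
        pos += 2 + seg_len
        if marker == SOS:                                    # skip entropy-coded data
            while (idx := data.find(b"\xff", pos)) != -1 and idx + 1 < len(data):
                if data[idx + 1] == 0x00 or 0xD0 <= data[idx + 1] <= 0xD7:
                    pos = idx + 2                            # stuffed FF / RSTn: still scan data
                    continue
                pos = idx
                break
            else:
                pos = len(data)
    return {"verdict": "truncated", "offset": pos, "reason": "no EOI marker found"}

# Constructed samples: a minimal marker chain, and a header stub followed by 29
# placeholder bytes standing in for the first decryption layer (not real shellcode).
_APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_SOS = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
GOOD_JPEG = b"\xff\xd8" + _APP0 + _SOS + b"\x12\x34\xff\x00\x56\xff\xd0\x78\xff\xd9"
HEADER_STUB = b"\xff\xd8" + _APP0 + b"\x41" * 29
```

The reported offset (20 for the constructed stub, right after the APP0 segment) is where a second-stage tool such as an entropy or XOR-key scan should begin.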

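Figure 11 in the post above shows the stage-2 beacon: a multipart POST whose boundary starts with the 37 hardcoded alphanumeric characters and which carries a base64 blob in a form part named "id". This added example (not Microsoft's or the forum poster's code) parses a raw HTTP request, extracts the boundary, inventories the parts and matches the boundary against that marker, the way a proxy or IDS post-processor might; the request bodies and the hostname are constructed.

```python
import base64
import binascii
import re

# The 37 alphanumeric characters quoted in Figure 11 of the article above.
KNOWN_MARKER = "n9mc4jh3ft7327hfg78kb41b861ft18bhfb91"
_BOUNDARY_RE = re.compile(r'boundary="?([^";\r\n]+)"?', re.IGNORECASE)
_NAME_RE = re.compile(rb'name="([^"]*)"')

def inspect_post(raw: bytes) -> dict:
    """Parse one raw HTTP request: report the multipart boundary, each form part
    and its decoded base64 length (None if not base64), and whether the boundary,
    minus its dash padding, starts with the known beacon marker."""
    head, _, body = raw.partition(b"\r\n\r\n")
    text = head.decode("latin-1")
    if not text.startswith("POST "):
        return {"match": False, "reason": "not a POST"}
    m = _BOUNDARY_RE.search(text)
    if not m:
        return {"match": False, "reason": "no multipart boundary"}
    boundary = m.group(1).strip()
    parts = {}
    for chunk in body.split(b"--" + boundary.encode("latin-1")):
        hdr, _, payload = chunk.partition(b"\r\n\r\n")
        name = _NAME_RE.search(hdr)
        if not name:
            continue                     # preamble or the closing "--" chunk
        try:
            decoded = len(base64.b64decode(payload.strip(), validate=True))
        except binascii.Error:
            decoded = None
        parts[name.group(1).decode("latin-1")] = decoded
    marker = boundary.lstrip("-")
    return {"boundary": boundary, "marker": marker, "parts": parts,
            "match": marker.startswith(KNOWN_MARKER)}

# Constructed requests (hostname and payload are made up): one shaped like the
# Figure 11 beacon, one ordinary browser upload with a WebKit-style boundary.
_BOUNDARY = b"-" * 19 + KNOWN_MARKER.encode()
SAMPLE_BEACON = (
    b"POST /upload HTTP/1.1\r\nHost: c2.example.invalid\r\n"
    + b"Content-Type: multipart/form-data; boundary=" + _BOUNDARY + b"\r\n\r\n"
    + b"--" + _BOUNDARY + b"\r\n"
    + b'Content-Disposition: form-data; name="id";\r\nContent-Type: text/plain\r\n\r\n'
    + base64.b64encode(b"HOSTNAME=WIN-TEST;OS=10.0") + b"\r\n"
    + b"--" + _BOUNDARY + b"--\r\n"
)
SAMPLE_BENIGN = SAMPLE_BEACON.replace(_BOUNDARY, b"----WebKitFormBoundary7MA4YWxk")
```
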
  2. VLC Media Player

    Hi,

    My name is Angel. I am an Independent Advisor. Thank you for posting in Microsoft Community.

    To safely uninstall VLC Media Player from Windows 10, follow these steps:

    • Click on the Start button, and then select “Settings”

    • Click on “System”

    • Select “Apps & Features” in the left-hand sidebar

    • Scroll down to locate VLC Media Player

    • Click “Uninstall” and then confirm the uninstallation in the pop-up window by clicking “Uninstall”

    Search for the components of VLC Media Player

    • Click Start and then enter Regedit in the search box; Windows 10 users can type Regedit in the search bar and then open the Registry Editor

    • Hold down the Ctrl + F keys to launch the Find box. Put in VLC Media Player

    • Choose the registry entries related to VLC Media Player and then delete them all.

    • Note that these steps can trigger problems, so to prevent problems from occurring, you’d better back up the registry so that you can restore it if problems occur.

    Step 4: Show hidden files and remove the leftovers

    • Click Start > Control Panel > Folder Options, and choose the View tab.

    • Check the “Show hidden files and folders” in the Advanced Settings and then select “OK”.

    Search for the leftovers of VLC Media Player in the Search Bar by entering VLC Media Player, and then delete the leftovers.

    Source:

    https://www.totaluninstaller.com/program-uninst...

    Hope the information provided is useful. If the issue persists, reply here and we will be glad to help you.

    Angel.

    Disclaimer: There are links to non-Microsoft websites. The pages appear to be providing accurate, safe information. Watch out for ads on the sites that may advertise products frequently classified as a PUP (Potentially Unwanted Products). Thoroughly research any product advertised on the sites before you decide to download and install it.
     
    AngelCarreno, Nov 8, 2018
    #2
  3. essenbe Win User
    VLC Media Player Question?


    @irminator Windows Media Player does work on Windows 10. Install or Uninstall Windows Media Player in Windows 10 Apps Features Tutorials
     
    essenbe, Nov 8, 2018
    #3
  4. irminator Win User
    VLC Media Player Question?


    I am looking for the object code for Windows using VLC media player on my website. ~just for audio ~ VLC was suggested by Microsoft. I found a code that was really long and wrong ~ lots of redundancy.. it was poorly written. I know there is a shorter, better version out there. I now have the object code for Windows Media Player ~ that is now defunct ~ does not work on Windows 10~. So far, I have had minimal support and the wrong 800 number from Microsoft for VLC. No 800 number on the VLC website. No online chat. They did provide an email address. If Microsoft is not supporting Windows 10 with an updated media player ~ it is really unfortunate. They have simply dropped the ball. Any help out there?
     
    irminator, Nov 8, 2018
    #4