Windows 10: Malware with faked timestamps on the rise to bypass Windows protections

GHacks · Jul 17, 2023

Microsoft banned more 100 signed malicious Windows drivers just last week after it was informed that malicious actors had joined the company's Windows Hardware Developer Program to create signed drivers with malware.

Security researchers at Cisco Talos Intelligence have now pointed out another threat related to drivers on Windows.

Microsoft implemented additional security in several versions of its Windows operating system to prevent the loading of malicious or problematic drivers on Windows devices. Windows Vista required kernel-mode drivers to be signed digitally with a certificate from a verified certificate authority.

Kernel-mode drivers are loaded at an early stage, which gives them a lot of control over the system in question. The signature enforcement was a major gamechanger for Windows security.

Windows 10 version 1607 introduced an updated driver signing policy. The main change required that developers had to submit kernel-mode drivers to get them signed by Microsoft's Developer Portal. This change was designed to limit malicious actors further and to make sure that drivers met requirements and security standards.

Microsoft created three exceptions to the new policy, including that the new policy does not apply to a PC that was upgraded from an earlier version of Windows to Windows 10 version 1607, and that it does not apply on PCs with Secure Boot set to off.

The third exception allows drivers to be signed with "end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed CA"; this third exception creates a loophole, according to Cisco.

Malicious actors have started to exploit this loophole to deploy malicious drivers without submission to Microsoft. Talos Intelligence claims that this loophole has been used to create "thousands of malicious, signed drivers" using tools that forge the signature timestamp.

Cisco recommends to block the certificates that it mentioned in the blog post. The certificates mentioned in the blog post are the following ones:

???????????? (Beijing Shihai Trading Co Ltd)

Beijing JoinHope Image Technology Ltd.

Shenzhen Luyoudashi Technology Co., Ltd.

Jiangsu innovation safety assessment Co., Ltd.

Baoji zhihengtaiye co.,ltd

Zhuhai liancheng Technology Co., Ltd.

Fuqing Yuntan Network Tech Co.,Ltd.

Beijing Chunbai Technology Development Co., Ltd

????????????

?? ?

NHN USA Inc.

Open Source Developer, William Zoltan

Luca Marcone

HT Srl

The security researchers analyzed 300 malicious samples and discovered that about half used a language code. The majority of samples with language code were set to Chinese (Simplified).

Cisco notes that Microsoft has blocked the certificates mentioned in the blog post as a response.

Thank you for being a Ghacks reader. The post Malware with faked timestamps on the rise to bypass Windows protections appeared first on gHacks Technology News.

read more...

Borg 386 · Jul 17, 2023

Beware this fake Windows BSOD from tech support scammers' malware

Microsoft has sounded the alarm over a fake installer for its Security Essentials, which attempts to trick victims into contacting bogus help centers.

Tech-support scammers have stepped up their technical game, prompting a "severe" warning from Microsoft over new Windows malware that mimics Microsoft's free Security Essentials antivirus, and then displays a fake blue screen of death, or BSoD, with an error message and a suggestion to call a 1800 number that is not a Microsoft support center.
Click to expand...

"Real error messages from Microsoft do not include support contact details," Microsoft said on its Malware Protection Center blog, warning of the new threat. It also never asks for payment for delivering tech support.
Click to expand...

Microsoft: Beware this fake Windows BSOD from tech support scammers' malware | ZDNet

WarrenHoar · Jul 17, 2023

Malware Protection Live

Just an FYI to everyone. Malware Protection Live just piggybacked an update to Windows 10 that I just received. It was accepted as an install and I just tried to delete it from the program list. it was removed from the list, but not sure of the ramification
residue yet. However, I wish to state that it was downloaded when my Windows 10 updated just now.

Watch out and protect yourselves.

Brink · Jul 17, 2023

Windows 10: protection against recent Depriz malware attacks

A few weeks ago, multiple organizations in the Middle East fell victim to targeted and destructive attacks that wiped data from computers, and in many cases rendering them unstable and unbootable. Destructive attacks like these have been observed repeatedly over the years and the Windows Defender and Windows Defender Advanced Threat Protection Threat Intelligence teams are working on protection, detection, and response to these threats.

Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.

Although the extent of damage caused by this latest attack by TERBIUM is still unknown, Windows 10 customers are protected. Windows 10 has built-in proactive security components, such as Device Guard, that mitigate this threat; Windows Defender customers are protected through multiple signature-based detections; and Windows Defender Advanced Threat Protection (ATP) customers are provided extensive visibility and detection capabilities across the attack kill chain, enabling security operation teams to respond quickly. Microsoft’s analysis has shown that the components and techniques used by TERBIUM in this campaign trigger multiple detections and threat intelligence alerts in Windows Defender Advanced Threat Protection.

Attack composition

Microsoft Threat Intelligence has observed that the malware used by TERBIUM, dubbed “Depriz” by Microsoft, reuses several components and techniques seen in the 2012 attacks, and has been highly customized for each targeted organization.

We do not see any indicators that a zero-day exploit is being used by TERBIUM.

Step 1: Writing to disk

The initial infection vector TERBIUM uses is unknown. As credentials have been hard-coded in the malware TERBIUM uses, it is suspected that TERBIUM has harvested credentials or infiltrated the target organization previously. Once TERBIUM has a foothold in the organization, its infection chain starts by writing an executable file to disk that contains all the components required to carry out the data-wiping operation. These components are encoded in the executables resources as fake bitmap images.

Figure 1. The components of the Trojan are fake bitmap images

We decoded the components as the following files:

PKCS12 – a destructive disk wiper component

PKCS7 – a communication module

X509 – 64-bit variant of the Trojan/implant

Step 2: Propagation and persistence through the target network

We have seen TERBIUM use hardcoded credentials embedded in the malware to propagate within a local network. The availability of these credentials to the activity group suggests that the attacks are highly targeted at specific enterprises.

The propagation and persistence is carried out as follows:

First, it tries to start the RemoteRegistry service on the computer it is trying to copy itself to, then uses RegConnectRegistryW to connect to it.

Next, it attempts to disable UAC remote restrictions by setting the LocalAccountTokenFilterPolicy registry key value to “1”.

Once this is done, it connects to the target computer and copies itself as %System%\ntssrvr32.exe or %System%\ntssrvr64.exe before setting either a remote service called “ntssv” or a scheduled task.

Step 3: Wiping the machine

Next, the Trojan installs the wiper component. Note: TERBIUM establishes a foothold throughout the organization and does not proceed with the destructive wiping operation until a specific date/time: November 17, 2016 at 8:45 p.m.

The wiper component is installed as %System%\<random name>.exe. During our testing, it used the name “routeman.exe”, but static analysis shows it can use several other names that attempt to imitate file names of legitimate system tools.

The wiper component also contains encoded files in its resources as fake bitmap images.

The first encoded resource is a legitimate driver called RawDisk from the Eldos Corporation that allows a user mode component raw disk access. The driver is saved as %System%\drivers\drdisk.sys and installed by creating a service pointing to it using “sc create” and “sc start”. This behavior can be observed in the process tree available in the Windows Defender ATP portal. The below alert represents an example of the generic detections in Windows Defender ATP:

Figure 2. Windows Defender ATP alert: Depriz starting ephemeral service to load RawDisk driver “drdisk”

Figure 3. Windows Defender ATP event tree: Depriz Trojan dropping the wiper component (named “routeman” in this instance), which in turn drops the RawDisk driver “drdisk”

There are two interesting things worth noting about RawDisk:

It requires a valid license key from Eldos Corporation to run. However, the license key included in Depriz is the same as the one used in the 2012 attacks – and this license key was only valid for a short period in 2012. TERBIUM works around this by changing the system time on targeted computers to a valid period in 2012.

It is the same as the driver used in the 2012 attacks.

Figure 4. Depriz license key (the same as the one used in 2012 attacks) and its limited validity period

The wiper component uses an image file to overwrite files in locations listed in the following:

Master Boot Records (MBR)

HKLM\System\CurrentControlSet\Control\SystemBootDevice

HKLM\System\CurrentControlSet\Control\FirmwareBootDevice

C:\Windows\System32\Drivers

C:\Windows\System32\Config\systemprofile

Typical user folders like “Desktop”, “Downloads”, “Documents”, “Pictures”, “Videos” and “Music”

Microsoft is also aware of a second threat that uses a distinct wiping component. We detect this as Trojan:Win32/Cadlotcorg.A!dha in Defender and generic detections with Defender ATP. Microsoft is continuing to monitor for additional information on this threat.

Step 4: Rendering the machine unusable

Finally, the following command is used to reboot the system into the intended unusable state:

shutdown -r -f -t 2

When the computer attempts to restart after shutting down, it is unable to find the operating system because the MBR was overwritten in step 3. The machine will no longer boot properly.

Mitigation: Multiple layers of protection from Microsoft

Windows 10 protects, detects and responds to this threat. Windows 10 has built-in proactive security components, such as Device Guard, that mitigate this threat by restricting execution to trusted applications and kernel drivers.

In addition, Windows Defender detects and remediates all components on endpoints as Trojan:Win32/Depriz.A!dha, Trojan:Win32/Depriz.B!dha, Trojan:Win32/Depriz.C!dha, and Trojan:Win32/Depriz.D!dha.

Windows Defender Advanced Threat Protection (ATP), our post-breach security service, provides an additional layer of security to enterprise users. With threat intelligence indicators, generic detections, and machine learning models, Windows Defender ATP (trial link) provides extensive visibility and detection capabilities across the attack kill chain of threats like TERBIUM.

Appendix – Indicators of compromise

We discovered the following SHA1s in relation to TERBIUM:

SHA1 hashes for malicious files

5c52253b0a2741c4c2e3f1f9a2f82114a254c8d6

e7c7f41babdb279c099526ece03ede9076edca4e

a2669df6f7615d317f610f731b6a2129fbed4203

425f02028dcc4e89a07d2892fef9346dac6c140a

ad6744c7ea5fee854261efa403ca06b68761e290

SHA1 hashes for legitimate RawDisk drivers

1292c7dd60214d96a71e7705e519006b9de7968f

ce549714a11bd43b52be709581c6e144957136ec

Signature names for malicious files

Trojan:Win32/Depriz.A!dha

Trojan:Win32/Depriz.B!dha

Trojan:Win32/Depriz.C!dha

Trojan:Win32/Depriz.D!dha

Mathieu Letourneau
Windows Defender Advanced Threat Protection Threat Intelligence Team
Click to expand...

Source: Windows 10: protection, detection, and response against recent Depriz malware attacks Microsoft Malware Protection Center

Windows 10: Malware with faked timestamps on the rise to bypass Windows protections

Malware with faked timestamps on the rise to bypass Windows protections

Malware with faked timestamps on the rise to bypass Windows protections

Malware with faked timestamps on the rise to bypass Windows protections

Malware with faked timestamps on the rise to bypass Windows protections - Similar Threads - Malware faked timestamps

explorer.exe fake timestamp and surveil Chinese antivirus software

explorer.exe fake timestamp and surveil Chinese antivirus software

explorer.exe fake timestamp and surveil Chinese antivirus software

Malware protection

Malware protection

Fake malware notice(?)

FAKE AD LEADS TO MALWARE SITE

Fake Microsoft malware

Malware Protection