![]() A named pipe is used for communication between a server and clients. Malware uses this as a method of communication and to transfer information collected from the system (exfiltrate data). This object imports functions that allow the manipulation of named pipes.Determining what version and types of programs are installed on a device can easily be found from a file listing the malware creator could then attempt to find further vulnerabilities in the installed software. Malware uses this list to look for sensitive data or to find further points of attack. This object imports functions that are used to list files.Malware uses this to locate processes to inject into, imitate, or terminate. This object imports functions that can list all of the running processes on a system.Malware uses this to capture and save keystrokes to find sensitive information such as usernames and passwords. This object imports functions that can capture and log keystrokes from the keyboard.Malware uses this to better tailor further attacks (to take advantage of OS exploits) and to report information back to a controller. This object imports functions that are used to gather information about the current operating system.For example, the suspicious data "thisisabot" can be concealed by encoding it as "dGhpc2lzYWJvdA=" using Base64. Malware often uses Base64 to avoid detection. Base64 is an encoding scheme used to represent data as ASCII text typically consisting of A-Z, a-z, 0-9, +, and /. This object contains evidence of using Base64 encoding.If no exception is caught, the malware knows a debugger probably caught the exception and that a debugger is being used. Example: Malware might be designed to set up a custom exception handler, raise an exception, and then check if the custom exception handler catches it. Malware does this to make standard dynamic code analysis difficult to follow. This object imports functions used to raise exceptions within a program.In case you're curious, here are the high level Threat Indicators. We cannot globally whitelist the program as that is not how our product works, but we have reclassified it as Dual Use/Remote Access for our users to see. We wouldn't want some non-IT pro installing this on the machine. While the mathmatics sees this, individual users will be able to whitelist it for specific groups to utilize. Why? Simply put, the nature of the program (remote access tool) means it can be used maliciously. ![]() I have run this against the latest version of Cylance and it did indeed block it. I am going to look into this and get a report as to why.
0 Comments
Leave a Reply. |