Avast WEBforum

Other => Viruses and worms => Topic started by: Mr. Consumer on June 23, 2022, 05:51:42 PM

Title: Avast can't protect against Magniber Ransomware
Post by: Mr. Consumer on June 23, 2022, 05:51:42 PM
Avast needs to update its heuristics and behavior blocker to protect against new variants of Magniber Ransomware.
Currently, whenever a new one comes out, Avast fails initially to stop encryption till they create a signature for that specific variant later.
For example, this one:
https://www.virustotal.com/gui/file/792c3a80186fb043b6c8f563a5df794077121a0c24fdf2c95db5cfcea96cd7d4/detection
Files were encrypted before a signature was created. At the moment, ESET and Kaspersky have managed to create a heuristic which is able to detect all variants so far.
Title: Re: Avast can't protect against Magniber Ransomware
Post by: DavidR on June 23, 2022, 06:26:36 PM
Not sure why you posted the VT link, as according to that it is being detected by Avast (though not specifically a ransomware signature)?
Title: Re: Avast can't protect against Magniber Ransomware
Post by: Mr. Consumer on June 23, 2022, 08:54:34 PM
Not sure why you posted the VT link, as according to that it is being detected by Avast (though not specifically a ransomware signature)?
It's a 2 days old sample. It was not detected by Avast 2 days ago, and files got encrypted when it was tested. It's a ransomware of the Magniber family. Some AVs are classifying this one differently, because I guess it can be. Products can have multiple detections/heuristics for one malware.
https://opentip.kaspersky.com/792c3a80186fb043b6c8f563a5df794077121a0c24fdf2c95db5cfcea96cd7d4/
Title: Re: Avast can't protect against Magniber Ransomware
Post by: DavidR on June 23, 2022, 09:22:17 PM
Well retrospectively they aren't going to be able to do much.

So contacting Avast as you have done before would be the best course of action - Reporting a possible Malicious sample File - https://www.avast.com/report-malicious-file.php

Posting in the forums doesn't get much action, outside of Avast Users.
Title: Re: Avast can't protect against Magniber Ransomware
Post by: Mr. Consumer on June 23, 2022, 09:43:58 PM
Well retrospectively they aren't going to be able to do much.

So contacting Avast as you have done before would be the best course of action - Reporting a possible Malicious sample File - https://www.avast.com/report-malicious-file.php

Posting in the forums doesn't get much action, outside of Avast Users.
I see. Wish they paid more attention here. But, alright. 
Title: Re: Avast can't protect against Magniber Ransomware
Post by: DavidR on June 23, 2022, 10:06:02 PM
They do get here, but most of that activity is in response to program issues, etc. and r@vast is pretty active in that regard.  But I wouldn't rely on someone from the Virus Labs Team happening to see your post in a reasonable time frame, so it is preferable to go direct.
Title: Re: Avast can't protect against Magniber Ransomware
Post by: polonus on June 25, 2022, 01:07:53 AM
The so-called PrintNightmare vulnerability plays an important role in this ransomware threat.

So often automatic execution, called "a feature for end-users" with the Windows OS,
can later be abused by miscreants. Your AV solution should alert here.

With such executables the user should always be given a second chance
either to execute, when above board, or halt, when it seems a suspicious/malicious process.

Read an analysis:
https://www.cybereason.com/blog/threat-analysis-report-printnightmare-and-magniber-ransomware

polonus
Title: Re: Avast can't protect against Magniber Ransomware
Post by: DavidR on June 25, 2022, 02:03:16 AM
An interesting read if you have the time to spare.

But wouldn't MS have plugged that hole by now ?
Title: Re: Avast can't protect against Magniber Ransomware
Post by: Mr. Consumer on June 25, 2022, 11:03:10 AM
The so-called PrintNightmare vulnerability plays an important role in this ransomware threat.

So often automatic execution, called "a feature for end-users" with the Windows OS,
can later be abused by miscreants. Your AV solution should alert here.

With such executables the user should always be given a second chance
either to execute, when above board, or halt, when it seems a suspicious/malicious process.

Read an analysis:
https://www.cybereason.com/blog/threat-analysis-report-printnightmare-and-magniber-ransomware

polonus
The new variants work differently, I think. These are delivered now as MSI files, which are also signed.

Kaspersky's heuristics are able to detect new variants by static analysis, and based on a recent test it seems they have now added further behavioral heuristics to detect it post-execution. PDM Exploit was their behavioral detection term before, and recently they have also added a PDM Generic behavioral signature for this one. So they are actively trying to combat new variants in multiple ways.

Kaspersky's and ESET's heuristics already work pre-execution, but excluding these two and a Chinese AV named WiseVector, all other top products have been struggling against this for the past couple of months. So it seems this Magniber malware is different from the previous ones reported in the Cybereason article.