Author Topic: Avast can't protect against Magniber Ransomware  (Read 1799 times)

Offline Mr. Consumer

  • Full Member
  • ***
  • Posts: 134
Avast can't protect against Magniber Ransomware
« on: June 23, 2022, 05:51:42 PM »
Avast needs to update its heuristics and behavior blocker to protect against new variants of Magniber Ransomware.
Currently, whenever a new one comes out, Avast fails initially to stop encryption till they create a signature for that specific variant later.
For example, this one:
https://www.virustotal.com/gui/file/792c3a80186fb043b6c8f563a5df794077121a0c24fdf2c95db5cfcea96cd7d4/detection
Files were encrypted before a signature was created. At the moment, ESET and Kaspersky have managed to create a heuristic which is able to detect all variants so far.
« Last Edit: June 23, 2022, 06:18:34 PM by Mr. Consumer »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Avast can't protect against Magniber Ransomware
« Reply #1 on: June 23, 2022, 06:26:36 PM »
Not sure why you posted the VT link, as according to that it is being detected by Avast (though not specifically a ransomware signature)?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Mr. Consumer

  • Full Member
  • ***
  • Posts: 134
Re: Avast can't protect against Magniber Ransomware
« Reply #2 on: June 23, 2022, 08:54:34 PM »
> Not sure why you posted the VT link, as according to that it is being detected by Avast (though not specifically a ransomware signature)?

It's a 2-day-old sample. It was not detected by Avast 2 days ago, and files got encrypted when it was tested. It's a ransomware of the Magniber family. Some AVs are classifying this one differently, because I guess it can be. Products can have multiple detections/heuristics for one malware.
https://opentip.kaspersky.com/792c3a80186fb043b6c8f563a5df794077121a0c24fdf2c95db5cfcea96cd7d4/

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Avast can't protect against Magniber Ransomware
« Reply #3 on: June 23, 2022, 09:22:17 PM »
Well retrospectively they aren't going to be able to do much.

So contacting Avast as you have done before would be the best course of action - Reporting a possible Malicious sample File - https://www.avast.com/report-malicious-file.php.

Posting in the forums doesn't get much action, outside of Avast Users.

Offline Mr. Consumer

  • Full Member
  • ***
  • Posts: 134
Re: Avast can't protect against Magniber Ransomware
« Reply #4 on: June 23, 2022, 09:43:58 PM »
> Well retrospectively they aren't going to be able to do much.
>
> So contacting Avast as you have done before would be the best course of action - Reporting a possible Malicious sample File - https://www.avast.com/report-malicious-file.php.
>
> Posting in the forums doesn't get much action, outside of Avast Users.

I see. Wish they paid more attention here. But, alright. 

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Avast can't protect against Magniber Ransomware
« Reply #5 on: June 23, 2022, 10:06:02 PM »
They do get here, but most of that activity is in response to program issues, etc. and r@vast is pretty active in that regard.  But I wouldn't rely on someone from the Virus Labs Team happening to see your post in a reasonable time frame, so it is preferable to go direct.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Avast can't protect against Magniber Ransomware
« Reply #6 on: June 25, 2022, 01:07:53 AM »
The so-called PrintNightmare vulnerability plays an important role in this ransomware threat.

So often automatic execution called "a feature for end-users" with the Windows OS,
that then later can be abused by malcreants. Your av solution should alert here.

With such executables the user should always be given a second chance
either to execute, when above board, or halt, when it seems a suspicious/malicious process.

Read an analysis:
https://www.cybereason.com/blog/threat-analysis-report-printnightmare-and-magniber-ransomware

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Avast can't protect against Magniber Ransomware
« Reply #7 on: June 25, 2022, 02:03:16 AM »
An interesting read if you have the time to spare.

But wouldn't MS have plugged that hole by now?
« Last Edit: June 25, 2022, 02:05:26 AM by DavidR »

Offline Mr. Consumer

  • Full Member
  • ***
  • Posts: 134
Re: Avast can't protect against Magniber Ransomware
« Reply #8 on: June 25, 2022, 11:03:10 AM »
> The so-called PrintNightmare vulnerability plays an important role in this ransomware threat.
>
> So often automatic execution called "a feature for end-users" with the Windows OS,
> that then later can be abused by malcreants. Your av solution should alert here.
>
> With such executables the user should always be given a second chance
> either to execute, when above board, or halt, when it seems a suspicious/malicious process.
>
> Read an analysis:
> https://www.cybereason.com/blog/threat-analysis-report-printnightmare-and-magniber-ransomware
>
> polonus

The new variants work differently, I think. These are delivered now as MSI files, which are also signed.
Kaspersky's heuristics are able to detect new variants by static analysis, and based on a recent test it seems they have now added further behavioral heuristics to detect it post-execution. PDM Exploit was their behavioral detection term before, and recently they have also added a PDM Generic behavioral signature for this one. So they are actively trying to combat new variants in multiple ways. Kaspersky's and ESET's heuristics already work pre-execution, but excluding these two and a Chinese AV named WiseVector, all other top products have been struggling against this for the past couple of months. So it seems this Magniber malware is different from the previous ones reported in the Cybereason article.