Keeping your AV enabled and not extracting the ZIP

Public Service Announcement

This is something I wanted to write a post about as it seems to still be getting lots of hits and fooling lots of people. I will wright the TLDR here so you can get the message now and read further if you want to learn more.

If ANY program EVER tells you to disable your Anti-Malware solution PROCEED WITH EXTREAM CAUTION. If you are ever provided with a password protected archive again PROCEED WITH EXTREAM CAUTION.

Now that the TLDR is out of the way let me explain.

There have been many campaigns that have been involving something in common, using a password protected zip file hosted with a page that contains both the password AND instructions to disable your Anti-Malware solution. The ZIP file then contains infected files usually Redline or alike however if the person follows the instructions as provided they would have disabled their Anti-Malware solution which would now not detect the sample.

This is a common tactic used to distribute malware onto computers usually made out to be something the user would want to download such as a tool or a cracked version of software to get people to download it and follow the instructions to get themselves infected. They are also commonly posted on YouTube as "tutorials" again to make it more believable. If you ever see this, BEFORE you run the file upload it to tools such as VirusTotal and check to see what the results are or think about if it's really trustable. If you get it from a YouTube video look up the link in YouTube's search and see if you find identical videos posted from loads of different channels. If you do this is a sign it might be stealing accounts. If it does come back malicious just report the video and move on.

Another thing, if you are ever given a ZIP file with a password be very suspicious as generally this is used because it is detected by Anti-Malware solutions and encrypting the ZIP file with a password will stop it from being scanned and detected by whatever solution you run. It will also stop any results from showing up if you upload the ZIP to tools such as VirusTotal as the encrypted ZIP file cannot be identified nor extracted due to the unknown password which would be given to you but not whatever tool is trying to scan it.

Here is a real example I found while looking into this.


As you can see here (I removed the name of the sample), it wants you to download a password protected ZIP file from the link above with the password below. Then gives you instructions to both disable your VPN (so they can get your IP) and to disable any protection you may have installed so when you extract the ZIP nothing is going to alert you or stop you from running the Redline malware contained in the executable (which will end up stealing your accounts and reposting itself on them to try and infect more people).

Protect yourself, if you ever are given a password protected ZIP file and/or given instructions to impair or disable your protection software, walk away. It is most likely trying to give you malware.

Comments

Post a Comment

Popular posts from this blog

Danger in shortcuts

Image
Shortcuts, personally I never really use them. They link to a program slash file to run it or to make it easier to execute with arguments such as open minimized window. But I decided to give them a relook with the new Powershell program bundled in with all Windows installations and even released for Linux. Shortcuts if you did not know can pass arguments into the program or file it has been linked to. Usually you use this if for example you want to configure a program to launch silently using lets say a -silent flag. Well just add that into the shortcut and it will launch with that argument without having to open a shell. So what about Powershell? Well it has a interesting flag called " -Command ". The command flag allows you to pass a command or potentially even an entire script into the Powershell process that will be started. Interestingly this means an entire script can run in memory without being stored on disk at all, the most insane version of anti-malware avoidance. N
Read more

What does your VPN really do to your web traffic? (a deep dive into HTTPS)

Image
We have all seen the ads, right? If you have not, I would question how you are reading this article while turning your butter but anyway, let’s talk about VPNs (this is going to be spicy). I know we have also all heard about the "benefits" of using a VPN, such as "privacy", "security", and using that sketchy Wi-Fi that showed up while you were at the strip. So why don't we talk about what it does shall we?  First "privacy". Now yes, it might improve it to a point at least by masking your IP however there are so many other ways that you are tracked online that are not your IP that the benefit would be very little. For example, your browser dimensions, cookies, installed extensions, etc. These are all sent through the VPN and allow the service at the other end to identify you through the VPN anyway, and another point I made add. What do most people do with their VPN? I would say use services online, and what do most services have? A login! You’
Read more