Kaspersky Threats — Worm.Win32.Vobfus.efgg

Classe: Worm

Worms espalhados em redes de computadores através de recursos de rede. Diferentemente do Net-Worms, um usuário deve iniciar um Worm para que ele seja ativado. Esse tipo de worm pesquisa redes de computadores remotas e copia a si mesmo para diretórios que são acessíveis para leitura / gravação (se encontrar algum). Além disso, esses worms usam funções integradas do sistema operacional para procurar diretórios de rede acessíveis e / ou pesquisam aleatoriamente computadores na Internet, conectam-se a eles e tentam obter acesso total aos discos desses computadores. Essa categoria também abrange os worms que, por um motivo ou outro, não se encaixam em nenhuma das outras categorias definidas acima (por exemplo, worms para dispositivos móveis).

Plataforma: Win32

O Win32 é uma API em sistemas operacionais baseados no Windows NT (Windows XP, Windows 7, etc.) que oferece suporte à execução de aplicativos de 32 bits. Uma das plataformas de programação mais difundidas do mundo.

Família: Worm.Win32.Vobfus

No family description

Examples

7A400EC5D8C2DF35BFD96243F1FBD972
32987C8E41D09B34C57B02EF44EE0FAA
077A302766A3B6AD8B9BD5938E746D7B
EB4E4FFB2C09CA9EA363D518A2B5F6E8
4EA41A3DAD786C7EC737F6E79CEE3E01

Tactics and Techniques: Mitre*

TA0005

Defense Evasion

The adversary is trying to avoid being detected.

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

T1036

Masquerading

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.(Citation: LOLBAS Main Site) Masquerading may also include the use of Proxy or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections.

T1036.008

Masquerade File Type

Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file, is 0xFF 0xD8 and the file extension is either `.JPE`, `.JPEG` or `.JPG`.

T1564.001

Hidden Files and Directories

Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).