coolsport00
Veeam Legend
Posts: 121
Liked: 31 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA

Re: Malware detection, Ransomware Notice found

Post by coolsport00 »

I've done a YARA scan on some of my Windows devices (btw...all A/V minus the 1 I mentioned above have scanned out "ok") and, like others above have shared, I'm seeing Chrome Cache files come back as "onion links" (data_3, and some "rules" files are a few...and seem legit); but it appears the Malware engine is detecting valid executables also (C:\Windows\System32\curl.exe and C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe ...and I've seen a few others) as an Onion Link (OL)? Well, let me be a bit more specific: the YARA scan tool I'm using is detecting those files as OLs (YARA binaries from: https://github.com/VirusTotal/yara/releases/tag/v4.5.1). If Veeam scans blocks in a somewhat similar fashion to the way the YARA tool scans files/directories, then my assumption is these are the files Veeam "sees" as OLs and thus why Veeam created OL events on my VMs this morning.

Dima - Should I open a case to report some of my latest findings?

Thanks!
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
GaborCs
Novice
Posts: 3
Liked: 2 times
Joined: Jun 12, 2024 11:40 am

Re: Malware detection, Ransomware Notice found

Post by GaborCs » 1 person likes this post

Hi Everybody,

we've got the same "ONION links found" Malware alert here

A manual YARA scan doesn't get any hit on the VM.

Meanwhile we rewrote the OnionLinks.yara rule, and now we are running it on the "infected" backups.

This "new" rule is good for old v2 and new v3 onion URLs, and fixes a little mistake in the earlier version, where a "\" was missing in front of the ".onion".

here is the modified YARA rule:

rule OnionLinks
{
    meta:
        description = "Onion link"

    strings:
        $onion_linkv2 = /\b([a-z2-7]{16}\.onion)\b/i
        $onion_linkv3 = /\b([a-z2-7]{56}\.onion)\b/i

    condition:
        any of ($onion_linkv2, $onion_linkv3)
}
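Added example, not code from this thread, from Veeam or from any poster: a Python reference implementation of the two patterns in the rule above, plus an offline validity check for v3 addresses so regex hits can be triaged. The point it shows is that a v3 hostname is base32(PUBKEY || CHECKSUM || VERSION) with CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || 0x03)[:2] (Tor's v3 onion service spec), so a 56-character base32 run that merely matches the regex almost never carries a valid checksum and version byte; v2 addresses carry no checksum and cannot be checked offline. The function names (make_v3_onion, validate_v3_onion, scan_for_onions), the placeholder key and the sample blob are this example's own constructions, not anything from the thread.

```python
"""Reference scanner for the OnionLinks patterns with an offline v3 check.

v3 hostname = base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) + ".onion"
CHECKSUM    = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
VERSION     = 0x03
"""
import base64
import hashlib
import re

# The YARA rule's patterns transcribed for Python's re module, in bytes mode
# so they can run over raw file contents the way YARA does.
ONION_V2 = re.compile(rb"\b([a-z2-7]{16}\.onion)\b", re.IGNORECASE)
ONION_V3 = re.compile(rb"\b([a-z2-7]{56}\.onion)\b", re.IGNORECASE)

V3_VERSION = b"\x03"


def _v3_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum defined by the v3 onion address format."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def make_v3_onion(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a lowercase v3 .onion hostname."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    raw = pubkey + _v3_checksum(pubkey) + V3_VERSION   # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def validate_v3_onion(addr: str) -> bool:
    """True if addr decodes to 35 bytes whose checksum and version are correct."""
    label = addr.lower()
    if not label.endswith(".onion"):
        return False
    label = label[: -len(".onion")]
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label, casefold=True)
    except ValueError:           # non-base32 characters
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    return version == V3_VERSION and checksum == _v3_checksum(pubkey)


def scan_for_onions(data: bytes) -> list[dict]:
    """Return every regex hit in data; v3 hits get the offline checksum test."""
    # Note the \b on both sides: a label glued to a preceding letter, digit or
    # underscore is not matched, exactly as in the YARA rule.
    hits = []
    for m in ONION_V2.finditer(data):
        hits.append({"offset": m.start(), "addr": m.group(1).decode("ascii"),
                     "version": 2, "valid": None})        # v2: no offline check
    for m in ONION_V3.finditer(data):
        addr = m.group(1).decode("ascii")
        hits.append({"offset": m.start(), "addr": addr,
                     "version": 3, "valid": validate_v3_onion(addr)})
    return sorted(hits, key=lambda h: h["offset"])


def addresses_worth_investigating(data: bytes) -> list[str]:
    """Regex hits minus v3 strings that fail the checksum (pure regex noise)."""
    return [h["addr"] for h in scan_for_onions(data) if h["valid"] is not False]


# Constructed sample data, not real file contents: a fake filter-list blob with
# a v2 address of the kind found in browser filter lists, a v3 address derived
# from a placeholder key, and a 56-character base32 run that only looks like one.
SAMPLE_KEY = bytes(range(32))            # placeholder key, not a real service
SAMPLE_V3 = make_v3_onion(SAMPLE_KEY)
NOISE_V3 = "a" * 56 + ".onion"           # decodes to version byte 0x00 -> invalid
SAMPLE_BLOB = (
    b"\x00\x01filter-list\x00 nytimes3xbfgragh.onion \xff\xfe"
    + SAMPLE_V3.encode("ascii") + b"\x00garbage\x00"
    + NOISE_V3.encode("ascii") + b" end"
)

if __name__ == "__main__":
    for hit in scan_for_onions(SAMPLE_BLOB):
        print(hit)
```

Running the module prints three hits: the v2 address (no offline verdict possible), the constructed v3 address (valid) and the all-"a" run (regex match, checksum fails). Every valid v3 hostname ends in "d" before ".onion", because the last base32 character carries the low five bits of the 0x03 version byte; that alone is a cheap first filter before the SHA3 check. YARA itself cannot compute the checksum, so this kind of triage belongs in a post-processing step over the match list, not in the rule.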
coolsport00
Veeam Legend
Posts: 121
Liked: 31 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA

Re: Malware detection, Ransomware Notice found

Post by coolsport00 » 1 person likes this post

Thanks for sharing the update @GaborCs

I've actually had to temporarily disable Inline scanning for now as I was getting too many false 'hits' since updating Veeam to v12.1.2. :/
mcz
Veeam Legend
Posts: 945
Liked: 221 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria

Re: Malware detection, Ransomware Notice found

Post by mcz » 1 person likes this post

Dima P. wrote: Jun 11, 2024 4:54 pm Pagefile is excluded correctly; however, if parts of it are physically allocated within a block where a normal file resides (a file that must be included in the backup), we will store the entire block, including the file and such a small portion of the pagefile, in the backup. Based on our investigation, such file parts are causing the mentioned false positive reports during inline scan.
Thanks for the information, Dima. Now I understand why it is not an easy fix, or at least not the easiest one. You need to somehow stop the scanning of data within blocks belonging to the excluded pagefile...
mcz
Veeam Legend
Posts: 945
Liked: 221 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria

Re: Malware detection, Ransomware Notice found

Post by mcz »

coolsport00 wrote: Jun 11, 2024 5:38 pm I thought it would be good to state the Malware Engine does have benefit (I've always said that). ;)
Correct, in my case it has found a dnscat.ps1 file which I used for testing a while ago. I was a bit surprised that it had even found a "silent" PowerShell script...
Dima P.
Product Manager
Posts: 14720
Liked: 1705 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Hello guys,

Thank you for sharing the updates!
coolsport00 wrote: Now, history has told me they're false pos's cuz...up to this point, they have been. You may be interested to know the 1st VM I did an A/V scan on actually did seemingly have a 'trojan' file on it (Trojan:Win32/Leonem)
Glad to help and thank you for sharing!
coolsport00 wrote: I'm seeing Chrome Cache files come back as "onion links" (data_3, and some "rules" files are a few...and seem legit); but it appears the Malware engine is detecting valid executables also (C:\Windows\System32\curl.exe and C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe ...and I've seen a few others) as an Onion Link (OL)? Dima - Should I open a case to report some of my latest findings?
Thank you! We are aware of this problem too and we will include the fine-tuning for this issue together with the fix for pagefile leftovers. You can raise a ticket to get a private fix once it's ready.
mcz
Veeam Legend
Posts: 945
Liked: 221 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria

Re: Malware detection, Ransomware Notice found

Post by mcz »

Dima, when do we know that it's ready? Will you post it here?
Dima P.
Product Manager
Posts: 14720
Liked: 1705 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Malware detection, Ransomware Notice found

Post by Dima P. » 1 person likes this post

Sure, I'll update this thread. The code is ready, now we are building and then verifying the build in QA labs.
coolsport00
Veeam Legend
Posts: 121
Liked: 31 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA

Re: Malware detection, Ransomware Notice found

Post by coolsport00 »

Hi @dima - yeah...think I will create a case to get that fix. Like I mentioned above I have disabled Malware scanning for now, but would rather have it on. Appreciate the info.
coolsport00
Veeam Legend
Posts: 121
Liked: 31 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA

Re: Malware detection, Ransomware Notice found

Post by coolsport00 »

@Dima -
My case is Case #07301631

Thank you.
Dima P.
Product Manager
Posts: 14720
Liked: 1705 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Malware detection, Ransomware Notice found

Post by Dima P. » 1 person likes this post

Noted, thank you Shane!
Joris360
Novice
Posts: 5
Liked: 4 times
Joined: Feb 19, 2024 8:36 am

Re: Malware detection, Ransomware Notice found

Post by Joris360 » 1 person likes this post

GaborCs wrote: Jun 12, 2024 11:47 am

rule OnionLinks
{
    meta:
        description = "Onion link"

    strings:
        $onion_linkv2 = /\b([a-z2-7]{16}\.onion)\b/i
        $onion_linkv3 = /\b([a-z2-7]{56}\.onion)\b/i

    condition:
        any of ($onion_linkv2, $onion_linkv3)
}
Hi GaborCs,

I've tried your YARA rule with the YARA rule scanning from Scan Backup in Veeam, and now I don't receive a pagefile.sys detection (while the other rules did on that same server).
But it's detecting some other files from Edge browser. These are:

C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\10.34.0.13\Filtering Rules
C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Indexed Rules\35\10.34.0.13\Ruleset Data
C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\10.34.0.52\Filtering Rules
C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Indexed Rules\36\10.34.0.52\Ruleset Data

When looking in the first file, I can find some onion links in it. This makes sense as it looks like a filtering/blocking file.

@Dima P.
Perhaps the scanning Veeam does is also detecting these and therefore giving the "Onion link" detection.
I've uploaded the logs to the Veeam case we opened (ID: 07297542)
stewsie
Veteran
Posts: 282
Liked: 25 times
Joined: May 22, 2015 7:16 am
Full Name: Paul

Re: Malware detection, Ransomware Notice found

Post by stewsie »

I am using the above YARA rule and still receive pagefile.sys notifications.

I also see the Edge messages similar to yours.
coolsport00
Veeam Legend
Posts: 121
Liked: 31 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA

Re: Malware detection, Ransomware Notice found

Post by coolsport00 » 1 person likes this post

I get the same Ruleset & Filtering paths, but for Chrome.
Dima P.
Product Manager
Posts: 14720
Liked: 1705 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Hello guys,

Thank you for all the help with the investigation! The fix for pagefile exclusion and non-text onion link false positives is now ready. You can get it via the support channel by raising a support case.
mcz
Veeam Legend
Posts: 945
Liked: 221 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria

Re: Malware detection, Ransomware Notice found

Post by mcz »

created a case. Will update this thread once I've got some news from my side... Thanks Dima!
GaborCs
Novice
Posts: 3
Liked: 2 times
Joined: Jun 12, 2024 11:40 am

Re: Malware detection, Ransomware Notice found

Post by GaborCs »

also created a case

@Joris360 - yep, those files are some filters/rules, and there are some real ".onion" links in them,

like this:
Äň nzbindex.com ř3ţ˙ đ ˜Ö Ë nytimes3xbfgragh.onion 04ţ˙$ ¸ $ĺ \Ö ÄĘ X› Hú nytimes.com h4ţ˙ ˜Ę nytco.com Ś4ţ˙ $] Ä6
mcz
Veeam Legend
Posts: 945
Liked: 221 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria

Re: Malware detection, Ransomware Notice found

Post by mcz »

ok, received the fix and installed the files. Did another YARA scan (onion files) for one of the affected VMs and this time I got an error telling me "YARA scan has encountered a match", no additional details. Under Inventory -> Malware Detection I don't see any VMs listed there... Any ideas? I'm a bit confused...
coolsport00
Veeam Legend
Posts: 121
Liked: 31 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA

Re: Malware detection, Ransomware Notice found

Post by coolsport00 » 1 person likes this post

I already have a case...and will get the fix. But first, I want to see response from @mcz 's comment on what could be the issue there.
mcz
Veeam Legend
Posts: 945
Liked: 221 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria

Re: Malware detection, Ransomware Notice found

Post by mcz »

ok, short update: I was stupid enough to forget that there's the button to look up the found malware, and there it again listed the pagefile.sys... The question is if I also have to update the .so file on the hardened repository. Right now we use it as a repository only...
coolsport00
Veeam Legend
Posts: 121
Liked: 31 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA

Re: Malware detection, Ransomware Notice found

Post by coolsport00 »

mcz wrote: Jun 19, 2024 12:11 pm ok, received the fix and installed the files. Did another YARA scan (onion files) for one of the affected VMs and this time I got an error telling me "YARA scan has encountered a match", no additional details. Under Inventory -> Malware Detection I don't see any VMs listed there... Any ideas? I'm a bit confused...
I think some instructions on how the new tool/update works would be of benefit as well?
mcz
Veeam Legend
Posts: 945
Liked: 221 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria

Re: Malware detection, Ransomware Notice found

Post by mcz »

Well, the tool works as before. Regarding the fix: You just have to replace a file on all of the proxies, that's all.
Dima P.
Product Manager
Posts: 14720
Liked: 1705 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Malware detection, Ransomware Notice found

Post by Dima P. » 2 people like this post

Hello guys,

To make sure we are on the same page: the fix tunes the inline scan engine, allowing it to skip the pagefile leftovers and non-text files for onion link analysis. It does not change the way the backup job or the YARA engine works. Thank you!
mcz
Veeam Legend
Posts: 945
Liked: 221 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria

Re: Malware detection, Ransomware Notice found

Post by mcz » 2 people like this post

Ah, thanks Dima for the clarification. So to make it simple: after applying the fix it is expected that the inline scan engine won't report any malware during or after backup jobs, but (manual) YARA scans would still show false positives in e.g. pagefile.sys, because YARA is an independent scan engine. Correct?
Dima P.
Product Manager
Posts: 14720
Liked: 1705 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Malware detection, Ransomware Notice found

Post by Dima P. » 1 person likes this post

Yes, this is correct.
mcz
Veeam Legend
Posts: 945
Liked: 221 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria

Re: Malware detection, Ransomware Notice found

Post by mcz » 3 people like this post

ok, so I can confirm that I don't get any malware reports after the backup jobs, which means that the fix works. Thanks a lot to all who have been involved!
Dima P.
Product Manager
Posts: 14720
Liked: 1705 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Glad to hear, thank you for the feedback Michael!
coolsport00
Veeam Legend
Posts: 121
Liked: 31 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA

Re: Malware detection, Ransomware Notice found

Post by coolsport00 » 1 person likes this post

Going to (hopefully) apply the fix in my environment today! We'll see how it goes... :wink:
coolsport00
Veeam Legend
Posts: 121
Liked: 31 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA

Re: Malware detection, Ransomware Notice found

Post by coolsport00 » 2 people like this post

mcz wrote: Jun 21, 2024 9:44 am ok, so I can confirm that I don't get any malware reports after the backup jobs, which means that the fix works. Thanks a lot to all who have been involved!
Same. Been running a few days...looking good thus far.
Dima P.
Product Manager
Posts: 14720
Liked: 1705 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Malware detection, Ransomware Notice found

Post by Dima P. » 1 person likes this post

Awesome! Thank you for sharing your reports!