
SCLeo | 2 years ago

> Anti-sandbox tricks

> Something not commonly seen in JVM malware that is present here is a class titled VMEscape. It checks if it's in a sandboxed Windows environment by checking if the current user is WDAGUtilityAccount, which is part of the Windows Defender Application Guard. If this condition is met, an attempt to escape the sandbox system is made.

> The process is roughly as follows:

> - Start a repeating thread to run the following actions:

> - Create a temporary directory using Files.createTempDirectory(...)

> - Iterate over FileDescriptor entries in the system clipboard (Supposedly this will be accessing the contents of the host)

> - Create a shortcut that looks like the original file (using icons from SHELL32) but instead invokes the malware

> - Assigns this shortcut to the clipboard, overwriting the original file reference

> Thus, if a user copies a file and goes to paste it elsewhere they will instead paste a shortcut that looks like their intended file, but actually runs the malware.

This is just evil.


geek_at|2 years ago

kind of reminds me of the very subtle malware found in a modified version of a bitcoin wallet that would lay low but when you copy-paste a BTC address in the recipient field, the malware replaces the clipboard with their own address in hopes you don't check it twice

But only if the user has a high balance on their own wallet.

At least one person fell for this when they made a small test-transfer which went through but when they entered the higher BTC amount the recipient was replaced. Pretty smart and evil stuff

stravant|2 years ago

It gets even better, those malware even dynamically generate replacement wallets, finding ones that have similar starting and ending characters to the target one so that the victim can't easily recognize that the wallet has been replaced.
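A defender-side check for the clipboard swap that geek_at and stravant describe, as an added example that is not from the thread or from any of the malware discussed: it records what the user actually copied and flags any paste-time value that differs, marking the ones that only differ in the middle (the "same start and end characters" trick). The event format, the sample addresses and the `BTC_RE` shape check are my own assumptions.

```python
import re
from dataclasses import dataclass

# Loose shape check for Bitcoin addresses (legacy "1", P2SH "3", bech32 "bc1").
# Assumption: only clipboard values that look like an address are worth tracking.
BTC_RE = re.compile(r"^(1|3|bc1)[A-Za-z0-9]{25,61}$")

@dataclass
class ClipEvent:
    kind: str    # "user_copy": the user pressed copy; "observed": clipboard read back just before paste
    value: str

def lookalike(expected: str, actual: str, edge: int = 6) -> bool:
    """True when two different strings share their first and last `edge` characters."""
    return expected != actual and expected[:edge] == actual[:edge] and expected[-edge:] == actual[-edge:]

def detect_substitutions(events):
    """Flag every paste-time clipboard value that differs from what the user last copied,
    but only when the copied value looked like a BTC address."""
    alerts = []
    last_copied = None
    for ev in events:
        if ev.kind == "user_copy":
            last_copied = ev.value
        elif ev.kind == "observed" and last_copied and BTC_RE.match(last_copied):
            if ev.value != last_copied:
                alerts.append({"copied": last_copied, "pasted": ev.value,
                               "lookalike": lookalike(last_copied, ev.value)})
    return alerts

# Constructed sample data (not taken from the article or the thread).
INTENDED = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
LOOKALIKE = "bc1qar0s" + "9" * 28 + "zwf5mdq"      # same head and tail, different middle
OTHER = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"       # unrelated address

EVENTS = [
    ClipEvent("user_copy", INTENDED), ClipEvent("observed", INTENDED),          # honest paste
    ClipEvent("user_copy", INTENDED), ClipEvent("observed", LOOKALIKE),         # swapped for a lookalike
    ClipEvent("user_copy", "meeting notes"), ClipEvent("observed", "meeting notes"),  # not an address
    ClipEvent("user_copy", INTENDED), ClipEvent("observed", OTHER),             # swapped, obviously different
]

if __name__ == "__main__":
    for a in detect_substitutions(EVENTS):
        print(f"clipboard changed between copy and paste: {a['copied']} -> {a['pasted']} "
              f"(lookalike={a['lookalike']})")
```

The point of the full-string comparison is that checking only the first and last few characters, which is what most people do by eye, is exactly the weakness the generated lookalike addresses exploit.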

pluijzer|2 years ago

Wow, that is nasty. I would actually fall for that, I never thought of double checking copy/pasted data, only in cases I copied something similar before and I want to make sure I really did press copy.

blibble|2 years ago

if you read the breakdown of the disassembly the minecraft malware does this too!