drobie22 / RSS-Reborn-Installer

This installer is designed to streamline the process of downloading and installing RSS Reborn visual enhancements to an existing Real Solar System installation.
9 stars 0 forks source link

Microsoft Defender AV detects trojan #5

Open KerballOne opened 4 months ago

KerballOne commented 4 months ago

Trojan:Script/Wacatac.B!ml

https://www.virustotal.com/gui/file/7846c440493e675a55d6e56f69d147e39cf06580bc8827643d2b315232580e16

drobie22 commented 4 months ago

Interesting. See if you can whitelist it in windows defender. Alternatively try the zip

KerballOne commented 4 months ago

This virustotal scan was of the zip file, which scans the files within.

I'm also running a scan of v1.0.2 which has even more hits as a malware. I am running in a sandbox to find out why.

Are you doing any remote code (other than pulling down latest versions from Github), such as pulling in commands that you control from a server?

drobie22 commented 4 months ago

Nope. All code is between GitHub and the installer. All code is open to see on the main GitHub page if you're curious.

KerballOne commented 4 months ago

Well, the source code can be fine, but no way to prove that the binary executable was compiled only from that source. I am still analyzing... so far this looks interesting.

Processes started: 7764 - "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\RSSRebornInstaller.zip"

drobie22 commented 4 months ago

Well, the source code can be fine, but no way to prove that the binary executable was compiled only from that source.

Fair enough. Inno setup is pretty easy to set up on your machine if you want to build the script yourself.

7764 - "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\RSSRebornInstaller.zip"

  • 7824 - C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\csqnnw0y.hwg" "C:\Users\user\Desktop\RSSRebornInstaller.zip"

7za is just the program that extracts an archive. That exe is on your local machine, and it's just opening the zip. You can whitelist the zip to allow it

KerballOne commented 4 months ago

The 7za process isn't concerning, it's the hardcoded archive password used. I know that the "infected" password is typically only used for malware sample archive transport. Why use it here?

drobie22 commented 4 months ago
  • 7824 - C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\csqnnw0y.hwg" "C:\Users\user\Desktop\RSSRebornInstaller.zip"

If you mean here, that's not part of the script. This is just the command to extract the compressed exe, which your machine decides which arguments to use. I don't believe I have the ability to specify -pinfected when my exe gets decompressed

KerballOne commented 4 months ago

Okay, looks like an artifact of the sandbox then.
Looking like a false positive, but I'm still interested to see why.

drobie22 commented 4 months ago

Me too. Fox has talked about how one of his configs got flagged too. Some machine learning false positive from Microsoft.

I think I have to work on buying a certificate :/

KerballOne commented 4 months ago

Yeah, a valid cert will go a long way. A lot of this is behavioral, and often triggered by repeated api calls to github to get all the different configs. There might be a better way to do it, but I don't know.

drobie22 commented 4 months ago

So I've made a great effort to reduce GitHub calls. GitHub has its own limits on calls, like 60 an hour.

I only call each repo once, and I don't think it counts running the download links.

KerballOne commented 4 months ago

This is the v1.0.2 exe file AV hits. image

The latest, 1.1.0, has only one... so if you've made some changes maybe that is working. image

KerballOne commented 4 months ago

Windows Defender only seemed to have a problem with the zip file. Maybe that extra level of encapsulation reached a threshold. For your next version, may I suggest running all release download files through VT, just to make sure.

drobie22 commented 4 months ago

Appreciate the research. I'll see what I can do

pleroy commented 4 months ago

Version 1.1.1 is still flagged by 3 analyzers on virustotal.

drobie22 commented 4 months ago

Version 1.1.1 is still flagged by 3 analyzers on virustotal.

Still trying to research this, not sure on an ETA.