Microsoft Defender AV detects trojan

[KerballOne]

Trojan:Script/Wacatac.B!ml

https://www.virustotal.com/gui/file/7846c440493e675a55d6e56f69d147e39cf06580bc8827643d2b315232580e16

[drobie22]

Interesting. See if you can whitelist it in windows defender. Alternatively try the zip

[KerballOne]

This virustotal scan was of the zip file, which scans the files within.

I'm also running a scan of v1.0.2 which has even more hits as a malware. I am running in a sandbox to find out why.

Are you doing any remote code (other than pulling down latest versions from Github), such as pulling in commands that you control from a server?

[drobie22]

Nope. All code is between GitHub and the installer. All code is open to see on the main GitHub page if you're curious.

[KerballOne]

Well, the source code can be fine, but no way to prove that the binary executable was compiled only from that source. I am still analyzing... so far this looks interesting.

Processes started: 7764 - "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\RSSRebornInstaller.zip"

• 7824 - C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\csqnnw0y.hwg" "C:\Users\user\Desktop\RSSRebornInstaller.zip"

[drobie22]

Well, the source code can be fine, but no way to prove that the binary executable was compiled only from that source.

Fair enough. Inno setup is pretty easy to set up on your machine if you want to build the script yourself.

7764 - "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\RSSRebornInstaller.zip"

• 7824 - C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\csqnnw0y.hwg" "C:\Users\user\Desktop\RSSRebornInstaller.zip"

7za is just the program that extracts an archive. That exe is on your local machine, and it's just opening the zip. You can whitelist the zip to allow it

[KerballOne]

The 7za process isn't concerning, it's the hardcoded archive password used. I know that the "infected" password is typically only used for malware sample archive transport. Why use it here?

[drobie22]

• 7824 - C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\csqnnw0y.hwg" "C:\Users\user\Desktop\RSSRebornInstaller.zip"

If you mean here, that's not part of the script. This is just the command to extract the compressed exe, which your machine decides which arguments to use. I don't believe I have the ability to specify -pinfected when my exe gets decompressed

[KerballOne]

Okay, looks like an artifact of the sandbox then.
Looking like a false positive, but I'm still interested to see why.

[drobie22]

Me too. Fox has talked about how one of his configs got flagged too. Some machine learning false positive from Microsoft.

I think I have to work on buying a certificate :/

[KerballOne]

Yeah, a valid cert will go a long way. A lot of this is behavioral, and often triggered by repeated api calls to github to get all the different configs. There might be a better way to do it, but I don't know.

[drobie22]

So I've made a great effort to reduce GitHub calls. GitHub has its own limits on calls, like 60 an hour.

I only call each repo once, and I don't think it counts running the download links.

[KerballOne]

This is the v1.0.2 exe file AV hits.

The latest, 1.1.0, has only one... so if you've made some changes maybe that is working.

[KerballOne]

Windows Defender only seemed to have a problem with the zip file. Maybe that extra level of encapsulation reached a threshold. For your next version, may I suggest running all release download files through VT, just to make sure.

[drobie22]

Appreciate the research. I'll see what I can do

[pleroy]

Version 1.1.1 is still flagged by 3 analyzers on virustotal.

[drobie22]

Version 1.1.1 is still flagged by 3 analyzers on virustotal.

Still trying to research this, not sure on an ETA.