Author Topic: Ransomware bypasses SecureAPlus  (Read 61416 times)

Offline Shreyas Murali

  • Newbie
  • *
  • Posts: 5
  • Kudos +0/-0
Ransomware bypasses SecureAPlus
« on: January 22, 2021, 11:18:28 AM »
https://www.virustotal.com/gui/file/0a4befe34506ff917bd100dca5d07f4b3a033f3db73facdcd52083ee598050a6/detection
https://www.virustotal.com/gui/file/ea11409054942608f0547aabd0840a4575d117dcafca4e27666cc9857667fbb0/detection

These 2 samples manage to get past SecureA in default mode. APEX engine says unsupported format and even if i click don't trust my files get encrypted.
« Last Edit: January 22, 2021, 11:21:44 AM by Shreyas Murali »

Offline Isky

  • SecureAPlus Helpdesk Engineer
  • Newbie
  • *
  • Posts: 7
  • Kudos +1/-0
  • ^_^
Re: Ransomware bypasses SecureAPlus
« Reply #1 on: January 25, 2021, 11:27:25 AM »
Hi Shreyas Murali,

Is it possible to send the test file to us? You may compress the files and send them via https://transfer.pcloud.com/ to secureaplus@secureage.com.
^_^

Offline Shreyas Murali

  • Newbie
  • *
  • Posts: 5
  • Kudos +0/-0
Re: Ransomware bypasses SecureAPlus
« Reply #2 on: January 26, 2021, 08:08:58 PM »
Hi Shreyas Murali,

Is it possible to send the test file to us? You may compress the files and send them via https://transfer.pcloud.com/ to secureaplus@secureage.com.

Thankyou for your swift response! I have submitted the 2 samples via the service you mentioned. File name should be "Downloads.7z" with password "infected". In any case i am attaching the same here too. At this moment more engines detect the samples but in any case i don't believe we should see a different response. Please let me know the findings !
« Last Edit: January 26, 2021, 08:41:07 PM by Shreyas Murali »

Offline hendy

  • SecureAPlus Developer
  • Sr. Member
  • *****
  • Posts: 351
  • Kudos +16/-0
Re: Ransomware bypasses SecureAPlus
« Reply #3 on: January 27, 2021, 12:34:09 PM »
Thank you very much for sending us the sample files.

Just would like to clarify with you.
Are these the same files as what you have posted in Wilders Security forum?


e6b870ff40dd7f8e26c9e71577d06f4a4d002654740fc414477499ebbcb8cb1a is a shortcut file (.lnk), and this file is not covered by APEX, but Application whitelisting is still able to block it.


ea11409054942608f0547aabd0840a4575d117dcafca4e27666cc9857667fbb0 is an exe file. This file is also get blocked by SecureAPlus.


From your picture in Wilders Security, the file that managed to run is hidden-tear.exe.
Is this a different file? Is it possible to send us the sample of this file?
« Last Edit: January 27, 2021, 01:53:00 PM by hendy »

Offline Shreyas Murali

  • Newbie
  • *
  • Posts: 5
  • Kudos +0/-0
Re: Ransomware bypasses SecureAPlus
« Reply #4 on: January 27, 2021, 08:08:10 PM »
Hi hendy,

Thankyou for the response. Its really strange that those samples are being blocked for you now. I am going to try it out again maybe its because i submitted it to UAV? In any case here is the hidden tear sample that i tested previously i would guess this is detected too !


Offline Shreyas Murali

  • Newbie
  • *
  • Posts: 5
  • Kudos +0/-0
Re: Ransomware bypasses SecureAPlus
« Reply #5 on: January 27, 2021, 08:52:08 PM »
Here are 2 fresh malware samples that i just tested against secureA on defaults (automatic mode) they manage to infect the system. First sample is hxxp://try-dent.net/6gdwwv.exe

Mailed "shared.7z" with password: infected
« Last Edit: January 27, 2021, 08:54:06 PM by Shreyas Murali »

Offline hendy

  • SecureAPlus Developer
  • Sr. Member
  • *****
  • Posts: 351
  • Kudos +16/-0
Re: Ransomware bypasses SecureAPlus
« Reply #6 on: January 29, 2021, 05:04:29 AM »
Thank you very much for sending us the sample file, and let us know the mode that you are using.
We will think of how to improve the default mode, which is automatic mode.

If you have any other sample files that you found can pass in interactive mode, we are also interested in this, so please send the sample files to us.
Again, we thank you very much for your corporation. We appreciate this very much.

Cheers.