MDS

MDS’ Evasion Feature of Anti-sandboxes That Uses Pop-up Windows

Posted By ,

AhnLab Security Emergency response Center (ASEC) is monitoring various anti-sandbox tactics to evade sandboxes. This post will cover the rather persistent anti-sandbox technique that exploits the button form of the malicious IcedID Word files and the evasion feature of AhnLab’s MDS which is meant for detecting malicious behavior. An anti-sandbox technique that exploits the button form is contained within the malicious IcedID Word file (convert.dot); however, a 2-step process is required to be done by a user before the malicious…

DarkSide Ransomware With Self-Propagating Feature in AD Environments

Posted By ,

In order to evade analysis and sandbox detection, DarkSide ransomware only operates when the loader and data file are both present. The loader with the name “msupdate64.exe” reads the “config.ini” data file within the same path that contains the encoded ransomware and runs the ransomware on the memory area of a normal process. The ransomware is structured to only operate when a specific argument matches. It will then register itself to the task scheduler and run itself periodically. The following…