Anti-virus software scans a device, and EDR solutions continuously monitor it, for suspect or malicious files with the intent of quarantining or deleting them. This exploit deceives the vulnerable solutions into deleting non-malicious files by redirecting the deletion through customized paths using what is known as a junction point.
A junction point is a type of reparse point: a link to a directory that serves as an alias for that directory. During the brief window between an EDR or anti-virus product detecting a malicious file and attempting to delete it, the threat actor can use a junction point to redirect the deletion to a path (directory) of their choice.
To wipe a directory completely, the threat actor can use software such as the Aikido wiper to trigger a privileged delete: the actor plants a malicious file in a decoy directory without granting any permissions on it, so the EDR or anti-virus postpones the deletion until the next restart. The actor then deletes the decoy directory containing the planted file, uses a junction point at that location to point at the directory they wish to delete, and restarts the system so that the deferred deletion wipes out the target directory.
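The core defect the junction trick exploits is that the product records a path string at detection time and trusts it again at deletion time, letting the filesystem follow whatever link sits there by then. The Python below is an added example, not code from the article or from any of the products it discusses; it replays the race in a scratch directory using a symlink as the POSIX analogue of a Windows junction, and contrasts a naive deferred delete with one that opens every directory component with O_NOFOLLOW so a substituted link is refused instead of followed (on Windows the corresponding guard is opening each component with FILE_FLAG_OPEN_REPARSE_POINT). All file and directory names are constructed for the demonstration.

```python
import os
import shutil
import tempfile


def naive_delete(path):
    """Delete the way a vulnerable scanner does: trust the recorded path string
    and let the OS resolve any link that is now part of it."""
    os.remove(path)


def safe_delete(root, relpath):
    """Delete root/relpath without following a link in any directory component.

    Each component is opened with O_NOFOLLOW relative to the previous one, so a
    symlink (standing in for a junction) swapped in after the scan raises OSError
    rather than redirecting the delete into a directory of the attacker's choice.
    """
    parts = [p for p in relpath.split("/") if p]
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        for comp in parts[:-1]:
            nfd = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nfd
        os.unlink(parts[-1], dir_fd=fd)
    finally:
        os.close(fd)


def simulate_junction_abuse(use_safe):
    """Replay the attack in a temporary directory (all names constructed).
    Returns True if the victim's file survived, False if it was wiped."""
    base = tempfile.mkdtemp()
    try:
        victim = os.path.join(base, "victim")
        os.mkdir(victim)
        victim_file = os.path.join(victim, "important.dat")
        with open(victim_file, "w") as f:
            f.write("data the defender cares about")

        # 1. The attacker plants a bait file in a decoy directory; the scanner
        #    records the path and defers the delete (until reboot, in the real case).
        decoy = os.path.join(base, "decoy")
        os.mkdir(decoy)
        pending = "decoy/important.dat"
        with open(os.path.join(base, pending), "w") as f:
            f.write("constructed bait content")

        # 2. Before the deferred delete runs, the decoy directory is replaced by a
        #    link to the victim directory, so the recorded path now resolves there.
        shutil.rmtree(decoy)
        os.symlink(victim, decoy)

        # 3. The deferred deletion fires against the recorded path.
        try:
            if use_safe:
                safe_delete(base, pending)
            else:
                naive_delete(os.path.join(base, pending))
        except OSError:
            pass  # the hardened path refused the link; nothing was deleted
        return os.path.exists(victim_file)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print("naive delete, victim file survived:", simulate_junction_abuse(use_safe=False))
    print("safe delete,  victim file survived:", simulate_junction_abuse(use_safe=True))
```

The hardened variant also illustrates why a fix has to be applied at the point of deletion rather than at detection: re-checking the path before deferring is not enough, because the swap happens after that check.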
The affected solutions are:
Windows 7 was released in 2009 and reached its end date in January 2015. That end date was extended to January 2020, and for customers that needed particularly important applications past that date, the ESU programme was introduced, which provides them with critical security updates for a maximum of three years after the extended end date.
Windows 8.1, by contrast, was released in November 2013 and reached its end date in January 2018. Its extended end date will elapse on January 10, 2023.
Wiperware is a Trojan similar to ransomware, so its mode of delivery is typically via established social engineering or phishing techniques. Once a system is infected there may even be a ransom note in a README.txt file; the aim is to fool the victim into thinking it is ransomware and paying the ransom. Nevertheless, any file affected by wiperware can never be recovered.
In other instances the aim is to bring down critical infrastructure, so there is no pretence of being ransomware. Once persistence is achieved, the malware infects critical files one by one in order to stop particular infrastructure from functioning as intended.
These are delivered via phishing emails disguised as DHL shipping mails, invoices, ACH remittance forms, and so on. The email carries a OneNote attachment, a "notebook" with a malicious attachment embedded inside it. Threat actors place a "Double Click To View" banner over the embedded attachment so that the victim opens it. When the user clicks, the system warns about the dangers of opening attachments that could harm the system or its data. Users usually ignore these warnings, and if they click 'OK', a RAT is downloaded from a C2 server and installed. The Quasar RAT, AsyncRAT, and XWorm RAT are among the RATs being downloaded.
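The lure works because a OneNote notebook can carry an arbitrary embedded file and the banner image merely covers it, so a mail gateway or triage script can flag a .one attachment whose embedded files are executables or scripts before any user sees a "Double Click To View" banner. The scanner below is an added example, not code from the article or from any product it names. It searches for the header GUID of the FileDataStoreObject record that the OneNote .one format uses for embedded files and reads the 8-byte length and 12 reserved bytes that follow it, as laid out in Microsoft's MS-ONESTORE documentation, then classifies each payload by its leading bytes. The sample notebook bytes are constructed inline and are not a real attachment; the magic-byte and keyword lists are illustrative choices.

```python
import struct

# Little-endian bytes of the FileDataStoreObject header GUID
# {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} from the OneNote .one format.
FILE_DATA_STORE_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
# After the GUID: cbLength (uint64), 4 unused bytes, 8 reserved bytes, then FileData.
RECORD_HEADER_TAIL = 8 + 4 + 8

# Illustrative magic-byte table and script markers (an assumption of this example).
MAGIC_TYPES = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF", "pdf"),
    (b"\x89PNG", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]
RISKY_TEXT_MARKERS = (b"<script", b"<hta:", b"powershell", b"cmd /c", b"wscript", b"@echo off")
RISKY_TYPES = {"pe-executable", "elf-executable", "script"}


def classify(payload):
    """Guess the kind of embedded file from its first bytes."""
    for magic, name in MAGIC_TYPES:
        if payload.startswith(magic):
            return name
    if any(marker in payload[:512].lower() for marker in RISKY_TEXT_MARKERS):
        return "script"
    return "unknown"


def find_embedded_files(data):
    """Return [(payload_offset, payload_length, type)] for every embedded-file
    record found in the raw .one bytes."""
    found = []
    pos = data.find(FILE_DATA_STORE_HEADER)
    while pos != -1:
        hdr_end = pos + len(FILE_DATA_STORE_HEADER)
        if hdr_end + RECORD_HEADER_TAIL > len(data):
            break  # truncated record: nothing more to parse
        (length,) = struct.unpack_from("<Q", data, hdr_end)
        start = hdr_end + RECORD_HEADER_TAIL
        payload = data[start:start + length]
        found.append((start, length, classify(payload)))
        # Resume just past this header so a bogus length cannot skip records.
        pos = data.find(FILE_DATA_STORE_HEADER, hdr_end)
    return found


def assess(data):
    """Summarise an attachment: how many embedded files, and which are risky."""
    embedded = find_embedded_files(data)
    risky = [e for e in embedded if e[2] in RISKY_TYPES]
    return {"embedded": len(embedded), "risky": risky, "block": bool(risky)}


def _record(payload):
    """Build one FileDataStoreObject record around a payload (for the sample only)."""
    return FILE_DATA_STORE_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload


# Constructed stand-in for a lure notebook: a PNG banner followed by a PE stub.
SAMPLE_NOTEBOOK = (
    b"\0" * 64                                        # filler in place of file header
    + _record(b"\x89PNG\r\n\x1a\n" + b"\0" * 16)      # the "Double Click To View" image
    + b"\0" * 8
    + _record(b"MZ" + b"\x90" * 30)                   # constructed Windows PE stub
)


if __name__ == "__main__":
    print(assess(SAMPLE_NOTEBOOK))
```

Because the payload type is read from the bytes and not from any filename, renaming the embedded dropper does not change the verdict; a production gateway would extend the table and add size and entropy checks, but the record walk stays the same.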
While some of the malicious apps have been removed, others are still active on the store. Below are the affected apps:
After installation, when the app is opened it contacts a remote server, which replies with instructions on what to do. These instructions typically include phishing pages that are displayed to unsuspecting users in an attempt to collect their sensitive information.
Malvertising can appear in any advertisement on any website, including those you visit regularly. It typically installs a small piece of code that connects your computer to criminal command-and-control (C&C) servers. The server profiles your computer's location and installed software before deciding which malware to send you. In this campaign, malvertising is the most common method of distribution: malicious advertisements are inserted into popular search engines so that unsuspecting users see them when they conduct searches. Clicking such a link infects the device with the MalVirt loader, which uses the KoiVM virtualizing protector to avoid detection and analysis by anti-malware software. The loader then installs the FormBook malware together with a signed Microsoft Process Explorer driver, allowing it to perform actions with elevated privileges. FormBook can also hide its C2 (command-and-control) traffic among bogus HTTP requests to various dummy domains.