
Cyber Scarecrow

(www.cyberscarecrow.com)
606 points | toby_tw | 1 comment
marcodiego (No.40716553)
I call BS. "How it works" says: "When hackers install malicious software on a compromised victim, they first check to make sure its safe for them to run."; Download asks for e-mail and name; it does not seem multiplatform, and I would never install anything like that on my computer in a dream unless it were open source.
1. poincaredisk (No.40716631)
I'm a malware researcher and reverse engineer for a living. This is absolutely true, but oversimplified. Focus on

>They don't want to get caught and avoid computers that have security analysis or anti-malware tools on them.

Malware doesn't want to run in a sandbox environment (or in general when observed), because doing malicious things in the AV sandbox is a straight way to get blocked, and leaks C2 servers and other IoCs immediately. That's why most malware families[1] at least try to check if the machine they're running on is a sandbox/researcher PC/virtual machine.

I assume this is what this tool does. We joke at work that the easiest thing to do to make your Windows immune to malware is to create a fake service and call it VBoxSVC.

[1] except, usually, ransomware, because ransomware is very straightforward and doesn't care about stealth anyway.
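The "fake service called VBoxSVC" idea from the comment above, as an added example that is not from the thread and not Cyber Scarecrow's own code: a PowerShell script that registers a disabled decoy service so that a plain service enumeration looks like a VirtualBox guest. The service name VBoxSVC comes from the comment; the display name, description and the use of svchost.exe as a never-started placeholder binary are assumptions made for this example.

```powershell
# Added example (not from the HN thread or from Cyber Scarecrow): register a
# decoy Windows service named VBoxSVC so that a service listing suggests a
# VirtualBox guest. Run from an elevated PowerShell prompt on a machine that
# does NOT actually run VirtualBox (a real install uses the same name).
# The binary path points at a built-in executable purely as a placeholder;
# the service is created Disabled and is never started, so nothing runs.
$DecoyName = 'VBoxSVC'

function Install-DecoyService {
    if (Get-Service -Name $DecoyName -ErrorAction SilentlyContinue) {
        Write-Host "Decoy service '$DecoyName' already exists."
        return
    }
    New-Service -Name $DecoyName `
                -DisplayName 'VirtualBox Guest Service' `
                -BinaryPathName "$env:SystemRoot\System32\svchost.exe" `
                -StartupType Disabled `
                -Description 'Decoy entry created by the local admin; safe to remove.' | Out-Null
    Write-Host "Registered decoy service '$DecoyName' (disabled, never started)."
}

function Test-DecoyService {
    # True when the decoy is visible to anyone enumerating services.
    $svc = Get-Service -Name $DecoyName -ErrorAction SilentlyContinue
    return ($null -ne $svc)
}

function Remove-DecoyService {
    # sc.exe delete works on every supported Windows version;
    # Remove-Service only exists in PowerShell 6 and later.
    & sc.exe delete $DecoyName | Out-Null
    Write-Host "Removed decoy service '$DecoyName'."
}

Install-DecoyService
if (Test-DecoyService) { Write-Host 'Service list now contains VBoxSVC.' }
```

Two caveats worth keeping in mind before treating this as a control: it only influences malware whose sandbox check happens to enumerate service names, so it is a cheap nuisance for some families rather than a substitute for EDR or patching, and the decoy name will collide with a genuine VirtualBox Guest Additions install, so keep `Remove-DecoyService` handy and document the decoy in the machine's admin notes so it is not mistaken for a real VM artifact during an investigation.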