
Malware not detected - Trojan.Multi.GenAutorunWMI.a

Hello,

I'm not sure if this is a Sophos issue that cannot identify it, or if it is just a configuration issue.

I have been trying to find out how I can configure Sophos Central, for both workstations and servers, to identify and cure a malware named Trojan.Multi.GenAutorunWMI.a.

Most of the workstations and ALL servers were infected this week and I'm having to run another antimalware such as Kaspersky to remove it. Sophos seems never to identify it, but Kaspersky does. My concern about removing it with Kaspersky is that the devices can be infected again, since the Sophos endpoint is not aware of it and not blocking it.

The main symptom is high CPU consumption. A PowerShell process keeps running a script that consumes 100% CPU. Another symptom, which we are still not sure is related, is that some workstations and servers (both physical and virtualized servers) suddenly restart for no reason.

If anyone is experiencing this issue and could share any remediation, I'll be thankful.

Thanks!




  • Any news on this? This is urgent since almost all machines are infected.

    We need to know if Sophos will be able to handle or if we need to move to another provider urgently!!!

    Thanks

  • Hi,

    I have just followed up with your case. The case owner is away today so it has been reassigned and the new case owner has already forwarded your case for review to our labs team for analysis.

    We appreciate your patience as we investigate this further.

    Thanks,
    Karlos

    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.
  • They requested some info I sent yesterday, but I didn't hear from them so far.

    They suggested trying to remove some things manually, but I need Sophos to cure all the machines and prevent them from being infected again with the malware. There's no reason to keep Sophos if it does not remove and prevent it. I need a transparent response on whether this is going to happen or not. I need to confirm if I can count on Sophos or move to another provider.

    Thanks!

  • Keep us posted on this case. Curious to know on the Malware and Sophos response

  • Hello skyisbluescreen,

    Unfortunately the issue has not been solved yet. They have been requesting some information and I'm providing everything I can. They have been replying and seem to be working on it, which seems to be something good, but they are still not able to find out the issue, and it seems they are not aware of the fileless malware type of infection, and this is surely something to worry about.

    The Sophos endpoint is still unable to detect the malware and we are having to remove it manually one by one. The issues with doing this are:

    1- that's a huge effort, to locate and remove the malware on each machine. I was able to detect which IPs the scripts are trying to connect to, so I was able to block them on the firewall and track them in logs, so I can detect which machines are infected. I'm currently using Kaspersky Virus Removal Tool (free software), since it can detect and remove it.

    2- not sure yet, but I'm afraid the machines can get infected again after being cured, since Sophos is not detecting it.

  • Any update on this??

    Today I had a user come to me and say the PC is running weird. PDF previews not showing...running slow.....etc.

    So..one thing I always do is run Free Malwarebytes. Lo and behold, Malwarebytes found 42 god damn entries about PUP.Optional.Mindspark.Generic, and a few about PUP.Optional.ASK.

    WHY...OH WHY....does SOPHOS NOT find and clean this. WTF are we paying for?? This makes me sick to my stomach.

    What a HUGE waste of Time and Money. HUGE DISAPPOINTMENT. Thousands of dollars spent for NOTHING, there is NO protection here....only frustrations.

     

    I downloaded Comodo ITSM.....found ALL that SOPHOS COULD NOT. PC clean and happy.

     

    Final answer. SOPHOS IS JUNK.


  • We had to solve the issue on our own. We had to use other tools such as Kaspersky and Malwarebytes, since they were able to easily cure the machines. Sophos was not able to block it, and not even to identify the issue when scanning.

    The final answer of Sophos Support team was: "As this issue is out of scope at this point in time, I will be archiving this case".

    System memory or fileless malware types are not new, but anyway Sophos thinks it is "out of scope". So we just quit trying to help them to improve their own product and solved the issue by ourselves.

  • Aha......well isn't that sad to hear. But I expected that 100% from these liars/scammers.

    So really the ONLY answer here is.....SOPHOS will NOT Protect you, DON'T expect it to.....it's only meant to look like it does.....

    You will get emails daily about services missing or not running....PC will be unprotected for days because they haven't been rebooted to complete the installation...over and over and over again. On and on the nightmare goes.

     

    The amount of MANUAL intervention that's required, the number and frequency of reboots....the inability to protect us from the very threats we bought this product for is unbelievable.

    This product deserves "TWO THUMBS DOWN" and a Class Action filed against them.

     

  • Ya even their support system is also crap!

  • Hello DKAO,

    I look after the Malware Escalations team in Sophos Support, and I was just made aware of your ongoing issue. Firstly I want to clarify that we do know what this infection is and we can help you with it. I would have preferred your original Support case to have been escalated to my team instead of being closed; I will look into why this didn't happen.

    The type of attack you have seen is often called "WannaMine"; this is a reference to the crypto-mining payload and to the vulnerability in Microsoft SMB which is abused by the EternalBlue exploit, made famous by the WannaCry ransomware attacks.

    The use of EternalBlue in these attacks allows the infection of multiple machines on the network; this is the worm component of the attack, and it can be blocked by patching the affected machines. Also, the new Active Adversary Mitigations in Intercept X, specifically "Prevent APC violation", block EternalBlue (plus other things).

    Stopping the initial infection is best here, as it gets more complicated after that. The infection will attempt to add entries into the Microsoft WMI database on the target machine. It uses this to achieve persistence (survive a reboot). Once it can add an entry to WMI, it will often add JavaScript or PowerShell commands that will be executed by WMI (WmiPrvSE.exe). If the AV product knows what to look for, it can block these entries from being added to the WMI database in the first place, as well as catching anything that is attempted to be executed because of an entry in WMI. However, automatically removing items from the database once they are in is difficult for AV companies (not just Sophos).

    There are two main factors why your issue wasn't resolved when you raised your initial case back in December. Firstly, this method of attack was very new at that point; AV companies were only beginning to see this trick used widely, and understanding how it worked and the best ways to stop it was still being developed. Our protection against this technique is much more resistant now, although we still stress that regular patching of machines is the first step in improving protection.

    For reference, the WMI part of this attack is the clever bit; once they have done that, the next step of installing a crypto miner on the machine, often to mine the currency Monero, is actually fairly standard and could be detected by a number of different layers of security, most commonly a PUA detection on the miner itself.

    Could you let us know what the current state of these machines is and if you are still experiencing any issues with this infection?

     

    We also published this article on the attack: nakedsecurity.sophos.com/.../
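
An added example, not from this thread or from Sophos: the WMI persistence described above works through permanent event subscriptions (an __EventFilter bound to a CommandLineEventConsumer or ActiveScriptEventConsumer). This script audits those subscriptions on the local machine and flags any whose payload launches PowerShell or a script engine; the indicator list is an assumption and should be tuned for your estate.

```powershell
# Added example (not from the thread): audit WMI permanent event subscriptions in
# root\subscription and flag filter/consumer pairs that run scripts. Report only.
$ns = 'root\subscription'
# Strings commonly seen in script-based WMI persistence; assumed list, tune for your estate.
$Indicators = 'powershell|-enc|-e |frombase64string|downloadstring|iex|invoke-expression|jscript|vbscript|wscript|cscript'

function Get-WmiSubscriptionReport {
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) +
                 @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

    foreach ($b in $bindings) {
        # Reference properties may surface as CIM objects or as '__EventFilter.Name="x"' strings.
        $fName = if ($b.Filter -is [string])   { ($b.Filter -split '"')[1] }   else { $b.Filter.Name }
        $cName = if ($b.Consumer -is [string]) { ($b.Consumer -split '"')[1] } else { $b.Consumer.Name }
        $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1
        # CommandLineEventConsumer runs a command line; ActiveScriptEventConsumer runs JScript/VBScript text.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        $type    = $c.CimClass.CimClassName
        # Any ActiveScriptEventConsumer is rare enough in normal estates to warrant review.
        $hit = ($payload -match $Indicators) -or ($type -eq 'ActiveScriptEventConsumer')
        [pscustomobject]@{
            Filter       = $fName
            Query        = $f.Query          # the WMI event that triggers the consumer
            Consumer     = $cName
            ConsumerType = $type
            Payload      = $payload
            Suspicious   = $hit
        }
    }
}

Get-WmiSubscriptionReport | Format-List
# To remove a confirmed malicious subscription, delete the binding first, then its filter
# and consumer (replace <name> with the flagged names from the report):
#   Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
#     Where-Object { $_.Consumer.Name -eq '<name>' } | Remove-CimInstance
#   Get-CimInstance -Namespace $ns -ClassName __EventFilter |
#     Where-Object Name -eq '<name>' | Remove-CimInstance
#   Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer |
#     Where-Object Name -eq '<name>' | Remove-CimInstance
```

Run it elevated; a machine that has not been cleaned will show the subscription's filter query alongside the command or script it launches, which is also what a sensor needs to see to block the entry being written in the first place.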