Sophos Labs

Discussions Protect against malware Adrozek?

Thread Info

State Verified Answer
Locked Locked
Replies 3 replies
Answers 1 answer
Subscribers 8 subscribers
Views 2903 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Protect against malware Adrozek?

David Grandolfo over 1 year ago

Good afternoon,

I would like to confirm if the machine-learning feature of Sophos can protect us againts the new major browser malware Adrozek.

Further information about can be find here:

https://arstechnica.com/information-technology/2020/12/ongoing-malware-attacks-are-hitting-users-of-4-major-browsers/

Detailed one : https://www.microsoft.com/security/blog/2020/12/10/widespread-malware-campaign-seeks-to-silently-inject-ads-into-search-results-affects-multiple-browsers

My understanding is that a standard signature protection can't beat the countermesure Adrozek are taking.

Also I'm not sure blocking Audiolava.exe, QuickAudio.exe, and converter.exe can a real protection here.

That said, in this one I need your help to tell me if Sophos already have something against it or if I need to look at something else to block it.

Regards,

This thread was automatically locked due to age.

Top Replies

RichardP over 1 year ago in reply to David Grandolfo +1 verified

Hi David,

As Glenn stated - we are using both forms to detect the malicious element. So, for some scenarios the static detection will prevent the action and in others (based on how the malware is executing…

Parents

0 David Grandolfo over 1 year ago
Hi GlenSen,

Thanks for taking the time to reply to me, Malware Adrozek is a polymorphic malware that relates to more than 160 different domains and more than 17'000 uniques URLs. Tracking this malware by IP or Hashes, will not be doable (I think, I'm not an malware expert).

Please tell me if I'm wrong, but I think a good way to track it is with the new ML (Machine learning) feature that Sophos is offering. By looking at the way the malware acts and preventing these type of actions:

browser extensions installed by the malware

Browser DLL edited

Add REG keys to prevent browsers to be updated

Multiple other REG keys edited

Best regards,
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 David Grandolfo over 1 year ago
Hi GlenSen,

Thanks for taking the time to reply to me, Malware Adrozek is a polymorphic malware that relates to more than 160 different domains and more than 17'000 uniques URLs. Tracking this malware by IP or Hashes, will not be doable (I think, I'm not an malware expert).

Please tell me if I'm wrong, but I think a good way to track it is with the new ML (Machine learning) feature that Sophos is offering. By looking at the way the malware acts and preventing these type of actions:

browser extensions installed by the malware

Browser DLL edited

Add REG keys to prevent browsers to be updated

Multiple other REG keys edited

Best regards,
Cancel
Vote Up 0 Vote Down

Cancel

Children

+1 RichardP over 1 year ago in reply to David Grandolfo

Hi David,

As Glenn stated - we are using both forms to detect the malicious element. So, for some scenarios the static detection will prevent the action and in others (based on how the malware is executing) the ML portion of the product will catch it.

In general, we use a Defense in Depth approach to our product to provide optimal protection.

RichardP

Program Manager, Support Readiness | CISSP | Sophos Technical Support
Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up +1 Vote Down

Cancel