I have recently come across a non-intriguing intriguing sample belonging to a family of applications commonly known as PUA/PUP (Potentially Unwanted Application/Program). The ‘intriguing’ part is that it is the first one I have ever come across that actively tries to detect an EDR solution installed on the system, in this particular case CarbonBlack.
The sample md5 is 1233411098A5EE69EB925C559B815510.
What caught my attention was the string ‘IsRunningCarbon’ that I came across when I was eyeballing some of the logs generated by my batch analysis script.
It was placed among many other interesting strings, e.g.:
- IsTestingBox
- IsVirtualMachine
- HasVirtualDrive
- IsRunningOnVMWare
- IsRunningOnHyperV
- IsRunningOnVBox
- IsRunningOnXEN
- IsRunningVPN
- IsRunningIPSECLP2
- IsRunningOpenVPN
- IsRunningPPTP
- IsRunningTools
- IsRunningFiddler
- IsRunningFiddlerCert
- IsRunningDeepFreeze
- IsRunningPacketCapture
- IsRunningAVs
- IsRunningESET
- IsRunningVipre
- IsRunningCarbon
- IsFlashInstalled
so it looked like a part of a generic ‘sandbox/monitor/security product detection’ pack of routines.
When loaded into ILSpy, the code of the function referenced by that name turned out to be a simple ‘directory present’ check (whether the ‘CarbonBlack’ directory exists in a predetermined location), but the message that the existence of this routine in the code sends to EDR vendors is that they are starting to be recognized.
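The way this sample surfaced (a routine name showing up in string logs from a batch triage script) is easy to reproduce on the defender side. The following is an added example, not the author's batch analysis script and not code from the sample: it scans a binary for the routine names listed above, in both the ASCII form used by the .NET metadata #Strings heap and the UTF-16LE form used for string literals, groups the hits by what they probe for, and derives a short triage verdict. The category groupings and the verdict labels are the editor's assumptions based on the names alone; the sample bytes at the bottom are constructed for the demonstration.

```python
from collections import defaultdict
from typing import Dict, List

# Routine names observed in the sample, grouped by what they appear to probe for.
# The grouping is an assumption made for triage; it is not taken from the sample.
INDICATORS: Dict[str, List[str]] = {
    "sandbox/vm": [
        "IsTestingBox", "IsVirtualMachine", "HasVirtualDrive",
        "IsRunningOnVMWare", "IsRunningOnHyperV", "IsRunningOnVBox", "IsRunningOnXEN",
    ],
    "vpn": ["IsRunningVPN", "IsRunningIPSECLP2", "IsRunningOpenVPN", "IsRunningPPTP"],
    "analysis-tools": [
        "IsRunningTools", "IsRunningFiddler", "IsRunningFiddlerCert",
        "IsRunningDeepFreeze", "IsRunningPacketCapture",
    ],
    "av/edr": ["IsRunningAVs", "IsRunningESET", "IsRunningVipre", "IsRunningCarbon"],
}


def scan_indicators(data: bytes) -> Dict[str, List[str]]:
    """Return {category: [names found]} for every indicator present in `data`.

    .NET method names live in the #Strings heap as ASCII/UTF-8; string literals
    live in the #US heap as UTF-16LE, so both encodings are searched.
    """
    hits: Dict[str, List[str]] = defaultdict(list)
    for category, names in INDICATORS.items():
        for name in names:
            if name.encode("ascii") in data or name.encode("utf-16-le") in data:
                hits[category].append(name)
    return dict(hits)


def triage_verdict(hits: Dict[str, List[str]]) -> str:
    """Summarise the hits into a short label an analyst can filter on."""
    if "av/edr" in hits:
        return "edr-aware"          # explicitly probes for security products
    if "sandbox/vm" in hits or "analysis-tools" in hits:
        return "environment-aware"  # classic sandbox/analyst-tool detection only
    if hits:
        return "low-signal"
    return "none"


def scan_file(path: str) -> Dict[str, List[str]]:
    """Convenience wrapper for running the scan over a file on disk."""
    with open(path, "rb") as fh:
        return scan_indicators(fh.read())


# Constructed stand-in for a PE/.NET image: a handful of names in the two encodings
# the scanner looks for, padded with unrelated bytes. Not the real sample.
SAMPLE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"#Strings\x00IsRunningCarbon\x00IsVirtualMachine\x00IsRunningFiddler\x00"
    + "IsRunningOnVBox".encode("utf-16-le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    found = scan_indicators(SAMPLE_BYTES)
    for category, names in sorted(found.items()):
        print(f"{category:15} {', '.join(names)}")
    print("verdict:", triage_verdict(found))
```

Run against a directory of samples, the verdict field makes it trivial to pull out the files that mention a security product by name, which is exactly the signal that made this sample stand out from the rest of the PUA crowd.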
Perhaps it’s not a big deal, but certainly notable. Maybe it is time to introduce randomization in the way EDR-specific directories are named? Or hide them completely (rootkit)?
Of course, detecting EDR was always possible, but now that it is being actively done I bet it’s just a matter of time before we see the first evasions…