eGambit Endpoint Security versus Crash Override

Introduction

This article focuses on the offensive tooling disclosed in June 2017 and linked to Industrial Control Systems (ICS) security. These tools have been tied to the 2016 cyberattack against critical infrastructure in Ukraine.

What to know about this malware?

  • Family name: CrashOverride / Industroyer
  • Type: modular cyber offensive platform targeting critical infrastructure sectors
  • According to the TEHTRIS security experts, the malware of this family forms an enhanced platform with advanced capabilities

We will explore some eGambit features that can be used against this kind of stealthy weapon, and how our cyber robots and our Artificial Intelligence engines can be stronger than the malware.

Automatic Fight against unknown threats

The full eGambit arsenal is designed to work automatically against unknown threats.

Here is a quick example of how a new threat (ransomware, APT, etc.) is handled:

1. An eGambit Endpoint Security agent detects an unknown program (never seen before, worldwide)

2. This program is sent to the nearest available connected appliance for further analysis

3. The eGambit Forensics portal and its API are used by multiple robots to fully analyze the potential weapon

  • Internal antivirus engines > may still report an unknown threat: signatures cannot cover samples nobody has seen yet
  • Lookups in worldwide databases (VirusTotal, etc.) > unknown threat until someone submits the sample
  • eGambit internal sandboxes > DETECTION + useful IOCs > every eGambit Endpoint Security agent knows about it within minutes
  • eGambit Artificial Intelligence > DETECTION > detection rate of 98.1% against Windows malware (official certification)

eGambit can automatically detect and fight new threats like CrashOverride.

  • Survival time of the malware, worldwide: under a couple of minutes

Network Behavior Analysis

(Figures: Network Behavior Analysis screenshots 1 and 2)

CrashOverride Malware against eGambit A.I.

Here are the results of the eGambit A.I. engine:

  • Latest version of the engine
  • Currently deployed worldwide for our customers only

All the files used in the “CrashOverride” attack were flagged as “MALWARE”:

  • Everything is done by the robots and the A.I. engine
  • No human action required
  • No signature updates

In conclusion, the detection rate for CrashOverride reaches 100% with eGambit A.I.

(Figure: CrashOverride malware against eGambit A.I., detection results)

IOC: malware samples analyzed

  • MD5  497de9d388d23bf8ae7230d80652af69
  • SHA1  b335163e6eb854df5e08e85026b2c3518891eda
  • SHA256  893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f
  • MD5  7a7ace486dbb046f588331a08e869d58
  • SHA1  b92149f046f00bb69de329b8457d32c24726ee00
  • SHA256  ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910
  • MD5  ab17f2b17c57b731cb930243589ab0cf
  • SHA1  5a5fafbc3fec8d36fd57b075ebf34119ba3bff04
  • SHA256  018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81
  • MD5  a193184e61e34e2bc36289deaafdec37
  • SHA1  94488f214b165512d2fc0438a581f5c9e3bd4d4c
  • SHA256  7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad
  • MD5  f9005f8e9d9b854491eb2fbbd06a16e0
  • SHA1  79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a
  • SHA256  21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561
  • MD5  ff69615e3a8d7ddcdc4b7bf94d6c7ffb
  • SHA1  2cb8230281b86fa944d3043ae906016c8b5984d9
  • SHA256  ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77
  • MD5  11a67ff9ad6006bd44f08bcc125fb61e
  • SHA1  8e39eca1e48240c01ee570631ae8f0c9a9637187
  • SHA256  3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571
  • MD5  fc4fe1b933183c4c613d34ffdb5fe758
  • SHA1  cccce62996d578b984984426a024d9b250237533
  • SHA256  6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47
  • MD5  f67b65b9346ee75a26f491b70bf6091b
  • SHA1  f6c21f8189ced6ae150f9ef2e82a3a57843b587d
  • SHA256  37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4
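The hash list above is only useful once it is matched against files on a host. The script below is an added example, not eGambit code and not part of the original article: it parses hashes in the exact format printed above (bullets included), validates that each digest has the length its algorithm requires (the first SHA1 in the list has 39 hex characters instead of 40 and is reported as malformed rather than silently used for matching), and compares the MD5, SHA1 and SHA256 of local files against the set. The sample files are constructed byte strings, not real malware, so they do not match; the last step plants one digest to show what a positive hit looks like.

```python
import hashlib
import re

# IOC list copied verbatim from the article above. The 39-character SHA1 of
# the first sample is kept exactly as printed so the validator can flag it.
IOC_TEXT = """
  • MD5  497de9d388d23bf8ae7230d80652af69
  • SHA1  b335163e6eb854df5e08e85026b2c3518891eda
  • SHA256  893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f
  • MD5  7a7ace486dbb046f588331a08e869d58
  • SHA1  b92149f046f00bb69de329b8457d32c24726ee00
  • SHA256  ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910
  • MD5  ab17f2b17c57b731cb930243589ab0cf
  • SHA1  5a5fafbc3fec8d36fd57b075ebf34119ba3bff04
  • SHA256  018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81
  • MD5  a193184e61e34e2bc36289deaafdec37
  • SHA1  94488f214b165512d2fc0438a581f5c9e3bd4d4c
  • SHA256  7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad
  • MD5  f9005f8e9d9b854491eb2fbbd06a16e0
  • SHA1  79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a
  • SHA256  21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561
  • MD5  ff69615e3a8d7ddcdc4b7bf94d6c7ffb
  • SHA1  2cb8230281b86fa944d3043ae906016c8b5984d9
  • SHA256  ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77
  • MD5  11a67ff9ad6006bd44f08bcc125fb61e
  • SHA1  8e39eca1e48240c01ee570631ae8f0c9a9637187
  • SHA256  3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571
  • MD5  fc4fe1b933183c4c613d34ffdb5fe758
  • SHA1  cccce62996d578b984984426a024d9b250237533
  • SHA256  6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47
  • MD5  f67b65b9346ee75a26f491b70bf6091b
  • SHA1  f6c21f8189ced6ae150f9ef2e82a3a57843b587d
  • SHA256  37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4
"""

# Hex length every digest must have; anything else is a copy error, not an IOC.
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
IOC_LINE = re.compile(r"^\s*(?:•\s*)?(MD5|SHA1|SHA256)\s+([0-9a-fA-F]+)\s*$")


def parse_iocs(text):
    """Return (valid, malformed): a set of (algo, hexdigest) pairs usable for
    matching, and a list of entries whose length is wrong for their algorithm."""
    valid, malformed = set(), []
    for line in text.splitlines():
        m = IOC_LINE.match(line)
        if not m:
            continue  # blank line or unrelated text
        algo, digest = m.group(1).lower(), m.group(2).lower()
        if len(digest) == HASH_LEN[algo]:
            valid.add((algo, digest))
        else:
            malformed.append((algo, digest))
    return valid, malformed


def digests(data):
    """Compute the MD5, SHA1 and SHA256 hex digests of a byte string."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_LEN}


def scan(files, iocs):
    """files: {name: bytes}. Return {name: [(algo, digest), ...]} for every
    file whose MD5, SHA1 or SHA256 appears in the IOC set."""
    hits = {}
    for name, data in files.items():
        matched = [(a, d) for a, d in digests(data).items() if (a, d) in iocs]
        if matched:
            hits[name] = sorted(matched)
    return hits


if __name__ == "__main__":
    iocs, bad = parse_iocs(IOC_TEXT)
    print(f"{len(iocs)} usable IOC hashes, {len(bad)} malformed: {bad}")
    # Constructed sample files, not real malware: none of them match the
    # published hashes, which is what a clean host should report.
    sample = {"sample_a.bin": b"constructed sample A", "sample_b.bin": b"constructed sample B"}
    print("hits on clean samples:", scan(sample, iocs))
    # Plant the digest of one constructed file to show a positive match.
    planted = iocs | {("sha256", digests(sample["sample_a.bin"])["sha256"])}
    print("hits after planting one hash:", scan(sample, planted))
```

Hash IOCs only catch byte-identical copies of the samples listed here: a repacked or recompiled build of the same malware yields different digests and will not match, which is why the article relies on sandbox behaviour and the A.I. engine rather than on hash lookups alone. When copying IOC lists from a web page, always run a length check like the one above before loading them into a blocklist; a truncated digest can never match and gives a false sense of coverage.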