AV Evasion: Bonus Round - Sophos Intercept X


This is a bonus round I've been putting off for far too long.


If you read Part 1 of my series on AV evasion (LINK) you will know that I managed to appropriate a full-blown copy of Sophos including Intercept X.


This Intercept X piece is the Sophos flagship product for protecting against unwanted file encryption. To me and you though, that’s just another way of saying ‘ransomware’.


I had planned on scripting something up in Python when I had the lightbulb moment that maybe I should use the regular old Windows Cipher program. After all, running a native Windows process would be a hell of a lot less suspicious than a random .py script that mysteriously showed up in a shared drive.


I fire up my Sophos machine and create a new partition.


ValuableData (E:)


And inside this drive I drop 100 files. They are all of various sizes and formats: everything from .txt, .pdf, .doc, .avi, .msi, .bat, .exe, .html, .chm, .jpg and .mp3.



I check on my Sophos and run a quick update on it.




Before I ran the update the Core was running 2.0.4, and now it's upgraded to 2.0.5.


The thought crossed my mind that my previous EternalBlue exploit might now be useless.

But alas, it still remains unpatched. I was able to connect right away. I wonder how long I can keep getting away with this? I know that some day soon I will test this again and it won’t work.

The good news for now though is that I can get straight into tackling Intercept X, and not have to spend days/weeks just trying to break in to the machine.

So here’s a screencap of Sophos with the unencrypted documents.



From Kali I browse to the E drive and check the files. All looks good.



I run the cipher command.



And it worked. It actually worked perfectly. It’s so rare that something like this works on the first attempt. I was expecting to spend days/weeks on making this work.

Notice below that encryption is finished.




When I go back and check on the Sophos machine you can see that the files have now turned green. In the last screencap they had black text.




And if I try to open any of those documents I’m getting hit with an access denied.





This is obviously not full-blown ransomware by any stretch of the imagination. It's more of a proof of concept.

But let's be realistic too: I have just remotely exploited that machine to get system-level access and then gone on to encrypt the user's entire drive full of documents.

I think that's a plus one for me. Your turn, Sophos 🙂
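From the defender's side, as an added example that is not part of the original post: a run like the one above still leaves an ordinary process-creation event for cipher.exe, so behaviour-based ransomware protection is not the only place to catch it. The Python below (field names, sample events and the scoring are my own constructions, not Sophos or Sysmon output) parses Sysmon-style JSON process events and grades cipher.exe runs by whether they encrypt, recurse over a whole tree, or execute as SYSTEM.

```python
"""Flag bulk EFS encryption driven through cipher.exe in process-creation
telemetry. Added example, not code from the original post."""
import json
from typing import Iterable, Optional

# Constructed sample events in a simplified Sysmon Event ID 1 shape (JSON lines).
SAMPLE_EVENTS = r"""
{"ts":"10:01:03","user":"LAB\\alice","parent":"explorer.exe","image":"C:\\Windows\\System32\\cipher.exe","cmdline":"cipher /C C:\\Users\\alice\\report.docx"}
{"ts":"10:02:41","user":"LAB\\dave","parent":"cmd.exe","image":"C:\\Windows\\System32\\cipher.exe","cmdline":"cipher /E C:\\Users\\dave\\notes.txt"}
{"ts":"10:05:17","user":"LAB\\eve","parent":"cmd.exe","image":"C:\\Windows\\System32\\cipher.exe","cmdline":"cipher /E /S:C:\\Users\\eve\\Documents"}
{"ts":"10:09:52","user":"NT AUTHORITY\\SYSTEM","parent":"cmd.exe","image":"C:\\Windows\\System32\\cipher.exe","cmdline":"cipher /E /S:E:\\ValuableData"}
{"ts":"10:12:30","user":"LAB\\carol","parent":"explorer.exe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe notes.txt"}
"""

def parse_cipher_switches(cmdline: str) -> dict:
    """Map each /switch to its argument (None when absent), e.g. 'cipher /E /S:E:\\Data'
    -> {'E': None, 'S': 'E:\\Data'}. Whitespace-split: quoted paths with spaces not handled."""
    switches = {}
    for tok in cmdline.split()[1:]:
        if tok.startswith("/"):
            name, _, arg = tok[1:].partition(":")
            switches[name.upper()] = arg or None
    return switches

def assess_event(event: dict) -> Optional[dict]:
    """Return a finding for a cipher.exe run that changes data on disk;
    status queries (/C), decryption (/D) and non-cipher processes give None."""
    if event["image"].rsplit("\\", 1)[-1].lower() != "cipher.exe":
        return None
    sw = parse_cipher_switches(event["cmdline"])
    reasons = []
    if "E" in sw:
        reasons.append("encrypt (/E)")
        if "S" in sw:  # whole directory tree at once: the ransomware-like shape
            reasons.append(f"recursive over {sw['S']} (/S)")
    if "W" in sw:
        reasons.append("wipe free space (/W)")
    if not reasons:
        return None
    if event["user"].upper().endswith("\\SYSTEM"):  # EFS driven by SYSTEM, not a person
        reasons.append("run as SYSTEM")
    severity = {1: "low", 2: "medium"}.get(len(reasons), "high")
    return {"ts": event["ts"], "user": event["user"], "severity": severity, "reasons": reasons}

def scan(lines: Iterable[str]) -> list:
    """Run assess_event over JSON-lines telemetry, skipping blank lines."""
    events = (json.loads(line) for line in lines if line.strip())
    return [f for f in (assess_event(e) for e in events) if f]
```

On the constructed sample, only the SYSTEM-driven recursive encryption of E:\ValuableData scores high; a user encrypting a single file of their own is recorded as low so the rule does not drown in legitimate EFS use.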


