Solved Persistent malware in Edge
-
@BBigford said in Persistent malware in Edge:
Here's an interesting part of running from command line @scottalanmiller ... In previous versions of Edge, it was still run as "spartan.exe" since it was originally Spartan. Then with (I think) 1607, it changed. It's not found in Program Files, it's in SystemApps... drilling down you find MicrosoftEdge, and program type is exe. Doing a run command, you can't run anything like MicrosoftEdge, or adding .exe... You have to run microsoft-edge and add the protocol : // (no space... it created an emoji. :D) at the end, then it will launch. Very weird. Then I noticed you can't run the same command microsoft-edge:// and have the program open from CMD, or even try to launch Edge from any of its directories.... just weird.
this is probably because it's a UWP app now instead of a traditional x86 app.
-
@scottalanmiller said in Persistent malware in Edge:
@BBigford said in Persistent malware in Edge:
What was it about the URL itself that you knew it had to do with the link, rather than within the application itself, regardless of where you run it from?
It was a hint in one of your posts (maybe the OP), you included the word "spigot" which is not part of any general search link. So I knew that it was not going directly to Yahoo or any other search site but to something weird and specific that we can be quite reasonably sure, was a specific money making link of some sort.
You've completely lost me here. You're saying that you were able to deduce that the URL was injected via the launching shortcut because it went to the same URL every time? What brings you to that conclusion? This could have just as easily been in the homepage field within the browser settings itself (can't recall if he said he checked that, but it would be one of the first places I would have checked). The shortcut would have been on a short list of places for me to look as well.
Another thing I would have checked was to make sure the shortcut for Edge was really going to edge and not going to another file that was acting like a MITM.
But the idea that the URL itself would somehow lead to the conclusion that it was in the shortcut and not buried somewhere deeper in the system, I just don't understand that.
-
@Dashrender said in Persistent malware in Edge:
You've completely lost me here. You're saying that you were able to deduce that the URL was injected via the launching shortcut because it went to the same URL every time? What brings you to that conclusion?
Because that specific URL is indicative of that specific attack. It's not that it is "a URL", it was that it was "that URL."
-
@scottalanmiller said in Persistent malware in Edge:
@Dashrender said in Persistent malware in Edge:
You've completely lost me here. You're saying that you were able to deduce that the URL was injected via the launching shortcut because it went to the same URL every time? What brings you to that conclusion?
Because that specific URL is indicative of that specific attack. It's not that it is "a URL", it was that it was "that URL."
oh, I guess that means you've seen that attack before. OK that does make sense then.
Thanks.
-
@Dashrender said in Persistent malware in Edge:
@scottalanmiller said in Persistent malware in Edge:
@Dashrender said in Persistent malware in Edge:
You've completely lost me here. You're saying that you were able to deduce that the URL was injected via the launching shortcut because it went to the same URL every time? What brings you to that conclusion?
Because that specific URL is indicative of that specific attack. It's not that it is "a URL", it was that it was "that URL."
oh, I guess that means you've seen that attack before. OK that does make sense then.
Thanks.
Yes, it's a known attack. I wouldn't say popular, but known. That URL essentially only exists for the purposes of this one attack vector.
-
@Dashrender said in Persistent malware in Edge:
@scottalanmiller said in Persistent malware in Edge:
@BBigford said in Persistent malware in Edge:
What was it about the URL itself that you knew it had to do with the link, rather than within the application itself, regardless of where you run it from?
It was a hint in one of your posts (maybe the OP), you included the word "spigot" which is not part of any general search link. So I knew that it was not going directly to Yahoo or any other search site but to something weird and specific that we can be quite reasonably sure, was a specific money making link of some sort.
You've completely lost me here. You're saying that you were able to deduce that the URL was injected via the launching shortcut because it went to the same URL every time? What brings you to that conclusion? This could have just as easily been in the homepage field within the browser settings itself (can't recall if he said he checked that, but it would be one of the first places I would have checked). The shortcut would have been on a short list of places for me to look as well.
Another thing I would have checked was to make sure the shortcut for Edge was really going to edge and not going to another file that was acting like a MITM.
But the idea that the URL itself would somehow lead to the conclusion that it was in the shortcut and not buried somewhere deeper in the system, I just don't understand that.
I can't open the properties of a taskbar icon like you can a desktop shortcut. I'm sure there is some metadata somewhere in System32 or (more likely) SystemApps, but I just deleted the shortcut, quoted them for a reimage, and moved on.
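The two checks discussed above (does the shortcut carry an injected URL in its arguments, and does its target really point at the browser rather than at a stand-in file) can be scripted instead of done by hand. The following PowerShell is an added example, not code from anyone in this thread. Taskbar-pinned shortcuts, which the Properties dialog hides, live as ordinary .lnk files under %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar, so they can be read with the WScript.Shell COM object like any other shortcut. The function name, the -Clean switch and the list of folders searched are this example's own choices; Edge as a UWP app is pinned through an AppUserModelId, so its TargetPath can legitimately be empty and only its Arguments are checked.

```powershell
# Added example (not from the thread): audit browser shortcuts for injected URLs
# and for targets that are not signed binaries. Assumes only the WScript.Shell
# COM object and Get-AuthenticodeSignature, both present on stock Windows.
function Find-SuspiciousShortcut {
    [CmdletBinding()]
    param(
        # Clear the Arguments field of any shortcut that carries a URL (remediation)
        [switch]$Clean
    )

    # Folders where shortcuts are normally launched from, including the hidden
    # taskbar pin location that the Properties dialog does not expose
    $locations = @(
        "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar",
        "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
        "$env:USERPROFILE\Desktop",
        "$env:PUBLIC\Desktop",
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
    )

    $shell = New-Object -ComObject WScript.Shell

    foreach ($dir in $locations) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk     = $shell.CreateShortcut($_.FullName)
            $reasons = @()

            # A browser shortcut has no business passing a URL on its command line;
            # that is exactly how a hijacked start page rides along with every launch
            if ($lnk.Arguments -match 'https?://') {
                $reasons += 'URL in shortcut arguments'
            }

            # If the shortcut points at a real file, make sure it is a signed binary
            # and not a substitute executable sitting in front of the browser
            if ($lnk.TargetPath -and (Test-Path -LiteralPath $lnk.TargetPath)) {
                $sig = Get-AuthenticodeSignature -FilePath $lnk.TargetPath
                if ($sig.Status -ne 'Valid') {
                    $reasons += "target signature status: $($sig.Status)"
                }
            }

            if ($reasons.Count -gt 0) {
                if ($Clean -and ($lnk.Arguments -match 'https?://')) {
                    $lnk.Arguments = ''
                    $lnk.Save()
                    $reasons += 'arguments cleared'
                }
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                    Findings  = ($reasons -join '; ')
                }
            }
        }
    }
}

# Report only:
Find-SuspiciousShortcut | Format-Table -AutoSize
# Report and strip injected URLs from the shortcuts found:
# Find-SuspiciousShortcut -Clean
```

Run it as the affected user, since the taskbar and Quick Launch folders are per-profile. Clearing the arguments removes the injected start page but, as the thread notes, does not tell you what else was dropped on the machine, so it is a triage step before a reimage decision rather than a substitute for one.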
-
@scottalanmiller said in Persistent malware in Edge:
@Dashrender said in Persistent malware in Edge:
You've completely lost me here. You're saying that you were able to deduce that the URL was injected via the launching shortcut because it went to the same URL every time? What brings you to that conclusion?
Because that specific URL is indicative of that specific attack. It's not that it is "a URL", it was that it was "that URL."
I was wondering if you had deduced the kind of attack from seeing Spigot in the URL before. I haven't seen that specific one in some time. Didn't even occur to me until you mentioned the shortcut that "oh yeah... infected shortcut."
-
@Dashrender said:
@BBigford said in Persistent malware in Edge:
Here's an interesting part of running from command line @scottalanmiller ... In previous versions of Edge, it was still run as "spartan.exe" since it was originally Spartan. Then with (I think) 1607, it changed. It's not found in Program Files, it's in SystemApps... drilling down you find MicrosoftEdge, and program type is exe. Doing a run command, you can't run anything like MicrosoftEdge, or adding .exe... You have to run microsoft-edge and add the protocol : // (no space... it created an emoji. :D) at the end, then it will launch. Very weird. Then I noticed you can't run the same command microsoft-edge:// and have the program open from CMD, or even try to launch Edge from any of its directories.... just weird.
this is probably because it's a UWP app now instead of a traditional x86 app.
Yup. That's exactly what it is. I found later something along the lines of "this is an Internet application, not a program in the traditional sense. So you have to put the protocol in the command." -MSDN. I wonder how you're supposed to realistically launch it from CMD/PowerShell, cause the commands I found were ridiculous. Unless Windows is just getting more pointy clicky than ever.
Overall, not being able to easily launch a program/app from CMD or PS is dumb.
Edit: CMD deprecation soon for PowerShell.
-
UWP apps are like Android apps or iPhone apps. You uninstall the whole thing, then reinstall it.
-
@Dashrender said in Persistent malware in Edge:
UWP apps are like Android apps or iPhone apps. You uninstall the whole thing, then reinstall it.
What about organizations that allow Edge, but not the Windows Store? You wouldn't be able to reinstall Edge in that case.
-
@BBigford said in Persistent malware in Edge:
@Dashrender said in Persistent malware in Edge:
UWP apps are like Android apps or iPhone apps. You uninstall the whole thing, then reinstall it.
What about organizations that allow Edge, but not the Windows Store? You wouldn't be able to reinstall Edge in that case.
Perfect
-
@scottalanmiller said in Persistent malware in Edge:
@BBigford said in Persistent malware in Edge:
@Dashrender said in Persistent malware in Edge:
UWP apps are like Android apps or iPhone apps. You uninstall the whole thing, then reinstall it.
What about organizations that allow Edge, but not the Windows Store? You wouldn't be able to reinstall Edge in that case.
Perfect
lmao, perfect trickery. Tell someone to uninstall, don't allow reinstall.
-
Not sure a non-admin can uninstall UWP apps. Store access should be available to admins.