While performing regular maintenance on a workstation, using Chocolatey automation, I got the following error message:
Well, there is indeed a detection in the Windows Defender history log!
And here is a bit of threat intel about it: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.INFOSTEAL.TIDAOCN (at least, according to its alias link between TrendMicro and Microsoft...)
Wait a minute, what??
Here is the file that was downloaded by the Chocolatey automation system:
So I quickly submitted that download link to VT: https://github.com/vim/vim-win32-installer/releases/download/v8.1.2256/gvim_8.1.2256_x64_signed.exe
I usually don't trust the "ML" and "AI stuff" like AV detections very much, but this time it is a bit consistent, and I would prefer it not to be... But anyhow, the detection rate is by far lower than for the file that Chocolatey was downloading on my box!
1 AV engine producing a false positive on the installer file of the latest VIM 8.1 x64 build?? And/or Chocolatey's repository being compromised?
Sent a message to the Chocolatey team, let's see what their reply is gonna be...
The infected files downloaded by Chocolatey are stored locally here:
The file actually being detected is this one: C:\ProgramData\chocolatey\lib-bad\vim-tux.install\tools\complete-x64_x64.exe->(7zSfx)->install.exe
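A check I would run at this point, added here as an example and not part of the original post or of Chocolatey's tooling: hash and Authenticode-check the cached file, fetch the upstream release asset and hash it as well, and pull Defender's own detection record for that path. The function name and parameters are hypothetical; note that the flagged file (complete-x64_x64.exe) and the release link (gvim_8.1.2256_x64_signed.exe) are different assets, so the script reports both hashes and both signatures rather than asserting that they match.

```powershell
# Added example (not from the original post): sanity-check a Chocolatey-cached
# installer against an upstream release asset and pull the matching Defender
# detection record. Paths and the URL are the ones named in the post; the
# function and parameter names are hypothetical.
function Test-ChocoDownload {
    param(
        [Parameter(Mandatory)][string]$LocalFile,    # file Defender flagged in lib-bad
        [Parameter(Mandatory)][string]$UpstreamUrl   # release asset to compare against
    )
    $upstream = Join-Path $env:TEMP (Split-Path $UpstreamUrl -Leaf)
    Invoke-WebRequest -Uri $UpstreamUrl -OutFile $upstream -UseBasicParsing

    # 1. Content: SHA256 of what Chocolatey cached vs. what GitHub serves.
    $localHash    = (Get-FileHash -Algorithm SHA256 -Path $LocalFile).Hash
    $upstreamHash = (Get-FileHash -Algorithm SHA256 -Path $upstream).Hash

    # 2. Authenticode: the release is published as a signed binary, so an
    #    unsigned or broken signature on the cached copy is a red flag.
    $localSig    = Get-AuthenticodeSignature -FilePath $LocalFile
    $upstreamSig = Get-AuthenticodeSignature -FilePath $upstream

    # 3. Defender's record of the detection (needs the Defender module);
    #    Resources holds the flagged path(s), e.g. "file:_C:\...".
    $detections = Get-MpThreatDetection |
        Where-Object { $_.Resources -match [regex]::Escape($LocalFile) } |
        Select-Object ThreatID, InitialDetectionTime, ProcessName, Resources

    [pscustomobject]@{
        HashMatch         = ($localHash -eq $upstreamHash)
        LocalSHA256       = $localHash
        UpstreamSHA256    = $upstreamHash
        LocalSignature    = "$($localSig.Status) / $($localSig.SignerCertificate.Subject)"
        UpstreamSignature = "$($upstreamSig.Status) / $($upstreamSig.SignerCertificate.Subject)"
        DefenderHits      = $detections
    }
}

# Values from the post: the flagged lib-bad file and the release link sent to VT.
Test-ChocoDownload `
    -LocalFile 'C:\ProgramData\chocolatey\lib-bad\vim-tux.install\tools\complete-x64_x64.exe' `
    -UpstreamUrl 'https://github.com/vim/vim-win32-installer/releases/download/v8.1.2256/gvim_8.1.2256_x64_signed.exe'
```

If Defender has already quarantined the cached file, Get-FileHash will fail on it; in that case the hash has to come from the Defender or Chocolatey logs instead.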
Here is the report generated by Joe Sandbox for the "install.exe" file: https://www.joesandbox.com/analysis/188732/0/html A bit disappointing :(