Overblog
Editer l'article Suivre ce blog Administration + Créer mon blog
5 novembre 2019 2 05 /11 /novembre /2019 23:49

While achieving regular maintenance on some workstation, using Chocolatey automation, I got the following error message:

[VX watch] Is latest gVIM Win64 binary compromised?

Well, there is indeed a detection in the Windows Defender history log!

And here is a bit of threat intel about it: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.INFOSTEAL.TIDAOCN   (at least, according to its alias link between TrendMicro and Microsoft...)

 

[VX watch] Is latest gVIM Win64 binary compromised?

Wait a minute, what??

Here is the file that was downloaded by Chocolatey automation system:

https://www.virustotal.com/gui/file/f8b7016c33097799900b15475b71f36dfd4acb1e946e8e2ec713b4d8e6f5cfe7/detection

 

 

[VX watch] Is latest gVIM Win64 binary compromised?

I therefore doublechecked a little quick on the official GVIM website: gvim.org and went to the official GitHub repo, to get the very last version available...

[VX watch] Is latest gVIM Win64 binary compromised?

So I quickly put that download link on VT: https://github.com/vim/vim-win32-installer/releases/download/v8.1.2256/gvim_8.1.2256_x64_signed.exe

And... wow:

https://www.virustotal.com/gui/file/03da37f20e3a73d8a4c7e9ace4b24d67f80af117d170d7b15a52eeba8d7e6606/detection

[VX watch] Is latest gVIM Win64 binary compromised?

I usually don't trust very much the "ML" and "IA stuff" like AV-detections, but this time, this is a bit consistent and I would prefer it not to be... But anyhow, the detection rate is by far lower from the file that Chocolatey was downloading on my box!

 

What happened?

1 AV engines doing a false positive, on the installer file of VIM 8.1 x64 latest build?? And/or Chocolatey's repository being compromised?

Sent message to Chocolatey team, let's see what's gonna be their reply...

 

IOC:

MD5: 7787dc90eb15dc5a04cdebcd46d65633

MD5: a575278bff5af556d480037a5b0c2e1b    

 

[Update 1]

The infected files, downloaded by Chocolatey, are being locally stored here:

C:\ProgramData\chocolatey\lib-bad\vim-tux.install

The file being detected is this one actually:  C:\ProgramData\chocolatey\lib-bad\vim-tux.install\tools\complete-x64_x64.exe->(7zSfx)->install.exe 

[Update 2]

Here is the report generated by JOE's sandbox, for the "install.exe" file...  https://www.joesandbox.com/analysis/188732/0/html  A bit disappointing :(

Partager cet article

Repost0

commentaires