
Wacatac malware found on installer.bin

Started by Sjaaktrekhaak, March 20, 2023, 02:58:39 AM

Sjaaktrekhaak

Hello,

While a device is running PatchMyPC-ScriptRunner.exe to install AcroRdrDCx642300120064_en_US.exe, Windows Defender detected and removed installer.bin because Trojan:Script/Wacatac.H!ml was found in the file.

Does anyone else have this issue, or is this a false positive?

Ben Whitmore (Patch My PC)

Hi There,

We haven't heard any more reports about this. When Adobe Reader installs, the installer extracts a bin file to Program Files and then extracts the installation files from the bin. It sounds like Defender is picking this up as a false positive.

You can verify the hash results of our scan for that file at
https://www.virustotal.com/gui/file/5f554986394757cc0eb314938addd7d926c817afee5c4ac6043eab878da3a8eb


amho

Hi,

We are also detecting this on 4 different machines so far in our organization.

Detection:
https://app.screencast.com/7keNiqeyvniS7

DavinderMcCaul

We have also had this same issue on 6 of our computers. Do Patch My PC have any advice for this?

DCLF

We have a significant number of machines also detecting this.

Ben Whitmore (Patch My PC)

Hey there,

PMPC does not repackage Acrobat Reader; the binary is downloaded from Adobe. During our testing we check the binary for malware and record the hash. You can read our full security validation process at https://patchmypc.com/deep-dive-into-security-validation-of-third-party-software-updates-in-microsoft-sccm

All updates we add to our catalogue are scanned using Virus Total, and the results for the Acrobat Reader DC Cont 23.001.20064 installer can be found here - VirusTotal - File - 1e6d872b3023308f1dfaed643c7174542523edcc0d61429b9ecf06be884dc45e

Additionally, we extracted the EXE and ran the installer.bin through Virus Total. Those results can be found here - VirusTotal - File - 5e54975463b5f5a25d9c143e543ef967faf6c38cc4b95ceda36a1fe97efb79e9

You could also grab the .BIN file from C:\ProgramData\Adobe\Temp (location may vary depending on architecture deployed) and check it against Virus Total too.

Whilst we are not quick to dismiss as a false positive, we would encourage your security teams to validate the Adobe download link too at https://ardownload2.adobe.com/pub/adobe/acrobat/win/AcrobatDC/2300120064/AcroRdrDCx642300120064_en_US.exe

You can find the download link in our catalog by right-clicking any product and choosing "show package info" (see image).

showinfo.png
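The verification Ben describes above (hash the downloaded EXE and the extracted installer.bin, then compare with the values recorded at VirusTotal) can be scripted so that every affected machine is checked the same way. The following PowerShell is an added example, not Patch My PC's or Adobe's code. It assumes the known-good SHA-256 values quoted in the post above for the 23.001.20064 build (for any other build, take the hash from the "show package info" entry or the VirusTotal page for that build), a cached copy of the installer at an assumed path, and that the extracted bin lives somewhere under C:\ProgramData\Adobe\Temp as the post says. The last step pulls the matching detections out of Defender with Get-MpThreat and Get-MpThreatDetection so the flagged path can be tied back to a hash result.

```powershell
# Added example (not from the thread, Patch My PC or Adobe): compare a suspect Adobe
# Reader installer and its extracted installer.bin with known-good SHA-256 values
# before deciding whether a Defender detection is a false positive.
#
# These expected hashes are the ones quoted in Ben Whitmore's post for build
# 23.001.20064. For any other Reader build, use the hash shown by "show package info"
# or the VirusTotal entry for that build.
$ExpectedHashes = @{
    'AcroRdrDCx642300120064_en_US.exe' = '1e6d872b3023308f1dfaed643c7174542523edcc0d61429b9ecf06be884dc45e'
    'installer.bin'                    = '5e54975463b5f5a25d9c143e543ef967faf6c38cc4b95ceda36a1fe97efb79e9'
}

function Test-KnownGoodHash {
    # Returns MATCH / MISMATCH / MISSING for one file against one expected SHA-256.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        # Defender's "Remove" action deletes the file, so a missing file is itself a signal.
        return [pscustomobject]@{ Path = $Path; Status = 'MISSING (possibly quarantined)'; Sha256 = $null }
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $status = if ($actual -eq $ExpectedSha256.ToLowerInvariant()) { 'MATCH' } else { 'MISMATCH' }
    [pscustomobject]@{ Path = $Path; Status = $status; Sha256 = $actual }
}

# 1. The downloaded installer. The path is an assumption; point it at wherever your
#    ConfigMgr/Intune content or the Patch My PC download cache keeps the EXE.
Test-KnownGoodHash -Path 'C:\Temp\AcroRdrDCx642300120064_en_US.exe' `
                   -ExpectedSha256 $ExpectedHashes['AcroRdrDCx642300120064_en_US.exe']

# 2. The extracted installer.bin. The post says it lands under C:\ProgramData\Adobe\Temp,
#    in a subfolder whose name varies, so search recursively.
Get-ChildItem -Path 'C:\ProgramData\Adobe\Temp' -Filter 'installer.bin' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-KnownGoodHash -Path $_.FullName -ExpectedSha256 $ExpectedHashes['installer.bin'] }

# 3. What Defender actually flagged: join detections to threat names and keep the Wacatac ones.
#    Resources holds the "file:_C:\..." paths seen in the report quoted later in the thread.
$wacatac = Get-MpThreat | Where-Object ThreatName -like '*Wacatac*'
Get-MpThreatDetection |
    Where-Object { $_.ThreatID -in $wacatac.ThreatID } |
    Select-Object InitialDetectionTime, ProcessName, Resources, ActionSuccess
```

A MATCH means the file on the endpoint is byte-for-byte the one VirusTotal scanned, so the Defender verdict can be judged against that multi-engine result; a MISMATCH or MISSING result means you are no longer looking at the scanned artefact and should not treat the detection as a false positive on the strength of the VirusTotal link alone.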

ChickenSpears

I accepted that it is a false positive and put in a suppression rule.
However, I am now getting the same notifications for installer.bin for AcroRdrDCx642300120093_en_US.exe
This time it also includes a warning for a 'Bladabindi' backdoor.
I'm fairly certain that this is also a false one, but I worry that we'll get dozens of warnings with each Adobe Acrobat Reader update.

Edit: Virustotal shows no threats:
https://www.virustotal.com/gui/file/241d2acfe8b9ea5eeaca10f91f7f1259340a200bba8cc118649caab595d8daf0

Ben Whitmore (Patch My PC)

Thanks for reaching out. We do sympathise with your position but unfortunately there is nothing we can do here. I would advise reaching out to Adobe and they may be able to give more advice on why their installers are being flagged, incorrectly, by some Anti-Virus vendors.

AndAuf

I think MS messed something up with the Wacatac detection. We had false positives for Docker containers when updating Docker.

Malware Name: Trojan:Script/Wacatac.H!ml
Number of infections: 1
Last detection time(UTC time): 3/23/2023 8:39:52 AM

These are the infections of this malware:
1. Computer name: XXX
Domain: XXX
Detection time(UTC time): 3/23/2023 8:39:52 AM
Malware file path: file:_C:\Windows\Temp\DockerDesktop\qkrpy3zo0cw
Remediation action: Remove
Action status: Succeeded

ChickenSpears

Quote from: Ben Whitmore (Patch My PC) on March 27, 2023, 03:54:10 AM
> Thanks for reaching out. We do sympathise with your position but unfortunately there is nothing we can do here. I would advise reaching out to Adobe and they may be able to give more advice on why their installers are being flagged, incorrectly, by some Anti-Virus vendors.

No worries, I wasn't blaming you guys. I think the issue lies with Defender detection, like AndAuf mentioned above. I will try and find out what it is specifically about installer.bin that triggers the incident and will report back here if I do.