5 November 2019, 23:49

While performing regular maintenance on a workstation using Chocolatey automation, I got the following error message:

[VX watch] Is latest gVIM Win64 binary compromised?

Well, there is indeed a detection in the Windows Defender history log!

And here is a bit of threat intel about it: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.INFOSTEAL.TIDAOCN (at least, according to the alias link between TrendMicro's and Microsoft's names for it...)


Wait a minute, what??

Here is the file that was downloaded by the Chocolatey automation system:

https://www.virustotal.com/gui/file/f8b7016c33097799900b15475b71f36dfd4acb1e946e8e2ec713b4d8e6f5cfe7/detection


I therefore did a quick double-check on the official gVim website, gvim.org, and went to the official GitHub repo to get the very latest version available...

So I quickly submitted that download link to VT: https://github.com/vim/vim-win32-installer/releases/download/v8.1.2256/gvim_8.1.2256_x64_signed.exe

And... wow:

https://www.virustotal.com/gui/file/03da37f20e3a73d8a4c7e9ace4b24d67f80af117d170d7b15a52eeba8d7e6606/detection

I usually don't put much trust in the "ML" and "AI stuff" behind AV detections, but this time it is somewhat consistent, and I would prefer it not to be... Anyhow, the detection rate is far lower than for the file that Chocolatey was downloading on my box!

What happened?

One AV engine raising a false positive on the installer file of the latest VIM 8.1 x64 build?? And/or Chocolatey's repository being compromised?

I sent a message to the Chocolatey team; let's see what their reply will be...

IOC:

MD5: 7787dc90eb15dc5a04cdebcd46d65633
MD5: a575278bff5af556d480037a5b0c2e1b


[Update 1]

The infected files downloaded by Chocolatey are stored locally here:

C:\ProgramData\chocolatey\lib-bad\vim-tux.install

The file actually being detected is this one: C:\ProgramData\chocolatey\lib-bad\vim-tux.install\tools\complete-x64_x64.exe->(7zSfx)->install.exe
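To triage what Chocolatey quarantined under lib-bad without trusting the AV verdict alone, the following script hashes every installer there, checks its Authenticode signature, and compares the hashes against the values quoted in this post. This is an added example, not code from the original post or from Chocolatey; only the lib-bad path, the two VirusTotal SHA256 values and the two IOC MD5 values come from the post, everything else is assumed.

```powershell
# Added example: hash and signature triage of Chocolatey's lib-bad quarantine.
# SHA256 values taken from the two VirusTotal links in the post.
$KnownSha256 = @{
    'F8B7016C33097799900B15475B71F36DFD4ACB1E946E8E2EC713B4D8E6F5CFE7' = 'Chocolatey-downloaded installer (flagged by Defender)'
    '03DA37F20E3A73D8A4C7E9ACE4B24D67F80AF117D170D7B15A52EEBA8D7E6606' = 'Upstream GitHub release gvim_8.1.2256_x64_signed.exe'
}
# MD5 values listed in the post's IOC section.
$KnownMd5 = @('7787DC90EB15DC5A04CDEBCD46D65633', 'A575278BFF5AF556D480037A5B0C2E1B')

# Quarantine folder named in the post (assumed default Chocolatey location).
$LibBad = 'C:\ProgramData\chocolatey\lib-bad'

function Get-QuarantinedInstallerReport {
    param([string]$Root = $LibBad)
    # Note: the post says the detection is on install.exe *inside* a 7zSfx
    # archive. This only hashes the outer containers; extract the SFX first
    # (e.g. with 7-Zip) if you need the hash of the embedded install.exe.
    Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.msi |
        ForEach-Object {
            $sha = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SizeBytes = $_.Length
                SHA256    = $sha
                MD5       = $md5
                SigStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                KnownAs   = $KnownSha256[$sha]     # $null when the hash is not on the list
                Md5InIoc  = $KnownMd5 -contains $md5
            }
        }
}

# Anything that is not Valid-signed, or that matches the flagged hash,
# deserves a closer look before the package is ever re-installed.
Get-QuarantinedInstallerReport |
    Sort-Object SigStatus |
    Format-Table Path, SigStatus, Signer, KnownAs, Md5InIoc -AutoSize
```

Run it from an elevated PowerShell session on the affected box; if Defender has already deleted the quarantined files, the report is simply empty.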

[Update 2]

Here is the report generated by Joe Sandbox for the "install.exe" file: https://www.joesandbox.com/analysis/188732/0/html. A bit disappointing :(
