
PowerShell infection by Win64/Agent.IV trojan


Lockbits


Hello guys,

We have a new customer that moved from Hauri to ESET Secure Business. They're installing EES on 180 computers and there are at least 4 PCs that are infected by Win64/Agent.IV malware that persists upon restart. The problem is that the on-demand scan shows the computers as clean; however, upon restart ESET warns again about the same malware, and so on. I think it's a fileless infection.

The PowerShell process is always in RAM, and in the firewall log we can see there are a lot of SMB/EternalBlue detections coming from private and public IPs. There are also some Win32/Emotet and PowerShell/Agent detections on some computers.

What we tried so far:

- Two or more on-demand analyses of the computers, without success.

- Installation of all Microsoft patches, including the one mentioned in the article httpsx://support.eset.com/kb6481/.

- Anti-ransomware policies applied using HIPS through ERA.

I think we need @JamesR expertise.

All ELC files can be downloaded from here: httpsx://we.tl/S5mP6afOQY

Thank you all.


  • Administrators

I'm gonna check the logs. In the meantime you can try switching to pre-release updates so that the latest cleaner module, with improved scanning and cleaning of WMI malware, is downloaded.


21 minutes ago, Lockbits said:

What we tried so far:

- Installation of all Microsoft patches, including the one mentioned in the article httpsx://support.eset.com/kb6481/.

Applying OS patches will only prevent any further exploiting activity. It will not help if you're currently infected.

Besides malware using a WMI consumer event for persistence, which I am sure you are aware of, a few other possible areas used are:

1. Registry associated Run keys and Win directories used for app startup at boot time.

2. Scheduled tasks that run at boot time. These also can be timer triggered to startup after boot time.

3. Installation of a malware service that starts at boot time. The service could be associated with a malicious driver.

Edited by itman

  • Administrators

Please move the following files elsewhere, e.g. to c:\!eset and reboot the machines:

Evelyn: c:\windows\system32\tasks\a0d88a9b-c6fc-5f0a-199ecc066929f55b
Marcelo: c:\windows\system32\tasks\8d4f1036-2a47-533a-5234b217253d09ac
Mnunez: c:\windows\system32\tasks\7db67a1a-1f84-5fad-933343f1082c255a
Sonia: c:\windows\system32\tasks\eadb615c-36a6-5fb5-5273d4f164f0ff69

Then encrypt the files with the password "infected", upload the archive to a safe location and drop me a message with a download link. Only after I acknowledge receipt, delete the files.


9 minutes ago, Marcos said:

Please move the following files elsewhere, e.g. to c:\!eset and reboot the machines:

Evelyn: c:\windows\system32\tasks\a0d88a9b-c6fc-5f0a-199ecc066929f55b
Marcelo: c:\windows\system32\tasks\8d4f1036-2a47-533a-5234b217253d09ac
Mnunez: c:\windows\system32\tasks\7db67a1a-1f84-5fad-933343f1082c255a
Sonia: c:\windows\system32\tasks\eadb615c-36a6-5fb5-5273d4f164f0ff69

Then encrypt the files with the password "infected", upload the archive to a safe location and drop me a message with a download link. Only after I acknowledge receipt, delete the files.

Hi Marcos,

Thank you. The customer will send me the files, except for the computer Mnunez, which was formatted. I'll PM you when I get the samples.

If these files are malicious, will the Virus Lab add them as PowerShell/...?


  • ESET Staff

@Lockbits,

Just started reviewing your logs. Here is a brief description of what I am seeing. While this is using PowerShell to execute an encoded script, WMI is not used for persistence. Looks like it's just scheduled tasks used for persistence (as @Marcos said). It is reading a registry value for data. Haven't dived in deep enough to analyze what that data is. Marcos will definitely be able to help get some detection of this added in the product. ELC should have everything we need for samples. If we need something extra, Marcos or I will reach out.

I do plan on eventually taking my WMILister and incorporating some checks for PowerShell misuse in scheduled tasks, but don't wait for that. Could be a long while before I get around to that.

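As an added illustration of the triage described above (not code from the thread or from ESET's tools): the scheduled-task files under system32\tasks are XML, so the persistence JamesR describes can be audited offline by parsing each task's Exec action, flagging ones that launch powershell.exe with an encoded command, and decoding that command (base64 of UTF-16LE text). The sample task below is constructed for this example and carries a harmless payload.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task XML files (the files under system32\tasks).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Common spellings of the -EncodedCommand switch, followed by its base64 operand.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(arguments):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text), or None."""
    match = ENCODED_FLAG.search(arguments)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def audit_task_xml(xml_bytes):
    """Parse one task file and return one finding per <Exec> action it contains."""
    # Task files on disk are UTF-16 with a BOM; drop the XML declaration once decoded.
    text = xml_bytes.decode("utf-16" if xml_bytes[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8")
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    findings = []
    for exec_node in ET.fromstring(text).findall(".//t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        decoded = decode_encoded_command(args) if "powershell" in command.lower() else None
        findings.append({"command": command, "arguments": args, "decoded": decoded,
                         "suspicious": decoded is not None})
    return findings


# Constructed sample in the Task Scheduler format (not one of the thread's task files);
# the operand is a harmless command encoded the way -EncodedCommand expects.
SAMPLE_PAYLOAD = base64.b64encode("Write-Output 'hello'".encode("utf-16le")).decode("ascii")
SAMPLE_TASK = f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
      <Arguments>-NoP -W Hidden -Enc {SAMPLE_PAYLOAD}</Arguments>
    </Exec>
  </Actions>
</Task>""".encode("utf-16")
```

Running audit_task_xml over every file collected from a host's tasks folder gives a list of boot-time actions with any encoded PowerShell already decoded for review.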

  • ESET Staff

Clean up the tasks, kill PowerShell and reboot for good measure. That will have those computers cleaned up.

1. Delete tasks

2. From an admin CMD: taskkill /im powershell.exe /f && shutdown -r -f -t 0

If it comes back, let us know. From my brief analysis of your logs, I didn't see any network spreading capabilities, but I could have overlooked something.


Hello guys,

Finally, the malicious scripts were added as the PowerShell/Agent.AS trojan. ESET deleted the scripts associated with the scheduled task, so the computers are now clean.

Thank you all for the help.
