Lockbits 10 Posted February 27, 2018
Hello guys,
We have a new customer that moved from Hauri to ESET Secure Business. They are installing EES on 180 computers, and there are at least 4 PCs infected by Win64/Agent.IV malware that persists across restarts. The problem is that an on-demand scan shows the computers as clean, but upon restart ESET warns again about the same malware, and so on. I think it is a fileless infection. A PowerShell process is always in RAM, and in the firewall log we can see a lot of SMB/EternalBlue detections coming from private and public IPs. There are also some Win32/Emotet and PowerShell/Agent detections on some computers.
What we tried so far:
- Two or more on-demand scans of the computers, without success.
- Installation of all Microsoft patches, including the one mentioned in the article httpsx://support.eset.com/kb6481/.
- Anti-ransomware policies applied using HIPS through ERA.
I think we need @JamesR's expertise. All ELC files can be downloaded from here: httpsx://we.tl/S5mP6afOQY
Thank you all.
Administrators Marcos 4,838 Posted February 27, 2018
I'm going to check the logs. In the meantime you can try switching to pre-release updates so that the latest cleaner module, with improved scanning and cleaning of WMI malware, is downloaded.
itman 1,594 Posted February 27, 2018 (edited)
21 minutes ago, Lockbits said:
What we tried so far:
- Installation of all Microsoft patches, including the one mentioned in the article httpsx://support.eset.com/kb6481/.
Applying OS patches will only prevent any further exploiting activity. It will not help if you're currently infected. Besides malware using a WMI event consumer for persistence, which I am sure you are aware of, a few other possible areas used are:
1. Registry-associated Run keys and Windows directories used for app startup at boot time.
2. Scheduled tasks that run at boot time. These can also be timer-triggered to start after boot time.
3. Installation of a malware service that starts at boot time. The service could be associated with a malicious driver.
Edited February 27, 2018 by itman
Administrators Marcos 4,838 Posted February 27, 2018
Please move the following files elsewhere, e.g. to c:\!eset, and reboot the machines:
Evelyn: c:\windows\system32\tasks\a0d88a9b-c6fc-5f0a-199ecc066929f55b
Marcelo: c:\windows\system32\tasks\8d4f1036-2a47-533a-5234b217253d09ac
Mnunez: c:\windows\system32\tasks\7db67a1a-1f84-5fad-933343f1082c255a
Sonia: c:\windows\system32\tasks\eadb615c-36a6-5fb5-5273d4f164f0ff69
Then encrypt the files with the password "infected", upload the archive to a safe location and drop me a message with a download link. Only after I acknowledge receipt, delete the files.
Lockbits 10 Posted February 27, 2018 Author
9 minutes ago, Marcos said:
Please move the following files elsewhere, e.g. to c:\!eset, and reboot the machines:
Evelyn: c:\windows\system32\tasks\a0d88a9b-c6fc-5f0a-199ecc066929f55b
Marcelo: c:\windows\system32\tasks\8d4f1036-2a47-533a-5234b217253d09ac
Mnunez: c:\windows\system32\tasks\7db67a1a-1f84-5fad-933343f1082c255a
Sonia: c:\windows\system32\tasks\eadb615c-36a6-5fb5-5273d4f164f0ff69
Then encrypt the files with the password "infected", upload the archive to a safe location and drop me a message with a download link. Only after I acknowledge receipt, delete the files.
Hi Marcos,
Thank you. The customer will send me the files, except for the computer Mnunez, which was formatted. I'll PM you when I get the samples. If these files are malicious, will the Virus Lab add them as PowerShell/...?
Administrators Marcos 4,838 Posted February 27, 2018
I can't tell now how they will be detected, but I'd like to have a generic detection for similar malware.
Lockbits 10 Posted February 27, 2018 Author
Hi Marcos, PM and samples sent. Thank you.
ESET Staff JamesR 50 Posted February 27, 2018
@Lockbits, I just started reviewing your logs. Here is a brief description of what I am seeing. While this is using PowerShell to execute an encoded script, WMI is not used for persistence. It looks like it's just scheduled tasks used for persistence (as @Marcos said). It is reading a registry value for data. I haven't dived in deep enough to analyze what that data is. Marcos will definitely be able to help get detection of this added to the product. ELC should have everything we need for samples. If we need something extra, Marcos or I will reach out. I do plan on eventually taking my WMILister and incorporating some checks for PowerShell misuse in scheduled tasks, but don't wait for that. It could be a long while before I get around to it.
Lockbits 10 Posted February 27, 2018 Author
Hello guys, thank you both for the replies. So if we delete the tasks associated with the malicious PowerShell scripts, will the computers be clean?
ESET Staff JamesR 50 Posted March 1, 2018
Clean up the tasks, kill PowerShell and reboot for good measure. That will have those computers cleaned up:
1. Delete the tasks.
2. From an admin CMD: taskkill /im powershell.exe /f && shutdown -r -f -t 0
If it comes back, let us know. From my brief analysis of your logs, I didn't see any network-spreading capabilities, but I could have overlooked something.
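The triage and cleanup the thread converges on (itman's list of boot-time persistence locations, JamesR's finding that the persistence is a scheduled task running an encoded PowerShell script that reads a registry value, Marcos's request to preserve the task files before deleting them, and the taskkill-plus-reboot cleanup above) can be scripted. The following is an added example written for this page; it is not code from ESET, JamesR, Marcos or the original poster. It assumes Windows 8 / Server 2012 or later (the ScheduledTasks module), an elevated session, and borrows the thread's c:\!eset folder name as the evidence location; the indicator regexes and the GUID-like-name heuristic are the example's own assumptions, not ESET detection logic.

```powershell
# Added example for this thread, not code from ESET or any poster.
# Assumes Windows 8 / Server 2012+ (ScheduledTasks module) and an elevated session.
# The evidence folder name is an assumption borrowed from the thread's "c:\!eset".

# Decode the payload carried by "powershell.exe -EncodedCommand <base64>".
# Returns $null when the argument string carries no encoded command.
function ConvertFrom-EncodedPowerShellArgs {
    param([string]$Arguments)
    if (-not $Arguments) { return $null }
    # powershell.exe accepts -e, -ec, -enc, -encoded and -encodedcommand (case-insensitive)
    $m = [regex]::Match($Arguments,
        '(?i)(?:^|\s)[-/](?:encodedcommand|encoded|enc|ec|e)\s+([A-Za-z0-9+/=]+)')
    if (-not $m.Success) { return $null }
    try {
        # EncodedCommand is Base64 over UTF-16LE text, not UTF-8
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value))
    } catch {
        return "<undecodable: $($_.Exception.Message)>"
    }
}

# Enumerate every scheduled task whose action launches powershell.exe and report
# the decoded script (if encoded) plus any indicator patterns worth a closer look.
function Get-PowerShellScheduledTask {
    # Assumed indicator set: hidden window, no profile, bypassed policy, eval of
    # downloaded/registry-staged text. Tune to your environment.
    $indicators = @(
        '(?i)-w(?:indowstyle)?\s+hidden',
        '(?i)-nop(?:rofile)?\b',
        '(?i)-e(?:xecution)?p(?:olicy)?\s+bypass',
        '(?i)\biex\b|Invoke-Expression',
        '(?i)Get-ItemProperty|Registry::|HK(LM|CU):',      # payload staged in the registry
        '(?i)DownloadString|Net\.WebClient|Invoke-WebRequest'
    )
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute/Arguments; only look at exec actions
            if ($action.CimClass.CimClassName -ne 'MSFT_TaskExecAction') { continue }
            if ($action.Execute -notmatch '(?i)(powershell|pwsh)(\.exe)?"?\s*$') { continue }
            $decoded = ConvertFrom-EncodedPowerShellArgs $action.Arguments
            $text    = "$($action.Arguments) $decoded"
            $hits    = @($indicators | Where-Object { $text -match $_ })
            [pscustomobject]@{
                TaskName     = $task.TaskName
                TaskPath     = $task.TaskPath
                Author       = $task.Author
                Execute      = $action.Execute
                Arguments    = $action.Arguments
                Decoded      = $decoded
                Indicators   = ($hits -join '; ')
                # Bare hex-and-dash names like the task files named in this thread
                GuidLikeName = [bool]($task.TaskName -match '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-')
            }
        }
    }
}

# Preserve the task definition for sample submission, unregister it, then stop any
# running powershell.exe so the payload cannot re-register itself before the reboot.
function Remove-SuspiciousTask {
    param(
        [Parameter(Mandatory)][string]$TaskName,
        [Parameter(Mandatory)][string]$TaskPath,
        [string]$EvidenceDir = 'C:\!eset'          # assumption: the folder used in the thread
    )
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
    $safeName = ($TaskPath + $TaskName) -replace '[\\/:]', '_'
    Export-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath |
        Set-Content -Path (Join-Path $EvidenceDir "$safeName.xml") -Encoding Unicode
    Unregister-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -Confirm:$false
    Get-Process -Name powershell -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -ne $PID } | Stop-Process -Force
}

# Triage run: list first, review the decoded scripts, and only then remove.
$findings = Get-PowerShellScheduledTask |
    Where-Object { $_.Decoded -or $_.Indicators -or $_.GuidLikeName }
$findings | Format-List TaskName, TaskPath, Author, Arguments, Decoded, Indicators

# After review:
# $findings | ForEach-Object { Remove-SuspiciousTask -TaskName $_.TaskName -TaskPath $_.TaskPath }
# Restart-Computer -Force
```

The exported XML is the same task definition that lives under c:\windows\system32\tasks, so it can be zipped with the "infected" password and submitted as Marcos asked without copying files out of that directory by hand. Because JamesR observed the script reading a registry value, the Decoded column is where that value's key and the final Invoke-Expression will show up; pull that registry data as well before wiping the task, since the task XML alone will not contain the second-stage payload. Run keys and services from itman's list are not covered by this script and still need their own check.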
Lockbits 10 Posted March 1, 2018 Author
Hello guys, finally the malicious scripts were added as the PowerShell/Agent.AS trojan. ESET deleted the scripts associated with the scheduled task, so the computers are now clean. Thank you all for the help.
vishaldadlani 0 Posted March 22, 2018
I found the whole discussion very informative.