Jump to content

Infected? Undetected Script wscript.exe loading from startup folder


Recommended Posts

13 hours ago, NewbyUser said:

MS is also detecting it now as TrojanDownloader:Win32/Nemucod!ml

Interesting how things work at VT. After the Microsoft detection, now 13/58 detecting at VT.

In any case, this was a long time for a 0-day to be floating around in-the-wild after initial VT submission. Also of note is the stackoverflow posting is over a week old. It can be assumed the bugger has been in-the-wild for some time.

It also shows that carefully crafted scripts can still bypass most AV detection.

Edited by itman
Link to comment
Share on other sites

So how can Eset and other AVs stop "living off the land" attacks like this?

One way is to flag any MS signed LOL process at file creation time where file name doesn't match internal PE header name*; a clear indication of renaming activities.

* List of abused MS living off the land processes is here: https://lolbas-project.github.io/#

Edited by itman
Link to comment
Share on other sites

Also of note is @Tzatzhas posted the decrypted script code of this malware at the stackoverflow web site linked at the beginning of this thread. The problem is the code is so heavy obfuscated, it is impossible to determine exactly what it is doing. My best guess is my initial one; it's node.js based malware.

What node.js is described here: https://www.tutorialspoint.com/nodejs/nodejs_introduction.htm

A recent prevalent malware using node.js based malware is here: https://fossbytes.com/windows-pcs-affected-node-js-based-malware/

Quote

The file packs a JavaScript code which downloads the second component of the malware — an XSL file. This file runs a PowerShell command to download additional malicious modules and the last stage involves dropping the JavaScript payload with some Node.js modules.

Of note was PowerShell was used in this current Javascript attack and I assume it was doing the same activities shown above.

Edited by itman
Link to comment
Share on other sites

16 hours ago, Nightowl said:

Happened with me a while before , I sent the file again and Checkpoint came back , I did it now again , it seems not , but should be detecting it as they are using Kaspersky AV engine

It's back to detecting it at VT.

My guess is they don't 100% trust Kaspersky's signatures. Yes - it was a generic detection, HEUR:Trojan.Script.SAgent.gen.

Checkpoint later did an initial cloud sandbox analysis and removed it when nothing was detected. After that, they did a full lab sandbox analysis w/human review and decided it was malicious after all.

Edited by itman
Link to comment
Share on other sites

Posted (edited)

I believe they may have attempted to gain persistence but failed. I do have core isolation & secure boot enabled. A year ago someone managed to bypass both and install a fresh unloaded bootloader which I found with GMER, just prior to rebooting, it detected a rootkit in the MBR. Upon reboot I, for the first time, was asked to insert a password to login to windows, even though I had enabled automatic logon. It was clearly trying to steal my password, after simply powering the computer off, and rebooting, no password was requested, gmer was clean, and the threat not persistent. I then found cisco's MBR FILTER and used this to prevent these types of attacks. I also modified its installer and renamed the dll to make sure malware could only detect it by hash.

Though they HAD bypassed core-isolation & secureboot, and modified the MBR initially, they did not gain persistence, and still wanted my password for elevation. Far as I can tell. The only reason I ran GMER was because I had just enabled "DCOM" on my computer, and wondered if something may have been hiding there waiting to be initiated. My WMI repository was found to be inconsistent as well.

The WS file had a unique hash never before detected by VT suggesting this may have been a targeted attack.  My windows/sysmon logs do not go back far enough for adequate forensics. I block powershell and wmi via firewall so even if it ran it would not connect to the internet.

I did recently have a legitimate brave browser extension "Video Speed Controller hijacked/hollowed and replaced with what appeared to be adware, which redirected all search query's on google to domains blocked by my hosts file.  The problem went away after uninstalling and reinstalling the extension. I suspected 1. rogue elements within google itself at fault, 2. brave was exploited while browsing a malicious javascript,  or 3. the code the extension injects into html5 to control video speeds may be vulnerable to exploitation.

Another possibility repacked software or esets classification, 'potentially unsafe applications.'  Its been over two years since kapersky offline, eset, adaware, malwarebytes, zemana, or rogue killer has detected ANY adware, spyware, or virus active and installed persistently onto my computer.

If I am not mistaken, it appears this java malware uses wmic to query the computer about virtualization and security related software. And powershell to download the payload.

Can an inconsistent WMI repository suggest tampering by malware? The command "winmgmt /verifyrepository" checks for consistency, and my WMI is currently consistent.

I installed custom event viewer WMI SubscriberMonitor notifications to log newly created WMI consumers and processes, and an attending custom script (attached) to automatically disable wmi and alert upon detection of WMI EventConsumer, EventFilter, FilterToConsumerBinding implants. It also checks the WMI repository for consistency.  Though in terms of its detection capability, looks somewhat primitive compared to your amazing little WMI script here.

I also use exploit mitigations to block wmic.exe & WmiPrvSE.exe from invoking child processes or from accessing remote images, so methods such as "Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList wscript.exe" are thwarted.

Do you have any software for scanning for malicious certificates?

WMI_Monitor.zip

Edited by Tzatz
Link to comment
Share on other sites

6 hours ago, Tzatz said:

Do you have any software for scanning for malicious certificates?

You can use SysInternals Sigcheck utility for this: https://www.howtogeek.com/238765/how-to-check-for-dangerous-root-certificates-on-your-windows-pc/

6 hours ago, Tzatz said:

I installed custom event viewer WMI SubscriberMonitor notifications to log newly created WMI consumers and processes, and an attending custom script (attached) to automatically disable wmi and alert upon detection of WMI EventConsumer, EventFilter, FilterToConsumerBinding implants.

I had previously read Matt Graeber's articles on this subject. I didn't know someone had posted a script on Github to automate the event logging. Neat!

6 hours ago, Tzatz said:

I then found cisco's MBR FILTER and used this to prevent these types of attacks. I also modified its installer and renamed the dll to make sure malware could only detect it by hash.

I requested Eset employ this sometime ago. Of course, that "fell on deaf ears."

Also you would think Eset would have a utility by now to remove MBR malware or repair it since they don't protect against it getting infected.

Edited by itman
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...