BlueTalon 0 Posted February 1, 2023
I have hundreds of popups saying a threat (Trojan downloader) was found in a file that powershell tried to access. The "file" link in the popup only contains the text "script" so that isn't of any use. I have run a scan with no detections.
Log record:
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
01-Feb-23 9:53:16 PM;AMSI scanner;file;script;PowerShell/TrojanDownloader.Agent.GHN trojan;blocked;<ComputerName>\<UserName>;;4701E8D5946643D4AFE68AE5786FE84335C95BA9;
I ran diagnostics for a few minutes and stopped it shortly after the detection. Logs attached. I had to delete the 5 .pcapng files as these were ~100MB each and pushed the zip over the upload limit. Can attach individually if need be. Thanks
Diagnostics.zip
Administrators Marcos 5,450 Posted February 1, 2023
Please provide logs collected with ESET Log Collector for a start.
BlueTalon 0 (Author) Posted February 1, 2023
Thanks, Attached. Had to remove the .pcapng files again due to size limit.
eis_logs.zip
Administrators Marcos 5,450 (Solution) Posted February 1, 2023
Please provide these files (do not delete them yet):
C:\WINDOWS\System32\A3DA.tmp\A3EB.tmp.ps1
C:\WINDOWS\System32\DFBE.tmp\DFBF.tmp.ps1
BlueTalon 0 (Author) Posted February 1, 2023
EIS is quarantining them when I try to zip. Do I pause protection?
Administrators Marcos 5,450 Posted February 1, 2023
No. Please reboot the machine and let us know if the threat is still continually being detected.
BlueTalon 0 (Author) Posted February 2, 2023
Seems to have stopped after a reboot 👍 I've found a 7zip archive of the A3DA folder that EIS warned about some time ago, but I otherwise deleted, if you want it for analysis (attached). I further zipped it to upload, but can't rezip the original files due to EIS quarantining with any interaction. Thanks
A3DA.tmp.possibleVirus.7z.zip
Administrators Marcos 5,450 Posted February 2, 2023
We were able to add a detection based on your logs and the sample above confirmed that we were right. The script is a loader detected as PowerShell/Agent.ASW trojan. The payload had already been detected for some time. Thank you.
BlueTalon 1
itman 1,801 Posted February 2, 2023 (edited)
A few comments here. There are multiple postings in the forum about this attack method. The malware creators are exploiting a Windows bypass method to get around directly dropping a file into the System32 directory. Namely, create a directory there and drop your file into that directory.
Next is the "folly" in using signatures to detect a malicious script. As shown multiple times at malwaretips.com, a minor script modification will defeat an existing Eset signature detection of the original script. The poster was lucky here in that the payload deployed by the script was one Eset had a signature detection for. If the payload was a 0-day one, he would have been nailed.
Eset HIPS needs to be "beefed up" to detect suspicious script file creations. A file being created under hidden file criteria, e.g. xxxxxx.tmp.ps1, with a script suffix is suspicious and should be quarantined until it is further examined by a malware expert. Alternatively, implement what Microsoft Defender does via optional ASR rule. Block execution of any obfuscated script via HIPS option.
Edited February 2, 2023 by itman
BlueTalon 1
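Two things in this thread lend themselves to a small triage helper: the AMSI log record from the first post, whose Object column only says "script" and so never names the .ps1 on disk, and the drop pattern in Marcos' file list and itman's comment (a hex-named `.tmp` directory created directly under System32 holding a `.tmp.ps1`). The following Python is an added example written for this page, not code from ESET or from any poster; the record parser follows the column header quoted in the thread, the two sample paths are the ones Marcos asked for, and the hex `.tmp` naming rule and the list of script suffixes are heuristics assumed here, not an ESET detection rule.

```python
import re
from pathlib import PureWindowsPath

# Column header of the ESET detection log exactly as quoted in the first post.
ESET_FIELDS = ("Time", "Scanner", "Object type", "Object", "Detection",
               "Action", "User", "Information", "Hash", "First seen here")

# Record copied from the first post (the User value is the poster's own placeholder).
SAMPLE_RECORD = (
    r"01-Feb-23 9:53:16 PM;AMSI scanner;file;script;"
    r"PowerShell/TrojanDownloader.Agent.GHN trojan;blocked;"
    r"<ComputerName>\<UserName>;;4701E8D5946643D4AFE68AE5786FE84335C95BA9;"
)


def parse_eset_detection(line: str) -> dict:
    """Map one ';'-separated ESET detection record onto the header names.

    Trailing empty columns are kept (the sample ends in ';'), and a record
    with fewer tokens than the header is padded with empty strings instead
    of raising, so a truncated export line still yields a usable dict.
    """
    parts = line.rstrip("\r\n").split(";")
    parts += [""] * (len(ESET_FIELDS) - len(parts))
    return dict(zip(ESET_FIELDS, parts))


def is_amsi_script_block(rec: dict) -> bool:
    """True for an AMSI-time block of a script object.

    As the poster noticed, AMSI records carry only the literal object name
    'script'; the path of the script has to come from other logs (ESET Log
    Collector in this thread).  This only classifies the record as one
    worth chasing further.
    """
    return (rec["Scanner"] == "AMSI scanner"
            and rec["Object"] == "script"
            and rec["Action"] == "blocked")


# Heuristics assumed for this example, not ESET or Microsoft rules.
SCRIPT_SUFFIXES = {".ps1", ".vbs", ".js", ".bat", ".cmd"}
HEX_TMP_NAME = re.compile(r"^[0-9A-Fa-f]+\.tmp$")


def is_suspicious_system32_script(path: str) -> bool:
    """Flag <drive>\\Windows\\System32\\XXXX.tmp\\YYYY.tmp.<script suffix>.

    The directory must sit directly under System32 and both the directory
    and the script's stem must follow the hex '.tmp' naming from the thread;
    a .ps1 that legitimately lives deeper under System32 does not match.
    """
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    if len(parts) < 3 or parts[-3] != "system32":
        return False
    if p.suffix.lower() not in SCRIPT_SUFFIXES:
        return False
    return bool(HEX_TMP_NAME.match(p.parent.name)) and bool(HEX_TMP_NAME.match(p.stem))


if __name__ == "__main__":
    rec = parse_eset_detection(SAMPLE_RECORD)
    print("AMSI script block:", is_amsi_script_block(rec), "|", rec["Detection"], rec["Hash"])
    for candidate in (r"C:\WINDOWS\System32\A3DA.tmp\A3EB.tmp.ps1",
                      r"C:\WINDOWS\System32\DFBE.tmp\DFBF.tmp.ps1",
                      r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\profile.ps1"):
        print(is_suspicious_system32_script(candidate), candidate)
```

The path check is deliberately narrow: it keys on the directory-under-System32 trick itman describes rather than on script content, so it survives the minor script edits that he notes defeat a content signature, while leaving normal System32 PowerShell files alone.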
Administrators Marcos 5,450 Posted February 3, 2023
8 hours ago, itman said: Block execution of any obfuscated script via HIPS option.
Obfuscated scripts are used by legitimate tools and on the Internet even by bank sites.