Suspect of persistent memory infection (BEM, Powershell)

core_federico

New Member
Thread author
Sep 22, 2018
6
Hello, we notice some strange behaviour on a customer that was involved in a BEM attack
No infection found on the endpoint (protected with Webroot) but after investigation we notice obfuscated REG entries:

We was able to decrypt some portions discovering some powersploit code but we would like to know more about it
For security, we pulled off the HD and made a physical-to-virtual in a protected environment

Thank you for any hint
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,264
The PowerShell command:
Code:
[System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\07DA97B2-BACF-D19B-FC2B-8E95F08FA299').Clourext)
should decode the malicious PowerShell code.
Did the code from the link https://www.pastefs.com/pid/103022 is from that registry key?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,264
Hi Andy, yes those are linked
You can see there's the same reference "07DA97B2-BACF-D19B-FC2B-8E95F08FA299"
I had to use this service because the paste is > 6mb
I tried to reproduce the malware, but something is missing in your registry keys, because the PowerShell command:
Code:
wmic.exe /output:clipboard process call create \"powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\07DA97B2-BACF-D19B-FC2B-8E95F08FA299').Clourext))\"
executes the code stored under the value Clourext of the key:
Code:
HKCU:\Software\AppDataLow\Software\Microsoft\07DA97B2-BACF-D19B-FC2B-8E95F08FA299
The value Clourext is missing on the https://www.pastefs.com/pid/103022, only another value Client32 is included. The value Client32 stores some large binary code, that is probably executed by the missing code from the value Clourext.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,264
Check line 14675 of https://www.pastefs.com/pid/103022
Is that what you're referring to?
I decoded the PowerShell commands which are started with Windows via registry value Clourext:
Code:
powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\07DA97B2-BACF-D19B-FC2B-8E95F08FA299').Clourext))
This code leverages QueueUserAPC bytecode injection, and it is almost identical to the code of Gozi ISFB Banking Malware Version 2.16/2.17 :
(y)
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,264
Awesome Andy, thank you! We will look into it
Any technical reason why Webroot doesn't catch them? Like malware behaviour that webroot doesn't handle..
Most AVs will have a problem with this malware, because after an infection due to the weaponized MS Office document (macro + PowerShell dropper), the malware is stored fully in the Windows Registry, similarly to this:
See also the MT thread:
 
Last edited:

yarr

Level 2
Verified
Jul 5, 2018
52
This reminds me of the infection in trying to deal with. Even after format it injects all this weird stuff into registry using the defaultuser0 profile. I think it uses a faulty ntuser file. If you figure anything out I'd love to see your update and progress
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,264
This reminds me of the infection in trying to deal with. Even after format it injects all this weird stuff into registry using the defaultuser0 profile. I think it uses a faulty ntuser file. If you figure anything out I'd love to see your update and progress
Did you mean formatting the system disk? If so, then it can be something else, because the malware from this thread uses Windows Registry for persistence (disappears after formatting the system disk).
Anyway, it is possible to join boot sector infection with hiding the DLLs in the Windows Registry. There are also some other possibilities.
 
Last edited:

yarr

Level 2
Verified
Jul 5, 2018
52
Did you mean formatting the system disk? If so, then it can be something else, because the malware from this thread uses Windows Registry for persistence (disappears after formatting the system disk).
Anyway, it is possible to join boot sector infection with hiding the DLLs in the Windows Registry. There are also some other possibilities.
I did but at that point my router was infected and I wasn't aware of that at the time. I should try wiping one of the HD again to see what happens.
 
  • Like
Reactions: Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top