Suspect of persistent memory infection (BEM, Powershell)

C

core_federico

New Member
Thread author
Sep 22, 2018
6
Hello, we notice some strange behaviour on a customer that was involved in a BEM attack
No infection found on the endpoint (protected with Webroot) but after investigation we notice obfuscated REG entries:
pastebin.com

Windows Registry Editor Version 5.00[HKEY_CURRENT_USER\Software\Microsoft\Wi - Pastebin.com

Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.
pastebin.com pastebin.com

We was able to decrypt some portions discovering some powersploit code but we would like to know more about it
For security, we pulled off the HD and made a physical-to-virtual in a protected environment

Thank you for any hint
 
  • Like
Reactions: brambedkar59, Weebarra, Kuttz and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,828
The PowerShell command:
Code: 
[System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\07DA97B2-BACF-D19B-FC2B-8E95F08FA299').Clourext)
should decode the malicious PowerShell code.
Did the code from the link https://www.pastefs.com/pid/103022 is from that registry key?
 
  • Like
Reactions: brambedkar59, Weebarra, notabot and 6 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,828
feed said:
Hi Andy, yes those are linked
You can see there's the same reference "07DA97B2-BACF-D19B-FC2B-8E95F08FA299"
I had to use this service because the paste is > 6mb
Click to expand...
I tried to reproduce the malware, but something is missing in your registry keys, because the PowerShell command:
Code: 
wmic.exe /output:clipboard process call create \"powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\07DA97B2-BACF-D19B-FC2B-8E95F08FA299').Clourext))\"
executes the code stored under the value Clourext of the key:
Code: 
HKCU:\Software\AppDataLow\Software\Microsoft\07DA97B2-BACF-D19B-FC2B-8E95F08FA299
The value Clourext is missing on the https://www.pastefs.com/pid/103022, only another value Client32 is included. The value Client32 stores some large binary code, that is probably executed by the missing code from the value Clourext.
 
  • Like
  • +Reputation
Reactions: brambedkar59, Weebarra, notabot and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,828
feed said:
Check line 14675 of https://www.pastefs.com/pid/103022
Is that what you're referring to?
Click to expand...
I decoded the PowerShell commands which are started with Windows via registry value Clourext:
Code: 
powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\07DA97B2-BACF-D19B-FC2B-8E95F08FA299').Clourext))
This code leverages QueueUserAPC bytecode injection, and it is almost identical to the code of Gozi ISFB Banking Malware Version 2.16/2.17 :
(y)
 
Last edited:
  • Like
  • +Reputation
Reactions: brambedkar59, Vasudev, Weebarra and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,828
feed said:
Awesome Andy, thank you! We will look into it
Any technical reason why Webroot doesn't catch them? Like malware behaviour that webroot doesn't handle..
Click to expand...
Most AVs will have a problem with this malware, because after an infection due to the weaponized MS Office document (macro + PowerShell dropper), the malware is stored fully in the Windows Registry, similarly to this:
blog.talosintelligence.com

Cisco AMP tracks new campaign that delivers Ursnif

Talos continues to see Ursnif in the wild. In this most recent example, we blocked it before it could do any damage to the target.
blog.talosintelligence.com blog.talosintelligence.com
See also the MT thread:
malwaretips.com

New Ursnif Malware Campaign Uses Fileless Infection to Avoid Detection

A new malware campaign spreading the Ursnif banking Trojan using PowerShell to achieve fileless persistence to hide from anti-malware solutions was detected by Cisco's Advanced Malware Protection (AMP) Exploit Prevention engine. Ursnif, which is also known as Gozi ISFB, is an offspring of the...
malwaretips.com malwaretips.com
 
Last edited:
  • Like
  • +Reputation
Reactions: brambedkar59, Vasudev, core_federico and 3 others
yarr

yarr

Level 2
Verified
Jul 5, 2018
52
This reminds me of the infection in trying to deal with. Even after format it injects all this weird stuff into registry using the defaultuser0 profile. I think it uses a faulty ntuser file. If you figure anything out I'd love to see your update and progress
 
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,828
yarr said:
This reminds me of the infection in trying to deal with. Even after format it injects all this weird stuff into registry using the defaultuser0 profile. I think it uses a faulty ntuser file. If you figure anything out I'd love to see your update and progress
Click to expand...
Did you mean formatting the system disk? If so, then it can be something else, because the malware from this thread uses Windows Registry for persistence (disappears after formatting the system disk).
Anyway, it is possible to join boot sector infection with hiding the DLLs in the Windows Registry. There are also some other possibilities.
 
Last edited:
yarr

yarr

Level 2
Verified
Jul 5, 2018
52
Andy Ful said:
Did you mean formatting the system disk? If so, then it can be something else, because the malware from this thread uses Windows Registry for persistence (disappears after formatting the system disk).
Anyway, it is possible to join boot sector infection with hiding the DLLs in the Windows Registry. There are also some other possibilities.
Click to expand...
I did but at that point my router was infected and I wasn't aware of that at the time. I should try wiping one of the HD again to see what happens.
 
  • Like
Reactions: Andy Ful
You must log in or register to reply here.

Similar threads

Trident
    • Like
    • +Reputation
    • Hundred Points
Serious Discussion Harmony Endpoint by Check Point
Replies
704
Views
69,795
Other security for Windows, Mac, Linux
Trident
Trident
Bot
    • Like
  • Locked
Hawkeye Keylogger – Reborn v8: An in-depth campaign analysis
Replies
2
Views
2,068
Microsoft Defender
RoboMan
RoboMan
Av Gurus
    • Like
Surprise Ransomware Installed via TeamViewer and Executes from Memory
Replies
0
Views
1,897
News Archive
Av Gurus
Av Gurus

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top