Suspect of persistent memory infection (BEM, Powershell)

core_federico

New Member
Thread author
Sep 22, 2018
Italy
Hello, we noticed some strange behaviour on a customer that was involved in a BEM attack.
No infection was found on the endpoint (protected with Webroot), but after investigation we noticed obfuscated REG entries:

We were able to decrypt some portions, discovering some PowerSploit code, but we would like to know more about it.
For security, we pulled the HD and made a physical-to-virtual in a protected environment.

Thank you for any hint.
 
The PowerShell command:
Code:
[System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\07DA97B2-BACF-D19B-FC2B-8E95F08FA299').Clourext)
should decode the malicious PowerShell code.
Is the code from the link https://www.pastefs.com/pid/103022 from that registry key?
 
Hi Andy, yes, those are linked.
You can see there's the same reference "07DA97B2-BACF-D19B-FC2B-8E95F08FA299".
I had to use this service because the paste is > 6 MB.
I tried to reproduce the malware, but something is missing in your registry keys, because the PowerShell command:
Code:
wmic.exe /output:clipboard process call create \"powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\07DA97B2-BACF-D19B-FC2B-8E95F08FA299').Clourext))\"
executes the code stored under the value Clourext of the key:
Code:
HKCU:\Software\AppDataLow\Software\Microsoft\07DA97B2-BACF-D19B-FC2B-8E95F08FA299
The value Clourext is missing from https://www.pastefs.com/pid/103022; only another value, Client32, is included. The value Client32 stores some large binary code, which is probably executed by the missing code from the value Clourext.
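Since the disk was pulled and analysed offline, the practical way to repeat the decoding step above without executing anything is to work on a regedit export (.reg file) of the suspect hive. The script below is an added example, not code from this thread or from any of the participants: it parses the `hex:` values of a .reg export, decodes them with the same ASCII step as `[System.Text.Encoding]::ASCII.GetString`, and flags values that decode to a PowerShell loader, start with an `MZ` header, or are large blobs under a GUID-named subkey. The GUID, the key names and the embedded sample export are constructed for the example; only the loader pattern follows what the thread shows.

```python
import re
from dataclasses import dataclass, field

# Tokens a registry-resident PowerShell loader tends to contain once decoded
# (compared case-insensitively); taken from the loader pattern in the thread.
LOADER_MARKERS = ("iex", "invoke-expression", "getstring", "get-itemproperty",
                  "-w hidden", "frombase64string")
# Subkey whose last path component is a bare GUID, as in the thread
GUID_KEY_RE = re.compile(r"\\\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
VALUE_LINE_RE = re.compile(r'^"([^"]+)"=(.*)$')
HEX_VALUE_RE = re.compile(r"^hex(?:\([0-9a-f]+\))?:(.*)$", re.I)


@dataclass
class Finding:
    key: str
    value: str
    size: int
    markers: list = field(default_factory=list)
    looks_like_pe: bool = False


def decode_value(raw: str) -> bytes:
    """Turn one .reg value body into bytes (REG_SZ, hex/hex(n) binary, dword)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].encode("utf-8", errors="replace")
    m = HEX_VALUE_RE.match(raw)
    if m:
        return bytes(int(h, 16) for h in m.group(1).split(",") if h.strip())
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16).to_bytes(4, "little")
    return raw.encode("utf-8", errors="replace")


def parse_reg_export(text: str) -> dict:
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {name: bytes}}."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE_RE.match(line)
        if not m or current is None:
            continue  # header, blank line or unsupported syntax
        name, raw = m.groups()
        while raw.endswith("\\") and i < len(lines):  # hex values wrap with ',\'
            raw = raw[:-1] + lines[i].strip()
            i += 1
        keys[current][name] = decode_value(raw)
    return keys


def decode_ascii(data: bytes) -> str:
    """Same step as [System.Text.Encoding]::ASCII.GetString() in the thread."""
    return data.decode("ascii", errors="replace")


def triage(keys: dict, large_blob: int = 1024) -> list:
    """Flag values that decode to a PowerShell loader, look like a PE image,
    or are large blobs stored under a GUID-named key."""
    findings = []
    for key, values in keys.items():
        guid_named = bool(GUID_KEY_RE.search(key))
        for name, data in values.items():
            text = decode_ascii(data).lower()
            markers = [mk for mk in LOADER_MARKERS if mk in text]
            looks_like_pe = data[:2] == b"MZ"
            if markers or looks_like_pe or (guid_named and len(data) >= large_blob):
                findings.append(Finding(key, name, len(data), markers, looks_like_pe))
    return findings


def _reg_hex(data: bytes, per_line: int = 16) -> str:
    """Render bytes the way regedit exports REG_BINARY (lines wrapped with ',\\')."""
    chunks = [",".join(f"{b:02x}" for b in data[i:i + per_line])
              for i in range(0, len(data), per_line)]
    return ",\\\n  ".join(chunks)


# --- constructed sample export (placeholder GUID, not data from the thread) ---
SAMPLE_KEY = (r"HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft"
              r"\00000000-1111-2222-3333-444444444444")
_LOADER = (b"powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString("
           b"(get-itemproperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft"
           b"\\00000000-1111-2222-3333-444444444444').Clourext))")
_BLOB = b"MZ" + b"\x00" * 2048   # stand-in for the large binary value
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    f"[{SAMPLE_KEY}]",
    f'"Clourext"=hex:{_reg_hex(_LOADER)}',
    f'"Client32"=hex:{_reg_hex(_BLOB)}', "",
    r"[HKEY_CURRENT_USER\Software\ExampleVendor]",
    '"Version"="1.0"', "",
])

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for f in triage(parsed):
        print(f"{f.key}\\{f.value}: {f.size} bytes, markers={f.markers}, pe={f.looks_like_pe}")
        if f.markers:
            print("  decoded:", decode_ascii(parsed[f.key][f.value])[:80])
```

To use it on a real case, export the suspect hive from the mounted (offline) disk with `reg export` or regedit and feed the file's text to `parse_reg_export`; the benign `ExampleVendor` key in the sample is there to show that ordinary string values are not flagged.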
 
Check line 14675 of https://www.pastefs.com/pid/103022
Is that what you're referring to?
I decoded the PowerShell commands which are started with Windows via registry value Clourext:
Code:
powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\07DA97B2-BACF-D19B-FC2B-8E95F08FA299').Clourext))
This code leverages QueueUserAPC bytecode injection, and it is almost identical to the code of Gozi ISFB Banking Malware Version 2.16/2.17:
 
Awesome Andy, thank you! We will look into it
Is there any technical reason why Webroot doesn't catch them? Like malware behaviour that Webroot doesn't handle?
Most AVs will have a problem with this malware, because after the infection via the weaponized MS Office document (macro + PowerShell dropper), the malware is stored fully in the Windows Registry, similarly to this:
See also the MT thread:
 
This reminds me of the infection I'm trying to deal with. Even after a format it injects all this weird stuff into the registry using the defaultuser0 profile. I think it uses a faulty ntuser file. If you figure anything out, I'd love to see your update and progress.
 
Did you mean formatting the system disk? If so, then it can be something else, because the malware from this thread uses the Windows Registry for persistence (it disappears after formatting the system disk).
Anyway, it is possible to combine a boot sector infection with hiding the DLLs in the Windows Registry. There are also some other possibilities.
 
I did, but at that point my router was infected and I wasn't aware of that at the time. I should try wiping one of the HDs again to see what happens.
 