Rigging a Windows Installation

Over the last year, numerous malicious PowerShell events popped up in our telemetry. The events caught our attention because a payload was being downloaded into the “C:\Windows” directory, which is usually well guarded under NTFS permissions, this implies that the attacker had very high privilege on the compromised system.

The script tries to download and execute a file named “x.exe” into the “C:\Windows\servicing”, just after adding a Windows Defender exclusion for that path.

After some digging on the end-user side, we found out that the Windows installation on the device was pirated. The user even supplied us with the download link.

Installation Analysis:

The first stage of infection during the installation comes in the form of a compiled AutoIt script, which resides in the path “C:\Windows\INF\MSDNC\0035\config\winarper.exe”. This file is executed using Microsoft-Windows-Shell-Setup logonCommands capability, which allows for custom command execution on the first boot-up of the system. Forensic evidence for such commands can be found inside the log file “C:\Windows\Panther\UnattendGC\setupact.log” or in the Microsoft answer file, which is used to configure a device when it is first installed.

The FirstLogonCommand from the Microsoft answer file:

The malicious binary itself is blacklisted by Microsoft Defender, which means that the execution method described above launches the malicious binary in a manner that bypasses the default Windows anti-virus.

The compiled-AutoIt Binary executes 2 PowerShell scripts. The first one is named “psm.ps1”, and its main role is to set up the next stage of the attack. It achieves that using the following logic:

• Windows’ official cmd.exe binary is copied into the path “C:\Windows\Logs\cmd.exe”
• For each user, a registry key is added to the Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers which will cause the cmd.exe binary to be executed as administrator without triggering a UAC popup:
• Two services are created which use the newly created cmd binary to execute PowerShell scripts.
  

The second script is named “cls.ps1”, and its main purpose is cleaning up winwarper.exe by deleting it and terminating any process by that name.

The PowerShell Services:

The services were created on automatic start priority, but were not started, which means they will be started the next time the system is booted, according to MSDN. These services execute another duo of PowerShell scripts, that use an interesting evasion technique to load malicious in-memory PowerShell code.

The first script is only responsible for changing the NTFS permissions of the directories “C:\Windows\Servicing” and “C:\Windows\Panther\Setup.exe”, adding full control access to the Everyone group, effectively giving full access to these folders to anyone on the computer.

The second script is far more interesting, it uses a custom technique to decode a PowerShell script from directory names. The original script was encoded into its decimal ASCII value, and split into multiple chunks of space separated strings, then directories named after these chunks were created, which can be decoded given the proper reading order.

An example of the encoded directories:

The decoding script:

The resulting script turns out to be the same one that was discussed in the introduction, which downloads a 7zip SFX binary named “x.exe”.

When executed the binary will unpack a plethora of malware into the C:\Windows\Servicing directory. The downloaded viruses include benign yet annoying adware, a destructive crypto-miner and a sample of Xtreme RAT, which will enable full monetization of the infected device.

Conclusion:

The individuals responsible for this trickery have introduced some clever ways to bypass Windows Defender, which can be used also by other malware and should be addressed. The specific torrent we have investigated has tens of thousands of seeders, and while we do not know how many live installations are out there, considering its popularity it is safe to assume that the number of successful infections is quite high. We recommend getting your software from legitimate sources, especially highly critical ones such as the operating system.

Torrent Hash:

75e82ffaf0804f930b287039b6ad0955ff7282aa

IOCs:

25f240f2eed626463dea5609cd3482ad2eab9e1cb4ff2e20c1de7410af64d449

710abcfaa44c8d7d830efbd783fb74567fc7978cd67d75b65dfe2f78f73f7fe7

a40f339ef8d2e73dfb7174ed38ac87d9b08f1517837b2a3b6e3287471ab0a1e7

e10425bfb15b8563a8f435953a6b308c7861da79facce8c1c49bc7f6f5bfbba6

5381b27d69dc88c1e9f5914d9b7f06229f40fd2071e62b96ed4c04b553950b78

1bee5cd8e46a7cfe6f162acd695a05a046585f84f0d4558aa3ce12f29f589c38

4e3816bcebdcd1c7b4416831536c22a99eeea2f2b7c473f949ff54a1e9d4f87c (Xtreme RAT)

3e2257ab513bc32de6148c3e340f46b45e05e78b57092ecd429732569c90a944

bc56fd3f96019a75f8e80b1dcace4360a3105fbb2e4c7598728400bfa6d2419e

b2d6eb2591cb7052ae69249dd7bce0ef461774c19637852a1460422508f24b4e

cf984d5fde5ea2342fa0bf16f703af9fb43e72ca181482893ed090a486e3f027 (x.exe)

a94f73ee161092d21815f48b18a83539abbc9b909353aa58fc421684678a7680 (cls.ps1)

e45918929025a0eb20fc084a5c1943d057d2a69b2f707f2a72c44f3c9b8cbaf5 (PRNP.ps1)

1a244f5c12ac1cca52711743cd12e3450b4caa411c553734987980d6e519c11a (psm.ps1)

eecaeb0065f5c8d027929c89dc51dd6f9fd201a436f971fbae7a5a44658a3c52 (ssfr.ps1)

5f0a4d221bb1dd964f5cd04fe7251301106e789c393c0d389a8edc3224a94ff3 (winwarper.exe)

Files:

C:\Windows\Logs\Cmd.exe

C:\Windows\INF\MSDNC\0035\config\winarper.exe

C:\Windows\Logs\Log\231546531\ssfr.ps1

C:\Windows\INF\LSM\0407\0409\cls.ps1

C:\Windows\INF\LSM\0407\0409\psm.ps1

C:\Windows\INF\PRNPSvc\0409\0301\PRNP.ps1

DNS Names:

http://knubis[.]duckdns[.]org

http://m[.]msz[.]su