Wednesday, October 16, 2024

HORUS Protector Delivering AgentTesla, Remcos, Snake Malware


The Horus Protector crypter is being used to distribute numerous malware families, including AgentTesla, Remcos, Snake, NjRat, and others. They are spread primarily through archive files containing VBE scripts, which are encoded VBS scripts.

Once executed, these scripts decode and execute the malicious payload. This distribution method makes detection and prevention harder because of the obfuscation techniques employed by the crypter.

The VBE script downloads encoded files from a remote server and stores them in a specific registry location; these files contain executables and instructions for the malicious activity.

Figure: Registry entries

It retrieves the files from the server using HTTP requests and stores them in subkeys of the registry.

The registry path is defined by a SystemPath variable within the script, and it is likely used to execute malicious code or perform other harmful actions on the infected system.

The attack creates a new registry key under the existing parent key, splits the main payload into hexadecimal segments, and stores them in subkeys named segment1, segment2, and so on; some instances use data1, data2, and so on, as the subkey names.

Figure: Main payload

Following this, a VBS script is created in the user's AppData\Roaming folder with the same name as the script found in the earlier registry key. This suggests a persistence mechanism: the VBS script can be used to re-execute the malicious payload or perform other malicious actions.

According to the SonicWall report, the attacker downloads malicious data from a remote server and saves it as a VBS script, which is then scheduled to run every minute using Task Scheduler.
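The scheduled-task persistence described above gives a defender something concrete to hunt for. The following is an added example, not code from the article or from the SonicWall report: it scores Task Scheduler XML definitions (the format produced by schtasks /query /xml /tn "name" or PowerShell's Export-ScheduledTask) for the combination of a repeat interval of a few minutes or less and a wscript/cscript action that launches a .vbs or .vbe file under AppData\Roaming. The task names, user name and file paths in the sample definitions are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ROAMING_SCRIPT_RE = re.compile(r"appdata\\roaming\\[^\s\"]+\.vb[se]\b", re.IGNORECASE)

# Constructed task definitions in Task Scheduler's XML format. Task names,
# the user name and file names are invented for this example.
SAMPLE_TASKS: Dict[str, str] = {
    "Windows Update Helper": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <StartBoundary>2024-10-01T09:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\wscript.exe</Command>
      <Arguments>"C:\\Users\\alice\\AppData\\Roaming\\update.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>""",
    "Vendor Updater": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>P1D</Interval></Repetition>
      <StartBoundary>2024-10-01T09:00:00</StartBoundary>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\\Program Files\\Vendor\\updater.exe"</Command></Exec>
  </Actions>
</Task>""",
    "Telemetry Agent": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <StartBoundary>2024-10-01T09:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Agent\\agent.exe</Command><Arguments>--poll</Arguments></Exec>
  </Actions>
</Task>""",
}


def interval_seconds(iso_duration: str) -> Optional[int]:
    """Parse the ISO-8601 duration subset Task Scheduler uses (PT1M, PT30S, P1DT2H)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso_duration.strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def analyze_task(task_xml: str, max_interval: int = 300) -> Set[str]:
    """Tag one task definition with the traits that together match the persistence
    pattern in the article: a tight repetition interval, a script host as the
    action, and a .vbs/.vbe under AppData\\Roaming."""
    root = ET.fromstring(task_xml)
    tags: Set[str] = set()
    for node in root.iterfind(".//t:Repetition/t:Interval", TASK_NS):
        secs = interval_seconds(node.text or "")
        if secs is not None and secs <= max_interval:
            tags.add("short_interval")
    for exec_node in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS)
        # Compare only the executable name so a full System32 path still matches.
        if command.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
            tags.add("script_host")
        if ROAMING_SCRIPT_RE.search(f"{command} {arguments}"):
            tags.add("roaming_script")
    return tags


def hunt_tasks(tasks: Dict[str, str], max_interval: int = 300) -> Dict[str, Set[str]]:
    """Return only the tasks that both run on a tight schedule and launch a script;
    a short interval on its own (monitoring agents) is not enough to flag."""
    flagged: Dict[str, Set[str]] = {}
    for name, task_xml in tasks.items():
        tags = analyze_task(task_xml, max_interval)
        if "short_interval" in tags and tags & {"script_host", "roaming_script"}:
            flagged[name] = tags
    return flagged


if __name__ == "__main__":
    for name, tags in hunt_tasks(SAMPLE_TASKS).items():
        print(f"{name}: {', '.join(sorted(tags))}")
```

On a live host the same functions can be fed the XML of every task under C:\Windows\System32\Tasks, which are stored in this format; the 300-second threshold is a tunable starting point, not a value from the report.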

Before execution, the script checks whether Windows Defender is enabled by querying the Security Center. If it is found to be active, the script terminates, avoiding detection and execution.

Figure: Check for antivirus

The VBS script checks whether Windows Defender is enabled. If it is, it executes a PowerShell command to run the Elfetah.exe loader with specific parameters. If Defender is not enabled, the script directly runs the PowerShell command to decode and execute the loader file.

The loader file's path is stored in the registry, and the script first ensures that the MSBuild.exe process is not running before executing the PowerShell command.

It retrieves reversed base64 data from the registry key [HKCU:\Software\uOITNhlpKJsMLJxs], which is used to execute the module Elfetah.exe; that module in turn loads and executes the next-stage injector file stored in the registry key [HKCU:\Software\uOITNhlpKJsMLJxr].

Figure: Call to the second stage

The registry key path "uOITNhlpKJsMLJx" is passed as a parameter to Elfetah.exe, which retrieves the data, reverses it, converts it from hex to ASCII, and forms the raw binary. The new assembly is then loaded by calling the "r" method of the newly loaded .NET DLL, "erezake.dll".

The malicious injector erezake.dll targets MSBuild.exe, a process specified in the registry. It extracts and concatenates the segments of the payload stored in the registry and reverses them back into a PE file.
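For an analyst who has exported the registry subkeys from an infected host, the segmenting and reversing described above (the segment1/data1 subkeys, the reversed hex, and the reversed base64 loader data) can be undone offline without running any of the malware's stages. The block below is an added example, not code from the article or the SonicWall report. It reconstructs a payload from numbered subkey values and sanity-checks the result for a PE header; the sample payload, the chunk size and the encoding helper that builds the sample are assumptions made only to produce test input, following the order of operations the article gives (reverse, then hex-decode).

```python
import base64
import re

# Constructed sample: a minimal PE-shaped blob ('MZ' header, e_lfanew at 0x3C
# pointing at a 'PE\0\0' signature) standing in for a real payload. It is not
# a working executable and is not taken from the report.
SAMPLE_PAYLOAD = (
    b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + bytes(range(256))
)

_SUBKEY_RE = re.compile(r"^(segment|data)(\d+)$", re.IGNORECASE)


def encode_like_horus(payload: bytes, prefix: str = "segment", chunk: int = 64) -> dict:
    """Build registry-style subkey values for the sample: hex-encode, reverse,
    then split into numbered chunks. This mirrors the order the article gives
    (the loader reverses the data, then converts hex to bytes); the chunk size
    is an assumption used only to construct test input."""
    reversed_hex = payload.hex()[::-1]
    return {
        f"{prefix}{i + 1}": reversed_hex[j : j + chunk]
        for i, j in enumerate(range(0, len(reversed_hex), chunk))
    }


def reassemble_segments(subkeys: dict) -> bytes:
    """Undo the transform: order segmentN/dataN values numerically, concatenate,
    reverse the string, and hex-decode. Numeric ordering matters because a plain
    alphabetical sort puts segment10 before segment2 and silently corrupts the
    output."""
    parts = []
    for name, value in subkeys.items():
        m = _SUBKEY_RE.match(name)
        if m:
            parts.append((int(m.group(2)), value))
    if not parts:
        raise ValueError("no segmentN or dataN subkeys found")
    parts.sort(key=lambda p: p[0])
    reversed_hex = "".join(value for _, value in parts)
    return bytes.fromhex(reversed_hex[::-1])


def decode_reversed_base64(value: str) -> bytes:
    """Undo the reversed-base64 encoding the article describes for the loader
    data stored under HKCU:\\Software."""
    return base64.b64decode(value[::-1], validate=True)


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check before handing the carve to a sandbox or a PE parser:
    'MZ' DOS header and a 'PE\\0\\0' signature at the offset in e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew : e_lfanew + 4] == b"PE\x00\x00"


if __name__ == "__main__":
    # Simulate subkeys exported from the registry, arriving in arbitrary order.
    exported = dict(reversed(list(encode_like_horus(SAMPLE_PAYLOAD, "data", 7).items())))
    carved = reassemble_segments(exported)
    print(f"{len(exported)} subkeys -> {len(carved)} bytes, PE header: {looks_like_pe(carved)}")
```

The carved bytes should be hashed and compared against the IOCs below rather than executed; a passing looks_like_pe() only says the reassembly order was right, not that the file is safe to run.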

Using image hollowing, the payload is injected into MSBuild.exe, where the malware checks for a registry value indicating a BotKill option, presumably provided by the Horus Crypter service.

If that value is present, it removes all of the malware's persistence, including the scheduled tasks. The injected payload is the SNAKE Keylogger, known for stealing sensitive data such as keystrokes, screenshots, clipboard content, and application data.

IOCs:

  • c39a2e4fbcce649cb5ac409d4a2e1b1f
  • f0fe04a3509d812ade63145fd37a1cb2
  • 8acccb571108132e1bbe7c4c60613f59
  • 405377b1469f31ff535a8b133360767d
  • fd4302cdfacbc18e723806fde074625b
