Data stealing Trojan was found using Windows PowerShell Remoting

May 28, 2015

Whether is it a ransomware trying to hold your files for a fee or a botnet trying to take down your servers, much of today’s malware use several different techniques to evade detection by security products and to stay hidden during execution. The Dell SonicWALL Threats Research team has discovered a data stealing Trojan using Windows PowerShell and Windows Remote Management in an attempt to fly under the radar. The Trojan leverages these technologies to establish a persistent connection to the victim’s computer and allow it to run PowerShell commands directly on the remote machine. This enables cyber attackers to query the machine’s file system, the registry, running processes, stop system services or scheduled jobs, and more without being flagged as suspicious by the victim’s security product.

Infection Cycle:

The Trojan uses the following icon:

Figure 1: Trojan purports to be Wise Cleaner application

Upon execution The Trojan spawns svchost.exe and injects its own code:

Figure 2: Trojan creating a new process – svchost.exe

Svchost.exe then downloads the Windows Management Framework Core package.

Figure 3: HTTP GET request for KB968930 on microsoft.com

Figure 4: Showing svchost.exe as the parent process which executed the downloaded file

The downloaded file is then unpacked in a temporary directory which will then be deleted after files are moved over to appropriate system directories:

  • c:7dd9ff4d2e44e82ca3dd98ddcf8e

Several other legitimate processes are then executed to carry out the full installation of Windows Remote Management and PowerShell. The following are just some of the commands executed to perform the installation and configuration:

  • c:7dd9ff4d2e44e82ca3dd98ddcf8eupdateupdate.exe /quiet /norestart
  • C:WINDOWSsystem32cmd.exe [C:WINDOWSsystem32cmd.exe /c copy /y C:WINDOWSassemblyGAC_MSILSystem.Management.Automation1.0.0.0__31bf3856ad364e35System.Management.Automation.dll C:WINDOWSsystem32WindowsPowerShellv1.0]
  • C:WINDOWSsystem32cmd.exe [C:WINDOWSsystem32cmd.exe /c copy /y C:WINDOWSassemblyGAC_MSILMicrosoft.PowerShell.ConsoleHost1.0.0.0__31bf3856ad364e35Microsoft.PowerShell.ConsoleHost.dll C:WINDOWSsystem32WindowsPowerShellv1.0]
  • C:WINDOWSsystem32cmd.exe [“C:WINDOWSsystem32cmd.exe” /c move /y “C:Documents and SettingsAll UsersStart MenuProgramsWindows PowerShell 1.0Windows PowerShell.lnk” “C:WINDOWS$NtUninstallKB968930$Windows PowerShell.lnk”]
  • C:WINDOWSsystem32wsmanhttpconfig.exe install
  • C:WINDOWSsystem32wsmanhttpconfig.exe downlevelsetup
  • C:WINDOWSsystem32wbemmofcomp.exe C:WINDOWSsystem32winrmprov.mof
  • C:WINDOWS$968930Uinstall_KB968930$PSCustomSetupUtil.exe” /install
  • C:WINDOWSMicrosoft.NETFrameworkv2.0.50727ngen.exe install /queue:1 /silent /nologo /NoDependencies “System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil”]

In order to ensure uninterrupted communication over certain ports it adds the following values into the registry (Note that by default, WS-Man and PowerShell remoting use port 5985 and 5986 for connections over HTTP and HTTPS, respectively):

  • HKLMsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicystandardprofilegloballyopenportslist[5985:tcp]
  • HKLMsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicystandardprofilegloballyopenportslist[80:tcp]
  • HKLMsystemcurrentcontrolsetserviceshttpparametersurlaclinfo[http://+:47001/wsman/]
  • HKLMsystemcurrentcontrolsetserviceshttpparametersurlaclinfo[http://+:5985/wsman/]
  • HKLMsystemcurrentcontrolsetserviceshttpparametersurlaclinfo[https://+:5986/wsman/]
  • HKLMsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicystandardprofilegloballyopenportslist[5985:tcp]
  • HKLMsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicystandardprofilegloballyopenportslist[80:tcp]
  • HKLMsystemcurrentcontrolsetservicessens[start]4 (disables system event notification service)

It creates a copy of itself with a random folder and filename in the following directory:

  • %APPDATA%gixojgixoj.exe

In order to start after reboot the Trojan adds the following key to the registry:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun [null] “%APPDATA%gixojgixoj.exe”

It then sends TCP connection requests from random source addresses.

Figure 5: SYN flood attack

At one instance, it rendered the machine useless and caused it to crash.

Figure 6: Trojan causing the machine to bluescreen

It periodically sends encrypted data to remote servers:

Figure 7: Encrypted data sent to different remote servers

While we did not observe any powershell commands executed remotely during our analysis, this malware still poses a big threat. Depending on the initial data sent out to its remote servers, these cyber criminals may intend to use this on more lucrative targets like governments and businesses to retrieve useful critical information and gain control over their systems.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Kovter.POW_2 (Trojan)