To detect and remediate threats, Rapid7’s Managed Detection and Response (MDR) team uses specialised tools, malware analysis, tradecraft, and collaboration with our colleagues on the Threat Intelligence and Detection Engineering (TIDE) team.
We recently discovered a malware campaign whose payload instals itself as a Windows application after being delivered via a browser ad service and circumvents User Account Control (UAC) by abusing a Windows environment variable and a native scheduled task to run with elevated privileges indefinitely. The malware is classified as a stealer since it aims to steal sensitive data (such as browser credentials and bitcoin) from an infected asset, prevent browser updates, and execute arbitrary commands.
Detection:
After analysing the “UAC Bypass – Disk Cleanup Utility” and “Suspicious Process – TaskKill Multiple Times” warnings (written by Rapid7’s TIDE team) within Rapid7’s InsightIDR platform, the MDR SOC first became aware of this malware campaign.
The alert revealed a potential UAC bypass via the Disk Cleanup programme, as the name implies, due to a vulnerability in some versions of Windows 10 that allows a native scheduled process to execute arbitrary code by changing the content of an environment variable. A PowerShell command spawned by a suspicious executable named HoxLuSfo.exe was detected by the alert. Sihost.exe, a background process that launches and maintains the Windows action and notification centres, was found to be the source of HoxLuSfo.exe.
We discovered that the PowerShell command was used to attempt a Disk Cleanup Utility UAC bypass after sleeping. The command works because the Disk Cleanup Utility can run via the native scheduled job “SilentCleanup” on some Windows systems, which when triggered, performs the following command with elevated privileges:
%windir%\system32\cleanmgr.exe /autoclean /d %systemdrive%
By changing the value set for the environment variable percent windir percent in the path indicated in the “SilentCleanup” scheduled job, the PowerShell programme exploited the usage of the environment variable percent windir percent in the route given in the “SilentCleanup” scheduled task. The PowerShell command replaced the current percent windir percent environment variable with a new percent windir percent environment variable with the following value:
%LOCALAPPDATA%\Microsoft\OneDrive\setup\st.exe REM
As a result of the environment variable replacement, the scheduled task “SilentCleanup” was configured to run the following command whenever the task “SilentCleanup” was triggered:
%LOCALAPPDATA%\Microsoft\OneDrive\setup\st.exe REM\system32\cleanmgr.exe /autoclean /d %systemdrive%
The binary st.exe was a copied version of HoxLuSfo.exe
from the file path C:\Program Files\WindowsApps\3b76099d-e6e0-4e86-bed1-100cc5fa699f_113.0.2.0_neutral__7afzw0tp1da5e\HoxLuSfo\
.
The “REM” at the end of the Registry entry essentially comments out the rest of the native command for the “SilentCleanup” scheduled task, causing it to run as follows:
%LOCALAPPDATA%\Microsoft\OneDrive\setup\st.exe
The PowerShell command launched the “SilentCleanup” scheduled task after making the changes to the percent windir percent environment variable, thereby hijacking the “SilentCleanup” scheduled task to start st.exe with elevated rights.
st.exe spawned several instructions attempting to terminate any process called Google, MicrosoftEdge, or setu*, according to the alert for “Suspicious Process – TaskKill Multiple Times.”
HoxLuSfo.exe is being investigated.
Because the files HoxLuSfo.exe and st.exe were no longer present at the time of the investigation, Rapid7’s MDR was unable to remotely retrieve them from the infected assets. VirusTotal, however, provided us with a copy of the executable based on its MD5 hash.
HoxLuSfo.exe had the following features and behaviours, according to Rapid7’s MDR:
Obfuscated code in a 32-bit Microsoft Visual Studio.NET executable.
TorE.exe was the program’s original name.
Only ten antivirus programmes identified HoxLuSfo.exe as harmful at the time of writing.
The contaminated asset’s fingerprints
Drops and uses JiLuT64.dll (MD5: 14ff402962ad21b78ae0b4c43cd1f194), a 32-bit Microsoft Visual Studio.NET DLL that is an Agile.NET obfuscator signed by SecureTeam Software Ltd, to (de)obfuscate data.
To avoid fraudulent browser updates, it modifies the hosts file on the infected asset to prevent correct resolution of common browser update URLs.
Installed browsers are enumerated, and credentials are stolen from them.
Kills Google, MicrosoftEdge, and setu* processes.
It has the ability to steal cryptocurrency.
It comes with the ability to run arbitrary instructions on the infected object.
Uses AES-encrypted messages with the key e84ad660c4721ae0e84ad660c4721ae0 to communicate with s1.cleancrack[.]tech and s4.cleancrack[.]tech (both of which resolve to 172.67.187[.]162 and 104.21.92[.]68 at the time of analysis). The encryption algorithm used looks to be code that was previously used here.
E:msixChromeRceADMIN4CBTorEobjReleaseTorE.pdb is the PDB path.
Rapid7’s MDR analysed s4.cleancrack[.]tech and detected what looks to be a login site enabling the attacker to gain access to stolen data.
Infection’s source
The execution of chrome.exe was noticed by Rapid7’s MDR immediately before HoxLuSfo.exe spawned the PowerShell command we discovered with our alert.
Our study of the user’s Chrome browser history file revealed redirects to suspicious URLs before the first infection in one of our investigations:
hXXp:/updateslives[.]com/ hXXps:/getredd[.]biz/ hXXps:/eu.postsupport[.]net/
DNS data revealed a redirect chain that followed a similar pattern in another investigation:
hXXp:/chromesupdate[.]com/ hXXp:/getblackk[.]biz/ hXXp:/eu.postsupport[.]net/ hXXp:/updateslives[.]com/
The user’s Chrome profile revealed that the site permission settings for a suspicious domain, birchlerarroyo[.]com, had been changed shortly before to the redirects in the initial inquiry. The user specifically gave permission for the site housed at birchlerarroyo[.]com to send him notifications.
The Rapid7 MDR visited the birchlerarroyo[.]com website and discovered that the website displayed a browser notification requesting permission to show notifications to the user.
We believe the birchlerarroyo[.]com website was hacked because its source code included a link to a suspicious JavaScript file stored at fastred[.]biz:
We believe the birchlerarroyo[.]com website was hacked because its source code included a link to a suspicious JavaScript file stored at fastred[.]biz:
Rapid7’s MDR detected additional domains having similar source code by pivoting on the string “oд RedPush” within the source code of birchlerarroyo[.]com (see highlighted lines in Figure 9), as well as the workerName and applicationServerKey settings within the JavaScript file in Figure 10.
Rapid7’s MDR examined the websites hosted at birchlerarroyo[.]com, ostoday[.]com, and magnetline[.]ru, and discovered that each of them:
Figure 8 shows the type of browser notification that was displayed.
It was created with WordPress and the “WP Rocket” WordPress plugin.
Had source code that pointed to similar Javascript files stored at either fastred[.]biz or clickmatters[.]biz, and the JavaScript files were for the same purpose. BIbjCoVklTIiXYjv3Z5WS9oemREJPCOFVHwpAxQphYoA5FOTzG-xOq6GiK31R-NF—qzgT3 C2jurmRX N6nY4g BIbjCoVklTIiXYjv3Z5WS9oemREJPCOFVHwpAxQph
Had source code containing references to “од RedPush” (which means “Redpush code”), “од” (which means “CodeRB”), or “од нaтивноо а RB” (which means “Native PUSH code RB”).
Other discoveries were made after pivoting on the similar strings “CodeRB” and “Redpush” within source code.
Rapid7’s MDR first discovered RedPush, a marketing firm (see redpush[.]biz). Customers can use RedPush’s advertisement code to place on their own websites. The code generates pop-up alerts, allowing adverts to be pushed to clients’ website visitors. Customers of RedPush profit on the amount of advertisement clicks generated by their websites using RedPush’s code.