While conducting a recent investigation, FRSecure CSIRT observed an interesting and apparently little-documented spin on an old persistence technique being used by SolarMarker malware. Shortly after the user downloaded and executed a trojan claiming to be a free PDF editor, the malware started running obfuscated (encoded) PowerShell commands.

The attackers used this encoded PowerShell to drop .lnk files into the user's Start Menu\Programs\Startup folder, each pointing at a file in the user's AppData\Local\Temp\ folder. Startup-folder shortcuts are a common persistence technique: anything referenced there is launched every time the user logs on. What differs here is that the referenced files had random names with very long file extensions, and their contents were encrypted text rather than anything Windows could run directly. To make the system execute them, the attackers registered each extension in the user's NTUSER.DAT registry hive (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\<extension>) and associated it with another randomly named application name. They then told the system how to decrypt and execute the referenced files through that application's key in the user's UsrClass.dat registry hive (<application name>\shell\open\command, which lives under HKCU\Software\Classes).
This technique gives the attackers a great deal of flexibility in obfuscating their scripts and makes signature-based detection very difficult: the on-disk payload is encrypted text with a meaningless extension, and the decryption and launch logic exists only in per-user registry values. Further, the malware is perfectly capable of running in the context of a standard user; it does not need administrative privileges. On the upside, that confines the malware to the user's profile until the attackers manage to elevate their privileges.
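The chain described above can be checked on a live host with the following PowerShell. This is an added example and is not code from the FRSecure write-up: it walks each .lnk in the current user's Startup folder, resolves the shortcut target, and follows the per-user extension association (FileExts UserChoice in NTUSER.DAT and HKCU\Software\Classes, which is the UsrClass.dat hive) through to the shell\open\command that Explorer would run. The extension-length threshold and the list of "normal" Startup extensions are assumptions. Run it as the affected user, since all of the keys involved live in that user's hive.

```powershell
# Added example, not code from the FRSecure write-up. Follows the per-user
# Startup LNK -> odd extension -> ProgID -> shell\open\command chain for the
# current user. Heuristics (extension length, allow-list) are assumptions.
function Get-StartupHandlerChain {
    param(
        # Assumption: benign Startup targets use short, familiar extensions.
        [int]$MaxNormalExtLength = 5,
        [string[]]$KnownExt = @('.exe', '.lnk', '.bat', '.cmd', '.vbs', '.ps1', '.url', '.com')
    )
    $startup = [Environment]::GetFolderPath('Startup')   # ...\Start Menu\Programs\Startup
    $wsh     = New-Object -ComObject WScript.Shell
    $temp    = Join-Path $env:LOCALAPPDATA 'Temp'

    foreach ($lnk in Get-ChildItem -Path $startup -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
        $target = $wsh.CreateShortcut($lnk.FullName).TargetPath
        if (-not $target) { continue }

        $ext    = [System.IO.Path]::GetExtension($target)   # e.g. '.abcdefghijk'
        $oddExt = $ext -and ($ext.Length -gt $MaxNormalExtLength) -and ($ext -notin $KnownExt)

        # Resolve the extension the way Explorer does for this user:
        #   HKCU\Software\Classes\<ext>                        (default) -> ProgID (UsrClass.dat)
        #   HKCU\...\Explorer\FileExts\<ext>\UserChoice\ProgId            -> ProgID (NTUSER.DAT, wins if set)
        #   HKCU\Software\Classes\<ProgID>\shell\open\command  (default) -> what actually launches
        $progId = $null; $command = $null
        if ($ext) {
            $progId = (Get-ItemProperty "HKCU:\Software\Classes\$ext" -ErrorAction SilentlyContinue).'(default)'
            $choice = (Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice" -ErrorAction SilentlyContinue).ProgId
            if ($choice) { $progId = $choice }
            if ($progId) {
                $command = (Get-ItemProperty "HKCU:\Software\Classes\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
            }
        }

        $inTemp = $target -like "$temp\*"
        [pscustomobject]@{
            Lnk        = $lnk.FullName
            Target     = $target
            InTemp     = $inTemp
            OddExt     = [bool]$oddExt
            ProgId     = $progId
            Command    = $command
            # Flag: a Temp or odd-extension target whose per-user handler is a script host.
            Suspicious = ($inTemp -or $oddExt) -and ($command -match 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32')
        }
    }
}

Get-StartupHandlerChain | Where-Object Suspicious | Format-List
```

Drop the Where-Object filter to see every Startup shortcut with its resolved handler; on a clean profile the Command column is normally empty, because ordinary targets such as .exe files are not dispatched through a per-user ProgID at all.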
The initial PowerShell setup script was found in the Microsoft-Windows-PowerShell/Operational log (Microsoft-Windows-PowerShell Operational.evtx).

MFT record of the creation of the LNK files in the Startup folder.

Data contained within the LNK file above points to a randomly named file.

NTUSER.DAT registry key where the file extension above is defined and application associated.

The following is the command issued when the application is referenced; it was found in the UsrClass.dat hive for the compromised user.

In this case, the attackers frequently modified the LNK files and the files they referenced over the course of the compromise, but this specific persistence mechanism was observed being triggered in the logs below.
The user logged into the compromised system, causing execution of the LNKs in the Startup folder.

This was followed immediately by the combined file and execution instructions being triggered, as can be seen in the Microsoft-Windows-PowerShell/Operational event below.
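A hunt over the same channel, as an added example rather than anything from the original investigation: it reads Event ID 4104 (script block logging) from Microsoft-Windows-PowerShell/Operational, reassembles script blocks that the log split into numbered fragments by ScriptBlockId, and flags those that reference the Startup folder, FileExts, HKCU\Software\Classes, or AppData\Local\Temp. The regex patterns and the default look-back window are assumptions, and script block logging must already be enabled on the host for these events to exist.

```powershell
# Added example, not code from the FRSecure write-up. Pulls PowerShell script
# block logging (Event ID 4104) and flags blocks that touch the artifacts in this
# persistence chain. Patterns and the default -Days window are assumptions.
function Find-SuspiciousScriptBlock {
    param(
        [int]$Days = 7,
        [string[]]$Patterns = @(
            '\\Start Menu\\Programs\\Startup',   # LNK dropped for per-user persistence
            '\\Explorer\\FileExts\\',            # custom extension registration (NTUSER.DAT)
            'Software\\Classes\\',               # per-user ProgID (UsrClass.dat)
            'shell\\open\\command',              # handler that decrypts and launches
            '\\AppData\\Local\\Temp\\',          # where the encrypted payloads lived
            'FromBase64String|EncodedCommand'    # encoded / encrypted stage
        )
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    # 4104 splits long script blocks into numbered fragments; reassemble by
    # ScriptBlockId so a pattern straddling two fragments is not missed.
    # Property order in 4104: [0]=MessageNumber [1]=MessageTotal
    # [2]=ScriptBlockText [3]=ScriptBlockId [4]=Path
    $events | Group-Object -Property { $_.Properties[3].Value } | ForEach-Object {
        $group     = $_
        $fragments = $group.Group | Sort-Object -Property { [int]$_.Properties[0].Value }
        $text      = -join ($fragments | ForEach-Object { $_.Properties[2].Value })
        $hits      = $Patterns | Where-Object { $text -match $_ }
        if ($hits) {
            [pscustomobject]@{
                Time          = $fragments[0].TimeCreated
                ScriptBlockId = $group.Name
                Path          = $fragments[0].Properties[4].Value   # empty for in-memory / -Command blocks
                Matched       = $hits -join '; '
                Preview       = $text.Substring(0, [Math]::Min(200, $text.Length))
            }
        }
    }
}

Find-SuspiciousScriptBlock -Days 30 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

An empty Path together with registry writes under HKCU\Software\Classes or FileExts is the combination to look for here: the setup stage in this case ran as an encoded command rather than from a script file, so there is no .ps1 on disk to point at.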

In addition to the above, the executable appeared to have been deliberately sized to just exceed the maximum file size accepted by most publicly available automated detonation (sandbox) services.
Recommendations:
The following recommendations would have prevented this attack from succeeding:
- Educate users not to download and run unsolicited "free" software such as the fake PDF editor used here.
- Restrict PowerShell execution to organization-signed scripts only. Bear in mind that the execution policy governs script files, not commands passed on the command line (such as the encoded commands seen here), so back it with application control (AppLocker or WDAC), which also puts PowerShell into Constrained Language Mode when enforced.
- Explicitly block executables and scripts from running out of a user's profile. In this case, the "PDF Merge" application was executed from the user's Downloads folder.
- Convince Adobe to include editing in their freemium version to kill off a whole class of malware 😊
