For many of us in the Managed Services Provider market, we were rocked by news of a vulnerability in Kaseya's software. The purpose of this blog is to shine technical light on what the Huntress ThreatOps team has observed and analyzed thus far. For official Kaseya guidance, make sure you reference their official advisory and remediation guidance (kudos to the Kaseya Security Team on the discovery and quick response efforts!)
Over the last few weeks, our team uncovered dozens of suspicious Scheduled Tasks used to execute a persistent payload with Local System privileges. When run, the footholds launched PowerShell to run Base64-encoded files stored within the Windows Registry and on Dropbox-hosted domains. The original script used to infect the hosts looked like this:
As illustrated above, a persistent foothold is established with a single PowerShell command that downloads and executes the PowerShell script at:
When run, the script first checks whether its payload is already running. To do this, it gathers the list of running processes and will not execute any further if more than one PowerShell process is already running.
As silly as it sounds, this particular threat could be temporarily "immunized" against by keeping two or more long-running PowerShell processes open :)
When delivering malware to victims, some attackers take the time to make sure their payloads match the architecture of the compromised systems. In this case, the following code performs this check:
For those unfamiliar, the attacker chose to measure the size of a pointer-sized .NET structure (4 bytes on a 32-bit process, 8 bytes on a 64-bit one). If the size is 4 bytes (32 bits), the malware downloads the content of the x86 payloads from the appropriate URLs (notice they end in _32.txt). If the structure is any other size, it assumes the host is a 64-bit system.
With this payload data, the malware stores the contents within several registry key values along with another heavily obfuscated PowerShell script. The data was stored within the following paths:
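Payloads stashed as Base64 strings in registry values are easy to hunt for because the strings are long and consist only of Base64 characters. The function below is an added example for doing that hunt, not code from the original post or from the attacker: it walks the given registry roots (the real key paths from this incident are not reproduced, so the roots and the size threshold are assumptions to tune), decodes any large Base64-looking string value, and reports whether the decoded bytes look like a PE image or PowerShell text.

```powershell
# Added example (not the attacker's code or Huntress's): hunt for large Base64
# blobs stored in registry values, the storage technique described above.
# Roots and MinLength are assumptions; the incident's real key paths are not used.
function Find-RegistryBase64Blobs {
    param(
        [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE'),
        # Ignore short strings (version numbers, GUIDs, small tokens).
        [int]$MinLength = 2048
    )

    # Whole value must be Base64 alphabet (line breaks tolerated), optional padding.
    $base64Pattern = '^[A-Za-z0-9+/\r\n]+={0,2}$'

    foreach ($root in $Roots) {
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            foreach ($valueName in $key.GetValueNames()) {
                $raw = $key.GetValue($valueName)
                if (-not ($raw -is [string]))      { continue }   # skip REG_BINARY / MULTI_SZ / DWORD
                if ($raw.Length -lt $MinLength)    { continue }
                if ($raw -notmatch $base64Pattern) { continue }

                try { $bytes = [Convert]::FromBase64String($raw) } catch { continue }

                # Classify what was hidden: a PE image (MZ header), script text, or unknown.
                $kind = 'unknown'
                if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
                    $kind = 'PE (MZ header)'
                } else {
                    # Encoded PowerShell is normally UTF-16LE; fall back to UTF-8.
                    $text = [Text.Encoding]::Unicode.GetString($bytes)
                    if ($text -notmatch '[\x20-\x7E]{20,}') {
                        $text = [Text.Encoding]::UTF8.GetString($bytes)
                    }
                    if ($text -match '(?i)\$[A-Za-z_]|Invoke-Expression|\bIEX\b|FromBase64String|DownloadString') {
                        $kind = 'PowerShell-like script'
                    }
                }

                $displayName = if ($valueName) { $valueName } else { '(Default)' }
                [pscustomobject]@{
                    Key          = $key.Name
                    ValueName    = $displayName
                    EncodedChars = $raw.Length
                    DecodedBytes = $bytes.Length
                    Kind         = $kind
                }
            }
        }
    }
}

# Usage (run elevated so HKLM is fully readable):
# Find-RegistryBase64Blobs | Sort-Object EncodedChars -Descending | Format-Table -AutoSize
```

Expect some benign hits (installers and .NET applications do store Base64 data), so treat the output as a triage list: anything classified as a PE image or PowerShell-like script sitting under a key that no installed product owns deserves a closer look, and a cluster of several large values under one key matches the chunked storage described in this post.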
As mentioned earlier, the infection script leveraged scheduled tasks for its foothold. Many attackers use schtasks.exe and its command-line switches to create/configure tasks to run:
However, this actor decided to create the scheduled tasks from an XML template that's also downloaded from Dropbox.
Rather than simply create a scheduled task with a hard-coded name, the infection script cleverly generates a "random" name. It does this by combining the path and task name of two legitimate, randomly selected scheduled tasks with the following code:
To better illustrate how this works, let鈥檚 use these examples as the randomly selected scheduled tasks:
The above code splits each of them into a "task path" and a "task name":
Now the script joins the second task path to the first task name to create a scheduled task name that easily hides in plain sight from human analysis:
With this custom task name and the downloaded XML template, the infection script executes schtasks.exe to create the malicious scheduled task:
schtasks /CREATE /XML $file /TN "$fullTaskName" /F
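The split-and-recombine step is easiest to see on concrete inputs. The snippet below is an added illustration of that step, not the attacker's script: the two input task names are constructed for the example (the live script picks two existing tasks at random instead), and the template path $file is assumed.

```powershell
# Added illustration (not the attacker's script): how two legitimate task paths are
# split and recombined into a name that looks native. Inputs are constructed.
function Join-DecoyTaskName {
    param(
        [Parameter(Mandatory)][string]$FirstTask,   # supplies the task name
        [Parameter(Mandatory)][string]$SecondTask   # supplies the task path
    )
    # Split "\Folder\Sub\Name" into leaf "Name" and folder "\Folder\Sub\".
    $firstName  = Split-Path -Path $FirstTask  -Leaf
    $secondPath = (Split-Path -Path $SecondTask -Parent).TrimEnd('\') + '\'
    return $secondPath + $firstName
}

# Two constructed (but realistically shaped) legitimate task names:
$taskA = '\Microsoft\Windows\Defrag\ScheduledDefrag'
$taskB = '\Microsoft\Windows\Diagnosis\Scheduled'

$fullTaskName = Join-DecoyTaskName -FirstTask $taskA -SecondTask $taskB
# $fullTaskName is now '\Microsoft\Windows\Diagnosis\ScheduledDefrag': a real folder
# holding a real-looking leaf, so a glance through Task Scheduler passes it over.

# The creation step from the post, with the template path $file assumed to exist:
# schtasks /CREATE /XML $file /TN "$fullTaskName" /F
```

Because both halves come from tasks that genuinely exist on that host, the resulting name also varies from machine to machine, which is why a detection keyed on a fixed task name would never have caught it.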
On the evening of January 29th, 2018, the attackers updated the PowerShell command described in this blog to evade Kaseya鈥檚 Automated Removal Procedure.
Most notably, the registry key path and value name were updated from:
to:
This caused Kaseya鈥檚 initial Automated Removal Script (XMR.xml) to no longer delete all of the malicious registry key values.
Unfortunately, the attacker designed this change to prevent any new Scheduled Task based footholds from being removed, as the original "signature" matched on the presence of "ScriptInit" within the command's arguments (which is now "Start").
Lastly, the attacker got extra crafty and decided to backdoor one of Microsoft's legitimate Scheduled Tasks: "sihboot".
Using the Scheduled Task XML template from the URL above, the attacker added an extra action which once again runs the malicious PowerShell payload:
The Kaseya team has already updated the official guidance and Automated Removal Procedure accordingly.
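Both tricks in this post, the decoy-named task and the extra action grafted onto sihboot, end up as XML under the Tasks folder, so a defender can hunt for them by reading the task definitions straight off disk instead of trusting a fixed task name. The function below is an added example for that hunt, not Huntress's tooling or anything from the attacker: it parses every task file, flags PowerShell actions whose arguments carry the indicators described above (encoded commands, Base64 decoding, download-and-run, Dropbox hosts, registry reads), and separately flags tasks that carry more than one Exec action alongside a PowerShell one. The indicator regexes are assumptions drawn from this post's description.

```powershell
# Added example (not Huntress's or the attacker's code): walk the on-disk scheduled
# task definitions and flag ones whose Exec actions launch PowerShell with the
# indicators described in this post, or that carry an extra Exec action next to a
# PowerShell one (the "sihboot" backdoor pattern). Indicator regexes are assumptions.
function Find-SuspiciousTaskDefinitions {
    param(
        [string]$TaskRoot = (Join-Path $env:SystemRoot 'System32\Tasks')
    )

    # Assumed indicators, drawn from the tradecraft described above.
    $argIndicators = @(
        '(?i)\s-(e|ec|enc|encodedcommand)\s',                 # encoded command switch
        '(?i)FromBase64String',                               # inline Base64 decode
        '(?i)Invoke-Expression|\bIEX\b',                      # download-and-run
        '(?i)DownloadString|DownloadFile|Net\.WebClient',
        '(?i)dropbox\.com|dropboxusercontent\.com',           # payload hosting seen here
        '(?i)Get-ItemProperty|\bgp\b|HKLM:|HKCU:|Registry::'  # payload read from registry
    )

    foreach ($file in Get-ChildItem -Path $TaskRoot -Recurse -File -ErrorAction SilentlyContinue) {
        try { [xml]$xml = Get-Content -Path $file.FullName -Raw -ErrorAction Stop }
        catch { continue }   # not a task definition, or unreadable

        # Dotted navigation ignores the task XML namespace; drop nulls so a task with
        # no Exec action yields an empty array rather than @($null).
        $execActions = @($xml.Task.Actions.Exec | Where-Object { $null -ne $_ })
        if ($execActions.Count -eq 0) { continue }

        $hits = @()
        $hasPowerShell = $false
        foreach ($exec in $execActions) {
            if ($exec.Command -notmatch '(?i)powershell|pwsh') { continue }
            $hasPowerShell = $true
            $cmdLine = "$($exec.Command) $($exec.Arguments)"
            foreach ($pattern in $argIndicators) {
                if ($cmdLine -match $pattern) { $hits += $pattern }
            }
        }
        # A legitimate task that grew a second action is exactly the sihboot case.
        if ($hasPowerShell -and $execActions.Count -gt 1) { $hits += 'multiple Exec actions' }
        if ($hits.Count -eq 0) { continue }

        # Path relative to the Tasks folder mirrors the "\Microsoft\Windows\..." task name.
        $taskName = '\' + $file.FullName.Substring($TaskRoot.Length).TrimStart('\')

        [pscustomobject]@{
            TaskName   = $taskName
            RunAs      = $xml.Task.Principals.Principal.UserId   # S-1-5-18 is Local System
            Actions    = $execActions.Count
            Commands   = ($execActions | ForEach-Object { "$($_.Command) $($_.Arguments)" }) -join ' || '
            Indicators = ($hits | Select-Object -Unique) -join '; '
        }
    }
}

# Usage (run elevated; the Tasks folder is ACL-restricted):
# Find-SuspiciousTaskDefinitions | Format-Table -AutoSize -Wrap
```

Reading the XML files directly has two advantages over querying by name: it works on hosts without the ScheduledTasks module, and it surfaces an added action inside an otherwise legitimate Microsoft task, which a check for "new" tasks would miss. When a hit comes back, compare the whole definition against a clean host's copy of the same task before deleting anything, since removing sihboot outright, rather than just the grafted action, breaks a legitimate Windows component.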
To help mitigate the impact of these payloads, the Huntress ThreatOps team has coordinated with Dropbox to remove the malicious URLs used to host them:
On the afternoon of January 30th, 2018, the Dropbox team took these suckers down :)
If you鈥檇 like to analyze these files and scripts for yourself, drop us a line at support[at]huntresslabs.com and we鈥檒l gladly send them your way.
We offer a free trial of Huntress for an unlimited number of computers. Simply deploy our agent, set up a reporting integration into your ticketing system, and we'll deliver step-by-step remediation procedures for each compromised host we discover. When the trial ends, our team can remotely uninstall our agents with a single click (no extra cleanup). Contact sales[at]huntresslabs.com for demos and more details :)