Friday, November 1, 2024
HomeMalwareFileless malware that uses PowerShell scripts from Window’s registry leading to Click...

Fileless malware that uses PowerShell scripts from Window’s registry leading to Click Fraud Malware Campaign

Published on

Malware protection

Nowadays Hackers Distributing Advanced Fileless Malware with Evasion capabilities which are very Difficult to Detect. These types of malware sit in the system registry and making hard for Antivirus hard to identify the infection.

The security researchers from Quick Heal Security Labs detected as Fileless malware which uses PowerShell scripts stored in the windows registry.

Also read A Complete Fileless Malware “JS_POWMET” with Highly Sophisticated Evasion Technique

- Advertisement - SIEM as a Service

This malware has been distributed through a Click Fraud Malware Campaign from malicious Russian website ‘https://soplifan.ru”, in the further analysis they found it triggered in numerous computer at the same time and it resides on windows registry. They have published a detailed Technical analysis of malware in the runtime environment.

Malware found on the runtime entry HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{CLSID} and then it contains following codes to execute malware.

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp ‘HKCU:\Software\Classes\HZMUQQOTHEK’).QJBBSZWJ)));

The malware uses ‘CreateRemoteThread’ and API such as, ‘VirtualAlloc’, ‘VirtualAllocEx’, ‘WriteProcessMemory’, and ‘ReadProcessMemory’ to do so.

To avoid interception script launched in non-interactive and bypass mode. Once executed malware maintains a continuous interaction with the domain and it leads to perform a Click Fraud Activity.

Malware injection Process

Recently we read Fileless ransomware SOREBRECT’s and code injection capabilities that encrypt the files on the local machine and network shares by inject the svhost.exe process and execute the payload.

Security researchers from quick heal say it likely an outcome of malicious spam emails and exploit kits as like the couple of Fileless malware that appeared before.

Common Defence’s to stay safe

  • Don’t open the attachments that you are not expecting.
  • Patch or Update your software.
  • Use a reputable security suite.
  • Download applications from Reputed sites.
  • Stay strict with CIA Cycle.
Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling...