Malware Authors are always using many sophisticated techniques to spreading advance persistent threats and Hiding Malware to evade the current defense mechanism such as hiding advance Malware in a legitimate process.
In this case, malware using some trusted system process to inject the malicious code into the victim’s machine without being caught by security tools.
A new malware variant discovered from Microsoft .NET that use trusted application InstallUtil.exe which is a .NET framework ( Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies.)
This process abuses the console utility InstallUtil.exe and runs a malicious .NET assembly and bypass the assembly entry point later it can able to Hiding Malware to an inside of the trusted process.
It uses the familiar file format such as pdf and images to Hiding Malware with password protection and sends it across to the victim and users are misled by executable file icons.
How Does They Hiding Malware
Initially, it takes place in %temp% folder where it starts to execute the process later on and performing the Further Infection Process.
Discovered Malicious files are highly obfusticated which is very Difficult to analyze its functions until and unless to deobfuscate its string, methods, and its structure.
The .NET Assembly not a right entry point to execute the file from InstallUtil.exe. Entrypoint has begun from an inherited class known as System.Configuration.Install.Installer.
According to Kaspersky “Dropper code in static class constructors is known to execute first when the assembly is loaded into memory, a feature utilized by the authors of this piece of malware”
Sample before deobfuscation
Sample after deobfuscation
In this Malicious file execution method, we could see that FirstMainClass using with keyword called “static” where assembly execution will begin.
CheckSandboxieEnvironment()- Checking the sandbox environment whether the file attempting to load the SbieDll.dll library. if its loaded then the malicious process will be terminated
CheckVirtualBoxEnvironment()– checking the vboxmrxnp.dll library in Virtualbox environment .if its found then malicious process will be terminated.
AddResourceResolver() – It helps to load the resource event that is a method of unpacking the assembly.
UnpackAllAssemblies()– This method is used to unpack the assembly later it helps to load the malicious file into the legitimate libraries.
RemoveZoneIdentifier() – it deletes the NTFS alternate stream Zone.Identifier through the command line to prevent a warning at startup if the file was downloaded from the Internet.
ElevatePrivilegesProxy() – This constrution method helps to UAC bypass technique .
Later, control will pass into traditional entry point – Main()
The traditional entry point is the Main() method
Here we can see that there is the Visual basic script used to run the Executable file from a Form5 class that runs the current assembly using InstallUtil.exe later current process is closed (Exit(0)).
Later Static class constructor called by InstallUtil.exe and he malicious object is run using the InstallUtil tool.
The static class constructor called by InstallUtil.exe
Finally, it Copying the malicious file to %APPDATA%\program\msexcel.EXE, setting the Hidden+System attributes for the “program” folder, running msexcel.EXE, and terminating the current process.
Until this case, things were described for an elevation of privileges, a startup from a trusted application.
Here Malicious process starts the inherit Process that contains 5 class.it has several interfaces but it uses IDisposable.
The overridden Dispose() method of the Form5 class
According to Kaspersky, It Executes various cycle to execute the malicious Utility. please have a deep look at it.
- At the first iteration, the full path to the RegAsm.exe utility from .NET Framework is retrieved;
- A chain of nested methods is called with a view to decoding strings from Base64 that are stored in another class and unpacking the resulting array using the SevenZipExtractor library. As a result, we get an array that is the remote administration tool NanoCore Client;
- The PERun.dll library is loaded from the assembly that was previously unpacked from the resource into memory;
- A class with the name “RunPE” and the Run method of this class are sought in this library;
- At the final iteration, the parameters are transferred and the Run method is called.
Here Run() method employs the technique of hiding malicious code in the address space of the trusted process RunPE and Run() method, a legitimate utility process is created in CREATE_SUSPENDED state .see the below image.
Creating a legitimate program process in CREATE_SUSPENDED state
Finally, RegAsm.exe process is loaded into the address space and starts to execute the payload: the remote administration tool NanoCore Client. Only trusted processes remain in the list of running processes, and even an experienced user might not realize that the system is compromised Kaspersky said.
Only legitimate utilities can be seen in the list of running processes
Here this sample contains NanoCore Client, which can be used to control the victim’s computer, take screenshots, record keystrokes, download files, and much more. It should be noted that the payload here can be anything: from “fashionable” encrypters and miners to advanced Trojans.