Malware authors constantly use sophisticated techniques to spread advanced persistent threats and to hide malware from current defenses, for example by concealing malicious code inside a legitimate process.
In this case, the malware uses a trusted system process to inject malicious code on the victim's machine without being caught by security tools.
A new malware variant built on Microsoft .NET abuses the trusted application InstallUtil.exe, the .NET Framework installer tool (a command-line utility that installs and uninstalls server resources by executing the installer components in specified assemblies).
The sample abuses the console utility InstallUtil.exe to run a malicious .NET assembly while bypassing the assembly's normal entry point, and is later able to hide its malicious code inside a trusted process.
It disguises the malware as familiar file formats such as PDFs and images, protects it with a password, and sends it to the victim; users are misled by the icons of what are actually executable files.
Initially, the file lands in the %temp% folder, from which it starts its process and carries out the further infection stages.
The malicious files discovered are heavily obfuscated, which makes their functions very difficult to analyse until the strings, methods, and structure have been deobfuscated.
The .NET assembly's normal entry point is not what InstallUtil.exe executes; execution begins from a class that inherits from System.Configuration.Install.Installer.
According to Kaspersky: "Dropper code in static class constructors is known to execute first when the assembly is loaded into memory, a feature utilized by the authors of this piece of malware."
Sample before deobfuscation
Sample after deobfuscation
In this malicious file's execution method, we can see that FirstMainClass is declared with the keyword "static", and its static constructor is where assembly execution begins.
CheckSandboxieEnvironment() – checks for a sandbox environment by testing whether the SbieDll.dll library is loaded into the process; if it is, the malicious process terminates.
CheckVirtualBoxEnvironment() – checks for the vboxmrxnp.dll library of a VirtualBox environment; if it is found, the malicious process terminates.
AddResourceResolver() – hooks the resource-resolving event, which is the mechanism used to unpack the assembly.
UnpackAllAssemblies() – unpacks the embedded assemblies and later helps load the malicious file into the legitimate libraries.
RemoveZoneIdentifier() – deletes the NTFS alternate data stream Zone.Identifier through the command line, to prevent a warning at startup if the file was downloaded from the Internet.
ElevatePrivilegesProxy() – this constructor method implements a UAC bypass technique.
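For a defender triaging such a sample, the DLL names and the stream name listed above are useful static indicators. The following is an added example (not code from the original post or from Kaspersky) that scans a binary for them. Because .NET stores user strings in the #US metadata heap as UTF-16LE, a plain ASCII strings pass misses them, so the scanner extracts both ASCII and UTF-16LE strings. The indicator table and the sample bytes are constructed for the example and stand in for a real .NET binary.

```python
"""Static triage of a .NET sample for the evasion and persistence strings
named in the write-up. Added example, not from the original post or Kaspersky."""
import re

# Indicators taken from the article: sandbox/VM DLL probes, MOTW stream removal,
# and the trusted host binaries the dropper relies on.
INDICATORS = {
    "SbieDll.dll": "Sandboxie detection",
    "vboxmrxnp.dll": "VirtualBox detection",
    "Zone.Identifier": "Mark-of-the-Web stream removal",
    "InstallUtil": "InstallUtil.exe execution host",
    "RegAsm": "RegAsm.exe hollowing target",
    "System.Configuration.Install.Installer": "Installer-derived entry class",
}

# Printable ASCII runs of at least six characters.
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
# UTF-16LE runs: a printable ASCII byte followed by NUL, at least six pairs.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(data: bytes) -> set[str]:
    """Return every ASCII and UTF-16LE string found in the blob."""
    found = {m.group().decode("ascii") for m in ASCII_RE.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)}
    return found


def triage(data: bytes) -> dict[str, str]:
    """Return {indicator: meaning} for each indicator present in either encoding."""
    strings = extract_strings(data)
    return {needle: meaning for needle, meaning in INDICATORS.items()
            if any(needle in s for s in strings)}


# Constructed bytes standing in for a .NET binary: one ASCII string (as a
# P/Invoke import name would appear) and UTF-16LE user strings from the #US heap.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"GetModuleHandleA\x00\x00\x00"
    + "SbieDll.dll".encode("utf-16-le") + b"\x00\x00"
    + "vboxmrxnp.dll".encode("utf-16-le") + b"\x00\x00"
    + ":Zone.Identifier".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for needle, meaning in triage(SAMPLE).items():
        print(f"{needle:40s} {meaning}")
```

Run it against a real file with `triage(open(path, "rb").read())`. The hits are a triage signal only: the article's samples are heavily obfuscated, so a packed stage may carry none of these strings until it has been unpacked, while an unobfuscated legitimate installer can legitimately reference InstallUtil.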
Later, control passes to the traditional entry point, Main().
The traditional entry point is the Main() method
Here we can see that a Visual Basic script is used to run the executable file from a Form5 class, which runs the current assembly using InstallUtil.exe and then closes the current process (Exit(0)).
Later the static class constructor is called by InstallUtil.exe, and the malicious object is run using the InstallUtil tool.
The static class constructor called by InstallUtil.exe
Finally, it copies the malicious file to %APPDATA%\program\msexcel.EXE, sets the Hidden+System attributes on the "program" folder, runs msexcel.EXE, and terminates the current process.
Up to this point, the steps described served to elevate privileges and to start from a trusted application.
Here the malicious process starts the inheritance chain, which contains five classes; it implements several interfaces, but the one it uses is IDisposable.
The overridden Dispose() method of the Form5 class
According to Kaspersky, it runs through several cycles to execute the malicious utility; please have a close look at it.
Here the Run() method employs the RunPE technique of hiding malicious code in the address space of a trusted process: in Run(), a legitimate utility process is created in the CREATE_SUSPENDED state. See the image below.
Creating a legitimate program process in CREATE_SUSPENDED state
Finally, the payload is loaded into the address space of the RegAsm.exe process and starts to execute: the remote administration tool NanoCore Client. "Only trusted processes remain in the list of running processes, and even an experienced user might not realize that the system is compromised," Kaspersky said.
This sample contains the NanoCore Client, which can be used to control the victim's computer, take screenshots, record keystrokes, download files, and much more. It should be noted that the payload could be anything, from "fashionable" encrypters and miners to advanced Trojans.
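The execution chain described above (InstallUtil.exe loading an assembly from a user-writable folder, the copy to %APPDATA%\program\msexcel.EXE, and msexcel.EXE creating RegAsm.exe) leaves traces in process-creation telemetry. The following is an added example, not part of the original post, that checks process-creation records against three rules derived from that chain. The records use Sysmon's Event ID 1 field names (Image, ParentImage, CommandLine) but are constructed, as are the user name and the file names in them.

```python
"""Rules for the InstallUtil -> msexcel.EXE -> RegAsm.exe chain over
process-creation telemetry. Added example, not part of the original post."""
import re

# Directories a standard user can write to; the article's stages run from %TEMP%
# and %APPDATA%, both of which sit under these path components.
USER_WRITABLE = re.compile(r"\\(AppData|Temp)\\", re.I)
# Persistence path named in the article (%APPDATA% expands to ...\AppData\Roaming).
DROPPER_PATH = re.compile(r"\\AppData\\Roaming\\program\\msexcel\.exe$", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse(event: dict) -> list[str]:
    """Return the names of the rules that fire for one process-creation record."""
    image, parent, cmdline = event["Image"], event["ParentImage"], event["CommandLine"]
    alerts = []
    # Rule 1: InstallUtil.exe handed an assembly that lives in a user-writable folder.
    if _basename(image) == "installutil.exe" and USER_WRITABLE.search(cmdline):
        alerts.append("installutil_user_writable_assembly")
    # Rule 2: execution from the dropper's persistence location.
    if DROPPER_PATH.search(image):
        alerts.append("dropper_persistence_path")
    # Rule 3: RegAsm.exe whose parent runs from a user-writable folder. Legitimate
    # RegAsm runs come from build and installer tooling, not from AppData or Temp.
    if _basename(image) == "regasm.exe" and USER_WRITABLE.search(parent):
        alerts.append("regasm_parent_user_writable")
    return alerts


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Flatten (image, rule) pairs for every record that fired at least one rule."""
    return [(e["Image"], rule) for e in events for rule in analyse(e)]


NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
# Constructed records (user and file names invented) following the article's chain.
EVENTS = [
    # 1. the dropper in %TEMP% launches InstallUtil.exe on itself
    {"Image": NET + r"\InstallUtil.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "CommandLine": '"' + NET + r'\InstallUtil.exe" "C:\Users\alice\AppData\Local\Temp\invoice.exe"'},
    # 2. the copy placed in %APPDATA%\program is started
    {"Image": r"C:\Users\alice\AppData\Roaming\program\msexcel.EXE",
     "ParentImage": NET + r"\InstallUtil.exe",
     "CommandLine": r"C:\Users\alice\AppData\Roaming\program\msexcel.EXE"},
    # 3. msexcel.EXE creates the trusted RegAsm.exe that will host the payload
    {"Image": NET + r"\RegAsm.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\program\msexcel.EXE",
     "CommandLine": NET + r"\RegAsm.exe"},
    # 4. benign: RegAsm.exe run by a build tool
    {"Image": NET + r"\RegAsm.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": NET + r'\RegAsm.exe "C:\Program Files\Vendor\Lib.dll" /codebase'},
    # 5. benign: InstallUtil.exe installing a service from Program Files
    {"Image": NET + r"\InstallUtil.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": NET + r'\InstallUtil.exe "C:\Program Files\Vendor\Service.exe"'},
]

if __name__ == "__main__":
    for image, rule in scan(EVENTS):
        print(f"{rule:40s} {image}")
```

Sysmon's process-creation event does not record creation flags, so the CREATE_SUSPENDED start and the later replacement of RegAsm.exe's image are not visible in these records; the parent-child relationship is what gives the chain away. Rule 1 needs tuning against legitimate installers that stage assemblies under %TEMP% before handing them to InstallUtil.exe.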
Hashes of the samples, each followed by the hash of its payload:
263DC85DE7EC717E8940B1CCDD6EE119 (payload: EF8AF3D457DBE875FF4E3982B34F1DE9)
3E4825AA1C09E27C2E6A1309BE8D6382 (payload: 82709B139634D74DED404A516B7952F)
7E3863F827C1696835A49B8FD7C02D96 (payload: D1A9879FFCB14DF70A430E59BFF5EF0)
8CB8F81ECF1D4CE46E5E96C86693919 (payload: D8652841C19D619D2E3B5D7F78827B6E)
FDF4086A806826503D5D332077D47187 (payload: BF4A3F4B31E68B3DE4FB1F046253F2D0)