It is common knowledge that pirated software might contain malware, yet millions still put themselves and their devices at risk and download from dubious sources. It is even more surprising to see the popularity of torrented operating system installations, which are ranked at the top of most torrent tracker ranking lists. Today we will prove conventional wisdom right and show off a devious, yet clever attack chain employed by an infected Windows 10 image, frequently shared and downloaded by tens of thousands of users.
Over the last year, numerous malicious PowerShell events popped up in our telemetry. The events caught our attention because a payload was being downloaded into the “C:\Windows” directory, which is usually well guarded under NTFS permissions, this implies that the attacker had very high privilege on the compromised system.
A formatted snippet from the malicious PowerShell script:
The script tries to download and execute a file named “x.exe” into the “C:\Windows\servicing”, just after adding a Windows Defender exclusion for that path.
After some digging on the end-user side, we found out that the Windows installation on the device was pirated. The user even supplied us with the download link.
The first stage of infection during the installation comes in the form of a compiled AutoIt script, which resides in the path “C:\Windows\INF\MSDNC\0035\config\winarper.exe”. This file is executed using Microsoft-Windows-Shell-Setup logonCommands capability, which allows for custom command execution on the first boot-up of the system. Forensic evidence for such commands can be found inside the log file “C:\Windows\Panther\UnattendGC\setupact.log” or in the Microsoft answer file, which is used to configure a device when it is first installed.
The FirstLogonCommand from the Microsoft answer file:
The malicious binary itself is blacklisted by Microsoft Defender, which means that the execution method described above launches the malicious binary in a manner that bypasses the default Windows anti-virus.
The compiled-AutoIt Binary executes 2 PowerShell scripts. The first one is named “psm.ps1”, and its main role is to set up the next stage of the attack. It achieves that using the following logic:
- Windows’ official cmd.exe binary is copied into the path “C:\Windows\Logs\cmd.exe”
- For each user, a registry key is added to the Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers which will cause the cmd.exe binary to be executed as administrator without triggering a UAC popup:
- Two services are created which use the newly created cmd binary to execute PowerShell scripts.
The second script is named “cls.ps1”, and its main purpose is cleaning up winwarper.exe by deleting it and terminating any process by that name.
A view of cls.ps1:
The PowerShell Services:
The services were created on automatic start priority, but were not started, which means they will be started the next time the system is booted, according to MSDN. These services execute another duo of PowerShell scripts, that use an interesting evasion technique to load malicious in-memory PowerShell code.
The first script is only responsible for changing the NTFS permissions of the directories “C:\Windows\Servicing” and “C:\Windows\Panther\Setup.exe”, adding full control access to the Everyone group, effectively giving full access to these folders to anyone on the computer.
The second script is far more interesting, it uses a custom technique to decode a PowerShell script from directory names. The original script was encoded into its decimal ASCII value, and split into multiple chunks of space separated strings, then directories named after these chunks were created, which can be decoded given the proper reading order.
An example of the encoded directories:
The decoding script:
The resulting script turns out to be the same one that was discussed in the introduction, which downloads a 7zip SFX binary named “x.exe”.
When executed the binary will unpack a plethora of malware into the C:\Windows\Servicing directory. The downloaded viruses include benign yet annoying adware, a destructive crypto-miner and a sample of Xtreme RAT, which will enable full monetization of the infected device.
The individuals responsible for this trickery have introduced some clever ways to bypass Windows Defender, which can be used also by other malware and should be addressed. The specific torrent we have investigated has tens of thousands of seeders, and while we do not know how many live installations are out there, considering its popularity it is safe to assume that the number of successful infections is quite high. We recommend getting your software from legitimate sources, especially highly critical ones such as the operating system.
4e3816bcebdcd1c7b4416831536c22a99eeea2f2b7c473f949ff54a1e9d4f87c (Xtreme RAT)