CyberSecurity SEE

HORUS Defender Intercepting AgentTesla, Remcos, Snake Malware

The recent use of the Horus Protector crypter has brought to light a concerning trend in the distribution of various malware families. These families, including AgentTesla, Remcos, Snake, and NjRat, are being spread through archive files containing VBE scripts, which are encoded VBS scripts. This new distribution method poses a significant challenge for detection and prevention due to the obfuscation techniques employed by the crypter.

Upon execution, the VBE scripts decode and execute the malicious payload. The scripts download encoded files from a remote server and store them in a specific registry location. These files contain executables and instructions for malicious activity. This process of retrieval and storage is done through HTTP requests and involves creating new registry keys to obscure the main payload.

One notable aspect of this attack is the creation of a VBS script in the user’s AppData\Roaming folder. This script shares the same name as the one found in the registry key, hinting at a potential persistence mechanism. The script could be used to re-execute the malicious payload or perform other harmful actions on the infected system.

According to a report from SonicWall, the attacker downloads malicious data from a remote server and saves it as a VBS script. This script is then scheduled to run every minute using Task Scheduler. Before execution, the script checks whether Windows Defender is enabled by querying the Security Center. If Windows Defender is active, the script terminates to avoid detection and execution.

The VBS script also checks for the status of Windows Defender during execution. If Windows Defender is enabled, the script executes a PowerShell command to run the Elfetah.exe loader with specific parameters. If Windows Defender is not enabled, the script directly runs the PowerShell command to decode and execute the loader file. The loader file’s path is stored in the registry, and the script ensures that the MSBuild.exe process is not running before execution.
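The scheduled-task persistence described in the two paragraphs above is something a responder can hunt for in exported task definitions. The following is an added example, not code from the article or the SonicWall analysis: it parses a task definition as `schtasks /query /tn <name> /xml` exports it and flags the combination the text describes, a one-minute repetition, a script host (wscript/cscript), and a .vbs or .vbe under AppData\Roaming. Both XML documents and the script name inside them are constructed placeholders.

```python
"""Triage an exported Task Scheduler definition for the persistence pattern
described above: a task that repeats every minute and runs a .vbs or .vbe
under AppData\\Roaming through wscript/cscript.  Added example, not code from
the SonicWall report; both XML documents below are constructed and the
script name in them is a placeholder."""
import ntpath
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = (".vbs", ".vbe")

# Constructed sample in the shape of `schtasks /query /tn <name> /xml` output.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions>
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"C:\Users\victim\AppData\Roaming\PLACEHOLDER_NAME.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: a daily vendor updater with no repetition.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions>
    <Exec>
      <Command>"C:\Program Files\Vendor\updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""


def iso_duration_seconds(text):
    """Convert the ISO 8601 duration Task Scheduler uses (e.g. 'PT1M') to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", (text or "").strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def triage_task_xml(xml_text):
    """Return the task's shortest repetition interval, its command lines and
    the indicators found; 'suspicious' needs at least two of the three."""
    root = ET.fromstring(xml_text)
    intervals = [iso_duration_seconds(e.text)
                 for e in root.findall("t:Triggers/*/t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    interval = min(intervals) if intervals else None
    reasons = []
    if interval is not None and interval <= 60:
        reasons.append(f"repeats every {interval}s")
    command_lines = []
    for exec_el in root.findall("t:Actions/t:Exec", NS):
        cmd = (exec_el.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        args = exec_el.findtext("t:Arguments", default="", namespaces=NS) or ""
        line = f"{cmd} {args}".strip()
        command_lines.append(line)
        low = line.lower()
        if ntpath.basename(cmd.lower()) in SCRIPT_HOSTS:
            reasons.append(f"runs script host {ntpath.basename(cmd)}")
        if any(ext in low for ext in SCRIPT_EXTENSIONS) and "\\appdata\\roaming\\" in low:
            reasons.append("script lives under AppData\\Roaming")
    return {"interval_seconds": interval, "command_lines": command_lines,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


if __name__ == "__main__":
    for label, xml_text in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, triage_task_xml(xml_text))
```

To run this over real exports, feed each exported file's text to `triage_task_xml`; Task Scheduler writes its XML exports as UTF-16, so open them with that encoding. The verdict requires two of the three indicators so that a legitimately frequent task, or a benign logon script in AppData, is reported but not flagged on its own.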

To retrieve the necessary data for execution, the reversed base64 data is extracted from the registry key and used to execute the module Elfetah.exe. This module loads and executes the next injector file stored in a different registry key. The malicious injector erezake.dll targets MSBuild.exe and extracts segments of the payload stored in the registry, reversing them into a PE file. The payload is then injected into MSBuild.exe using image hollowing.
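The registry storage described above, base64 text written backwards and split across several values, is easy to recover during triage once the pattern is known. The following is an added example, not code from the article, the SonicWall report or the malware: it checks whether a registry string decodes to a PE once reversed, and reassembles one spread over several values. The registry values are constructed, the embedded "PE" is only a fake header rather than a real binary, and the assumption that the segments concatenate in the order the values were exported is ours.

```python
"""Check whether registry string data is a PE stored as reversed base64, the
storage trick described above, and reassemble one split across several
values.  Added example, not code from the SonicWall report or the malware;
the registry values below are constructed and the embedded 'PE' is a fake
header, not a real binary.  The assumption that segments concatenate in the
order the values were exported is ours."""
import base64
import binascii
import struct


def decode_reversed_base64(text):
    """Undo the encoding: the stored string is base64 text written backwards.
    Returns the decoded bytes, or None if the reversed string is not valid base64."""
    try:
        return base64.b64decode(text.strip()[::-1], validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_pe(blob):
    """True if blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve_pe_from_registry(values):
    """values: mapping of value name -> string data, in export order.
    Tries each value on its own, then all values joined as one reversed blob
    (assumption: export order equals the injector's segment order).
    Returns (description of the source, pe bytes) or None."""
    for name, data in values.items():
        blob = decode_reversed_base64(data)
        if blob is not None and looks_like_pe(blob):
            return f"value {name}", blob
    joined = "".join(values.values())
    blob = decode_reversed_base64(joined)
    if blob is not None and looks_like_pe(blob):
        return "concatenation of " + ", ".join(values), blob
    return None


# Constructed stand-in for a PE: a 0x40-byte DOS header whose e_lfanew
# points at a "PE\0\0" signature, followed by zero padding.
_dos = bytearray(0x40)
_dos[:2] = b"MZ"
struct.pack_into("<I", _dos, 0x3C, 0x40)
FAKE_PE = bytes(_dos) + b"PE\0\0" + b"\0" * 20

# Encode it the way the text describes (base64, then reversed) and split the
# result across three constructed value names.
_stored = base64.b64encode(FAKE_PE).decode()[::-1]
SAMPLE_REGISTRY_VALUES = {"seg0": _stored[:40], "seg1": _stored[40:80], "seg2": _stored[80:]}
BENIGN_VALUES = {"Theme": "dark", "InstallPath": r"C:\Program Files\Vendor"}

if __name__ == "__main__":
    print("benign:", carve_pe_from_registry(BENIGN_VALUES))
    hit = carve_pe_from_registry(SAMPLE_REGISTRY_VALUES)
    if hit:
        print(f"PE recovered from {hit[0]} ({len(hit[1])} bytes)")
```

In practice the mapping comes from a `.reg` export or a parsed hive, and the recovered bytes go to a hashing and YARA step rather than to disk as an executable. Short fragments that happen to be valid base64 but decode to something other than a PE are ignored, which is why the per-value pass does not fire on any single segment of the sample.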

If a registry value indicating a BotKill option is found, the payload removes all malware persistence, including scheduled tasks. The injected payload is identified as the SNAKE Keylogger, known for stealing sensitive data like keystrokes, screenshots, clipboard content, and application data.

In conclusion, the use of the Horus Protector crypter to distribute various malware families highlights the evolving tactics of cyber attackers. These sophisticated techniques make detection and prevention more challenging for organizations and security teams. Vigilance and proactive security measures are essential to combat such threats in today’s digital landscape.
