Source: https://blog.sonicwall.com/en-us/2024/10/horus-protector-part-2-the-new-malware-distribution-service/
HORUS PROTECTOR PART 2: THE NEW MALWARE DISTRIBUTION SERVICE
By Security News, October 14, 2024

Recently, the SonicWall Capture Labs threat research team came across a new Horus FUD (Fully Un-Detectable) malware crypter used to spread different malware families, including AgentTesla, Remcos, Snake, NjRat and many others. Here we discuss the infection chain and spreading mechanism, followed by the payloads distributed using Horus Protector. If you want to learn more about Horus Protector, please read our previous blog.

Most malicious files are distributed through scripts contained in archive files. Recent infections have been attributed to VBE scripts, which are encoded VBS scripts that can be decoded using various tools.

Figure 1: Infection Chain

Upon execution, the VBE script downloads all the required data from its CnC server hxxp://144.91.79[.]54. From this server it initially retrieves a few encoded files: hxxp://144.91.79[.]54/1109/s, hxxp://144.91.79[.]54/1109/r and hxxp://144.91.79[.]54/1109/H011yiDJHSNr3TuAtkpt.txt. All of the downloaded data is stored in the registry under the key [HKEY_CURRENT_USER\SOFTWARE\uOITNhlpKJsMLJx], where uOITNhlpKJsMLJx is predefined as the SystemPath variable in the VBE script. The data is stored in different subkeys of this key, which we discuss below; it mostly consists of executables and instructions. Below are the registry entries and their values.
Figure 2: Registry Entries

Another key named \donn is created under the same parent key, with the main payload in hexadecimal format distributed across several subkeys according to the size of the payload. The subkeys are named segment1, segment2, …, segmentn. In a few instances we have also observed the names data1, data2, …, datan.

Figure 3: Main Payload

After this, it creates a new VBS script in the <UserName>\AppData\Roaming directory with the same name, uOITNhlpKJsMLJx.vbs. The VBS file is then written with the data downloaded from hxxp://144.91.79[.]54/1109/file. A scheduled task with the same name is created for this VBS script, with a trigger configured to execute it once a minute.

Figure 4: Task Scheduler

Afterward, it checks for installed antivirus software through the WMI namespace "winmgmts:\\.\root\SecurityCenter2". In particular, it verifies the presence of Windows Defender by looking for the string "Windows Defender Enabled" in this object.

Figure 5: Check Antivirus

If Windows Defender is enabled on the system, the script executes the file stored in the registry subkey [HKEY_CURRENT_USER\SOFTWARE\uOITNhlpKJsMLJx\s], which functions as a loader (Elfetah.exe), via PowerShell with the parameters "PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoExit". Conversely, if Defender is not enabled, the VBS script <UserName>\AppData\Roaming\uOITNhlpKJsMLJx.vbs is executed through the scheduled task created earlier. The uOITNhlpKJsMLJx.vbs script first checks whether the legitimate process named in registry subkey [HKEY_CURRENT_USER\SOFTWARE\uOITNhlpKJsMLJx\i], here MSBuild.exe, is among the running processes. If the process is not running, it starts PowerShell and executes the command stored in [HKEY_CURRENT_USER\Software\uOITNhlpKJsMLJx\v]. This command decodes the loader from the [HKEY_CURRENT_USER\SOFTWARE\uOITNhlpKJsMLJx\s] subkey and passes the key name uOITNhlpKJsMLJx to it as a parameter.
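The chain above leaves three observable execution signals on an endpoint: a script host running a .vbs out of %APPDATA%\Roaming (the dropped uOITNhlpKJsMLJx.vbs fired by the scheduled task), PowerShell launched with -ExecutionPolicy Bypass -WindowStyle Hidden, and MSBuild.exe started by a script host or PowerShell rather than by a build tool. The following hunting script is an added example, not SonicWall's code or the crypter's; it runs those three checks over process-creation records. The event records and field names are constructed for this example in a Sysmon-Event-1-like shape and are assumptions, not captured telemetry.

```python
"""Hunt for the Horus Protector execution chain in process-creation telemetry.

Added example (not from the original write-up). Signals implemented:
  1. wscript/cscript executing a .vbs located under \\AppData\\Roaming\\
  2. powershell launched with ExecutionPolicy Bypass and WindowStyle Hidden
     (common prefix abbreviations such as -ep / -w are matched heuristically)
  3. MSBuild.exe whose parent is a script host or PowerShell (hollowing target)
Field names (pid, ppid, image, cmdline) are assumptions about the log schema.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

_VBS_IN_APPDATA = re.compile(r'\\appdata\\roaming\\[^"\s]+\.vbs', re.IGNORECASE)
_EP_BYPASS = re.compile(r"-e\w*\s+bypass", re.IGNORECASE)   # -ExecutionPolicy / -ep / -ex
_WS_HIDDEN = re.compile(r"-w\w*\s+hidden", re.IGNORECASE)   # -WindowStyle / -w / -win


def _base(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def vbs_from_appdata(ev: ProcEvent) -> bool:
    return _base(ev.image) in SCRIPT_HOSTS and _VBS_IN_APPDATA.search(ev.cmdline) is not None


def hidden_bypass_powershell(ev: ProcEvent) -> bool:
    return (_base(ev.image) in POWERSHELL
            and _EP_BYPASS.search(ev.cmdline) is not None
            and _WS_HIDDEN.search(ev.cmdline) is not None)


def msbuild_spawned_by_script(ev: ProcEvent, parent) -> bool:
    # MSBuild.exe is a legitimate build tool; what is anomalous is the parent.
    return (parent is not None
            and _base(ev.image) == "msbuild.exe"
            and _base(parent.image) in SCRIPT_HOSTS | POWERSHELL)


def hunt(events):
    """Return (pid, signal_name) pairs, in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if vbs_from_appdata(ev):
            findings.append((ev.pid, "vbs_from_appdata"))
        if hidden_bypass_powershell(ev):
            findings.append((ev.pid, "hidden_bypass_powershell"))
        if msbuild_spawned_by_script(ev, parent):
            findings.append((ev.pid, "msbuild_hollow_target"))
    return findings


# Constructed sample: one infected chain (pids 100-103) and one benign build (200-201).
SAMPLE_EVENTS = [
    ProcEvent(100, 4, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p -s Schedule"),
    ProcEvent(101, 100, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\victim\AppData\Roaming\uOITNhlpKJsMLJx.vbs"'),
    ProcEvent(102, 101, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoExit"),
    ProcEvent(103, 102, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "MSBuild.exe"),
    ProcEvent(200, 50, r"C:\Program Files\dotnet\dotnet.exe", "dotnet build"),
    ProcEvent(201, 200, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
              "MSBuild.exe proj.csproj"),
]

if __name__ == "__main__":
    for pid, signal in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {signal}")
```

The benign MSBuild.exe launched by dotnet.exe is deliberately included so the parent-process check, not the MSBuild image name alone, is what produces the finding; on a real host, confirm a hit by comparing the MSBuild.exe image on disk with the memory-mapped image, since hollowing leaves the on-disk file untouched.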
EXECUTION STEP 1:

As discussed above, the registry value [HKCU:\Software\uOITNhlpKJsMLJx\s] contains reversed base64 data. From this data, the dropped VBS script executes a module named Elfetah.exe. The sole purpose of this file is to load and execute the assembly of the next-stage injector stored in the registry value [HKCU:\Software\uOITNhlpKJsMLJx\r]. The registry key name, "uOITNhlpKJsMLJx", is passed to Elfetah.exe as a parameter. Using it, Elfetah.exe retrieves the data from [HKCU:\Software\uOITNhlpKJsMLJx\r], reverses it and converts it from hex to raw bytes to form the binary.

Figure 6: Call to second stage

The new assembly is loaded by calling the r method of the newly loaded .NET DLL, erezake.dll.

EXECUTION STEP 2:

The second stage of the execution is the injector erezake.dll, which injects the payload into the target process chosen by the service's customer. We already know that the intended target process is MSBuild.exe, which is stored in the registry value [HKCU:\Software\uOITNhlpKJsMLJx\i].

Figure 7: Search Target Process

MSBuild.exe is searched for in the directories shown in the image. These paths may vary according to the target process, so it is possible that this DLL is generated separately for each customer request.

The main payload, which is stored under the [HKEY_CURRENT_USER\SOFTWARE\uOITNhlpKJsMLJx\donn] key in the subkeys segment1, segment2, …, segmentn, is concatenated and reversed to form a PE file.

Figure 8: Extract Payload

The payload is then injected into the target process using process hollowing (image hollowing). All Windows API calls are wrapped in functions with French names, as shown in the image below.

Figure 9: Process Hollowing

After the process injection, it checks for the presence of a value in the registry subkey [HKEY_CURRENT_USER\SOFTWARE\uOITNhlpKJsMLJx\b]. Although we are not sure of its use, it is very likely tied to the BotKill option offered by the Horus Crypter service provider.
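Every stage of this chain is recoverable from a registry export alone, which is useful during incident response when the VBE and the CnC are gone. The following decoder is an added example, not SonicWall's tooling or the crypter's code. It applies the three encodings described in the registry section (Figures 2 and 3) and in Execution Steps 1 and 2: value s is reversed base64, value r is reversed hex, and the donn subkeys (segmentN, or dataN in some samples) are concatenated in numeric order and then reversed before hex-decoding. The sample hive is constructed here with minimal MZ/PE header stubs so it runs offline; the exact encoding order (reverse the whole concatenated string, then decode) is taken from the write-up, and the dictionary layout is an assumption about how an exported key would be represented.

```python
"""Reconstruct Horus Protector stages from registry-staged data.

Added example (not from the original write-up). Assumes the encodings the
analysis describes: `s` = reversed base64 (Elfetah.exe loader), `r` =
reversed hex (erezake.dll injector), `donn\\segmentN` or `donn\\dataN` =
hex payload that is concatenated and then reversed before decoding.
All sample data below is constructed; it is not real malware.
"""
import base64
import re
import struct


def decode_reversed_base64(value: str) -> bytes:
    return base64.b64decode(value[::-1])


def decode_reversed_hex(value: str) -> bytes:
    return bytes.fromhex(value[::-1])


_SEG_RE = re.compile(r"^(?:segment|data)(\d+)$", re.IGNORECASE)


def reassemble_segments(subkey: dict) -> bytes:
    """Join segmentN/dataN values in numeric order, reverse, hex-decode.

    Numeric ordering matters: a plain string sort puts segment10 before
    segment2 and produces a corrupt PE.
    """
    parts = []
    for name, value in subkey.items():
        m = _SEG_RE.match(name)
        if m:
            parts.append((int(m.group(1)), value))
    if not parts:
        raise ValueError("no segmentN/dataN values found")
    parts.sort(key=lambda t: t[0])
    return decode_reversed_hex("".join(v for _, v in parts))


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check: MZ header and a PE\\0\\0 signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extract_stages(hive: dict) -> dict:
    return {
        "loader": decode_reversed_base64(hive["s"]),
        "injector": decode_reversed_hex(hive["r"]),
        "payload": reassemble_segments(hive["donn"]),
        "target_process": hive["i"],
        "botkill": hive.get("b") == "1",
    }


# ---- constructed sample mimicking HKCU\SOFTWARE\uOITNhlpKJsMLJx ----
def _fake_pe(tag: bytes) -> bytes:
    """Minimal MZ/PE header shape, enough for looks_like_pe(); not a real binary."""
    hdr = bytearray(0x44)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr) + tag


def _stage_hex_reversed(blob: bytes, parts: int) -> dict:
    """Encode as the crypter does: hex, reverse the whole string, split into N values."""
    rev = blob.hex()[::-1]
    n = -(-len(rev) // parts)  # ceiling division
    return {f"segment{i + 1}": rev[i * n:(i + 1) * n] for i in range(parts)}


SAMPLE_HIVE = {
    "s": base64.b64encode(_fake_pe(b"Elfetah")).decode()[::-1],
    "r": _fake_pe(b"erezake").hex()[::-1],
    "i": "MSBuild.exe",
    "v": "PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoExit",
    "b": "1",
    "donn": _stage_hex_reversed(_fake_pe(b"payload"), 12),  # 12 parts forces segment10+ ordering
}

if __name__ == "__main__":
    stages = extract_stages(SAMPLE_HIVE)
    for name in ("loader", "injector", "payload"):
        print(f"{name}: {len(stages[name])} bytes, PE={looks_like_pe(stages[name])}")
    print("target:", stages["target_process"], "botkill:", stages["botkill"])
```

On a real case, dump the key with `reg export HKCU\SOFTWARE\uOITNhlpKJsMLJx out.reg` (or read it from an offline NTUSER.DAT) and feed the values into `extract_stages`; the `looks_like_pe` check catches the wrong segment order or a truncated export before the blobs go to a sandbox.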
It will be present only if the user opted in by ticking the BotKill checkbox while creating the payload.

Figure 10: BotKill Check

If the registry value is "1", it removes all of the malware's persistence from the victim's system, including deletion of the scheduled task.

Figure 11: Delete Persistence

Here, the injected payload was the SNAKE Keylogger. SNAKE Keylogger is infamous for stealing sensitive data, such as:
* Key logs
* Screenshots
* Clipboard data
* Application data (browsers, email clients, etc.)

Figure 12: SNAKE Keylogger Strings

You can read more about SNAKE Keylogger in our old blog. We have observed similar mechanisms spreading different malware over this period. It will be interesting to see what new versions the authors bring in the future.

IOCS:
c39a2e4fbcce649cb5ac409d4a2e1b1f
f0fe04a3509d812ade63145fd37a1cb2
8acccb571108132e1bbe7c4c60613f59
405377b1469f31ff535a8b133360767d
fd4302cdfacbc18e723806fde074625b

IPS:
144.91.79[.]54

Security News: The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Categories: Threat intelligence