![]() ![]()
At the time of writing, only 10 antivirus solutions detected HoxLuSfo.exe as maliciousįigure 3: Low detection rate for HoxLuSfo.exe on VirusTotal. MICROSOFT ONEDRIVE STARTUP JAVA SCRIPT ERROR FIREFOX CODENET executable containing obfuscated code Rapid7’s MDR concluded that HoxLuSfo.exe had the following characteristics and behaviors: Figure 2: Overview of HoxLuSfo.exe (originally named TorE.exe) within dnSpy and its partially obfuscated contents. However, we obtained a copy of the executable from VirusTotal based on its MD5 hash, 1cc0536ae396eba7fbde9f35dc2fc8e3. Rapid7’s MDR could not remotely acquire the files HoxLuSfo.exe and st.exe from the infected assets because they were no longer present at the time of the investigation. The alert for “Suspicious Process - TaskKill Multiple Times” later detected st.exe spawning multiple commands attempting to kill any process named Google*, MicrosoftEdge*, or setu*. %LOCALAPPDATA%\Microsoft\OneDrive\setup\st.exeĪfter making the changes to the %windir% environment variable, the PowerShell command ran the “SilentCleanup” scheduled task, thereby hijacking the “SilentCleanup” scheduled task to run st.exe with elevated privileges. The trailing “REM” at the end of the Registry entry commented out the rest of the native command for the “SilentCleanup” scheduled task, effectively configuring the task to execute: The binary st.exe was a copied version of HoxLuSfo.exe from the file path C:\Program Files\WindowsApps\3b76099d-e6e0-4e86-bed1-100cc5fa699f_113.0.2.0_neutral_7afzw0tp1da5e\HoxLuSfo\. ![]() %LOCALAPPDATA%\Microsoft\OneDrive\setup\st.exe REM\system32\cleanmgr.exe /autoclean /d %systemdrive% The environment variable replacement therefore configured the scheduled task “SilentCleanup” to execute the following command whenever the task “SilentCleanup” was triggered: %LOCALAPPDATA%\Microsoft\OneDrive\setup\st.exe REM Specifically, the PowerShell command deleted the existing %windir% environment variable and replaced it with a new %windir% environment variable set to: The PowerShell command exploited the use of the environment variable %windir% in the path specified in the “SilentCleanup” scheduled task by altering the value set for the environment variable %windir%. %windir%\system32\cleanmgr.exe /autoclean /d %systemdrive% MICROSOFT ONEDRIVE STARTUP JAVA SCRIPT ERROR FIREFOX WINDOWSThe command works because, on some Windows systems, it is possible for the Disk Cleanup Utility to run via the native scheduled task “SilentCleanup” that, when triggered, executes the following command with elevated privileges: We determined the purpose of the PowerShell command was, after sleeping, to attempt to perform a Disk Cleanup Utility UAC bypass. Figure 1: PowerShell command identified by Rapid7's MDR on infected assets We determined that HoxLuSfo.exe was spawned by sihost.exe, a background process that launches and maintains the Windows action and notification centers. Specifically, the alert detected a PowerShell command spawned by a suspicious executable named HoxLuSfo.exe. MICROSOFT ONEDRIVE STARTUP JAVA SCRIPT ERROR FIREFOX WINDOWS 10The MDR SOC first became aware of this malware campaign upon analysis of “UAC Bypass - Disk Cleanup Utility” and “Suspicious Process - TaskKill Multiple Times” alerts (authored by Rapid7's TIDE team) within Rapid7's InsightIDR platform.Īs the “UAC Bypass - Disk Cleanup Utility” name implies, the alert identified a possible UAC bypass using the Disk Cleanup utility due to a vulnerability in some versions of Windows 10 that allows a native scheduled task to execute arbitrary code by modifying the content of an environment variable. ![]() The malware is classified as a stealer, which intends to steal sensitive data from an infected asset (such as browser credentials and cryptocurrency), prevent browser updates, and allow for arbitrary command execution. Recently, we identified a malware campaign whose payload installs itself as a Windows application after delivery via a browser ad service and bypasses User Account Control (UAC) by abusing a Windows environment variable and a native scheduled task to ensure it persistently executes with elevated privileges. Rapid7's Managed Detection and Response (MDR) team leverages specialized toolsets, malware analysis, tradecraft, and collaboration with our colleagues on the Threat Intelligence and Detection Engineering (TIDE) team to detect and remediate threats. This post also includes contributions from Reese Lewis, Andrew Christian, and Seth Lazarus. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |