Decrypt LOL

New Malware PSLoramyra Employs Fileless Techniques for Stealth


Quick take - PSLoramyra is a sophisticated malware loader that employs fileless techniques and PowerShell scripts to execute its payload, the Quasar Remote Access Trojan, while evading detection through memory-based operations and scheduled tasks.

Fast Facts

  • PSLoramyra is a sophisticated malware loader that employs fileless techniques using PowerShell, VBS, and BAT scripts, making it hard to detect.
  • The infection process starts with a PowerShell script that generates three files (roox.ps1, roox.bat, roox.vbs), with roox.vbs serving as the entry point for executing the malicious payload.
  • The main payload, identified as the Quasar Remote Access Trojan (RAT), is loaded into memory using the Reflection.Assembly.Load method and injected into the legitimate process RegSvcs.exe.
  • To maintain persistence, PSLoramyra creates a scheduled task that triggers the execution of roox.vbs every two minutes.
  • Indicators of Compromise (IOCs) include specific file hashes, paths in the C:\Users\Public directory, and the domain Ronymahmoud[.]casacam[.]net, with an associated IP address of 3[.]145[.]156[.]44.

Sophisticated Malware PSLoramyra Utilizes Fileless Techniques for Stealthy Operations

PSLoramyra, a newly identified malicious loader, has been classified as a sophisticated threat due to its use of PowerShell, VBS, and BAT scripts. This malware operates primarily in memory, making it difficult to detect with traditional security measures.

Infection Process and Execution Chain

The infection process begins with a PowerShell script that contains the main malicious payload and necessary execution scripts. Upon execution, the PowerShell script generates three files: roox.ps1, roox.bat, and roox.vbs. The execution chain starts with the roox.vbs script, which calls the roox.bat script, leading to the execution of the roox.ps1 PowerShell script. The roox.ps1 script is responsible for loading the main malicious payload into memory using the Reflection.Assembly.Load method. This payload has been identified as the Quasar Remote Access Trojan (RAT).

To maintain persistence, PSLoramyra creates a scheduled task in Windows Task Scheduler. This task triggers the execution of the roox.vbs script every two minutes. The initial PowerShell script initializes a Task Scheduler object and connects to the Task Scheduler service. It defines a new task that runs roox.vbs at the specified interval.

Stealth Techniques and Obfuscation

The roox.vbs script serves as the entry point for the malware chain. It executes roox.bat in a hidden window to enhance its stealth. The script incorporates error handling mechanisms to continue executing even if errors occur. It uses the CreateWshShellObj function to create a COM object for executing commands. Several utility functions are included, such as GetFilePath to retrieve the path to roox.bat. The GetVisibilitySetting function ensures that roox.bat runs without displaying a window. The RunFile function is employed to execute the roox.bat file in hidden mode.

The roox.bat script runs the roox.ps1 script using PowerShell with specific flags. These flags include NoProfile, WindowStyle Hidden, and ExecutionPolicy Bypass. The roox.ps1 script contains obfuscation techniques to complicate detection. It uses HEX strings and the # character for obfuscation. The deobfuscation process involves manipulating these HEX strings, converting them into decimal bytes, and reconstructing a byte array. It also cleans obfuscated commands and restores method names necessary for loading the .NET assembly.
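As an added defender-side example (not code from the original article or from its source), the Python below checks process-creation telemetry and an exported Task Scheduler definition for the traits of the chain described above: a .vbs launched from C:\Users\Public, a hidden-window PowerShell run with NoProfile, WindowStyle Hidden and ExecutionPolicy Bypass, RegSvcs.exe spawned by PowerShell, and a task that repeats every few minutes. The stage labels, the (image, command line, parent) event shape and all sample telemetry are constructed for illustration and are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
# Traits of the chain described above; stage labels are my own (assumption).
PUBLIC = re.compile(r"c:\\users\\public\\", re.I)
PS_FLAGS = (re.compile(r"-nop(rofile)?\b", re.I),
            re.compile(r"-w(indowstyle)?\s+hidden", re.I),
            re.compile(r"-e(xecutionpolicy|p)?\s+bypass", re.I))
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def stage(image, cmdline, parent):
    """Map one process-creation event (image, command line, parent image) to a chain stage."""
    image, parent, low = image.lower(), parent.lower(), cmdline.lower()
    in_public = bool(PUBLIC.search(cmdline))
    if image in ("wscript.exe", "cscript.exe") and in_public and ".vbs" in low:
        return "vbs_entry"          # roox.vbs launched (e.g. by the scheduled task)
    if image == "cmd.exe" and in_public and ".bat" in low and parent in ("wscript.exe", "cscript.exe"):
        return "bat_hop"            # roox.bat run from the VBS in a hidden window
    if image == "powershell.exe" and in_public and all(f.search(cmdline) for f in PS_FLAGS):
        return "hidden_ps1"         # NoProfile + hidden window + ExecutionPolicy Bypass
    if image == "regsvcs.exe" and parent == "powershell.exe":
        return "regsvcs_host"       # RegSvcs.exe spawned by PowerShell as the injection host
    return None

def detect_chain(events):
    """Return the distinct stages seen; two or more is a strong match for the loader chain."""
    return {s for s in (stage(*e) for e in events) if s}

def suspicious_task(task_xml):
    """True if an exported task repeats every <=5 minutes and runs a .vbs from C:\\Users\\Public."""
    root = ET.fromstring(task_xml)
    interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=TASK_NS)
    action = " ".join(root.findtext(p, default="", namespaces=TASK_NS)
                      for p in (".//t:Exec/t:Command", ".//t:Exec/t:Arguments"))
    m = re.fullmatch(r"PT(\d+)M", interval)
    return bool(m) and int(m.group(1)) <= 5 and ".vbs" in action.lower() and bool(PUBLIC.search(action))

# Constructed sample telemetry (not real captures): (image, command line, parent image).
SAMPLE_EVENTS = [
    ("wscript.exe", r'wscript.exe "C:\Users\Public\roox.vbs"', "svchost.exe"),
    ("cmd.exe", r'cmd.exe /c "C:\Users\Public\roox.bat"', "wscript.exe"),
    ("powershell.exe", r'powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\roox.ps1"', "cmd.exe"),
    ("RegSvcs.exe", "RegSvcs.exe", "powershell.exe"),
    ("powershell.exe", r"powershell.exe -NoProfile -File C:\scripts\backup.ps1", "explorer.exe"),  # benign
]
SAMPLE_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT2M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>wscript.exe</Command><Arguments>C:\Users\Public\roox.vbs</Arguments></Exec></Actions>
</Task>"""
```

On a real host the event tuples come from Sysmon event ID 1 or Windows Security event 4688, and the task XML from `schtasks /Query /XML /TN <task name>`.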

Indicators of Compromise and Analysis Tools

The payload is injected into a legitimate process, specifically targeting RegSvcs.exe. This helps the malware evade detection by blending in with normal system operations. The initial variable within the script contains the injector for the .NET assembly.

Indicators of Compromise (IOCs) related to PSLoramyra have been identified. These include specific file hashes and paths, with files located in the C:\Users\Public directory. The domain associated with PSLoramyra is Ronymahmoud[.]casacam[.]net, and the associated IP address is 3[.]145[.]156[.]44. Cybersecurity professionals can use tools such as ANY.RUN for malware analysis. These tools provide threat intelligence to counteract emerging threats like PSLoramyra.

Original Source: Read the Full Article Here
