The ClearSky security team recently discovered a new malware family, PowDesk. It is a simple PowerShell-based malware, possibly attributable to the Iranian threat group APT34 (OilRig / Helix Kitten), and it targets hosts running LANDesk management software.
The malware runs on both 32-bit and 64-bit systems and reports the infected computer's name to a PHP page hosted on the C&C server. After analyzing its behaviour, the researchers speculate that the attacker maintains a whitelist of companies that use LANDesk management software.
The sample was first uploaded to VirusTotal on December 13, 2019, where 26 antivirus engines detected it as malicious.
File name: CBA8REINSTALL.exe
File type: Win32 EXE
File size: 66.50 KB
Creation date: 21/01/2017
MD5: 2de2e528991ac2d85aa8f12fce5351ad
SHA-1: 7e14e661a577e7cb502717e9570c6651932ab4b8
SHA-256: 8406ca490c60ec41569b35f31f1860ff4663bba44d1daac64760ecdfe694203d
When the initial executable runs, it writes a PowerShell script to the %TEMP% folder under a random four-character name made up of uppercase letters and digits. The script was first uploaded to VirusTotal on December 23, when no engine detected it as malicious:
A day later, three engines flagged the script as malicious:
PowDesk contains an endpoint verification mechanism: the result of the check is sent to the attacker, who then decides whether to continue the attack. This mechanism is probably used to verify that the victim company runs LANDesk. PowDesk runs the following command to check:
The first variables assigned in the PowerShell code are "$ld32" and "$ld64" (for 32-bit and 64-bit systems respectively). Each holds the path of a folder named "LANDesk" under the corresponding Program Files directory. After that, several functions are defined:
The "Send-Results" function checks whether a service named "cba8" is active and whether the LANDesk folder exists at the location defined by the variables above. The result of the check is sent to the C&C server in an HTTP request, in the form "computer name + predefined fields":
The predefined fields appear to let the attacker filter out targets that do not have the LANDesk agent installed. The specific fields are as follows:
During the investigation, the researchers attempted to bypass the verification mechanism, but the C&C server rejected communication from the laboratory environment. The researchers speculate that the attacker has whitelisted the IP ranges of the targeted companies on the server, or (less likely) specific computer names.
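The host-side half of this check is easy to reproduce from the defender's side. The following PowerShell triage script is an added example (my own code, not the malware's and not ClearSky's): it performs the same two checks the report describes, the LANDesk folder under the 32-bit and 64-bit Program Files directories and the "cba8" service, so an analyst can tell whether a host matches PowDesk's target profile, and it hunts %TEMP% for the four-character .ps1 the executable drops. The function names, the output fields and the hashing of hits with Get-FileHash are my choices; the folder name and service name come from the report. Run it from a 64-bit PowerShell so that $env:ProgramFiles resolves to the 64-bit Program Files directory.

```powershell
function Get-LANDeskTargetProfile {
    [CmdletBinding()]
    param()

    # The script's $ld32 / $ld64 are the "LANDesk" folder under the 32-bit and
    # 64-bit Program Files directories. ${env:ProgramFiles(x86)} is empty on a
    # 32-bit Windows, so only test it when it is set.
    $ld64 = Join-Path -Path $env:ProgramFiles -ChildPath 'LANDesk'
    $ld32 = $null
    if (${env:ProgramFiles(x86)}) {
        $ld32 = Join-Path -Path ${env:ProgramFiles(x86)} -ChildPath 'LANDesk'
    }
    $has64 = Test-Path -LiteralPath $ld64
    $has32 = $false
    if ($ld32) { $has32 = Test-Path -LiteralPath $ld32 }

    # The malware also checks the LANDesk "cba8" service; a missing service
    # returns $null here instead of throwing.
    $svc = Get-Service -Name 'cba8' -ErrorAction SilentlyContinue
    $status = 'Missing'
    if ($svc) { $status = $svc.Status.ToString() }

    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        LANDesk64    = $has64
        LANDesk32    = $has32
        Cba8Present  = [bool]$svc
        Cba8Status   = $status
    }
}

function Find-DroppedScript {
    [CmdletBinding()]
    param([string] $Path = $env:TEMP)

    # The dropper writes its script to %TEMP% under a four-character name made
    # of upper-case letters and digits (-cmatch keeps the match case-sensitive).
    # The name pattern is a hunt heuristic, not proof, so hash every hit.
    Get-ChildItem -LiteralPath $Path -Filter '*.ps1' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -cmatch '^[A-Z0-9]{4}$' } |
        ForEach-Object {
            [PSCustomObject]@{
                Path    = $_.FullName
                Bytes   = $_.Length
                Created = $_.CreationTime
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$hostProfile = Get-LANDeskTargetProfile
$hostProfile | Format-List

# Mirror the malware's own decision: a LANDesk folder plus the cba8 service is
# the target profile; a dropped script is the actual compromise indicator.
$inScope = ($hostProfile.LANDesk64 -or $hostProfile.LANDesk32) -and $hostProfile.Cba8Present
Write-Host ("Matches PowDesk target profile: {0}" -f $inScope)

$hits = @(Find-DroppedScript)
if ($hits.Count -gt 0) {
    Write-Warning "Four-character .ps1 file(s) found in $env:TEMP; collect them for analysis:"
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No four-character .ps1 files in $env:TEMP"
}
```

A host that matches the target profile is not compromised by that fact alone; it is the population the attacker's whitelist filters for, and therefore the population on which to run the script hunt and to watch the C&C pattern described above.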
Wireshark screenshot of C&C communication:
C&C response page:
Further down in the source code there is a condition: if the LANDesk folder does exist on the victim computer, four variables, $exe, $Invscan, $reg and $pol, are defined with the locations of the LANDesk components used in the following steps:
In the first stage, this function finds the two processes sdclient and vulscan on the system and stops them. The "sdclient" process is what lets the management console run scans, including vulnerability scans, on the endpoint.
Next, the function runs "brokerconfig.exe" with the "/r" switch, which requests a certificate from the cloud-based management server of LANDesk Management Suite.
Then "ldiscn32.exe" is run with the "/sync" and "/noui" switches to synchronize with the management database; "/noui" makes it run in the background without notifying the user.
Finally, "policysync.exe", which is responsible for policy synchronization, is run.
Malware activation mechanism
At the bottom of the PowerShell file are the core checks. They verify the existence and running state of the LANDesk "cba8" service, as follows:
First, check whether the "cba8" service is in the "Running" state; if it is, the "Send-Results" function is called to update the attacker's C&C server.
If the service exists but is not running, it is started and the "Start-LDProcesses" function is called.
If the service is not on the system at all, "residentAgent.exe" is run with the "/register" switch, which installs the LANDesk Management Agent service; "cba8" and the related system processes are then started.
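The agent restart chain described above (Start-LDProcesses together with the activation logic) leaves a recognisable trail in process-creation telemetry. The following PowerShell detector is an added example, not code from the report or from the malware: it scans process-creation records carrying the Sysmon Event ID 1 fields (host, time, parent image, image, command line; an assumed record shape) and flags a host on which a PowerShell process spawns two or more of the listed LANDesk utilities with the stated switches inside a short window. The sample records are constructed, and the image paths, the 120-second window and the "two stages" scoring rule are my assumptions.

```powershell
function Test-PowDeskProcessChain {
    [CmdletBinding()]
    param(
        # Records with Host, Time, ParentImage, Image and CommandLine fields
        # (Sysmon Event ID 1 fields; the record shape is assumed).
        [Parameter(Mandatory)] [object[]] $Events,
        # Maximum spread between the first and last matched stage on one host.
        [int] $WindowSeconds = 120
    )

    # One entry per utility the report says the script launches. Every
    # pattern in Args must match the command line (an empty Args matches any).
    $stages = @(
        @{ Name = 'brokerconfig /r';        Image = 'brokerconfig.exe';  Args = @('(^|\s)/r(\s|$)') }
        @{ Name = 'ldiscn32 /sync /noui';   Image = 'ldiscn32.exe';      Args = @('(^|\s)/sync(\s|$)', '(^|\s)/noui(\s|$)') }
        @{ Name = 'policysync';             Image = 'policysync.exe';    Args = @() }
        @{ Name = 'residentAgent /register'; Image = 'residentagent.exe'; Args = @('(^|\s)/register(\s|$)') }
    )

    foreach ($group in ($Events | Group-Object -Property Host)) {
        $hits = @()
        foreach ($ev in ($group.Group | Sort-Object -Property Time)) {
            # Console-driven agent maintenance has a LANDesk or services.exe
            # parent; the script launches these utilities from PowerShell.
            $parent = [IO.Path]::GetFileName($ev.ParentImage).ToLowerInvariant()
            if ($parent -notin @('powershell.exe', 'pwsh.exe')) { continue }

            $image = [IO.Path]::GetFileName($ev.Image).ToLowerInvariant()
            foreach ($stage in $stages) {
                if ($image -ne $stage.Image) { continue }
                $argsOk = $true
                foreach ($pattern in $stage.Args) {
                    if ($ev.CommandLine -notmatch $pattern) { $argsOk = $false }
                }
                if ($argsOk) {
                    $hits += [PSCustomObject]@{ Stage = $stage.Name; Time = $ev.Time; CommandLine = $ev.CommandLine }
                }
            }
        }

        $span = 0
        if ($hits.Count -gt 1) { $span = [int]($hits[-1].Time - $hits[0].Time).TotalSeconds }
        [PSCustomObject]@{
            Host       = $group.Name
            Stages     = (@($hits | Select-Object -ExpandProperty Stage -Unique) -join ', ')
            SpanSec    = $span
            # Two or more stages from a PowerShell parent inside the window is
            # the chain; a lone "residentAgent /register" is just an agent reinstall.
            Suspicious = ($hits.Count -ge 2) -and ($span -le $WindowSeconds)
        }
    }
}

# Constructed sample records, not real telemetry. WS-042 shows the chain from
# a PowerShell parent; WS-017 shows an administrator running one utility from
# a command prompt, which must not fire.
$sample = @(
    [PSCustomObject]@{ Host = 'WS-042'; Time = [datetime]'2019-12-23T09:14:02'; ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Image = 'C:\Program Files (x86)\LANDesk\brokerconfig.exe'; CommandLine = 'brokerconfig.exe /r' }
    [PSCustomObject]@{ Host = 'WS-042'; Time = [datetime]'2019-12-23T09:14:05'; ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Image = 'C:\Program Files (x86)\LANDesk\ldiscn32.exe';     CommandLine = 'ldiscn32.exe /sync /noui' }
    [PSCustomObject]@{ Host = 'WS-042'; Time = [datetime]'2019-12-23T09:14:09'; ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Image = 'C:\Program Files (x86)\LANDesk\policysync.exe';   CommandLine = 'policysync.exe' }
    [PSCustomObject]@{ Host = 'WS-017'; Time = [datetime]'2019-12-23T11:02:30'; ParentImage = 'C:\Windows\System32\cmd.exe';                                  Image = 'C:\Program Files (x86)\LANDesk\brokerconfig.exe'; CommandLine = 'brokerconfig.exe /r' }
)

Test-PowDeskProcessChain -Events $sample | Format-Table -AutoSize
```

The stop of sdclient and vulscan in the first stage is a process termination (Sysmon Event ID 5) rather than a creation and is not in this record shape; where it is available, a PowerShell-initiated termination of those two processes shortly before the chain is a strong corroborating signal. The parent-process filter is what keeps routine agent maintenance out of the results, so keep it if the stage list is loosened.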
Source: http://www.internetweblist.com/Virus prevention/20297.html (republished by www.internetweblist.com; the content does not represent the site's position).