HORUS Delivers: AgentTesla, Remcos, Snake, and NjRat Malware in One Strike

Horus Protector, a new fully undetectable (FUD) malware crypter, is being used to distribute multiple malware families through VBE scripts packed inside archive files. Once decoded, these VBE scripts execute payloads such as AgentTesla, Remcos, Snake, NjRat, and others.

The VBE script downloads encoded files from a remote server and stores them under a specific registry path. The downloaded content likely contains executables and instructions, stored in subkeys of that registry path, which are used to carry out malicious actions or collect sensitive information.

Infection Chain

A new registry key named \donn is created under the same parent key. The primary payload is stored in hexadecimal form across multiple subkeys labelled segment1, segment2, etc., or data1, data2, etc., depending on the payload size.

The script downloads a file from a specified URL, saves it as a VBS script in the user’s AppData folder, and then creates a scheduled task that runs the VBS script every minute.

It queries the Windows Management Instrumentation (WMI) namespace “SecurityCenter2” to determine whether antivirus software is installed, and specifically searches for the string “Windows Defender Enabled” to confirm that Windows Defender is present and active.

Task Scheduler

On a system where Windows Defender is enabled, the script uses PowerShell to launch a loader (Elfetah.exe) in a hidden window. The loader’s location is read from a registry subkey, and the launch bypasses security restrictions so the loader runs undetected.

The uOITNhlpKJsMLJx.vbs script, scheduled to run when Windows Defender is disabled, checks whether MSBuild.exe is present. If MSBuild.exe is not already running, the script proceeds with its intended actions.

The process then runs PowerShell to decode the loader stored in the registry, using a command held in another registry key; the decoded file’s path is passed to that command as a parameter.

Main Payload

The VBS script executes Elfetah.exe, which loads a .NET assembly from one registry key, retrieves reversed base64 data from another registry key, and converts it into raw binary. The r method of the .NET assembly then loads a new assembly from that raw binary data.

The injector DLL, erezake.dll, obtains the target process path MSBuild.exe from the registry key HKCU:\Software\uOITNhlpKJsMLJx\i and injects the malware payload into the running MSBuild.exe process.

Search Target Process

The payload stored in the registry key is concatenated and reversed to form a PE file. The target process is then searched for in specific directories, which may vary depending on which process is targeted.
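
As an added example (not code from the report, the crypter, or any of the payloads), the following Python triage helper reconstructs payloads stored the way the report describes: numbered hexadecimal segments under a key such as \donn, and reversed base64 in a sibling value, flagging anything that decodes to a PE (MZ) header. The key layout and sample values are constructed; the value name p and the MSBuild.exe path are assumptions, not taken from the report.

```python
import base64
import binascii
import re

# Constructed sample of an exported registry key in the layout the report describes:
# hex chunks in numbered segmentN values, reversed base64 in "p", target path in "i".
SAMPLE_KEY = {
    "segment3": "04000000",
    "segment1": "4d5a9000",
    "segment4": "ffff0000",
    "segment2": "03000000",
    "p": "=AAAAMAAQqVT",  # "TVqQAAMAAAA=" reversed; a DOS-header stand-in, not malware
    "i": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",  # assumed path
}
SEGMENT_RE = re.compile(r"^(?:segment|data)(\d+)$", re.IGNORECASE)

def gather_segments(values):
    """Join segmentN/dataN values in numeric order; "" if numbering has gaps."""
    parts = {}
    for name, value in values.items():
        m = SEGMENT_RE.match(name)
        if m:
            parts[int(m.group(1))] = value
    # Numeric, not lexical, order: segment10 must follow segment9, not segment1.
    if sorted(parts) != list(range(1, len(parts) + 1)):
        return ""
    return "".join(parts[n] for n in sorted(parts))

def decode_reversed_base64(blob):
    # Undo the string reversal, then decode strictly so plain strings are rejected.
    return base64.b64decode(blob[::-1], validate=True)

def triage_key(values):
    """Return (value_name, decoded_bytes) for each value that yields a PE (MZ)."""
    findings = []
    try:
        data = bytes.fromhex(gather_segments(values))
    except ValueError:
        data = b""
    if data[:2] == b"MZ":
        findings.append(("segments", data))
    for name, value in values.items():
        if SEGMENT_RE.match(name) or not isinstance(value, str):
            continue
        try:
            data = decode_reversed_base64(value)
        except (binascii.Error, ValueError):
            continue
        if data[:2] == b"MZ":
            findings.append((name, data))
    return findings
```

Running `triage_key` over each value set exported from a suspicious key gives an analyst the reconstructed binaries to hash and scan without executing anything from the registry.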

The malware injects itself into the target process using image hollowing, then checks for a registry value indicating that botkill is activated. If that value is found, the malware removes all of its persistence from the system, including scheduled tasks.

According to SonicWall, the SNAKE Keylogger secretly records user actions such as keystrokes, captures screenshots, and copies clipboard content.

Not only does it target sensitive data from applications like web browsers and email clients, but it also has the potential to compromise individual privacy and security.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
