PSLoramyra: Fileless Malware Exploits Windows Task Scheduler

PSLoramyra, a sophisticated fileless loader, employs PowerShell, VBS, and BAT scripts to inject and execute malicious payloads directly in memory, which evades traditional security measures by avoiding disk-based operations. 

By leveraging these scripting languages, PSLoramyra establishes persistent access to compromised systems, making it a potent threat to cybersecurity, and utilizes a multi-staged infection chain. 

The initial PowerShell script acts as a dropper, creating three critical files: roox.ps1 (main payload), roox.bat (intermediate script), and roox.vbs (initial execution point). 

Execution chain of the attack

This VBScript triggers the BAT file, which in turn launches the rogue PowerShell script (roox.ps1) containing the actual malicious functionality, which obfuscates the true nature of the payload and potentially bypasses security measures.   

The roox.ps1 script utilizes PowerShell’s Reflection.Assembly.Load functionality to reflectively load a malicious payload directly into memory, bypassing traditional file-based execution. 

To achieve persistence, it then employs RegSvcs.exe, a legitimate Windows registry service utility, to launch the loaded payload. In this specific instance, the payload being executed is the Quasar Remote Access Trojan (RAT)

Script used the malware

The PowerShell script leverages Windows Task Scheduler to establish persistence by creating a scheduled task, which is configured to execute the malicious script “roox.vbs” every two minutes, ensuring the malware’s continuous operation. 

It first instantiates a Task Scheduler object and connects to the service, setting the stage for task creation and configuration, where a new task is created and enabled. 

A trigger is set to execute the task every two minutes, and the task action is configured to run the “roox.vbs” script, which is then registered in the Task Scheduler to ensure continuous execution.

Script execution shown in the ANY.RUN sandbox

The PowerShell script dynamically generates and writes multiple scripts to disk by leveraging variables like $Content to store the initial script content. 

Subsequently, the `[IO.File]::WriteAllText(“PATH”, CONTENT)` command is employed to persist these scripts to specified file paths, which streamlines the creation of multiple scripts by automating the writing process and using variable-based content management.

The roox.vbs script is a stealthy VBScript designed to initiate a malware infection chain, which leverages Windows Task Scheduler to execute itself every two minutes, ensuring persistent operation. 

VBS Script

Once activated, the script launches the roox.bat script in a hidden window, maintaining a low profile and preventing detection by the user, which effectively establishes a foothold on the compromised system and enables the subsequent deployment of malicious payloads.

It employs a series of functions to launch a hidden executable (roox.bat) and potentially further the infection, which bypasses error handling by suppressing messages, then creates a WScript.Shell object (CreateWshShellObj) for command execution. 

Next, it retrieves the path to roox.bat using GetFilePath, and to ensure stealthy execution, GetVisibilitySetting configures the object to run hidden (0). Finally, RunFile leverages the WScript.Shell object and retrieved path to launch roox.bat in hidden mode, potentially evading user detection. 

PowerShell script

The ROOX.BAT script leverages PowerShell to launch a hidden, unrestricted execution of the roox.ps1 script, which utilizes obfuscation (# character) to hinder detection and retrieves the malicious payload stored as HEX strings within variables ($RoXstring_lla, $Mordexstring_ojj) and separated by “%&%.” 

Then decodes and loads the payload dynamically into memory for execution via .NET Reflection and the RegSvcs.exe utility, which measures and allows the hidden payload to execute malicious functionality. 

According to AnyRun, it deobfuscates a malicious .NET payload hidden within two HEX strings and splits these strings and converts each HEX value into a decimal byte, forming a byte array representing the payload’s binary code. 

Obfuscated commands are then cleaned by removing “#” symbols, revealing the original functionality, where the script dynamically loads the NewPE2.PE type from a .NET assembly stored in another HEX string and calls its Execute method. 

Also Read:

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here