CyberWire Daily - Malware in pirated Windows installation files. [Research Saturday]
Episode Date: July 3, 2021
Guest Tom Roter from Minerva Labs joins Dave to discuss his team's research: "Rigging a Windows Installation." It is common knowledge that pirated software might contain malware, yet millions still put themselves and their devices at risk and download from dubious sources. It is even more surprising to see the popularity of torrented operating system installations, which are ranked at the top of most torrent tracker ranking lists. Today we will prove conventional wisdom right and show off a devious, yet clever attack chain employed by an infected Windows 10 image, frequently shared and downloaded by tens of thousands of users. Over the last year, numerous malicious PowerShell events popped up in our telemetry. The events caught our attention because a payload was being downloaded into the "C:\Windows" directory, which is usually well guarded under NTFS permissions; this implies that the attacker had very high privilege on the compromised system. The research can be found here: Rigging a Windows installation
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
As part of our regular threat hunting, we saw some weird events, PowerShell events.
We saw them pretty regularly for over a year.
Only when a user contacted us, we figured out that the events are coming from a pirated Windows installation.
That's Tom Roter.
He's a security researcher at Minerva Labs.
The research we're discussing today is titled
Rigging a Windows Installation.
And now, a message from our sponsor, Zscaler,
the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible,
eliminating lateral movement, connecting users only to specific apps, not the entire network, billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
What we're talking about here is folks getting their hands on,
in this case, a copy of Windows 10,
but doing so by questionable means.
Yeah.
So the Windows installation file specifically,
it's shared on torrent sites.
And yeah, a lot of people use it.
I mean, if you look for this specific installation,
it has tens of thousands of seeders,
which means I couldn't even imagine how many people have installed it.
Also, this is not the first installation that is out there.
We have seen some other installations that behave similarly
and have the same malware in them.
So someone decides that they need a fresh copy of Windows 10
and rather than reaching out to Microsoft,
going through the normal channels and probably having to pay for it,
they go to a torrent site and it's very easy to find a copy of Windows 10 on the torrent sites.
But in this case, this copy of the Windows 10 installer is carrying an extra payload here,
and that's what you all looked into.
Yeah.
Well, let's walk through it together.
What exactly was going on here from a malware point of view?
So from the malware point of view,
the developer of this rogue Windows installation
configured a number of pretty sophisticated ways
to infect an installed device
and bypass the Windows Defender.
The first stage of the attack is carried by an executable file
that is located in the Windows subdirectory,
the C:\Windows subdirectory,
and is started using the Windows unattend file,
which allows for commands to be executed on the first boot
of a fresh installation.
This executable is only responsible for setting up
other PowerShell scripts that will set up Windows services.
And where does it go from there?
This script launches and what does it do next?
So once this script launches, a Windows service will be created, two actually, will be created.
The first one is responsible for cleaning up a little bit of the artifacts that were created
during the installation. And the second one, the more interesting one,
uses directories that are created during the installation.
It actually uses their name to decode in-memory
a malicious PowerShell script,
the one we actually saw in our telemetry.
And this PowerShell script contacts a server
that is controlled by an attacker
and tries to download
a malicious executable.
And what malicious executable
are they trying to put on the system?
The malicious executable is,
if I recall correctly,
is a 7-zip SFX binary
which extracts a lot, a lot of different malware on the device
on a directory that was previously excluded
in the Windows Defender that was done by the service.
One of the most serious malware that it implants
is XtremeRAT,
which is used by
various threat
actors. We didn't
attribute who
did this attack, but
we know that XtremeRAT is being used
all over South America
and by the MoleRATs
threat actor,
which is attributed to Gaza.
And as you say, there's a whole bunch of stuff that this is installing.
Everything from adware, crypto miners, and as you mentioned,
the RAT for gathering and exfiltrating information off of the system.
And I suppose this speaks to the fact that if you can control the installation of someone's operating system, I mean, that's really the ballgame.
Yeah, yeah, you could do basically anything you want.
And also think of the scale of how many workstations, live workstations you can control with this rogue installation.
Now, describe to me specifically what they're doing to evade Windows Defender
What's going on there?
Okay, so first of all
the attackers have to store
a malicious PowerShell script
that contains the addresses they want to reach
If they would have stored this file on disk
the Windows Defender would have found it
and deleted it. What the attackers actually did, they took the script and encoded its value in
hex ASCII into directory names. These directory names then decoded in memory to download the payload.
That's one thing that the attackers did to bypass Defender.
Another thing they did was use the Windows unattend file
in order to bypass the Defender.
This file actually allows them to execute their binary
before Windows Defender is up.
Interesting.
You know, I guess, I mean, I usually ask people,
you know, what can you do to try to protect yourself against this?
And I suppose that still counts from an organizational point of view.
You know, how do you prevent folks from downloading infected copies
of their operating system off of a torrent site?
I mean, that's sort of the basic thing here.
And beyond that, as we said, I mean,
if that's the way folks are getting their software,
it's kind of a self-inflicted wound, I suppose.
It is. Sometimes it is.
But sometimes you can, if you don't know a lot about computers
and you purchase your PC in someone's shop
and he's getting cheap on your operating system,
installing it from an illegal source,
you could get hurt by that.
And I'm sure a lot of people did.
So what sort of things could you do then
to kind of scan this system?
If you had endpoint protection,
would it be able to detect the installations
of the various types of malware that were dropped on a system like this?
So yeah, of course, even installing an external AV,
a good one, after the installation is done,
might be able to delete some of the files.
But the problem is you can never be sure if an attacker already installed another backdoor
on your device before you have installed the AV.
Yeah, I mean, I suppose it really speaks to what you kind of alluded to earlier,
which is that if you don't know the chain of custody of your device from beginning to end,
I suppose it's probably in your best interest when you're setting up a new system to start from scratch with a copy of your operating system where you know where it came from.
Yeah, it's pretty basic. Just pay for your operating system.
Yeah.
But I think the example you gave is a good one,
that I could see how someone could overlook that.
If you were buying a used system in a repair shop,
said, hey, no problem, we've got a clean copy,
a clean install of Windows 10 on here,
you are set to go.
And lots of people wouldn't think twice about that.
Yeah, yeah, that's true.
That's why it's so important to install antivirus software
and detection software on your device.
It's just in my opinion.
Our thanks to Tom Roter from Minerva Labs for joining us.
The research is titled Rigging a Windows Installation.
We'll have a link in the show notes.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Justin Sabey, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.