Key Takeaways

• Cyble Research and Intelligence Labs (CRIL) identified a campaign that utilizes malicious LNK files disguised as wallpapers to trick users into executing them.
• The malware uses a multi-stage execution process, using obfuscated PowerShell scripts to fetch additional payloads from the remote server.   
• The Threat Actor (TA) behind this campaign leverages the open-source tool Null-AMSI to bypass the malware Scan Interface (AMSI) and Event Tracing for Windows (ETW).
• The PowerShell script used to bypass AMSI and ETW contains comments and error messages in Portuguese, suggesting that the TA may be a Portuguese-speaking individual or group.
• The malware employs AES encryption and GZIP compression to conceal its payloads, making it harder for security tools to analyze and detect malicious components.
• The final payload is executed into memory using reflection loading, bypassing traditional security measures while ensuring persistence and executing AsyncRAT for remote control.

Overview

Cyble Research and Intelligence Labs (CRIL) identified a campaign likely orchestrated by a Portuguese-speaking TA, as evidenced by the comments and error messages present in one of the malicious scripts. While the initial infection vector remains unknown, the campaign distributes malware through a deceptive shortcut file.

Specifically, the campaign uses a malicious LNK file disguised as a wallpaper featuring popular animated characters, indicating that the TA is exploiting users’ interests to increase the likelihood of infection. When executed, the shortcut file initiates a series of malicious actions, including retrieving and executing additional payloads, ultimately leading to the deployment of a remote access trojan (RAT).

Upon execution, the shortcut file runs an obfuscated PowerShell script. This script initiates a web request to retrieve a second-stage payload from an external source and executes it directly in memory to avoid leaving traces on disk. This payload further downloads and runs additional files, including a batch script responsible for the persistence and further execution of malicious code. The use of encoded and encrypted content within these scripts complicates analysis for security researchers.

A critical aspect of this campaign is its ability to bypass security mechanisms such as the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW). The campaign leverages the “Null-AMSI” tool, which is publicly available on GitHub.

By employing reflection and native .NET functions, the malware dynamically manipulates AMSI in memory without triggering security alerts. By modifying memory protections and patching key system functions, the malware effectively disables these security features, ensuring its activities remain undetected.

The malware also incorporates encryption and compression techniques to obfuscate its payloads. It leverages AES encryption and GZIP compression, ensuring that its code remains concealed from static analysis tools. These protective measures prevent security solutions from detecting malicious content until it is decrypted and executed dynamically within the compromised system.

The final stage of the attack delivers AsyncRAT, a well-known remote access trojan (RAT), granting the attacker full control over the victim’s system. AsyncRAT enables TAs to steal data, install additional malware, and execute remote commands. The figure below shows the overall infection chain.

Technical Analysis

The filename ‘sasuke wallpaper.lnk‘ suggests that the TA is targeting users looking for wallpapers of Sasuke Uchiha, a popular character from the anime Naruto. However, the initial infection vector is currently unknown.

Upon execution, the malicious LNK file executes an obfuscated PowerShell script via cmd.exe, utilizing delayed variable expansion (/v:on) and executing the command within quotes to evade detection, as shown below.

The script then creates a web request object, which is used to fetch a PowerShell script from a specified external URL, “hxxps://0x0.st/8ZOv.txt”. Once the remote content is downloaded, it is immediately executed in memory using Invoke-Expression, as shown in the figure below.

The code in the “8zov.txt” file first downloads a batch file named “output.bat” from the URL “hxxps://tempsend.com/tamnd/ac7f7b/1739357320/output[.]bat”, saves it to the %temp% directory, and executes it. Additionally, the file “8zov.txt” contains Base64-encoded content, which is decoded, saved to the %temp% directory, and executed. The figure below shows the content of the “8zov.txt” file.

The decoded BASE64 content is a Sasuke wallpaper image that appears to the victims, luring them into thinking it’s simply a wallpaper. However, in reality, the malicious code is executed in the background, carrying out harmful actions while the user is distracted by the image.

The figure below shows the “Itachi Uchiha” lure image observed in another sample associated with this campaign.

output.bat

The malicious batch file, “output.bat”, is highly obfuscated and contains Base64-encoded PowerShell code along with two AES-encrypted data chunks, where the encrypted data is prefixed with the marker “::”. When executed, it copies itself as “dwm.bat” in the current user directory and runs the embedded Base64 PowerShell script. This script then retrieves another PowerShell file from “https://0x0.st/8KuV.ps1”, which is designed to bypass Anti Malware Scan Interface (AMSI) and Event Tracing for Windows (ETW).

Bypassing AMSI and ETW

The PowerShell script “8KuV.ps1” resembles the NullAMSI script but with several modifications, including translating comments from English to Portuguese, renaming functions and variables, and removing verbose output.

The author of Null-AMSI claims that using Add-Type in PowerShell to load .NET types and access Win32 APIs is often flagged by Antivirus (AV) and Endpoint Detection and Response (EDR) solutions. To avoid this detection, Null-AMSI uses reflection and native functions from .NET to dynamically obtain the addresses of critical functions like “GetModuleHandle” and “GetProcAddress”.

This approach allows the script to patch AMSI in memory without raising alarms, resulting in a stealthier and more effective bypass of AMSI protections. Additionally, the author demonstrated in a video that the technique successfully evades AMSI and ETW without being detected by security products.

The script features two key functions: “Get-SystemProcAddress” and “Get-SystemDelegate“. The “Get-SystemProcAddress” function retrieves the address of a specified function from a given DLL by utilizing “UnsafeNativeMethods” to call “GetModuleHandle” and “GetProcAddress”.

On the other hand, “Get-SystemDelegate” is responsible for creating a dynamic delegate that maps a function pointer to a specific Win32 API, such as VirtualProtect(). It achieves this by defining a delegate type using reflection and linking the function pointer to the delegate, enabling the execution of the API function with the specified argument types and return type.

The script further interacts with the Antimalware Scan Interface (AMSI) by invoking the “AmsiInitialize” function from the “amsi.dll” library with the parameter “Scanner.” It utilizes the “Get-SystemProcAddress” and “Get-SystemDelegate” methods from “UnsafeNativeMethods” to retrieve the context of AMSI providers present on the target system.

Once the AMSI providers are identified, the script modifies the memory protection of each provider’s “AmsiProviderScanFunc” using the “VirtualProtect“ function, changing the protection to PAGE_EXECUTE_WRITECOPY. It then overwrites the first 6 bytes of the scan function with the byte sequence (0xb8, 0x00, 0x00, 0x00, 0x00, 0xC3), effectively forcing the function to return immediately without performing any scanning. Finally, the script restores the original memory protection settings.

Similarly, the script patches the “EtwEventWrite” function from “ntdll.dll” using the same method as with AMSI. For 64-bit systems, it applies a 0xC3 return instruction, while for 32-bit systems, it uses the patch (0xb8, 0xff, 0x55). The script then verifies the patch and displays the message “[ * ] Success” upon successful completion.

AES Decryption and GZIP Decompression

Next, the PowerShell script present in the “output.bat” reads the contents of the file “dwm.bat”, which was previously copied to the current user’s directory. It then scans each line of the batch file, looking for lines that begin with the marker ‘::’. When it finds such a line, it extracts a base64 encoded string following the marker, splits it by backslashes, and stores the result in an array, as shown in the figure below.

The extracted array elements are then passed to a function that decrypts the content using AES decryption in CBC mode with a hardcoded key and IV, as shown below. The output from this function is then passed to another function that performs GZIP decompression.

After decompressing both array elements, the script extracts two executables—one without any code in the main function and another file that loads the AsyncRAT payload. The figure below shows the decrypted/decompressed content using Cyberchef.

Once the executables are extracted, the script passes them to a function that employs reflection loading to execute code directly within PowerShell memory, as shown below.

The executable extracted from the first array element loads a main function with no code, suggesting that the TA may be attempting to evade detection, as shown below.

AsyncRAT Loader

The executable created from the second element of the array functions as an AsyncRAT loader. Upon execution, it creates persistence by copying the “dwm.bat” file to a startup folder as shown below.

Upon execution, it loads “ntdll.dll” and retrieves the address of “EtwEventWrite”. It then changes the memory protection of this function to PAGE_EXECUTE_READWRITE, allowing direct modifications. For 32-bit systems, it writes the instruction sequence 0xC2 0x14, which returns from the function while cleaning up 20 bytes from the stack, ensuring stability while disabling ETW logging.

For 64-bit systems, it writes 0xC3, a simple RET instruction, effectively preventing EtwEventWrite from executing. After altering EtwEventWrite, the loader restores the original memory protection to prevent further modifications. This effectively turns EtwEventWrite into a no-operation function, disabling event logging and making it harder for security tools to detect malicious activity.

Finally, the loader retrieves the manifest resource names and looks for a resource named “xxxxxxxxxxxxxxxxxxxxxxxxxxxx.exe“. If found, it uses the executingAssembly.GetManifestResourceStream() function to extract the resource content.

This content is a GZIP and AES encrypted stream, which will be decrypted using a hardcoded key and IV. The resulting payload is an AsyncRAT, which is then invoked to carry out malicious actions on the victim’s machine.

Conclusion

This campaign demonstrates the TA’s use of advanced evasion techniques, including Null-AMSI, to bypass security mechanisms and execute malware stealthily. By dynamically modifying AMSI and ETW in memory, the malware disables security features, allowing the execution of obfuscated PowerShell scripts without detection.

Additionally, AES encryption and GZIP compression ensure that malicious payloads remain concealed until execution, complicating static analysis. The final deployment of AsyncRAT grants the attacker full control over the compromised system, enabling data theft, remote command execution, and further malware propagation.

Our Recommendations

• Users should be cautious when downloading files, especially LNK shortcuts, from unverified sources or links shared via spam email and social media channels. Always verify the authenticity of the file before opening it.
• Deploy advanced antivirus and endpoint detection and response (EDR) solutions that can identify and block malicious scripts, AMSI bypass techniques, and unauthorized memory modifications.
• Configure PowerShell execution policies to restrict unauthorized scripts and enable logging for PowerShell activities to detect suspicious commands running in the background.
• Monitor outbound network traffic regularly for unusual activity, such as connections to unknown external servers. Implement web filtering and blocklisted domain policies to prevent malicious payload retrieval.
• Keep operating systems, security tools, and applications up to date to patch vulnerabilities. Educate users on phishing tactics, social engineering risks, and safe browsing practices to prevent falling victim to such attacks.

MITRE ATT&CK® Techniques

Indicators of Compromise (IOCs)

Related