Research Saturday 7.3.21
Ep 190 | 7.3.21

Malware in pirated Windows installation files.


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Tom Roter: As part of our regular threat hunting, we saw some weird events, PowerShell events. We saw them pretty regularly for over a year. Only when a user contacted us, we figured out that the events are coming from a pirated Windows installation.

Dave Bittner: That's Tom Roter. He's a security researcher at Minerva Labs. The research we're discussing today is titled, "Rigging a Windows Installation."

Dave Bittner: What we're talking about here is folks getting their hands on, in this case, a copy of Windows 10, but doing so by questionable means.

Tom Roter: Mm-hmm, yeah. So, the Windows installation file – specifically it's shared on torrent sites, and, yeah, a lot of people use it. I mean, if you look for this specific installation, it has tens of thousands of seeders, which means – I couldn't even imagine how many people have installed it. Also, this is not the first installation that is out there. We have seen some other installations that behave similarly and have the same malware in them.

Dave Bittner: So, someone decides that they need a fresh copy of Windows 10, and rather than reaching out to Microsoft, going through the normal channels, and probably having to pay for it, they go to a torrent site and it's very easy to find a copy of Windows 10 on the torrent sites. But in this case, this copy of the Windows 10 installer is carrying an extra payload here, and that's what you all looked into.

Tom Roter: Yeah.

Dave Bittner: Well, let's let's walk through it together. What exactly was going on here from a malware point of view?

Tom Roter: So, from the malware point of view, the developer of this rogue Windows installation configured a number of pretty sophisticated ways to infect a device and bypass the Windows Defender. The first stage of the attack is carried by an executable file that is located in the "C:\Windows" subdirectory, and is started using the Windows unattend file, which allows for commands to be executed in the first boot up of a fresh installation. This executable is only responsible for setting up other PowerShell scripts that will set up Windows services.

Dave Bittner: And where does it go from there? I mean, this script launches and what does it do next?

Tom Roter: So, once this script launches, a Windows service will be created – two actually will be created. The first one is responsible for cleaning up a little bit of the artifacts that was created during the installation. And the second one, the more interesting one, uses directories that are created during the installation. It actually uses the name to decode, in-memory, a malicious PowerShell script – the one way we actually saw in our telemetry. And this PowerShell script contacts a server that is controlled by an attacker and tries to download a malicious executable.

Dave Bittner: And what malicious executable are they trying to put on the system?

Tom Roter: The malicious executable is, if I recall correctly, is 7-Zip SFX binary, which extracts a lot of different malware on the device, on the factory that was previously excluded in the Windows Defender. That was done by the service.

Dave Bittner: Interesting.

Tom Roter: One of the malware, one of the most serious malware that it infects is XtremeRAT, which is used by various threat actors. We didn't attribute did this attack, but we know that XtremeRAT is being used all over South America, and by the Molerats threat actor, which is attributed to Gaza.

Dave Bittner: And as you say, I mean, there's a whole bunch of stuff that this is installing. I mean, everything from adware, cryptominers, and as you mentioned, the RAT for gathering and exfiltrating information off of the system. And I suppose, I mean, this speaks to the fact that if, gosh, if you can control the installation of someone's operating system, I mean, that's really the ballgame.

Tom Roter: Yeah, yeah. You could do basically anything you want. And also think of the scale of how many workstations, live workstations, you can control with this rogue installation.

Dave Bittner: Hmm. Now, describe to me specifically what they're doing to evade Windows Defender. What's going on there?

Tom Roter: OK, so, first of all, the attackers have to store a malicious PowerShell script that contains the addresses they want to reach. If they would have stored this file on disk, the Windows Defender would have found it and deleted it. What the attackers actually did, they took the script and encoded its value in hex ASCII into directory names. These directory names then decoded in-memory to download the payload. That's one thing that the attackers did to bypass Defender. Another thing they did was use the Windows attend file in order to bypass the Defender. This file actually allows them to execute their binary before Windows Defender is up.

Dave Bittner: Interesting. You know, I guess I mean, I usually ask people, you know, what can you do to try to protect yourself against this? And I suppose that still counts from an organizational point of view – you know, how do you prevent folks from downloading infected copies of their operating system off of a torrent site? I mean, that's sort of the basic thing here. And beyond that, as we said, I mean, if that's the way folks are getting their software, it's kind of a self-inflicted wound, I suppose.

Tom Roter: It is. It is. Sometimes it is, but sometimes, if you don't know a lot about computers and you purchase your PC in someone's shop and he's getting cheap on your operating system, installing it from an illegal source, you could get hurt by that. And I'm sure a lot of people did.

Dave Bittner: So, what sort of things could you do then to kind of scan this system? If you had, you know, endpoint protection, would it be able to detect the installations of the various types of malware that were dropped on a system like this?

Tom Roter: So, yeah, of course, even installing an external AV, and a good one, after the installation is done, might be able to delete some of the files. But the problem is you can never be sure if an attacker already installed another backdoor on your device before you have installed the AV.

Dave Bittner: Yeah, I mean, I suppose it really speaks to what you kind of alluded to earlier, which is that if you don't know the chain of custody of your device from beginning to end, I mean, I suppose it's probably in your best interest when you're setting up a new system to start from scratch with a copy of your operating system where you know where it came from.

Tom Roter: Yeah, it's pretty basic just to pay for your operating system.

Dave Bittner: Yeah. But I think the example you gave is a good one, that I could see how someone could overlook that. If you were buying a used system in a repair shop, said, hey, you know, no problem, we've got a clean copy, a clean install of Windows 10 on here, you are set to go. And lots of people wouldn't think twice about that.

Tom Roter: Yeah, that's true. That's why it's so important to install antivirus software and detection software on your device, just in my opinion.

Dave Bittner: Our thanks to Tom Roter from Minerva Labs for joining us. The research is titled, "Rigging a Windows Installation." We'll have a link in the show notes. 

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.