The Horus Protector crypter is being used to distribute various malware families, including AgentTesla, Remcos, Snake, NjRat, and others, whose primarily spread through archive files containing VBE scripts, which are encoded VBS scripts.
Once executed, these scripts decode and execute the malicious payload, as this new distribution method makes detection and prevention more challenging due to the obfuscation techniques employed by the crypter.
The VBE script downloads encoded files from a remote server and stores them in a specific registry location, which contain executables and instructions for malicious activity.
It retrieves files from the server using HTTP requests and stores them in subkeys of the registry.
The registry path is defined by a SystemPath variable within the script, which is likely used to execute malicious code or perform other harmful actions on the infected system.
The attack establishes a new registry key under the existing parent registry, splitting the main payload into hexadecimal segments and storing them in subkeys like segment1, segment2, etc., while some instances use data1, data2, etc. for subkey names.
Following this, a VBS script is created in the user’s AppDataRoaming folder, sharing the same name as the script found in the previous registry key, suggesting a potential persistence mechanism, as the VBS script could be used to re-execute the malicious payload or perform other malicious actions.
According to Sonicwall report, the attacker downloads malicious data from a remote server and saves it as a VBS script, which is then scheduled to run every minute using Task Scheduler.
Before execution, the script checks if Windows Defender is enabled by querying the Security Center. If found active, the script terminates, preventing its detection and execution.
The VBS script checks if Windows Defender is enabled. If it is, it executes a PowerShell command to run the Elfetah.exe loader with specific parameters. If Defender is not enabled, the script directly runs the PowerShell command to decode and execute the loader file.
The loader file’s path is stored in the registry, and the script first ensures that the MSBuild.exe process is not running before executing the PowerShell command.
It retrieves reversed base64 data from the registry key [HKCU:SoftwareuOITNhlpKJsMLJxs], used to execute the module Elfetah.exe, which loads and executes the next injector file stored in the registry key [HKCU:SoftwareuOITNhlpKJsMLJxr].
The registry key path “uOITNhlpKJsMLJx” is passed as a parameter to Elfetah.exe, which retrieves the data, reverses it, converts it from hex to ASCII, and forms the raw binary, while the new assembly is then loaded by calling the “r” method from the newly loaded DotNet DLL, “erezake.dll.”
The malicious injector erezake.dll targets MSBuild.exe, a process specified in the registry that extracts and concatenates segments of the payload stored in the registry, reversing them into a PE file.
Using image hollowing, the payload is injected into MSBuild.exe, where the malware checks for a registry value indicating a BotKill option, possibly provided by the Horus Crypter service.
If present, it removes all malware persistence, including scheduled tasks, as the injected payload is the SNAKE Keylogger, known for stealing sensitive data like keystrokes, screenshots, clipboard content, and application data.
IOCs:
- c39a2e4fbcce649cb5ac409d4a2e1b1f
- f0fe04a3509d812ade63145fd37a1cb2
- 8acccb571108132e1bbe7c4c60613f59
- 405377b1469f31ff535a8b133360767d
- fd4302cdfacbc18e723806fde074625b
How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide(PDF)