Threat Actors Exploiting Modified SharpHide Tool to Conceal Registry Entries


Threat actors are leveraging a modified version of the SharpHide tool to create hidden registry entries, significantly complicating detection and removal efforts.

The technique does not exploit a memory-safety bug; it abuses a mismatch in how Windows handles registry names. The native API (ntdll's NtSetValueKey) takes counted UNICODE_STRING names that may contain null characters, while regedit and the Win32 Reg* functions treat a null as the end of the string, so a name that starts with a null is written successfully but cannot be displayed, queried or deleted through the usual tools.

The modified SharpHide has been integrated into sophisticated attack chains, enabling malware persistence while evading standard detection mechanisms.

Exploitation of Windows Registry Redirection

The modified SharpHide tool employs a technique originally documented by eWhiteHats researchers: two wide-character (UTF-16) nulls are prepended to the name of the registry value being written.

This hides the entry from the Windows Registry Editor (regedit), which, like the Win32 registry API it is built on, reads names as null-terminated strings and therefore sees an empty name it cannot open.

The attackers use this capability to plant hidden entries under autostart locations such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run or the HKLM equivalent, so the payload is relaunched at every logon and persists across reboots.

When run with administrator privileges, the malware writes its hidden values under HKLM, and on 64-bit systems those writes end up in the WOW6432Node branch.

This is a consequence of WOW64 registry redirection rather than a deliberately chosen path: the malicious script runs inside a 32-bit process (RegSvcs.exe), so Windows transparently redirects its writes to HKLM\Software\... into HKLM\Software\WOW6432Node\....

Tools that only look in the native 64-bit path, including SharpHide's own delete mode, never see these entries, which further complicates remediation.

Obfuscation and Payload Execution

The modified SharpHide is distributed as part of a PowerShell script that obfuscates two Base64-encoded binaries.

The first binary contains the primary malicious payload, while the second serves as a loader.

The loader uses .NET reflection (invoked from PowerShell) to load the payload assembly in memory and run it inside the legitimate RegSvcs.exe process.

This approach ensures that the malware operates under the guise of a trusted system executable, reducing its visibility to security tools.

When the hidden Run entry fires at logon, it launches mshta.exe, which retrieves and runs a secondary script from an attacker-controlled command-and-control (C2) server.

This multi-stage execution chain enables threat actors to maintain persistence and dynamically update their payloads.

To address these advanced persistence techniques, security researchers have developed a tool named SharpDelete.

This utility is designed to detect and remove hidden registry values created by SharpHide, including those in redirected paths such as WOW6432Node.

SharpDelete provides flexibility by allowing users to specify custom registry locations for analysis and cleanup.
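The following PowerShell is an added example, not code from the article, SharpHide or SharpDelete. It puts the two points above into practice: it enumerates the Run keys through ntdll's NtEnumerateValueKey, which returns each value name as a counted UTF-16 string, flags names that begin with a null character, and checks the HKLM key in both the 64-bit view and the 32-bit (WOW6432Node) view that a 32-bit writer such as RegSvcs.exe is redirected into. The function name Find-HiddenRunValue, the NtReg helper class and the field offsets of KEY_VALUE_BASIC_INFORMATION (TitleIndex, Type, NameLength, then Name) are this example's own; the ntdll exports and NTSTATUS value it uses are the documented ones.

```powershell
# Added example (not the article's code, not SharpHide or SharpDelete): list the
# values of the Run keys through ntdll's NtEnumerateValueKey, which returns each
# name as a counted UTF-16 string, and flag names that begin with a null character.
# regedit and the Win32 Reg* APIs treat that null as the end of the name, which is
# why such entries are missing or blank there. Run elevated to cover HKLM.
if (-not ('NtReg' -as [type])) {
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NtReg {
    public const uint STATUS_NO_MORE_ENTRIES = 0x8000001A;
    public const int  KeyValueBasicInformation = 0;   // struct: TitleIndex, Type, NameLength, Name[]

    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    [DllImport("ntdll.dll")]
    public static extern uint NtEnumerateValueKey(IntPtr KeyHandle, uint Index, int InfoClass,
                                                  IntPtr Info, uint Length, out uint ResultLength);
    [DllImport("ntdll.dll")]
    public static extern uint NtDeleteValueKey(IntPtr KeyHandle, ref UNICODE_STRING ValueName);

    // Deletes by counted name, so a name with embedded nulls is passed through intact.
    public static uint DeleteValue(IntPtr key, string name) {
        IntPtr buf = Marshal.StringToHGlobalUni(name);   // copies all name.Length chars, nulls included
        try {
            UNICODE_STRING us;
            us.Length = (ushort)(name.Length * 2);
            us.MaximumLength = (ushort)(us.Length + 2);
            us.Buffer = buf;
            return NtDeleteValueKey(key, ref us);
        } finally { Marshal.FreeHGlobal(buf); }
    }
}
"@
}

function Find-HiddenRunValue {
    [CmdletBinding()]
    param([switch]$Remove)   # without -Remove the function only reports

    $subKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
    # Registry32 on HKLM is the view a 32-bit writer (RegSvcs.exe) is redirected to,
    # i.e. HKLM\Software\WOW6432Node\...\Run on a 64-bit system.
    $targets = @(
        @{ Label = 'HKCU\...\Run';             Hive = [Microsoft.Win32.RegistryHive]::CurrentUser;  View = [Microsoft.Win32.RegistryView]::Registry64 }
        @{ Label = 'HKLM\...\Run';             Hive = [Microsoft.Win32.RegistryHive]::LocalMachine; View = [Microsoft.Win32.RegistryView]::Registry64 }
        @{ Label = 'HKLM\WOW6432Node\...\Run'; Hive = [Microsoft.Win32.RegistryHive]::LocalMachine; View = [Microsoft.Win32.RegistryView]::Registry32 }
    )
    $size = 0x10000   # larger than the 16383-character maximum value name
    $buf  = [Runtime.InteropServices.Marshal]::AllocHGlobal($size)
    try {
        foreach ($t in $targets) {
            $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($t.Hive, $t.View)
            $key  = $base.OpenSubKey($subKey, [bool]$Remove)   # writable only when deleting
            if (-not $key) { $base.Dispose(); continue }
            $h = $key.Handle.DangerousGetHandle()
            $i = 0
            while ($true) {
                $len = [uint32]0
                $status = [NtReg]::NtEnumerateValueKey($h, $i, [NtReg]::KeyValueBasicInformation, $buf, $size, [ref]$len)
                if ($status -eq [NtReg]::STATUS_NO_MORE_ENTRIES) { break }
                if ($status -ne 0) { Write-Warning ('{0}: NtEnumerateValueKey failed, NTSTATUS 0x{1:X8}' -f $t.Label, $status); break }
                $nameBytes = [Runtime.InteropServices.Marshal]::ReadInt32($buf, 8)   # NameLength, in bytes
                $name = [Runtime.InteropServices.Marshal]::PtrToStringUni([IntPtr]::Add($buf, 12), [int]($nameBytes / 2))
                $i++
                if ($name.Length -eq 0 -or $name[0] -ne [char]0) { continue }   # ordinary, visible value

                $result = [pscustomobject]@{
                    Location    = $t.Label
                    LeadingNuls = $name.Length - $name.TrimStart([char]0).Length
                    VisibleName = $name.TrimStart([char]0)
                    NameHex     = (($name.ToCharArray() | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' ')
                    Removed     = $false
                }
                if ($Remove) {
                    $rc = [NtReg]::DeleteValue($h, $name)
                    $result.Removed = ($rc -eq 0)
                    if ($rc -eq 0) { $i-- }   # deletion shifts the remaining indexes down by one
                }
                $result
            }
            $key.Dispose(); $base.Dispose()
        }
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

Find-HiddenRunValue | Format-Table -AutoSize   # add -Remove to delete what it finds
```

Run it from an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows. The NameHex column shows the leading 0000 code units that regedit, reg.exe and Remove-ItemProperty cannot express; that is also why removal goes through NtDeleteValueKey with a counted UNICODE_STRING rather than a Win32 call, which would truncate the name at the first null. On a 64-bit host, anything reported under the WOW6432Node location was written by a 32-bit process and is exactly what a cleanup that only checks the native path would miss.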

The use of a modified SharpHide underscores the evolving sophistication of persistence mechanisms used by threat actors.

By abusing native APIs and leveraging registry redirection, attackers can achieve stealthy persistence that challenges traditional detection methods.

Security teams must adopt advanced tools capable of detecting hidden registry entries and monitor behaviors such as PowerShell activity and process injection.

This incident highlights the importance of proactive defense measures, including autostart enumerators such as Sysinternals Autoruns and purpose-built utilities such as SharpDelete, to combat these emerging threats effectively.
