In recent months, we have started to receive various reports about suspicious and malicious registry keys that had been created on users’ equipment. ESET’s Diego Perez explores.

Over the years, we have witnessed how cybercriminals have developed and implemented sophisticated new techniques to outwit users. That being said, one thing has not changed and remains a constant challenge: ensuring perseverance and avoiding detection both by security solutions and the human eye.

In recent months, we have started to receive various reports about suspicious and malicious registry keys that had been created on users’ equipment. For this reason, we decided to explore the subject further and started gathering interesting data which is presented in this article.

As we can see on the map below, our systems have picked up a considerable detection rate, worldwide. It is also evident that Latin American users are a major target for cybercriminals when it comes to carrying out attacks.

Analysis

The attack begins with a mass mailing of malicious JavaScript files attached. Once this has been carried out, they write an entry in the Windows registry with a random name and assign it a base64 encrypted code, as shown in this image:

Following extraction and decoding of the registry contents, we obtained a PowerShell exit code. This scripting language can only be executed and interpreted on Windows platforms, as it was conceived for the management of this system.

The image below displays part of this code, whose purpose is to load a new script into the memory and inject an executable code:

In the following shot, on the left-hand side, we can see the other script mentioned above, which is used in real-time execution. This means that at no point will a file be created on the disk.

The function Invoke-ReflectivePEInjection is the command called up along with the corresponding arguments and parameters in order to inject the bytes of an executable code into the PowerShell process.

In this particular case, the attackers are using a method called reflective injection, which involves an injection of a DLL or EXE file into any process so that it subsequently goes undetected by any monitoring tools. Therefore, the malicious activity is transparent to users, who will only see the legitimate processes running on their system:

Finally, we can uncover the malicious code that was to be injected and run in the memory, (the binary header is indicated in the following image):

This file is a variant of Win32/TrojanDownloader.Wauchos, which is designed to download another malicious file, such as ransomware. When checked, the Wauchos detection rate is found to be very similar in each of the countries listed above:

In summary, cybercriminals generate spam campaigns with malicious JavaScript, which create registry keys containing PowerShell scripts. In turn, these scripts load another script in the same language into the memory and inject a trojan into a process that is running on the system, in order to download yet more malicious code.

This method is used by attackers in order to avoid any type of security solution they may encounter on the victim’s machine.

Taking all of this into account, it is important to be aware of the risks involved in receiving an email or browsing the internet.