Keypoints
- Attackers lure victims to malicious GitHub/YouTube pages hosting password-protected self-extracting archives that evade AV scanning.
- Extraction to %ALLUSERSPROFILE%\jedist deploys UnRar.exe, WaR.rar, Iun.bat and Uun.bat, which set up tasks, restart the host, and execute payloads.
- AutoIt interpreter renamed as ShellExt.dll loads a signed UTShellExt.dll carrying an obfuscated AutoIt script that unpacks and stages malicious modules.
- The loader checks for debuggers, extracts network and malicious components, uses Ncat and cmd.exe for remote commands, and configures IFEO for persistence.
- DeviceId.dll (miner) and 7zxa.dll (clipper) inject into explorer.exe via Process Hollowing to run SilentCryptoMiner and a clipboard clipper that replaces wallet addresses.
- Post-infection actions include revoking file permissions, disabling Windows Recovery, and exfiltrating system and AV details to attackers via a Telegram bot.
- Over 28,000 infections observed, demonstrating wide abuse of signed/legitimate libraries and common Windows features for stealth and persistence.
MITRE Techniques
- [T1055] Process Hollowing – Injects malicious payloads into explorer.exe to run miner/clipper under a legitimate process (‘the DeviceId.dll and 7zxa.dll files … inject their payload into the explorer.exe … using the Process Hollowing technique’).
- [T1203] Image File Execution Options Injection – Abuses IFEO to launch malicious binaries in place of legitimate services and update processes (‘Image File Execution Options (IFEO) … attackers can use the IFEO technique to gain a foothold … they “hijacked” Windows system services, as well as the Google Chrome and Microsoft Edge update processes’).
- [T1059] Command and Scripting Interpreter – Uses cmd.exe and BAT/AutoIt scripts to orchestrate extraction, task creation, and execution (‘communicated with a remote network host and waited for an incoming connection to immediately launch the cmd.exe command line interpreter’).
- [T1003] Credential Dumping – Gathers system and AV information to aid follow-on actions and reporting to attackers (‘Sends the specifications of the compromised computer, its name, operating system version and information about the installed antivirus software to the attackers using a Telegram bot.’).
Indicators of Compromise
- [File names] Staging and payload files – UnRar.exe, WaR.rar, Iun.bat, Uun.bat (and other extracted files such as ShellExt.dll, UTShellExt.dll, DeviceId.dll, 7zxa.dll).
- [DLL/Library names] Malicious components masquerading as legitimate libraries – ShellExt.dll (renamed AutoIt3.exe), UTShellExt.dll (signed Uninstall Tool library), DeviceId.dll, 7zxa.dll.
- [Process names] Targets and impersonated services – StartMenuExperienceHost.exe (disguised), explorer.exe (injected), MoUsoCoreWorker.exe, svchost.exe, TrustedInstaller.exe, GoogleUpdate.exe, MicrosoftEdgeUpdate.exe.
- [File path] Extraction location – %ALLUSERSPROFILE%\jedist (temporary extraction and persistence staging folder).
- [URLs / Hosting] Infection vectors – fraudulent GitHub pages and YouTube video description links leading to the password-protected archives; campaign source: https://news.drweb.com/show/?i=14920&lng=en.
Doctor Web’s analysis shows the attack chain begins with victims downloading a password-protected self-extracting archive from malicious GitHub or YouTube links; because the archive is encrypted, AV engines cannot scan its contents until the user supplies the password. Once extracted to %ALLUSERSPROFILE%\jedist, the staged files (UnRar.exe, WaR.rar, Iun.bat, Uun.bat) set up scheduled tasks, trigger a reboot, and execute an AutoIt interpreter (renamed ShellExt.dll) which loads a signed UTShellExt.dll carrying an obfuscated AutoIt payload.
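The evasion described above works because the archive's file table is itself encrypted, so a scanner sees nothing to scan. A gateway or sandbox can still recognise that an executable embeds a RAR archive with encrypted headers and route it for a policy decision. The following triage helper is an added example for this summary, not Doctor Web's tooling; it relies only on the documented RAR 4.x and RAR 5.0 header layouts (the 0x0080 "password" flag in the RAR4 main header, and header type 4, the archive encryption header, in RAR5). The sample byte strings are constructed stand-ins for an SFX, not files from the campaign.

```python
"""Triage helper: does this file carry a RAR archive whose headers are
encrypted? Added example; not Doctor Web's code. Sample blobs below are
constructed (a minimal MZ stub followed by a hand-built archive header)."""
import struct
from typing import Optional, Tuple

RAR4_SIG = b"Rar!\x1a\x07\x00"        # RAR 1.5 - 4.x marker block
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"    # RAR 5.0 signature (differs at byte 7)

RAR4_MAIN_HEAD = 0x73           # HEAD_TYPE of the RAR4 archive (main) header
RAR4_MHD_PASSWORD = 0x0080      # main-header flag: block headers are encrypted
RAR5_ENCRYPTION_HEAD = 4        # RAR5 header type that precedes encrypted headers


def _read_vint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a RAR5 variable-length integer: 7 data bits per byte, MSB set
    means another byte follows. Returns (value, next_position)."""
    value, shift = 0, 0
    while pos < len(buf):
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos
    raise ValueError("truncated vint")


def classify_rar(data: bytes) -> Optional[dict]:
    """Find an embedded RAR signature (an SFX is a PE stub with the archive
    appended) and report whether the archive headers are encrypted.
    Returns None when no RAR signature is present."""
    off4, off5 = data.find(RAR4_SIG), data.find(RAR5_SIG)
    if off5 != -1 and (off4 == -1 or off5 < off4):
        pos = off5 + len(RAR5_SIG) + 4          # skip signature and header CRC32
        _, pos = _read_vint(data, pos)          # header size (unused here)
        htype, _ = _read_vint(data, pos)        # header type
        return {"version": 5, "offset": off5,
                "encrypted_headers": htype == RAR5_ENCRYPTION_HEAD}
    if off4 != -1:
        pos = off4 + len(RAR4_SIG)
        if pos + 7 > len(data):
            raise ValueError("truncated RAR4 main header")
        # Main header layout: CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2) ...
        _crc, htype, flags, _size = struct.unpack_from("<HBHH", data, pos)
        if htype != RAR4_MAIN_HEAD:
            raise ValueError("unexpected block after RAR4 marker")
        return {"version": 4, "offset": off4,
                "encrypted_headers": bool(flags & RAR4_MHD_PASSWORD)}
    return None


def is_sfx(data: bytes) -> bool:
    """A self-extracting archive is a PE executable that embeds the archive."""
    return data[:2] == b"MZ" and classify_rar(data) is not None


# --- constructed samples -----------------------------------------------------
def _rar4_blob(encrypted: bool) -> bytes:
    flags = RAR4_MHD_PASSWORD if encrypted else 0
    # marker + main header (CRC, type, flags, size=13, reserved1, reserved2)
    return RAR4_SIG + struct.pack("<HBHH", 0, RAR4_MAIN_HEAD, flags, 13) + b"\x00" * 6


def _rar5_blob(encrypted: bool) -> bytes:
    htype = RAR5_ENCRYPTION_HEAD if encrypted else 1   # 1 = main archive header
    # signature + CRC32 + vint header size + vint header type + padding
    return RAR5_SIG + b"\x00\x00\x00\x00" + bytes([4, htype]) + b"\x00\x00\x00"


PE_STUB = b"MZ" + b"\x00" * 62          # constructed: 64-byte stand-in for the SFX stub
SAMPLE_ENCRYPTED_SFX = PE_STUB + _rar4_blob(True)
SAMPLE_PLAIN_SFX = PE_STUB + _rar5_blob(False)

if __name__ == "__main__":
    for label, blob in (("encrypted", SAMPLE_ENCRYPTED_SFX), ("plain", SAMPLE_PLAIN_SFX)):
        print(label, classify_rar(blob), "sfx" if is_sfx(blob) else "not-sfx")
```

The helper does not try to open the archive; it only answers the question a scanner cannot (is the file table encrypted?), which is enough to quarantine or require manual review of an SFX that arrived from an untrusted download.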
The AutoIt loader checks for debugger processes and, if clear, extracts both benign networking utilities (Ncat) and malicious modules, creates system events to use Ncat and cmd.exe for remote control, modifies the registry using Image File Execution Options to persist by hijacking legitimate services and updaters, removes delete/modify permissions on created files, disables Windows Recovery, and exfiltrates host and antivirus details via a Telegram bot. Core payloads DeviceId.dll and 7zxa.dll perform cryptomining and clipboard clipping by injecting into explorer.exe using Process Hollowing: DeviceId.dll launches the SilentCryptoMiner with stealth configuration and remote control, while 7zxa.dll monitors and replaces clipboard wallet addresses to steal funds.
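The IFEO persistence described above relies on a single registry value: when a subkey under Image File Execution Options named after an image carries a "Debugger" value, Windows starts that program instead of the image. Hunting for it on a suspect host therefore reduces to listing every such value and ranking the ones attached to the services and updaters this campaign hijacked. The script below is an added example for this summary, not Doctor Web's tooling; it assumes the responder has run `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and parses that text. The registry dump embedded in it is constructed (the StartMenuExperienceHost.exe path under ProgramData\jedist is a made-up illustration of the naming the summary reports, and the vsjitdebugger.exe entry stands in for a legitimate JIT debugger registration).

```python
r"""Hunt for Image File Execution Options (IFEO) "Debugger" hijacks in a
`reg export` dump. Added example; not Doctor Web's code. Real exports are
UTF-16LE with a BOM: open(path, encoding="utf-16").read()."""
import re
from typing import Dict, List, NamedTuple

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")

# Images the summary names as hijacked in this campaign (matched case-insensitively).
WATCHLIST = {
    "mousocoreworker.exe", "svchost.exe", "trustedinstaller.exe",
    "googleupdate.exe", "microsoftedgeupdate.exe",
}


class Finding(NamedTuple):
    image: str
    debugger: str
    severity: str   # "high" for watchlisted images, "review" for any other Debugger


_KEY_RE = re.compile(r"^\[(.+)\]$")
_STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def _unescape(value: str) -> str:
    # .reg files escape backslashes and double quotes inside REG_SZ values.
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_ifeo_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {image_name: {value_name: string_value}} for each direct IFEO
    subkey. Nested subkeys (e.g. PerfOptions) and non-string values are
    ignored: the Debugger value is a plain REG_SZ on the image's own key."""
    prefix = IFEO_KEY.lower() + "\\"
    subkeys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        key = _KEY_RE.match(line)
        if key:
            path = key.group(1)
            current = None
            if path.lower().startswith(prefix):
                image = path[len(prefix):]
                if "\\" not in image:                 # direct child only
                    current = subkeys.setdefault(image, {})
            continue
        if current is None:
            continue
        val = _STRING_VALUE_RE.match(line)
        if val:
            current[val.group(1)] = _unescape(val.group(2))
    return subkeys


def find_ifeo_hijacks(text: str) -> List[Finding]:
    """Every Debugger value deserves a look on a production host; those on
    images this campaign abused are ranked high."""
    findings: List[Finding] = []
    for image, values in parse_ifeo_export(text).items():
        debugger = values.get("Debugger")
        if not debugger:
            continue
        severity = "high" if image.lower() in WATCHLIST else "review"
        findings.append(Finding(image, debugger, severity))
    return findings


# Constructed sample export (not a real host's registry).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MoUsoCoreWorker.exe]
"Debugger"="C:\\ProgramData\\jedist\\StartMenuExperienceHost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Windows\\System32\\vsjitdebugger.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\PerfOptions]
"CpuPriorityClass"=dword:00000003
'''

if __name__ == "__main__":
    for hit in find_ifeo_hijacks(SAMPLE_REG):
        print(f"[{hit.severity}] {hit.image} -> {hit.debugger}")
```

Note that an IFEO subkey for svchost.exe without a Debugger value is not in itself suspicious (Windows and some tooling create such keys for other settings), which is why the parser keeps the subkey but the hunt only reports entries that actually redirect execution.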
Read more: https://news.drweb.com/show/?i=14920&lng=en