A trojanized CPUID HWMonitor installer delivers a multi-stage, fileless malware chain that abuses trusted Windows binaries (PowerShell, MSBuild, regsvr32) to run scriptlet payloads such as Clippy.sct. The scriptlet rebuilds a .NET assembly entirely in memory: a large embedded array of fake IPv6 strings is decoded back into raw bytes, deserialized with BinaryFormatter, and dynamically invoked; the invoked code references a secondary file (data.dat) and the VirtualAlloc/CreateThread APIs, which points to follow-on shellcode execution. Organizations are advised to validate installer signatures and hashes, deploy EDR, and monitor for regsvr32 loading .sct files, MSBuild launched from user-writable paths, and scripts carrying large embedded arrays. #HWMonitor #Clippy.sct
Keypoints
- A trojanized CPUID HWMonitor installer was used as the initial delivery mechanism for a fileless, multi-stage attack.
- The installer chain invokes PowerShell, MSBuild, and regsvr32 to execute scriptlet files (e.g., Clippy.sct and ActiveX.sct) without dropping traditional executables to disk.
- Clippy.sct reconstructs a .NET assembly in memory by decoding a large embedded array of fake IPv6 strings into a raw byte stream and deserializing it with BinaryFormatter.
- The deserialized code dynamically invokes a malicious class (ServiceClass) that reads a secondary file (data.dat) and calls native APIs (VirtualAlloc, CreateThread), indicating likely shellcode execution.
- Encoding the payload as fake IPv6 addresses and deserializing it in memory are layered evasion techniques: the strings look like inert data to static scanners, and the assembly never touches disk, which complicates both detection and analysis.
- Defensive recommendations include validating installer signatures and hashes, restricting execution of newly downloaded files, deploying EDR, and monitoring for regsvr32 invoked with .sct files, MSBuild launched from user-writable paths, and scripts containing large embedded arrays.
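The decoding step described above (fake IPv6 strings to raw bytes, then a BinaryFormatter stream), as an added analyst-side example; this is not code from the report or from the malware. It assumes each fake address carries 16 payload bytes (its packed form), which is the natural way to hide binary data in IPv6 text; the report does not describe the sample's exact layout or padding, so the sample scriptlet, its array, and the `DEMO-PAYLOAD` filler are constructed here. The BinaryFormatter header check follows MS-NRBF (SerializationHeaderRecord: record type 0x00, RootId, HeaderId, MajorVersion 1, MinorVersion 0).

```python
"""Recover a byte stream hidden in an array of fake IPv6 address strings.

Added example, not code from the report or the malware. Assumption: each fake
address encodes 16 payload bytes (its packed form); the real sample's layout
and padding convention are not described in the report.
"""
import ipaddress
import re
import struct


def encode_as_fake_ipv6(data: bytes) -> list[str]:
    """Split data into 16-byte chunks and render each as a full-form IPv6 address.
    The final chunk is zero-padded, so the caller must remember the true length."""
    padded = data + b"\x00" * (-len(data) % 16)
    return [ipaddress.IPv6Address(padded[i:i + 16]).exploded
            for i in range(0, len(padded), 16)]


def decode_fake_ipv6(addrs, length=None) -> bytes:
    """Inverse of encode_as_fake_ipv6. IPv6Address.packed also accepts compressed
    ('::') forms, so the decoder works whether or not zeros were written in full."""
    blob = b"".join(ipaddress.IPv6Address(a.strip()).packed for a in addrs)
    return blob if length is None else blob[:length]


def extract_ipv6_strings(script_text: str) -> list[str]:
    """Pull every double-quoted literal that parses as an IPv6 address, in order."""
    found = []
    for lit in re.findall(r'"([0-9A-Fa-f:]{2,39})"', script_text):
        try:
            ipaddress.IPv6Address(lit)
        except ValueError:
            continue
        found.append(lit)
    return found


def classify_blob(blob: bytes) -> str:
    """Cheap triage of the recovered bytes: a PE image ('MZ') or an MS-NRBF stream,
    the BinaryFormatter wire format, whose SerializationHeaderRecord is
    record type 0x00, RootId, HeaderId, MajorVersion=1, MinorVersion=0."""
    if blob[:2] == b"MZ":
        return "pe"
    if len(blob) >= 17 and blob[0] == 0 and struct.unpack_from("<ii", blob, 9) == (1, 0):
        return "nrbf"
    return "unknown"


# Constructed sample: a BinaryFormatter-style header followed by filler bytes,
# wrapped in a minimal scriptlet skeleton the way a .sct would embed its array.
SAMPLE_BLOB = b"\x00" + struct.pack("<iiii", 1, -1, 1, 0) + b"DEMO-PAYLOAD"
SAMPLE_SCT = (
    '<?XML version="1.0"?>\n<scriptlet>\n<script language="JScript"><![CDATA[\n'
    "var a = [" + ", ".join('"%s"' % s for s in encode_as_fake_ipv6(SAMPLE_BLOB)) + "];\n"
    "]]></script>\n</scriptlet>\n"
)


def recover_from_scriptlet(text: str, length=None) -> tuple[str, bytes]:
    """Extract the array from scriptlet text, decode it, and say what it looks like."""
    blob = decode_fake_ipv6(extract_ipv6_strings(text), length)
    return classify_blob(blob), blob


if __name__ == "__main__":
    kind, blob = recover_from_scriptlet(SAMPLE_SCT, len(SAMPLE_BLOB))
    print(kind, blob)
```

Two practical notes: the true payload length is not recoverable from the addresses alone because the last chunk is padded, so look for a length constant or a trim in the script; and a real .NET payload would be a second, much larger NRBF stream whose contents (the assembly bytes) should be carved and inspected in a sandbox rather than passed to BinaryFormatter.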
MITRE Techniques
- [T1195] Supply Chain Compromise – The campaign used a trojanized vendor installer as the delivery vector (‘trojanized version of the CPUID HWMonitor installer being used to deliver a multi-stage, fileless malware chain’).
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell is used as part of the multi-stage execution chain spawned by the installer (‘installer initiates a sequence involving PowerShell, MSBuild, and regsvr32’).
- [T1218.010] System Binary Proxy Execution: Regsvr32 – regsvr32 is abused to execute a scriptlet payload through scrobj.dll without dropping an executable (‘"C:\Windows\System32\regsvr32.exe" /s /u "/i:C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Clippy.sct" scrobj.dll’). The MSBuild stage is catalogued separately by MITRE as [T1127.001] Trusted Developer Utilities Proxy Execution: MSBuild.
- [T1027] Obfuscated Files or Information – The payload is obfuscated by encoding raw binary as an array of fake IPv6 addresses to evade static detection (‘contains a large embedded array of fake IPv6 addresses, which are not network indicators but rather an obfuscated representation of raw binary data’).
- [T1055] Process Injection (in-memory execution) – The reconstructed .NET payload runs in memory and references native APIs for executing additional code, likely shellcode, via VirtualAlloc/CreateThread (‘reading a secondary file (data.dat) and executing it via native Windows APIs, such as VirtualAlloc and CreateThread, likely indicating shellcode execution’). Strictly, allocating and running code inside the current process is self-injection, and the in-memory load of the reconstructed assembly is also described by [T1620] Reflective Code Loading.
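The monitoring recommended in the keypoints (regsvr32 with .sct files, MSBuild from user-writable paths) as detection logic run over constructed process-creation events; this is an added example, not a detection from the report or a vendor. The first event reproduces the regsvr32 command line quoted above; its parent, the remaining events, and the `build.xml` / `app.csproj` names are constructed. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine) as an assumption about the log source.

```python
"""Detection logic for the regsvr32 / MSBuild stage of the chain, run over
constructed process-creation events (Sysmon Event ID 1-style fields).

Added example, not from the report. EVENTS[0] carries the regsvr32 command line
quoted in the report; the other events and file names are constructed.
"""
import ntpath
import re

USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DEV_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}  # normal MSBuild lineage; tune per estate


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return p.startswith(USER_WRITABLE_PREFIXES) or "\\appdata\\" in p


def evaluate(ev: dict) -> list[str]:
    """Return the names of the rules the event matches (empty list = clean)."""
    hits = []
    image = basename(ev["Image"])
    parent = basename(ev.get("ParentImage", ""))
    args = [a.lower() for a in tokens(ev["CommandLine"])[1:]]

    if image == "regsvr32.exe":
        # Squiblydoo shape: /i:<scriptlet or URL> handed to scrobj.dll. regsvr32 does
        # not care about the file extension, so scrobj.dll is the stronger signal.
        remote_or_sct = any(a.startswith("/i:") and (a.endswith(".sct") or a[3:].startswith("http"))
                            for a in args)
        if remote_or_sct or any(a.endswith("scrobj.dll") for a in args):
            hits.append("regsvr32_scriptlet")

    if image == "msbuild.exe":
        # A project file under a user-writable directory is normal for a developer's
        # IDE but not for anything else; an IDE allowlist keeps the rule usable.
        if parent not in DEV_PARENTS and any(is_user_writable(a) for a in args):
            hits.append("msbuild_user_writable_project")
        if parent in SCRIPT_HOSTS:
            hits.append("msbuild_scripting_parent")
    return hits


def triage(events) -> dict[int, list[str]]:
    """Map event index -> matched rules for every event that fired at least one."""
    out = {}
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            out[i] = hits
    return out


EVENTS = [
    {   # regsvr32 command line quoted in the report (parent constructed)
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        "CommandLine": r'"C:\Windows\System32\regsvr32.exe" /s /u "/i:C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Clippy.sct" scrobj.dll',
    },
    {   # constructed: MSBuild handed a project file in %TEMP%, launched by PowerShell
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"MSBuild.exe C:\Users\user\AppData\Local\Temp\build.xml",
    },
    {   # constructed benign: ordinary COM registration from Program Files
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\thing.dll"',
    },
    {   # constructed benign: developer build from Visual Studio under the user profile
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
        "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" "C:\Users\dev\source\repos\app\app.csproj" /t:Build',
    },
]

if __name__ == "__main__":
    for idx, rules in triage(EVENTS).items():
        print(idx, basename(EVENTS[idx]["Image"]), rules)
```

The regsvr32 rule keys on `scrobj.dll` and the `/i:` target rather than on the `.sct` extension alone, because regsvr32 will load a scriptlet from any file name once scrobj.dll is named. The MSBuild path rule is intentionally suppressed for IDE parents; on developer workstations it should be paired with the parent-lineage rule or with a list of known build roots, otherwise it will page on every local build.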
Indicators of Compromise
- [File Name] Installer and scriptlet artifacts observed in the campaign – Clippy.sct, ActiveX.sct, and other files such as Portable HWMonitor Installer (1.63), Fake CRYPTBASE.dll, Trojanized HWMonitor, 0uenkytg.cs.
- [SHA256 Hash] File hashes tied to observed artifacts – B31A9D919750567167A07EB6D4D53F9DCD25E8343624D54D98F528832CB4CDC7 (Clippy.sct), 02db6764d1f13b837b0a525e5931bdbc67e7a2a4d071e849c7e087255d4a2d5b (Trojanized HWMonitor), and 5 more hashes.
- [Domain/URL] Command-and-control reference – hxxps://welcome[.]supp0v3[.]com/d/callback (referenced C2 URL).