The researchers found that the criminals behind this malware went to considerable lengths to hide its real payload behind a jumble of random characters. The script is designed to change underlying operating-system settings, and it obscures what it does with tricks such as encoded characters, regex replace, regex search, conditional statements and unusual base conversions.
The researchers charted every step the script goes through:
- A new folder is created in the AppData\Roaming directory and then hidden by setting a new registry key.
- The legitimate Windows wscript.exe application is then copied into this new folder under a new random name.
- The script copies itself into the same folder and creates a shortcut to itself. The shortcut is named 'Start' and placed in the user's "Startup" folder. Because Startup sits under the Start Menu's Programs directory, the shortcut is visible from the Start Menu, and anything in Startup runs automatically at every logon.
- The Start shortcut is given a fake folder icon, to trick users into thinking it is a folder rather than a file.
- The rest of the script then checks for an internet connection by reaching out to Microsoft, Google or Bing.
- Telemetry data is then sent to urchintelemetry dot com, from which the script downloads an encrypted file and runs it.
- The script also uses Windows Management Instrumentation (WMI) to look for security software.
- If such software is found, it is terminated with a bogus error message.
- If the user spots the script in Task Manager and tries to end it, the PC shuts down, because the script runs a command-line shutdown command in response.
The remedy is to boot the PC into Safe Mode, where programs in the Startup folder are not launched and the script is therefore not running, and then remove the Startup shortcut and the hidden folder under AppData\Roaming.
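As an added hunting and cleanup example (written for this page, not code from the original analysis), the PowerShell script below looks for the persistence chain described above: a shortcut in the user's Startup folder that launches a renamed copy of wscript.exe from a hidden folder under %APPDATA% (AppData\Roaming). The indicator heuristics it applies (a target path under %APPDATA%, the version resource's OriginalFilename still reading wscript.exe, a script file passed as an argument) are this example's assumptions rather than indicators published on the page, and the page does not name the registry key used to hide the folder, so that key is not checked. It reports the shortcut's icon location so an analyst can confirm the folder-icon lure, and deletes nothing unless -Remove is given.

```powershell
# Added hunting/cleanup example, not code from the original analysis.
# Looks for a Startup-folder shortcut that launches a renamed wscript.exe from a
# hidden folder under %APPDATA%. Heuristics below are this example's assumptions.
# Run from Safe Mode as the article advises; nothing is deleted without -Remove.
param([switch]$Remove)

$startup = [Environment]::GetFolderPath('Startup')          # ...\Start Menu\Programs\Startup
$appData = [Environment]::GetFolderPath('ApplicationData')  # %APPDATA%, i.e. AppData\Roaming
$shell   = New-Object -ComObject WScript.Shell
$hits    = @()

foreach ($lnk in Get-ChildItem -LiteralPath $startup -Filter *.lnk -Force -ErrorAction SilentlyContinue) {
    $sc     = $shell.CreateShortcut($lnk.FullName)
    $target = $sc.TargetPath
    if (-not $target) { continue }

    # Heuristic 1 (assumption): the shortcut resolves into the roaming profile,
    # where no legitimately installed launcher normally lives.
    $inAppData = $target.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)

    # Heuristic 2 (assumption): the target is a renamed Windows Script Host.
    # Renaming a file does not touch its version resource, so OriginalFilename
    # still reads wscript.exe, while genuine copies live under %SystemRoot%.
    $origName = $null
    if (Test-Path -LiteralPath $target) {
        $origName = (Get-Item -LiteralPath $target -Force).VersionInfo.OriginalFilename
    }
    $isRenamedWsh = $origName -and ($origName -ieq 'wscript.exe') -and
                    ($target -notlike "$env:SystemRoot\*")

    # Heuristic 3 (assumption): the shortcut hands a script file to whatever it launches.
    $hasScriptArg = [bool]($sc.Arguments -match '\.(vbs|vbe|js|jse|wsf)\b')

    if ($inAppData -and ($isRenamedWsh -or $hasScriptArg)) {
        $dir     = Split-Path -Parent $target
        $dirItem = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
        $hidden  = if ($dirItem) { $dirItem.Attributes.HasFlag([IO.FileAttributes]::Hidden) } else { $null }

        $hits += [pscustomobject]@{
            Shortcut     = $lnk.FullName
            Target       = $target
            Arguments    = $sc.Arguments
            IconLocation = $sc.IconLocation   # a folder icon on a script launcher is the lure
            OriginalName = $origName
            Directory    = $dir
            DirHidden    = $hidden
        }
    }
}

if (-not $hits) {
    Write-Host "No Startup shortcut in $startup matches the pattern."
    return
}

$hits | Format-List

if ($Remove) {
    foreach ($h in $hits) {
        Write-Host "Removing $($h.Shortcut) and $($h.Directory)"
        Remove-Item -LiteralPath $h.Shortcut -Force
        Remove-Item -LiteralPath $h.Directory -Recurse -Force
    }
}
```

Run it first without -Remove and review the listed shortcuts: the page's sample used a shortcut named 'Start', but the script inspects every .lnk in Startup because the name is trivial to change. Doing this from Safe Mode matters for the reason the article gives: the script is not launched there, so there is no running copy to react to the cleanup by shutting the machine down.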