In this article, ANY.RUN‘s analyst team will explore a malicious loader known as PSLoramyra. This advanced malware leverages PowerShell, VBS, and BAT scripts to inject malicious payloads into a system, execute them directly in memory, and establish persistent access.  

Classified as a fileless loader, PSLoramyra bypasses traditional detection methods by loading its primary payload entirely into memory, leaving minimal traces on the system. 

PSLoramyra Loader: Technical Analysis 

To see PSLoramyra loader in action, let’s have a look at its sample inside ANY.RUN’s sandbox: 

View analysis 

Initial PowerShell script 

Let’s take a closer look at this loader. The infection chain begins with an initial PowerShell script that contains both the main malicious payload and the scripts required to execute it. The script performs the following steps: 

1. File creation:  

The script generates three files critical to the infection chain: 

1. roox.ps1 

2. roox.bat 

3. roox.vbs 

2. Execution chain: 

1. The roox.vbs script is executed first to initiate the process. 

2. roox.vbs launches the roox.bat script. 

3. roox.bat then runs the roox.ps1 PowerShell script. 

3. Payload execution:  

The roox.ps1 script loads the main malicious payload directly into memory using Reflection.Assembly.Load.

It then leverages RegSvcs.exe to execute the payload. In this case, the payload is the Quasar RAT. 

Establishing Persistence with Task Scheduler 

The PowerShell script establishes persistence by creating a Windows Task Scheduler task that runs roox.vbs every two minutes. Here’s how it operates step by step: 
 

1. Creating the scheduler object: 

The script initializes a Task Scheduler object using the following command: 

New-Object -ComObject Schedule.Service  

It then connects to the Task Scheduler service: $scheduler.Connect() 

2. Defining a new task: 

A new task is created with: $taskDefinition = $scheduler.NewTask(0)  

The task is described, and its execution is enabled: $taskDefinition.Settings.Enabled = $true 

3. Setting the Trigger: 

A trigger is configured to execute the task every two minutes: $trigger.Repetition.Interval = “PT2M”  

4. Configuring the Task Action: 

The action specifies the execution of the roox.vbs script: $action.Path = “C:UsersPublicroox.vbs 

5. Registering the Task: 

Finally, the task is registered in the Task Scheduler, ensuring it runs continuously: $taskFolder.RegisterTaskDefinition() 

Script Creation 

The initial PowerShell script generates multiple scripts and writes them to the disk. This is achieved using the following command: [IO.File]::WriteAllText(“PATH”, CONTENT) 

The content of these scripts is initially stored in variables such as $Content. 

Detailed Script Breakdown 

Roox.vbs script 

This script runs every two minutes and acts as the starting point for executing the other scripts in the malware chain. Essentially, it serves as a link between the Task Scheduler and the subsequent scripts, ensuring the infection chain progresses successfully. 

The roox.vbs script launches the next script in the chain, roox.bat, in a hidden window. This ensures that its execution remains invisible to the user, maintaining the stealth of the infection process. 

1. Error handling: 

The command on error resume next suppresses error messages, allowing the script to continue execution even if exceptions occur. This ensures the script does not fail visibly during the process. 

2. CreateWshShellObj function 

This function creates a COM object named WScript.Shell. The object is used to execute commands and scripts, which are essential for launching the next stage in the infection chain. 

3. GetFilePath function 

This function retrieves the path to the next stage in the chain, specifically pointing to the BAT file roox.bat. 

4. GetVisibilitySetting function 

Configures the visibility settings to ensure that roox.bat runs without displaying a window on the desktop. This stealthy execution minimizes the chances of detection by the user. 

5. RunFile function

Executes a file at the specified path with the defined visibility settings. In this case, it launches roox.bat in hidden mode. 

6. Sequence of calls 

The script executes the required functions in the following order to launch roox.bat: 

• Creates the WScript.Shell object using CreateWshShellObj. 
• Retrieves the path to roox.bat via GetFilePath. 
• Configures the visibility mode to hidden (0) using GetVisibilitySetting. 
• Executes roox.bat in hidden mode through the RunFile function.

ROOX.BAT Script 

This script runs roox.ps1 using PowerShell. It employs the following flags to enhance stealth and bypass security measures: 

• NoProfile: Prevents the loading of user-specific PowerShell profiles 

• WindowStyle Hidden: Hides the PowerShell window during execution, ensuring that the process remains invisible to the user. 

• ExecutionPolicy Bypass: Overrides Windows PowerShell execution policies, allowing scripts to run without restrictions imposed by security configurations. 

ROOX.PS1 Script

The roox.ps1 PowerShell script deobfuscates the main malicious payload, dynamically loads it into memory, and executes it using .NET Reflection and RegSvcs.exe. The script employs simple obfuscation using the # character to make detection more challenging.

The variables $RoXstring_lla and $Mordexstring_ojj store the main malicious payload in the form of HEX strings, with each byte separated by %&% as a means of obfuscation. 

Deobfuscation Process 

The script uses the following commands to convert the obfuscated HEX strings into usable binary code: 

[Byte[]] $NKbb = $Mordexstring_ojj -split '%&%' | ForEach-Object { [byte]([convert]::ToInt32($_, 16)) } 

[Byte[]] $pe = $RoXstring_lla -split '%&%' | ForEach-Object { [byte]([convert]::ToInt32($_, 16)) } 

What these commands do: 

• Split the HEX strings: They split the HEX strings $Mordexstring_ojj and $RoXstring_lla into arrays using %&% as a delimiter. 
• Convert HEX to decimal bytes: Then, each element in the array converts the HEX string into a decimal byte value. 

ForEach-Object { [byte]([convert]::ToInt32($_, 16)) } 

Form byte arrays: This forms a byte array (Byte[]), representing the binary code of the payload. 

Deobfuscate using -replace: 
Obfuscated commands are cleaned by removing # symbols using the -replace command. For example, a string like L####o####a####d is transformed into Load. 

Restore the method name: 
The variable $Fu restores the method name [Reflection.Assembly]::Load, which is used to load a .NET assembly into memory. 

Payload execution in memory: The script dynamically loads the NewPE2.PE type from the .NET assembly and calls its Execute method. The Execute method injects malicious code into a legitimate process, such as aspnet_compiler.exe. In this case, the target process is RegSvcs.exe. 

The initial variable $RoXstring_lla contains the injector for the .NET assembly NewPE2, which is responsible for loading the main payload into the process.

Within this assembly, the script locates the type NewPE2.PE and executes the Execute method. The latter is provided with parameters: the path and the malicious .NET assembly itself. 

Use the following query to search for more samples and threat data in TI Lookup:

Conclusion

PSLoramyra is a sophisticated fileless loader. It leverages PowerShell, VBS, and BAT scripts to inject and execute malicious payloads directly in memory, evading traditional detection methods. Its infection chain begins with an initial PowerShell script that generates essential files and establishes persistence through Windows Task Scheduler. The malware’s stealthy execution and minimal system footprint make it a serious threat.

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

• Detect malware in seconds
• Interact with samples in real time
• Save time and money on sandbox setup and maintenance
• Record and study all aspects of malware behavior
• Collaborate with your team 
• Scale as you need

Explore all Black Friday 2024 offers →

Indicators of Compromise (IOCs)

Hashes 

ac05a1ec83c7c36f77dec929781dd2dae7151e9ce00f0535f67fcdb92c4f81d9 

9018a2f6018b6948fc134490c3fb93c945f10d89652db7d8491a98790d001c1e 

d50cfca93637af25dc6720ebf40d54eec874004776b6bc385d544561748c2ffc 

Ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb 

Files 

C:UsersPublicroox.vbs 

C:UsersPublicroox.bat 

C:UsersPublicroox.ps1 

Domain 

Ronymahmoud[.]casacam[.]net 

IP 

3[.]145[.]156[.]44 

The post PSLoramyra: Technical Analysis of Fileless Malware Loader appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Overview

The 2023–2024 Annual Cyber Threat Report from the Australian Signals Directorate (ASD) reports a new rise in cyber threats targeting both individuals and businesses in Australia. As global tensions escalate, particularly due to ongoing conflicts such as Russia’s invasion of Ukraine and strife in the Middle East, cybercriminals and state-sponsored threat actors are intensifying their efforts to exploit vulnerabilities across nations.  

The Australia government stresses the growing threat to its critical infrastructure, with malicious actors continuing to engage in espionage, cybercrime, and disinformation campaigns. At the same time, technological advancements are enabling both state and non-state actors to enhance their cyber capabilities, creating new challenges for businesses, individuals, and government entities alike.

In response to these mounting risks, the Australian Government has committed $15–$20 billion to support the nation’s cyber resilience, strengthen infrastructure security, and support offensive operations against cyber threats. Central to this strategy is the importance of public-private partnerships and the ongoing use of cyber sanctions to target adversarial actors such as Russian cybercriminals.

2023–2024 Annual Cyber Threat Report: Key Findings on Cyber Threat Trends for Individuals

In the 2023–2024 Cyber Threat Trends, the report reveals troubling statistics and insights into the personal cyber risks faced by Australians. Over 87,400 cybercrime reports were made in FY2023–24, marking a 7% decrease from the previous year. This equates to an average of one cybercrime report every six minutes. The Australian Cyber Security Hotline responded to over 36,700 calls in the same period, an increase of 12% compared to FY2022–23, signaling that cyber threats targeting individuals are on the rise.

The most prevalent types of cybercrimes reported by individuals were:

• Identity fraud (26%)
• Online shopping fraud (15%)
• Online banking fraud (12%)

The financial impact of these crimes is substantial. The average cost of cybercrime per report for individuals has risen to approximately $30,700, a 17% increase from the previous year. This figure highlights the growing financial burden that cybercrime places on individuals, many of whom find themselves victims of scams, data breaches, and fraud. According to the Australian Institute of Criminology’s Cybercrime in Australia 2023 report, 34% of Australians had their financial or personal information exposed in a data breach in the last year, with 79% of them being notified by the affected company or a government agency.

Cybercriminals continue to exploit various tactics to carry out their attacks, with common methods including phishing, where cybercriminals impersonate trusted businesses to trick individuals into revealing sensitive information, such as passwords or credit card details. Malware is another frequent tool used to infect devices, steal data, or carry out unauthorized transactions.

The main 2023–2024 cyber threats individuals need to be aware of include:

• Identity fraud: The theft and misuse of personal information for financial gain or to create fake accounts.
• Online shopping fraud: Scams that occur when individuals purchase goods or services online, only to be defrauded or receive counterfeit products.
• Online banking fraud: Cybercriminals gain unauthorized access to bank accounts to steal funds or commit fraudulent activities.

2023–2024 Annual Cyber Threat Report: Cyber Threat Trends for Businesses

The 2023–2024 Annual Cyber Threat Report also provides insights into the growing risks faced by businesses in Australia, particularly those that deal with sensitive customer data or proprietary information. In FY2023–24, businesses reported over 87,400 cybercrime incidents, with a slight 7% decrease from the previous year, though the number remains concerningly high. The Australian Cyber Security Hotline received more than 36,700 calls, highlighting that businesses continue to grapple with increasing cyber threats.

The three primary types of cybercrimes reported by businesses were:

• Email compromise (20%)
• Online banking fraud (13%)
• Business email compromise (BEC) fraud, which resulted in financial losses (13%)

The average self-reported cost of cybercrime to businesses showed a mixed picture. For small businesses, the average loss increased by 8%, reaching $49,600, while medium-sized businesses saw a significant 35% decline, down to $62,800, and large businesses experienced an 11% decrease, to $63,600. Despite this overall decrease, BEC remains one of the most financially damaging threats, with Australian businesses reporting losses of nearly $84 million due to these scams.

BEC continues to have a impact, with an average loss of more than $55,000 per confirmed incident. This type of fraud typically involves attackers impersonating trusted figures within an organization to trick employees into authorizing fraudulent transactions or providing sensitive information.

In terms of security incidents, ASD responded to over 1,100 incidents, with 11% of these attacks targeting critical infrastructure, reflecting the growing vulnerability of Australia’s essential services to cyber threats. Ransomware attacks, in particular, have increased by 3% from the previous year, further underscoring the need for businesses to adopt proactive measures to defend against cybercriminals.

Common cyber threats facing businesses today include:

• Online banking fraud
• Email compromise, including phishing attacks
• Business email compromise (BEC) fraud

To mitigate these threats, businesses must implement comprehensive security measures and adopt best practices such as the ASD’s Essential Eight—a set of cybersecurity strategies designed to reduce the risk of cyberattacks. Additionally, organizations should train their employees to recognize phishing attempts and suspicious activity.

The Cyble ANZ Report on Cyber Threat Trends

Along with the 2023–2024 Annual Cyber Threat Report, Cyble recently shared its ANZ Cyber Threat Landscape Report 2024 offering a critical supplement to the annual report, providing additional insights into the threat environment faced by both individuals and businesses in Australia. Cyble’s report highlights the rapid rise of cybercrime-as-a-service (CaaS) platforms, which continue to democratize cybercrime, allowing even less technically skilled individuals to launch devastating attacks. These platforms sell malware, ransomware, and exploits, lowering the entry barriers for criminals and increasing the frequency and sophistication of attacks.

Key Threats Identified in the Cyble ANZ Report

1. Ransomware: Cyble’s research highlights the growing risk of ransomware attacks across various sectors, with Australian businesses increasingly falling victim to this type of threat. Notably, Conti, LockBit, and Clop are some of the most active ransomware families identified in the region, and their impact continues to grow. These groups have increasingly used tactics such as data exfiltration, threatening to release sensitive data unless a ransom is paid.
2. Supply Chain Attacks: The report notes an increase in attacks targeting third-party suppliers, leveraging their vulnerabilities to gain access to larger organizations. Attackers often infiltrate smaller organizations with weaker cybersecurity measures, using them as steppingstones to gain access to larger, more lucrative targets. This type of attack is particularly concerning as businesses often rely on third-party suppliers for critical services and infrastructure, making them vulnerable to cascading effects.
3. Phishing and Business Email Compromise (BEC): Cyble’s analysis of social engineering tactics reveals a rise in phishing attacks, which remain one of the most commonly used methods for infiltrating organizations. BEC campaigns are also on the rise, where attackers impersonate trusted business partners or executives to deceive employees into transferring funds or sharing sensitive information.
4. Dark Web Activity: The Cyble report emphasizes the growing role of the dark web in facilitating cybercrime. The increasing volume of stolen credentials, malicious tools, and data leaks sold on dark web marketplaces presents a serious risk to both individuals and businesses.

A key focus of both the 2023–2024 Annual Cyber Threat Report and the Cyble ANZ Report is the growing risks to Australia’s critical infrastructure. Cybercriminals, as well as state-sponsored threat actors, continue to target sectors vital to the nation’s security and economic stability, including energy, water, transportation, and telecommunications. These sectors are particularly attractive to cyber adversaries due to the potential for widespread disruption and financial and operational impact.

Conclusion

To effectively mitigate the growing cyber risks highlighted in the 2023–2024 Annual Cyber Threat Report and the Cyble ANZ Cyber Threat Landscape Report 2024, both individuals and businesses must stay alert and adopt proactive security measures. For individuals, practices like multi-factor authentication, strong passphrases, and regular software updates are essential for reducing the likelihood of cybercrime. Businesses should follow the ASD’s Essential Eight guidelines, implement vulnerability management, and maintain strong partnerships with cybersecurity agencies.

References

• https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2023-2024
• https://www.cyber.gov.au/sites/default/files/2024-11/2023-24-cyber-threat-trends-for-individuals.pdf
• https://www.cyber.gov.au/sites/default/files/2024-11/2023-24-cyber-threat-trends-for-businesses-and-organisations.pdf
• https://www.aic.gov.au/sites/default/files/2023-06/sr43_cybercrime_in_australia_2023.pdf

The post The 2023–2024 Annual Cyber Threat Report Reveals Rising Cyber Threat Trends for Individuals and Businesses appeared first on Cyble.

Blog – Cyble – ​Read More