Summary:
PSLoramyra is a sophisticated fileless malware loader that utilizes PowerShell, VBS, and BAT scripts to inject and execute malicious payloads directly in memory. Its stealthy execution and minimal system footprint allow it to evade traditional detection methods, posing a significant threat to systems. #FilelessMalware #MalwareAnalysis #PSLoramyra
Key points:
PSLoramyra is classified as a fileless loader, bypassing traditional detection methods.
The infection chain begins with an initial PowerShell script that generates critical files.
It establishes persistence using Windows Task Scheduler to run scripts every two minutes.
The main malicious payload is executed directly in memory using .NET Reflection.
PSLoramyra employs multiple scripts (roox.vbs, roox.bat, roox.ps1) to facilitate its operation.
Stealth techniques include running scripts in hidden mode and bypassing security measures.
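A defender-side check for the persistence described above, added here as an example and not taken from the ANY.RUN write-up: it parses a Task Scheduler definition in the form logged in the TaskContent field of Windows Security Event ID 4698 and flags the two-minute repetition, a script host launching one of the roox.* files, and hidden-window switches. The sample task XML is constructed; the event ID and task XML schema are standard Windows.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML lives in this namespace (standard Windows schema).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Script names from the PSLoramyra write-up, and the two-minute cadence it uses.
SUSPECT_FILES = re.compile(r"roox\.(vbs|bat|ps1)", re.I)
LOADER_INTERVAL = "PT2M"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe")
# PowerShell hidden-window switch or Windows Script Host batch mode (//B).
HIDDEN_FLAGS = re.compile(r"-w(indowstyle)?\s+hidden|//b\b", re.I)


def suspicious_task(task_xml: str) -> list[str]:
    """Return the reasons a task definition resembles the PSLoramyra persistence task.

    An empty list means nothing matched. The strongest signal is the
    two-minute interval combined with a script host launching a roox.* file.
    """
    root = ET.fromstring(task_xml)
    reasons = []
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        if (interval.text or "").strip().upper() == LOADER_INTERVAL:
            reasons.append("repeats every two minutes")
    for action in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip().lower()
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        if cmd.endswith(SCRIPT_HOSTS) and SUSPECT_FILES.search(args):
            reasons.append(f"script host {cmd} runs a roox.* script")
        if HIDDEN_FLAGS.search(args):
            reasons.append("hidden-window execution requested")
    return reasons


# Constructed sample in the shape of an Event ID 4698 TaskContent field;
# it is not a capture from the real campaign.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT2M</Interval></Repetition>
    <Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\wscript.exe</Command>
    <Arguments>//B "C:\Users\Public\roox.vbs"</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for reason in suspicious_task(SAMPLE_TASK):
        print("ALERT:", reason)
```

Feed it the TaskContent of each 4698 event rather than a snapshot of existing tasks, so a task that is created, fired and deleted between scans is still caught.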
MITRE Techniques:
Execution (T1203): Utilizes PowerShell, VBS, and BAT scripts to execute malicious payloads.
Persistence (T1053): Creates a scheduled task to ensure continuous execution of the malicious scripts.
Defense Evasion (T1027): Employs fileless techniques and obfuscation to evade detection.
Credential Access (T1070): Uses legitimate processes like RegSvcs.exe to execute malicious payloads.
Command and Control (T1071): Establishes communication with external servers for further instructions.
IoCs:
[File Name] roox.vbs
[File Name] roox.bat
[File Name] roox.ps1
[Domain] Ronymahmoud[.]casacam[.]net
[IP Address] 3.145.156.44
[File Hash] ac05a1ec83c7c36f77dec929781dd2dae7151e9ce00f0535f67fcdb92c4f81d9
[File Hash] 9018a2f6018b6948fc134490c3fb93c945f10d89652db7d8491a98790d001c1e
[File Hash] d50cfca93637af25dc6720ebf40d54eec874004776b6bc385d544561748c2ffc
[File Hash] Ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb
Full Research: https://any.run/cybersecurity-blog/cybersecurity-blog/psloramyra-malware-technical-analysis/