The Windows Registry is a database of settings used by Microsoft Windows system applications and core utilities. The registry is often abused by adversaries to store configuration information, hide code, evade detection, inhibit system function, or establish persistence, among other purposes. The “CurrentVersion” registry key in either the HKCU (Current User) or the HKLM (Local Machine) hive is one of the most abused registry keys, and more specifically the Run key beneath CurrentVersion. Because of this, the Run key is heavily scrutinized by detection and prevention tools. The targeted technique in this package uses only the CurrentVersion key itself to store the malware’s configuration information and potentially establish persistence, most likely because of the heavy scrutiny defense tools apply to the Run key.
This technique was observed being used by Nobelium’s (UNC2452) Sibot malware in early 2021. According to Microsoft, “Sibot is a dual-purpose malware implemented in VBScript. It is designed to achieve persistence on the infected machine then download and execute a payload from a remote C2 server. The VBScript file is given a name that impersonates legitimate Windows tasks and is either stored in the registry of the compromised system or in an obfuscated format on disk. The VBScript is then run via a scheduled task.” Aside from the reported Nobelium activity, analysts can look for VBScript code of any kind within the registry value. Its presence should be relatively obvious, given the likely length of the value and the inclusion of keywords such as Execute, vbscript, Shell.Application, etc. In many cases the code in the value will be heavily obfuscated and require decoding with tools like CyberChef; if unsure of the encoding scheme, try the “Magic” operation with Intense Mode on. Additionally, as the Nobelium activity noted above indicates, a suspicious scheduled task whose details reference a registry value can indicate a task that executes the code stored in the registry value observed.
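As an added example (not part of this package, nor code from Microsoft’s reporting), the following Python script hunts for the pattern described above from a defender’s side: it inspects string values sitting directly under the CurrentVersion key of either hive for VBScript keywords, unusual length and nested base64 encoding, and separately flags scheduled-task actions whose command line references a registry path. The keywords beyond the three named above, the 200-character length threshold, the task and value names, and the sample registry values and task actions are all constructed assumptions; on a real system the values would come from a hive export or `reg query` output rather than the inline list.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Keywords the text names as tell-tale signs of VBScript in a registry value,
# plus a few common VBScript object names (added here as an assumption).
VBSCRIPT_KEYWORDS = ("Execute", "vbscript", "Shell.Application", "WScript.Shell",
                     "CreateObject", "MSXML2.XMLHTTP", "ADODB.Stream")
# A setting under CurrentVersion is rarely this long (assumed threshold, tune per estate).
LONG_VALUE_THRESHOLD = 200
# Values directly under CurrentVersion in either hive; Run/RunOnce are left out
# because, as the text notes, they are already heavily scrutinised elsewhere.
CURRENTVERSION_RE = re.compile(
    r"^(?:HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion$", re.IGNORECASE)
# A registry path embedded in a scheduled task action (reg.exe or PowerShell drive form).
REGISTRY_REF_RE = re.compile(
    r"HK(?:CU|LM|EY_CURRENT_USER|EY_LOCAL_MACHINE):?\\[^\s\"']+", re.IGNORECASE)


@dataclass
class RegistryValue:
    key: str
    name: str
    data: str


@dataclass
class Finding:
    key: str
    name: str
    reasons: list


def decode_base64_layer(text):
    """Decode one base64 layer if `text` is base64 yielding mostly printable text, else None."""
    compact = re.sub(r"\s+", "", text)
    if len(compact) < 16 or len(compact) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        return None
    try:
        raw = base64.b64decode(compact, validate=True)
    except (ValueError, binascii.Error):
        return None
    # UTF-16LE text (PowerShell -EncodedCommand style) shows a NUL after the first byte.
    decoded = raw.decode("utf-16-le", errors="ignore") if len(raw) > 1 and raw[1] == 0 else raw.decode("latin-1")
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in decoded)
    return decoded if decoded and printable >= 0.9 * len(decoded) else None


def peel_layers(data, max_layers=3):
    """Return [raw data, decode 1, decode 2, ...], one entry per successful nested base64 decode."""
    layers = [data]
    for _ in range(max_layers):
        nxt = decode_base64_layer(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


def inspect_value(value):
    """Return a Finding when a CurrentVersion value looks like stored script code, else None."""
    if not CURRENTVERSION_RE.match(value.key):
        return None
    reasons = []
    layers = peel_layers(value.data)
    for depth, text in enumerate(layers):
        hits = sorted(kw for kw in VBSCRIPT_KEYWORDS if kw.lower() in text.lower())
        if hits:
            where = "in plaintext" if depth == 0 else f"after {depth} base64 layer(s)"
            reasons.append(f"VBScript keywords {hits} {where}")
    is_long = len(value.data) >= LONG_VALUE_THRESHOLD
    is_encoded = len(layers) > 1
    if is_long:
        reasons.append(f"value is {len(value.data)} characters long")
    if is_encoded:
        reasons.append(f"data decodes through {len(layers) - 1} base64 layer(s)")
    # Keywords alone are enough; a long encoded blob is flagged even when the keywords
    # are hidden by an encoding this script cannot peel (hand it to CyberChef).
    if any(r.startswith("VBScript") for r in reasons) or (is_long and is_encoded):
        return Finding(value.key, value.name, reasons)
    return None


def task_registry_references(action):
    """Registry paths mentioned in a scheduled task action, the pairing the text suggests hunting for."""
    return REGISTRY_REF_RE.findall(action)


def hunt(values, task_actions):
    findings = [f for f in map(inspect_value, values) if f]
    tasks = {}
    for name, action in task_actions.items():
        refs = task_registry_references(action)
        if refs:
            tasks[name] = refs
    return findings, tasks


# Constructed sample data, not taken from a real system.
VBS_SAMPLE = 'Set sh = CreateObject("Shell.Application")\r\nExecute(code)'
_once = base64.b64encode(VBS_SAMPLE.encode()).decode()
SAMPLE_VALUES = [
    RegistryValue(r"HKLM\Software\Microsoft\Windows\CurrentVersion", "ProgramFilesDir", r"C:\Program Files"),
    RegistryValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion", "UpdateCheck", VBS_SAMPLE),
    RegistryValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion", "Telemetry",
                  base64.b64encode(_once.encode()).decode()),  # double-encoded
    RegistryValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive", r"C:\Users\u\OneDrive.exe"),
]
SAMPLE_TASKS = {
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"%windir%\system32\defrag.exe -c -h -o -$",
    r"\Microsoft\Windows\UpdateCheck\Daily":
        r'powershell.exe -NoProfile -Command "Get-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion -Name UpdateCheck"',
}

if __name__ == "__main__":
    findings, tasks = hunt(SAMPLE_VALUES, SAMPLE_TASKS)
    for f in findings:
        print(f"[value] {f.key}\\{f.name}: " + "; ".join(f.reasons))
    for name, refs in tasks.items():
        print(f"[task]  {name}: references {refs}")
```

The value under the Run subkey is deliberately skipped so the script complements rather than duplicates the Run-key detections already in place; widen `CURRENTVERSION_RE` if you want every subkey. The script only handles string data, so binary values (REG_BINARY) should be converted to text before being fed in, and anything flagged as long and encoded but without keyword hits is the case where CyberChef’s Magic operation earns its keep.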
Tactic: Defense Evasion
Techniques: Modify Registry (T1112),