Forfiles is a utility tool commonly used by Windows system administrators. However, Avira researchers have found that it is now being leveraged by threat actors who use it as a stepping stone to stage an attack by the Locdoor ransomware (DryCry).
We’ve previously looked at how Certutil, a legitimate Windows file, had been abused by attackers to spread threats. Lately, we have seen an increase in ‘living off the land’ attacks, where attackers make use of tools already installed on targeted computers to run simple scripts and shellcode directly in memory to evade detection.
In this blog, we’ll explain how Forfiles is being used to spread ransomware and how you can protect against its malicious use.
How Attackers Use Forfiles
By: Amr Elkhawas, specialist threat researcher, Avira Protection Labs
During our analysis we observed that, upon launching the Excel sheet, an “Amazon Web Services” image appeared with a Russian-language text box translating to “Database Private Content”. This is a social engineering trick to lure the victim into enabling the content and so carrying out the malicious activity.
Further analysis of the embedded macro code revealed a small two-line code snippet that automatically runs when the file is launched. This snippet creates a WScript object and executes the code present in cell (201, 30), which translates to the cell in the “AD” column, row 201.
The content of this cell is shown in the image below. It leverages Forfiles with the “/c” switch, which runs a command on a file or a set of files. The command in the snippet is “Start-Process”, and the “file” contained between the quotation marks is a PowerShell one-line downloader. It downloads a file from a remote URL and saves it in the “Temp” directory.
Then Forfiles is executed as shown in the process execution tree below:
A second-stage downloader is then triggered, from the VBS to executables, which downloads the rest of the payload using a stealthy PowerShell instance that is set to sleep for 80000 milliseconds. The triage information is shown in the PowerShell transcript below:
Four further instances of PowerShell are spawned from this executable, as seen in the hex dump below:
The first payload is then inspected and turns out to be a VBS script. This script pops up an error message that ‘this workbook can only be opened on the latest version of Microsoft Excel’ to distract the victim from noticing that malicious activity has occurred in the background.
The PowerShell transcript logs for each of the four instances are shown below:
First instance: the VBS script mentioned previously
Second instance: an executable called “Usermode Font.exe” that is dropped in the Startup folder to persist between restarts
Third instance: an executable called “Service Graphic Manager.exe” that is dropped in the Startup folder
Fourth instance: an executable called “System Audio RHTS.exe” that is dropped in the Startup folder
Conclusion
Threat actors have become skilled at leveraging legitimate tools to evade security defenses. Here we’ve seen how Forfiles, a utility tool that is commonly used by system administrators, is leveraged by threat actors to carry out malicious activities. In this case, Forfiles is used as the stepping stone to stage the attack for the Locdoor ransomware (DryCry).
It is important to look out for uncommon process execution trees even if they involve utilities that do not have any known or documented malicious behavior.
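One way to turn that advice into a check, as an added example that is not part of the Avira post: walk a set of process-creation records and flag forfiles.exe when its parent is an Office application or script host, when its “/c” command hands off to PowerShell, or when it has PowerShell children, the shape of the chain described above. The records, image names and command lines are constructed sample data (an Excel-launched chain beside a benign scheduled clean-up), not telemetry from the article.

```python
import re

# Constructed process-creation records (Sysmon event ID 1 style, simplified
# to pid / ppid / image / command line). Sample data, not telemetry from the article.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "EXCEL.EXE",
     "cmd": "EXCEL.EXE Sliv_paroley_Vkontakte_iyul_2019.xls"},
    {"pid": 300, "ppid": 200, "image": "forfiles.exe",
     "cmd": 'forfiles.exe /c "powershell Start-Process <downloader elided>"'},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmd": "powershell.exe Start-Process <downloader elided>"},
    # Benign administrative use: a scheduled log clean-up with no Office parent.
    {"pid": 500, "ppid": 1,   "image": "forfiles.exe",
     "cmd": 'forfiles.exe /p C:\\Logs /m *.log /d -30 /c "cmd /c del @path"'},
]

# Parents from which forfiles.exe has no business being launched (the article's
# chain starts in an Excel macro driving a WScript object).
OFFICE_OR_SCRIPT_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "wscript.exe", "cscript.exe"}

# forfiles /c "<command>" where the command hands off to PowerShell, optionally via cmd /c.
FORFILES_TO_POWERSHELL = re.compile(r'/c\s+"?\s*(?:cmd(?:\.exe)?\s+/c\s+)?powershell', re.IGNORECASE)

def ancestry(by_pid, pid):
    """Return the process and its ancestors (self first), stopping at unknown pids."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def find_forfiles_abuse(events):
    """Flag forfiles.exe processes whose parent, /c payload or children match the article's pattern."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["image"].lower() != "forfiles.exe":
            continue
        reasons = []
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() in OFFICE_OR_SCRIPT_HOSTS:
            reasons.append(f"spawned by {parent['image']}")
        if FORFILES_TO_POWERSHELL.search(e["cmd"]):
            reasons.append("/c runs PowerShell")
        # PowerShell children confirm the hand-off actually happened.
        for child in events:
            if child["ppid"] == e["pid"] and child["image"].lower() == "powershell.exe":
                reasons.append(f"child powershell.exe pid {child['pid']}")
        if reasons:
            chain = " -> ".join(p["image"] for p in reversed(ancestry(by_pid, e["pid"])))
            findings.append({"pid": e["pid"], "chain": chain, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_forfiles_abuse(EVENTS):
        print(f"pid {f['pid']}: {f['chain']} [{'; '.join(f['reasons'])}]")
```

The benign clean-up job (pid 500) produces no finding, so the rule keys on the parent and the hand-off rather than on forfiles.exe itself.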
A better solution is to use security tools with advanced scan engines that can detect and autonomously respond to anomalous code execution regardless of whether it is from a trusted source or not.
Indicators of Compromise (IoCs)
| Filename | Sha256 | Detection name |
| --- | --- | --- |
| Sliv_paroley_Vkontakte_iyul_2019.xls | 0a17980d36a1781b004349a4e811770a0930167d97955806b4d8253d0c281c80 | W97M/Dldr.efo |
| tmp27er98o9.exe | f57aafb99c6f1696da2da0dd6b8e44ef57d16dcc1ca9b4fd5bb5d8e19bfc239e | TR/Dldr.Agent.f57aaf |
| tmp458er98s.vbs | 82eae744c217a389d72c9d49dd777a7a90db8972427e429319173a05b408334f | VBS/Agent.jmk |
| Usermode Font.exe | 0b1ce2c44e41074ef79fd8ab66dc29059f9e35b1bc2cfdf43e68c9eef7db09b5 | TR/Crypt.TPM.Gen |
| Service Graphic Manager.exe | c2b65b1ad477b3a5ba66304e2c2590375815546833e883803bddfdf7ea18a43c | TR/Crypt.TPM.Gen |
| System Audio RHTS.exe | f2e4e9f749418abcc17ccd1d422f4897ee8c9bfba492aff8dddca207fca0be4e | TR/Dldr.Agent.f2e4e9 |
URLs
hxxp://paradiz.zzz.com.ua/—With_err.jpg
hxxp://paradiz.zzz.com.ua/tmp4384err13.jpg
hxxp://paradiz.zzz.com.ua/1.jpg
hxxp://paradiz.zzz.com.ua/2.jpg
hxxp://paradiz.zzz.com.ua/3p.jpg