{"id":13447,"date":"2026-06-08T04:03:39","date_gmt":"2026-06-08T04:03:39","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/08\/33054\/"},"modified":"2026-06-08T04:03:39","modified_gmt":"2026-06-08T04:03:39","slug":"33054","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/08\/33054\/","title":{"rendered":"The Evil MSI Background is Back!, (Fri, Jun 5th)"},"content":{"rendered":"\n<div>The Evil MSI Background is Back!, (Fri, Jun 5th)<\/div>\n<p> \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>A few months ago, I wrote a diary about a payload that was embedded into a JPEG picture. It was a MSI-branded background[<a href=\"https:\/\/isc.sans.edu\/diary\/Malicious+Script+Delivering+More+Maliciousness\/32682\">1<\/a>]. Yesterday, I spotted another one! It seems that the technic is getting more and more popular. This time, it started with a mail containing a WeTransfer link.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260605-1.png?ssl=1\" style=\"width: 600px; height: 923px;\"><\/p>\n<p>Often, the WeTransfer brand is abused in phishing emails. Here, it&#8217;s was an official link:\u00a0<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\nhxxps:\/\/we[.]tl\/t-R4Wv1JkvFfC4Awus<\/pre>\n<p>The thread-actor shared the initial file via this platform. The file is a piece of Javascript called &#8220;Remittance Advice.js&#8221; (SHA256:8a83de81fbac4eb0961f3d58982f299664a5fa4c874c7469e69f85f3fc5bd33f).<\/p>\n<p>The contains a lot of junk code that will just do nothing:<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260605-2.png?ssl=1\" style=\"width: 600px; height: 361px;\"><\/p>\n<p>Every for-loop will just move to the next line. In the middle of the file (&gt;2MB), we have the interesting code that will perform the following tasks:<\/p>\n<p>It will decode the next payload in an environment variable:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\n[Environment]::SetEnvironmentVariable(\"INTERNAL_DB_CACHE\", &lt;encoded_payload&gt;)<\/pre>\n<p>The obfuscation technique used is ROT13, old but still very efficient:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\ncbjrefuryy.rkr -RkrphgvbaCbyvpl Olcnff -AbCebsvyr -JvaqbjFglyr Uvqqra -Pbzznaq<\/pre>\n<p>Decoded, it becomes:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\npowershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command<\/pre>\n<p>PowerShell is executed throug WMI:<\/p>\n<ul>\n<li>winmgmts:rootcimv2: connect to WMI<\/li>\n<li>Win32_ProcessStartup: configure process startup (hidden window)<\/li>\n<li>Win32_Process.Create(): spawn the process<\/li>\n<\/ul>\n<p>The full command is:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\npowershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command [ScriptBlock]::Create(${env:INTERNAL_DB_CACHE})<\/pre>\n<p>This code will fetch an MSI background JPEG file from this location:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\nhxxp:\/\/icy-lab-0431[.]guilherme-telecomunicacoes2024[.]workers[.]dev\/mCSlB<\/pre>\n<p>Note that the threat-actor likes to use well-known services to store his\/her payloads. workers.dev is the default, free subdomain provided by Cloudflare for deploying serverless applications[<a href=\"https:\/\/developers.cloudflare.com\/workers\/\">2<\/a>].<\/p>\n<p>The technique to hide the next payload is the same as my previous diary. The Base64-encode payload is delimited here with &#8220;IN-&#8221; and &#8220;-in1&#8221;. To defeat simple Base64 lookups, all &#8220;A&#8221; characters have been replaced by &#8220;#&#8221;. Once decoded, the payload is a .Net DLL (SHA256:184a3008adff54cb345a599b4f3ca0c7bde29d8ac8379783ff40cd4e7ecc931b). It&#8217;s a modified version of the Microsoft.Win32.TaskScheduler, an open-source .NET library for managing Windows Task Scheduler[<a href=\"https:\/\/github.com\/dahall\/taskscheduler\">3<\/a>].<\/p>\n<p>The PowerShell payload will also fetch another file that will be passed to the loaded malicious DLL:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\nhxxps:\/\/pub-a06eb79f0ebe4a6999bcc71a2227d8e3[.]r2[.]dev\/snake.png<\/pre>\n<p>Here again, a legit online service is used. r2.dev is the default domain used by Cloudflare R2 to serve files and assets stored in public cloud-native buckets. It is a globally distributed, S3-compatible object storage service that allows developers to store large amounts of unstructured data[<a href=\"https:\/\/developers.cloudflare.com\/r2\/buckets\/public-buckets\/\">4<\/a>].<\/p>\n<p>The file looks to be another background and contains probably another payload protected by steganograpy (very common with the .Net loaders):<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260605-3%281%29.png?ssl=1\" style=\"width: 1024px; height: 574px;\"><\/p>\n<p>I&#8217;m now reversing the .Net loader. Stay tuned for more details soon!<\/p>\n<p>[1]\u00a0<a href=\"https:\/\/isc.sans.edu\/diary\/Malicious+Script+Delivering+More+Maliciousness\/32682\">https:\/\/isc.sans.edu\/diary\/Malicious+Script+Delivering+More+Maliciousness\/32682<\/a><br \/>\n[2]\u00a0<a href=\"https:\/\/developers.cloudflare.com\/workers\/\">https:\/\/developers.cloudflare.com\/workers\/<\/a><br \/>\n[3]\u00a0<a href=\"https:\/\/github.com\/dahall\/taskscheduler\">https:\/\/github.com\/dahall\/taskscheduler<\/a><br \/>\n[4]\u00a0<a href=\"https:\/\/developers.cloudflare.com\/r2\/buckets\/public-buckets\/\">https:\/\/developers.cloudflare.com\/r2\/buckets\/public-buckets\/<\/a><\/p>\n<p><b>Xavier Mertens (@xme)<\/b><br \/>\nXameco<br \/>\nSenior ISC Handler &#8211; Freelance Cyber Security Consultant<br \/>\n<a href=\"https:\/\/raw.githubusercontent.com\/xme\/pgp\/refs\/heads\/main\/public.key\">PGP Key<\/a><\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><\/p>\n<p> \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/isc.sans.edu\/diary\/rss\/33054\">Go to isc.sans.edu<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Evil MSI Background is Back!, (Fri, Jun 5th) A few months ago, I wrote a diary about a payload that was embedded into a JPEG picture. It was a MSI-branded background[1]. Yesterday, I spotted another one! It seems that the technic is getting more and more popular. This time, it started with a mail [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[69],"class_list":["post-13447","post","type-post","status-publish","format-standard","hentry","category-isc-sans-edu","tag-isc-sans-edu"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13447"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13447"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13447\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13447"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13447"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13447"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}