Firmware replying trojan that uses genuine windows remoting to take over (2024)

Another 4104 Powershell script:

Creating Scriptblock text (2 of 4):

$sb = New-Object System.Text.StringBuilder $textToEscape.Length;
for($i=0; $i -lt $textToEscape.Length; $i++)
{
$curChar = $textToEscape[$i];
if($curChar -eq '\n')
{
$null = $sb.Append("\par");
}
elseif(($curChar -lt 0x20) -or ($curChar -eq '{') -or ($curChar -eq '}') -or ($curChar -eq '\\'))
{
$null = $sb.Append("\'");
$null = $sb.Append(([int]$curChar).ToString("X2", [System.Globalization.CultureInfo]::InvariantCulture));
}
elseif($curChar -lt 0x80)
{
$null = $sb.Append($curChar);
}
else
{
$null = $sb.Append("\u");
$null = $sb.Append(([int]$curChar).ToString([System.Globalization.CultureInfo]::InvariantCulture));
$null = $sb.Append('?');
}

}

return $sb.ToString();

}

function IsValidURL($URL)
{
&{
$uri = [System.URI]($URL);
$scheme = $uri.scheme;
if(($scheme -eq "http" ) -or ($scheme -eq "https") -or ($scheme -eq "ftp"))
{
return $uri.ToString();
}
else
{
return $null;
}
}
trap [Exception]
{
return $null;
}
}

function GetDefaultBrowser()
{
[string]$assocString = $null
$dll = "NetworkDiagnosticSnapIn.dll"

try
{
RegSnapin $dll

$assocString = [Microsoft.Windows.Diagnosis.Network.AssociationInfo]::GetAssociation("http","open");
trap [Exception]
{
$assocString = $null;
}
}
finally
{
UnregSnapin $dll
}

return $assocString;
}

function GetWebNDFIncidentData($URL, $DefaultConnectivity)
{
#build entry point parameters
$haXML = "<HelperAttributes><HelperAttribute><Name>URL</Name><Type>AT_STRING</Type><Value><![CDATA[" + $URL + "]]></Value></HelperAttribute>"
if($DefaultConnectivity)
{
#sqm explorer as the client rather than sdiaghost.exe
$haXML += "<HelperAttribute><Name>NDFSQMCallerApplication</Name><Type>AT_STRING</Type><Value>Windows\Explorer.EXE</Value></HelperAttribute>"
$defaultBrowser = GetDefaultBrowser;
if($defaultBrowser)
{
$haXML += "<HelperAttribute><Name>AppID</Name><Type>AT_STRING</Type><Value>"+ $defaultBrowser + "</Value></HelperAttribute>"
}
}
$haXML += "</HelperAttributes>"
return @{"HelperClassName" = "WinInetHelperClass"; "HelperAttributes" =$haXML}
}

function GetValidURL($CandidateURL)
{
$toReturn = $null
$url = IsValidURL $CandidateURL
if($url -eq $null)
{
if($CandidateURL.IndexOf("://") -eq -1)
{
$updatedURL = "http://" + $CandidateURL
$url = IsValidURL $updatedURL
if($url)
{
$toReturn = $url
}
}
}
else
{
$toReturn = $url
}

return $toReturn
}

function GetErrorRTF($Description, $Error)
{
$escapedDesc = EscapeForRTF $Description;
$escapedError = EscapeForRTF $Error;
$rtf = LoadResourceString($ERROR_MSG_RTF_RESOURCE);
return $rtf.Replace("%DESC%", $escapedDesc).Replace("%ERROR%", $escapedError);
}

function WebEntry()
{
$IT_WebChoice = Get-DiagInput -ID "IT_WebChoice"
if($IT_WebChoice -eq $null)
{
#Failed retriving Web Choice
return $null
}

$IT_URL = $DefaultDiagURL
if(!($IT_WebChoice -eq "Internet"))
{
$IT_URL = Get-DiagInput -ID "IT_URL"
if($IT_URL -eq $null) {
#Failed retriving URL
return $null
}

#verify that it is a valid URL
$validURL = GetValidURL $IT_URL[0]
while($validURL -eq $null)
{
#build the RTF text
$replacedError = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.interaction_InvalidURL_FormatError, $IT_URL[0]);
$RTFText = GetErrorRTF ($localizationString.interaction_InvalidURL_Desc) ($replacedError);

#reprompt for input
$IT_URL = Get-DiagInput -ID "IT_Invalid_URL" -p @{"URL" = $IT_URL; "RTFText" = $RTFText}
if($IT_URL -eq $null) {
#Failed retriving URL
return $null
}

$validURL = GetValidURL $IT_URL[0]
}
}

return GetWebNDFIncidentData $validURL $false
}

function IsUNCFormat($UNC)
{
&{
$uri = [System.URI]($UNC);
$scheme = $uri.scheme;
if(($scheme -eq "file" ))
{
if($uri.IsUnc)
{
return $uri.LocalPath;
}
}
return $null;
}
trap [Exception]
{
return $null;
}
}

#function assumes passed in UNC is in \\host\share form (share can be missing)
function ContainsInvalidUNCChars($UNC)
{
&{
#will return an exception if the string has invalid characters
$ignoreResult = [System.IO.Path]::IsPathRooted($UNC)

#check the path for invalid characters
#remove the starting slashes
$tmp = $UNC.Substring(2)
$nextSlash = $tmp.IndexOf("\")
if(($nextSlash -lt 0) -or ($nextSlash -eq ($nextSlash.Length - 1)))
{
#string only contains hostname
#hostname is already validated in IsUNCFormat function
return $false
}
#remove host and backslash after host
$UNCPath = $tmp.Substring($nextSlash+1)

#under certain circ*mstances some of these make it through the above check
#so we do a direct sanity check here
if(!($UNCPath.IndexOfAny(@('/',':','*','?','"','<','>','|')) -eq -1))
{
return $true;
}

return $false;
}
trap [Exception]
{
return $true;
}
}

function GetValidUNC($CandidateUNC)
{
$toReturn = $null

#is it valid
$unc = IsUNCFormat $CandidateUNC
if($unc)
{
$invalidChars = ContainsInvalidUNCChars $unc
if($invalidChars)
{
$toReturn = -1;
}
else
{
$toReturn = $unc
}
}

return $toReturn;
}

function GetUNCNDFIncidentData($UNC)
{
#build entry point parameters
$haXML = "<HelperAttributes><HelperAttribute><Name>UNCPath</Name><Type>AT_STRING</Type><Value><![CDATA[" + $UNC + "]]></Value></HelperAttribute></HelperAttributes>"
return @{"HelperClassName" = "SMBHelperClass"; "HelperAttributes" =$haXML}
}

function FileSharingEntry()
{
$IT_UNC = Get-DiagInput -ID "IT_UNC"
if($IT_UNC -eq $null) {
#Failed retriving UNC path
return $null
}

#assign input to non-array variable to facilitate usage and transform
$validUNC = GetValidUNC $IT_UNC[0]
while((!$validUNC) -or ($validUNC -eq -1))
{
#build the RTF text
#use original entry for re-prompt even though "file://" UNC may have been transformed
$replacedError = "";
if(!$validUNC)
{
$replacedError = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.interaction_InvalidUNC_FormatError, $IT_UNC[0]);
}
else
{
$replacedError = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.interaction_InvalidUNC_CharError, $IT_UNC[0]);
}
$RTFText = GetErrorRTF ($localizationString.interaction_InvalidUNC_Desc) ($replacedError);

#reprompt for input
$IT_UNC = Get-DiagInput -ID "IT_Invalid_UNC" -p @{"UNC" = $IT_UNC; "RTFText" = $RTFText}
if($IT_UNC -eq $null) {
#Failed retriving UNC path
return $null
}

$validUNC = GetValidUNC $IT_UNC[0]
}

return GetUNCNDFIncidentData $validUNC
}

function NetworkAdapterEntry()
{
#enumerate interfaces to build options list
$interfaces = get-wmiobject -class Win32_NetworkAdapter
#hash table with options
$optionList = @()
foreach($curInterface in $interfaces)
{
if($curInterface.GUID -ne $null)
{
$curHash = @{"Name"=$curInterface.NetConnectionID}
$curHash += @{"Description"=$curInterface.NetConnectionID}
$curHash += @{"Value"=$curInterface.GUID}

$optionList += @($curHash)
}
}

if($optionList.Count -gt 1)
{
#add zero guid entry to check all interfaces
$optionList += @(@{"Name"=$localizationString.interaction_AllAdapters; "Description"=$localizationString.interaction_AllAdapters; "Value"="{00000000-0000-0000-0000-000000000000}"; "ExtensionPoint"="<Default />"})

#get interface selection from user
$IT_NetworkAdapter = Get-DiagInput -ID "IT_NetworkAdapter" -c $optionList

if($IT_NetworkAdapter -eq $null) {
throw "Failed retriving Network Connetion ID from user"
}
}
elseif($optionList.Count -eq 1)
{
$IT_NetworkAdapter = $optionList[0]["Value"]
}
else
{
#No NICs, do zero GUID diag
$IT_NetworkAdapter = "{00000000-0000-0000-0000-000000000000}"
}

#build entry point parameters
$haXML = "<HelperAttributes><HelperAttribute><Name>guid</Name><Type>AT_GUID</Type><Value>" + $IT_NetworkAdapter + "</Value></HelperAttribute></HelperAttributes>"
return @{"HelperClassName" = "NetConnection"; "HelperAttributes" =$haXML}
}

function WinsockEntry()
{
$IT_RemoteAddress = Get-DiagInput -ID "IT_RemoteAddress"
if($IT_RemoteAddress -eq $null -or $IT_RemoteAddress[0].Length -eq 0) {
#Failed retriving Remote Address
return $null
}

$IT_Protocol = Get-DiagInput -ID "IT_Protocol"
if($IT_Protocol -eq $null -or $IT_Protocol[0].Length -eq 0) {
#Failed retriving Remote Port
return $null
}

$IT_ApplicationID = Get-DiagInput -ID "IT_ApplicationID"
if($IT_ApplicationID -eq $null -or $IT_ApplicationID[0].Length -eq 0) {
#Failed retriving Application ID
return $null
}

#build entry point parameters
$haXML = "<HelperAttributes><HelperAttribute><Name>remoteaddr</Name><Type>AT_SOCKADDR</Type><Value>" + $IT_RemoteAddress + "</Value></HelperAttribute>";
$haXML += "<HelperAttribute><Name>protocol</Name><Type>AT_UINT32</Type><Value>" + $IT_Protocol + "</Value></HelperAttribute>";
$haXML += "<HelperAttribute><Name>localaddr</Name><Type>AT_SOCKADDR</Type><Value>0.0.0.0</Value></HelperAttribute>";
$haXML += "<HelperAttribute><Name>appid</Name><Type>AT_STRING</Type><Value>" + $IT_ApplicationID + "</Value></HelperAttribute>";
$haXML += "</HelperAttributes>";
return @{"HelperClassName" = "Winsock"; "HelperAttributes" =$haXML}
}

function GroupingEntry()
{
$IT_GroupName = Get-DiagInput -ID "IT_GroupName"
if($IT_GroupName -eq $null -or $IT_GroupName[0].Length -eq 0) {
#Failed retriving Remote Address
return $null
}

#build entry point parameters
$haXML = "<HelperAttributes><HelperAttribute><Name>groupname</Name><Type>AT_STRING</Type><Value>" + $IT_GroupName + "</Value></HelperAttribute></HelperAttributes>"
return @{"HelperClassName" = "GroupingHelperClass"; "HelperAttributes" =$haXML}
}

function GetValidExePath($File)
{
&{
$uri = [System.URI]($File);
$scheme = $uri.scheme;
if(($scheme -eq "file" ))
{
#make sure it send in .exe
if($File.ToLower().IndexOf(".exe") -eq ($File.Length - 4))
{
return $File;
}
}
return $null;
}
trap [Exception]
{
return $null;
}
}

function InboundEntry()
{
$staticOptionRes = @($INBOUND_FILESHARE_RESOURCE, $INBOUND_REMOTEDESKTOP_RESOURCE, $INBOUND_DISCOVERY_RESOURCE)
$staticOptions = @($INBOUND_FILESHARE_PARAM, $INBOUND_REMOTEDESKTOP_PARAM, $INBOUND_DISCOVERY_PARAM)
# If defined for the corresponding option, the item will be filtered out if the current sku matches anything in the list
# Sku values as defined in the OperatingSystemSKU property of Win32_OperatingSystem
$SKUFilters = @($null, @(2,3,5,11), $null)

#get the SKU, to filter out inappropriate static options
$SKUObject = get-wmiobject -class Win32_OperatingSystem -property "OperatingSystemSKU"
$SKU = $SKUObject.OperatingSystemSKU

$optionList = @()
$curOptionIndex = 0
for($curStaticOption = 0; $curStaticOption -lt $staticOptions.Length; $curStaticOption++)
{
$SKUFilter = $SKUFilters[$curStaticOption]
if($SKUFilter)
{
if($SKUFilter -contains $SKU)
{
#should filter out this option from the list because it is not present in the SKU
continue;
}
}

$curApp = LoadResourceString($staticOptionRes[$curStaticOption])
$curHash = @{}
$curHash.Add("Name",$curApp)
$curHash.Add("Value",$curOptionIndex)
$curHash.Add("Description",$curApp)
$curHash.Add("HelperAttributeName","serviceid")
$curHash.Add("HelperAttributeValue",$staticOptions[$curStaticOption])
$optionList += $curHash
$curOptionIndex++
}

#add dynamic options (do not fail if call fails)
$script:ExpectingException = $true

$dll = "NetworkDiagnosticSnapIn.dll"

try
{
RegSnapin $dll

$droppedApps = [Microsoft.Windows.Diagnosis.Network.FirewallApi.ManagedMethods]::GetDiagnosticAppInfo()
$script:ExpectingException = $false
if($droppedApps)
{
foreach($droppedApp in $droppedApps)
{
#omit svchosts since we cannot display a friendly name for them
if($droppedApp.Path.IndexOf("svchost") -eq -1)
{
$appEntryDisplayStr = [System.String]::Format([System.Globalization.Cul

ScriptBlock ID: 9dde433b-59f7-43ff-9724-da85bd9a7705
Path: C:\Users\Chaz\AppData\Local\Temp\SDIAG_fc401818-2c95-4b72-9b00-d91a618105c1\UtilityFunctions.ps1