Colibri Loader's unique Persistence Technique using Get-Variable cmdlet

Written by Swapnil
Co-founder @ FourCore

New Persistence Technique in Town

Recently there has been a lot of discussion on Twitter about the Colibri Loader and its persistence mechanism, which somehow involves PowerShell's Get-Variable cmdlet. According to MSDN, Get-Variable is a PowerShell cmdlet that gets the PowerShell variables in the current console.

In short, on Windows 10 or later systems, Colibri Loader drops a copy of itself in the %APPDATA%\Local\Microsoft\WindowsApps directory under the name Get-Variable.exe. It then creates a scheduled task that runs PowerShell with a hidden window, using powershell.exe -windowstyle hidden.

To the naked eye it looks as if only PowerShell is running, yet this scheduled task somehow causes Colibri Loader to execute.

A Novel Mechanism?

The scheduled task itself has nothing to do with the persistence mechanism; it is only the trigger that starts PowerShell. PowerShell, on startup, looks for Get-Variable.exe, first in the directories listed in the System Path variable and then in the directories listed in the User Path variable.

[Figure: ProcMon showing QueryDirectory to find Get-Variable]
[Figure: ProcMon showing the lookup in Path directories to find Get-Variable]

When it finds the file, it is mapped and executed with the parameters Name host ValueOnly. That command retrieves the automatic variable "host", which holds details about the host running the PowerShell executable. You can test it on your own system by starting PowerShell and running "Get-Variable -Name host -ValueOnly".

[Figure: Mapping of Get-Variable.exe]
[Figure: Execution of Get-Variable.exe with parameters]

This execution is hijacked by Colibri Loader because it has placed a malicious file earlier in the search order. The TTP therefore falls under the technique "Hijack Execution Flow: Path Interception by Search Order Hijacking" under Persistence in MITRE ATT&CK.

As for whether other cmdlets can be hijacked the same way: looking again at the ProcMon logs, no further cmdlet executable is searched for, so the attack is limited to the Get-Variable cmdlet.

Conclusion

To detect this specific procedure, search for Get-Variable.exe in every directory on your Path, because the attack is not limited to the WindowsApps folder.
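As an added example (not code from the original post or from FourCore), the following PowerShell script performs that hunt. It reads the System and User Path values from the registry so that it sees the same directories a freshly started PowerShell process would, checks each one for Get-Variable.exe in the same order (System first, then User), and also lists scheduled tasks whose action launches powershell.exe with a hidden window, which is the trigger described above. The registry locations, the extra check of the local WindowsApps folder, and the regular expression used to match the hidden window-style argument are assumptions made for this example.

```powershell
# Hunt for the Colibri Loader persistence pattern: Get-Variable.exe placed in a
# Path directory, triggered by a scheduled task running PowerShell hidden.
# Assumption: Path values are read from the registry locations below rather
# than from $env:Path, so the result matches what a new process inherits.

$machinePath = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name Path).Path
$userPath    = (Get-ItemProperty -Path 'HKCU:\Environment' -Name Path -ErrorAction SilentlyContinue).Path

# System Path is consulted before User Path, matching the lookup order seen in ProcMon.
$pathDirs = @($machinePath, $userPath) -join ';' -split ';' |
    Where-Object { $_ -and $_.Trim() } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) }

# Assumption: also check the per-user WindowsApps folder explicitly, in case it
# has been removed from Path but the dropped file is still present.
$pathDirs += Join-Path -Path $env:LOCALAPPDATA -ChildPath 'Microsoft\WindowsApps'
$pathDirs  = $pathDirs | Select-Object -Unique

$suspect  = 'Get-Variable.exe'
$findings = foreach ($dir in $pathDirs) {
    $candidate = Join-Path -Path $dir -ChildPath $suspect
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        $item = Get-Item -LiteralPath $candidate
        [PSCustomObject]@{
            Path    = $candidate
            Size    = $item.Length
            Created = $item.CreationTime
            SHA256  = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
            Signed  = (Get-AuthenticodeSignature -LiteralPath $candidate).Status
        }
    }
}

if ($findings) {
    # There is no legitimate Windows binary with this name; any hit is worth triage.
    Write-Warning "Get-Variable.exe found in a Path directory:"
    $findings | Format-List
} else {
    Write-Output "No Get-Variable.exe in System or User Path directories."
}

# The trigger: scheduled tasks whose action is powershell.exe with a hidden window.
# Assumption: '-w hidden', '-win hidden' and '-windowstyle hidden' are all matched.
$hiddenPsTasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object {
        $_.Execute -match 'powershell(\.exe)?$' -and
        $_.Arguments -match '-w\w*\s+hidden'
    }
}

if ($hiddenPsTasks) {
    Write-Warning "Scheduled tasks launching PowerShell with a hidden window (review each):"
    $hiddenPsTasks |
        Select-Object TaskName, TaskPath, State,
            @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | ' } } |
        Format-Table -AutoSize
} else {
    Write-Output "No scheduled tasks launch PowerShell hidden."
}
```

Run it from an elevated prompt so that Get-ScheduledTask can enumerate every task folder. A hidden-window PowerShell task on its own is common in legitimate automation; the combination with a Get-Variable.exe hit in a Path directory is what makes the finding actionable.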

FourCore ATTACK can simulate persistence mechanisms like this one and many others to validate your detection and response capabilities. Get an accurate idea of your security posture by assessing your Prevention, Detection, and Response capabilities on our Platform.
