Last Updated on Tue Apr 26, 2022
Colibri Loader's unique Persistence Technique using Get-Variable cmdlet
New Persistence Technique in Town
Recently there has been a lot of talk on Twitter regarding the Colibri Loader and its persistence mechanism, which somehow uses the PowerShell Get-Variable cmdlet. According to MSDN, Get-Variable is a PowerShell cmdlet that gets the PowerShell variables in the current console.
In short, on Windows 10 or later systems, Colibri Loader drops a copy of itself in the %APPDATA%\Local\Microsoft\WindowsApps directory under the name Get-Variable.exe. It then creates a scheduled task that runs PowerShell in a hidden window using powershell.exe -windowstyle hidden.
To the naked eye, it looks as if only PowerShell is running, yet this scheduled task somehow triggers Colibri Loader to run.
A novel Mechanism?
The scheduled task has nothing to do with the persistence mechanism itself; it is just a trigger to run PowerShell. What matters is that PowerShell, on startup, checks for Get-Variable.exe, first in the directories listed in the System Path variable and then in the directories listed in the User Path variable.
When it finds the file, it is mapped and executed with the parameters Name host ValueOnly. This command is used to look up the automatic variable "host" to get details about the host running the PowerShell executable. You can test it on your own system by starting PowerShell and running "Get-Variable -Name host -ValueOnly".
This execution leads to a hijack of execution flow by Colibri Loader, since it has placed a malicious file in the search order. The TTP therefore falls under the technique "Hijack Execution Flow: Path Interception by Search Order Hijacking" under Persistence in MITRE ATT&CK.
As for whether any other cmdlets can be hijacked: the ProcMon logs show no further cmdlet executable being searched for, so the attack is limited to the Get-Variable cmdlet.
To detect this specific procedure, you can search for Get-Variable.exe in any of your Path directories because the attack is not just limited to the WindowsApps folder.
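The hunt described above, as an added example that is not part of the original post or of FourCore's tooling: the script walks every directory in both the machine and user Path variables (the same order PowerShell searches), reports any Get-Variable.exe it finds with its hash and signature status, and then lists scheduled tasks whose action launches powershell.exe with a hidden window, the trigger the post describes. It assumes it is run in an elevated PowerShell session on Windows 8 / Server 2012 or later, where Get-ScheduledTask is available; the output object field names are this example's own choice.

```powershell
# Added example (not the post's own code): hunt for a Get-Variable.exe planted
# in any PATH directory, plus scheduled tasks that start PowerShell hidden.

# PowerShell resolves the executable against the machine PATH first and then
# the user PATH, so both scopes are checked.
$rawPath = @(
    [Environment]::GetEnvironmentVariable('Path', 'Machine'),
    [Environment]::GetEnvironmentVariable('Path', 'User')
) -join ';'

$pathDirs = ($rawPath -split ';') |
    Where-Object { $_ -and $_.Trim() } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) } |
    Select-Object -Unique

$hits = @()
foreach ($dir in $pathDirs) {
    $candidate = Join-Path $dir 'Get-Variable.exe'
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        $file = Get-Item -LiteralPath $candidate
        # No legitimate Get-Variable.exe exists; any hit is worth triage.
        $hits += [pscustomobject]@{
            Path      = $file.FullName
            SizeBytes = $file.Length
            LastWrite = $file.LastWriteTime
            SHA256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            Signature = (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Host 'No Get-Variable.exe found in any PATH directory.'
} else {
    Write-Host "Found $($hits.Count) Get-Variable.exe candidate(s):"
    $hits | Format-List
}

# The trigger: a scheduled task running powershell.exe with a hidden window.
# -match is case-insensitive, and '-w hidden' / '-windowstyle hidden' both match.
$hiddenPsTasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object {
        $_.Execute -match 'powershell(\.exe)?"?$' -and
        $_.Arguments -match '-w\w*\s+hidden'
    }
} | Select-Object TaskName, TaskPath, State

if ($hiddenPsTasks) {
    Write-Host 'Scheduled tasks launching PowerShell hidden (review each):'
    $hiddenPsTasks | Format-Table -AutoSize
} else {
    Write-Host 'No scheduled tasks launch PowerShell with a hidden window.'
}
```

A task that runs PowerShell hidden is not malicious on its own (plenty of management tooling does the same), so treat the task list as context for the file hits rather than as a detection by itself; the file check is the part that is specific to this technique, because %LOCALAPPDATA%\Microsoft\WindowsApps is user-writable and sits on the user Path by default.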
FourCore ATTACK can simulate different Persistent Mechanisms like these and many others to validate your detections and response capabilities. Get an accurate idea about your security posture by assessing your Prevention, Detection, and Response capabilities on our Platform.