Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework, implemented in PowerShell and C#, which we are referring to as “PS1Bot.”
# Analysis Summary
# Tool/Technique: PS1Bot
## Overview
PS1Bot is a multi-stage malware framework implemented in PowerShell and C#. It is designed for stealthy operations, utilizing in-memory execution to minimize disk artifacts, and features a modular design to facilitate various malicious activities, including information theft, keylogging, reconnaissance, and establishing persistent access.
## Technical Details
- Type: Malware family
- Platform: Windows (implied by PowerShell usage)
- Capabilities: Modular functionality, in-memory execution, information stealing (including cryptocurrency wallet credentials), keylogging, screen capture, reconnaissance, persistence establishment, C2 communication via polled requests.
- First Seen: Active campaigns observed since early 2025.
## MITRE ATT&CK Mapping
* **TA0001 - Initial Access**
  * T1566 - Phishing
    * T1566.002 - Spearphishing Link (Implied via Malvertising delivery)
* **TA0002 - Execution**
  * T1059 - Command and Scripting Interpreter
    * T1059.001 - PowerShell
* **TA0003 - Persistence**
  * T1547 - Boot or Logon Autostart Execution (Implied by "establishes persistence")
* **TA0005 - Defense Evasion**
  * T1027 - Obfuscated Files or Information (Used in downloader script)
  * T1055 - Process Injection (Implied by in-memory execution of follow-on modules)
* **TA0007 - Discovery**
  * T1082 - System Information Discovery (Collecting C: drive serial number)
* **TA0009 - Collection**
  * T1005 - Data from Local System (File enumeration; targeting passwords/seed phrases)
  * T1056 - Input Capture
    * T1056.001 - Keylogging
* **TA0010 - Command and Control**
  * T1071 - Application Layer Protocol
    * T1071.001 - Web Protocols (Implied by C2 polling via HTTP/S)
## Functionality
### Core Capabilities
- **Multi-stage Infection Chain:** Begins with compressed archives delivered via malvertising/SEO poisoning, leading to a JS file containing VBScript/downloader.
- **Module Delivery:** Pulls subsequent stages (JScript scriptlet) from C2 infrastructure.
- **PowerShell Staging:** Writes a PowerShell script (`ntu.ps1` on disk in one observed instance) to `C:\ProgramData\` to manage C2 interaction.
- **In-Memory Execution:** Core strategy of executing received PowerShell content with `Invoke-Expression` (`IEX`) so that follow-on modules are never written to disk.
- **C2 Polling:** Periodically polls the C2 server using a URL constructed using the C: drive serial number, executing retrieved commands via IEX.
### Advanced Features
- **Information Stealing Module:** Specifically targets files containing passwords and cryptocurrency wallet seed phrases using embedded wordlists for enumeration.
- **Stealth Design:** Minimizes persistent artifacts on the infected system.
- **Modular Architecture:** Ability to deliver various follow-on modules (information stealer, keylogger, screen capture collector).
- **Persistence Implementation:** Mechanisms are in place to ensure continued operation after system reboots.
## Indicators of Compromise
- File Hashes: *Not provided in the summary text.* (Reference is made to an external GitHub repository for IOCs)
- File Names:
  - Downloaded Archive examples: `chapter 8 medicare benefit policy manual.zip`, `Counting Canadian Money Worksheets Pdf.zip.e49`, `zebra gx430t manual.zip.081`, etc.
  - Stage 1 Downloader: `FULL DOCUMENT.js`
  - Stage 1 Written File: `ntu.ps1` (written to `C:\ProgramData\`)
- Registry Keys: *Not explicitly mentioned.*
- Network Indicators: C2 infrastructure overlap with Skitnet campaigns noted; C2 polling mechanism observed. (Specific domains/IPs are defanged and not listed here, directing to external IOC source).
- Behavioral Indicators: Use of VBScript obfuscation, JScript execution, dynamic PowerShell script generation in `C:\ProgramData\`, and heavy use of `Invoke-Expression` (`IEX`) for staged command execution.
## Associated Threat Actors
- Threat actors associated with **TA866** (due to design similarity with AHK Bot).
- Actors utilizing **Skitnet** infrastructure, whose C2 infrastructure overlaps with this campaign cluster.
## Detection Methods
- Signature-based detection:
  - ClamAV Detections: `Win.Backdoor.PS1Bot-10056514-0` through `Win.Backdoor.PS1Bot-10056542-0` (a large range provided).
  - Snort SIDs: 65231 - 65233 (for both Snort2 and Snort3).
- Behavioral detection: Monitoring for execution chains starting with compressed ZIPs leading to `.js` files containing VBScript, dynamic creation of PowerShell scripts in `C:\ProgramData\`, and excessive use of `Invoke-Expression` within PowerShell processes.
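The behavioral indicators above can be expressed as simple rules over endpoint telemetry. The following is an added example (not Talos's code and not part of the report): it runs three rules over constructed records modeled on PowerShell Script Block Logging (event ID 4104) and process-creation events, and narrows "excessive `Invoke-Expression`" to the more specific download-then-`IEX` pattern the report describes. Field names, paths and the sample records are assumptions for illustration.

```python
import re

# Constructed sample telemetry, modeled on PowerShell Script Block Logging
# (event ID 4104) and process-creation records. Not captured from PS1Bot.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\FULL DOCUMENT.js"'},
    {"type": "scriptblock",
     "text": r"Set-Content -Path C:\ProgramData\ntu.ps1 -Value $stage"},
    {"type": "scriptblock",
     "text": "while($true){$r=(New-Object Net.WebClient).DownloadString($u);IEX $r;Start-Sleep 60}"},
    {"type": "scriptblock",
     "text": r"Get-ChildItem C:\Logs | Where-Object Length -gt 0"},   # benign
]

# Each rule: (name, event type it applies to, field inspected, compiled pattern).
RULES = [
    # A script host launching a .js from a user-writable location (archive -> .js chain)
    ("js_script_host", "process", "cmdline",
     re.compile(r'\b[wc]script\.exe\b.*\\(Downloads|Temp|AppData)\\.*\.js\b', re.I)),
    # A .ps1 being written under C:\ProgramData, the staging directory noted above
    ("programdata_ps1_write", "scriptblock", "text",
     re.compile(r'\b(Set-Content|Out-File|Add-Content|WriteAllText)\b[^\n]*'
                r'C:\\ProgramData\\[^\s"\']*\.ps1', re.I)),
    # Web-fetched content handed straight to Invoke-Expression / IEX
    ("iex_of_downloaded_content", "scriptblock", "text",
     re.compile(r'\b(DownloadString|Invoke-WebRequest|Invoke-RestMethod|irm|iwr)\b'
                r'[^\n]*\b(IEX|Invoke-Expression)\b', re.I)),
]

def evaluate(events):
    """Return (rule_name, event_index) for every event that matches a rule."""
    findings = []
    for idx, ev in enumerate(events):
        for name, etype, field, pat in RULES:
            if ev.get("type") == etype and pat.search(ev.get(field, "")):
                findings.append((name, idx))
    return findings

def triage(events, min_rules=2):
    """Escalate a host only when several distinct stages of the chain are seen."""
    hit = {name for name, _ in evaluate(events)}
    return len(hit) >= min_rules, sorted(hit)

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
    print(triage(SAMPLE_EVENTS))
```

Requiring two or more distinct rules before escalating keeps a lone `Set-Content` to `C:\ProgramData` from paging anyone, while the full staging chain still surfaces.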
## Mitigation Strategies
- **Network Security:** Implement Secure Internet Gateway (SIG) solutions (e.g., Cisco Umbrella) to block connections to known malicious domains/IPs.
- **Endpoint Protection:** Utilize endpoint detection and response (EDR) capabilities capable of detecting fileless or in-memory PowerShell execution chains.
- **Web Filtering:** Employ Web Security solutions (e.g., Cisco Secure Web Appliance) to block access to sites hosting the initial compressed archives (related to malvertising/SEO poisoning).
- **Authentication:** Enforce Multi-Factor Authentication (MFA) via solutions like Cisco Duo so that credentials harvested after persistence is established are not sufficient on their own.
- **File System Hardening:** Monitor and restrict write access to common staging directories like `C:\ProgramData\`.
## Related Tools/Techniques
- **AHK Bot** (Design similarities noted in technical implementation).
- **Skitnet** (Campaign overlap detected regarding C2 infrastructure and observed PowerShell implementation).