Detecting PureHVNC malware with Wazuh

Wazuh 4.9.0

PureHVNC is a Remote Access Trojan (RAT) built for stealthy remote control of Windows endpoints. The HVNC in its name stands for “Hidden Virtual Network Computing”: the attacker's interactive session runs on a desktop the logged-in user cannot see, so the endpoint can be manipulated remotely without the user's awareness.

PureHVNC malware is usually distributed through phishing campaigns that use urgent messaging to deceive victims into opening malicious attachments. Once executed, the malware deploys silently, enabling attackers to perform various harmful activities on the endpoint. 

This blog post demonstrates using Wazuh to detect PureHVNC malware on an infected Windows endpoint.

PureHVNC malware behavior

When PureHVNC malware infects a Windows endpoint, it exhibits the following behavior:

  • It downloads a decoy PDF file from a remote file share hosted on TryCloudflare, opens it, and then pauses by running the following command through cmd.exe (the trailing REM text travels with the command line, which is what the detection rule later keys on):
timeout  /t 5   REM Wait for PDF to open (adjust timeout as needed)
  • It downloads two ZIP files, DXJS.zip and FTSP.zip, from the remote file share using PowerShell into %USERPROFILE%\Downloads.
  • It extracts the contents of DXJS.zip into the folder %USERPROFILE%\Downloads\Python and sets the folder to hidden.
  • It executes the following Python scripts extracted from DXJS.zip: money.py, update.py, upload.py, time.py, kam.py, moment.py, and info.py.
  • It attempts to reopen the decoy PDF file.
  • It extracts the contents of FTSP.zip into the folder %USERPROFILE%\Downloads\Print and sets the folder to hidden.
  • It attempts to communicate with a C2 server.

Analyzed IOC

Type             Value
Hash (SHA256)    441c4502584240624f4af6d67eded476c781ff0b72afe95ea236cc87a50e5650
Hash (MD5)       372d3835bc694a7d9934727030bf7be6

Infrastructure

We use the following infrastructure to demonstrate the detection of PureHVNC malware with Wazuh:

  • A pre-built, ready-to-use Wazuh OVA 4.9.0 which includes the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). Follow this guide to download and set up the Wazuh virtual machine.
  • A Windows 10 victim endpoint with Wazuh agent 4.9.0 installed and enrolled in the Wazuh server. Refer to the installation guide for installing the Wazuh agent.

Detection with Wazuh

We use the following Wazuh capabilities to detect PureHVNC malware on an infected Windows endpoint:

Detection rules

We use Sysmon to monitor several system events on the Windows endpoint and create rules on the Wazuh server to detect the malicious activities of PureHVNC malware.

Windows endpoint

Perform the following steps to configure Sysmon on the monitored endpoint and forward logs in the Sysmon event channel to the Wazuh server for analysis.

1. Download Sysmon from the Microsoft Sysinternals page.

2. Extract the compressed Sysmon file to your preferred location. 

3. Download the Sysmon configuration file – sysmonconfig.xml using PowerShell. Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable.

> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml

4. Switch to the directory with the Sysmon executable. Run the command below to install and start Sysmon using PowerShell with Administrator privileges:

> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

5. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to forward Sysmon events to the Wazuh server:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

6. Restart the Wazuh agent to apply the configuration changes:

> Restart-Service -Name WazuhSvc

Wazuh server

In this section, we create rules to detect the PureHVNC malware behavior on the monitored endpoint. 

1. Create a file purehvnc_malware.xml in the /var/ossec/etc/rules/ directory:

# touch /var/ossec/etc/rules/purehvnc_malware.xml

2. Add the rules below to the /var/ossec/etc/rules/purehvnc_malware.xml file:

<group name="purehvnc,malware,">
  <rule id="100201" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)timeout\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\/t 5</field>
    <field name="win.eventdata.CommandLine" type="pcre2">REM\sWait\sfor\sPDF\sto\sopen</field>
    <description>Possible PureHVNC malware activity: PDF delayed execution with timeout.exe.</description>
    <mitre>
      <id>T1059</id>
    </mitre>
  </rule>

  <rule id="100202" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)powershell\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Net.ServicePointManager</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Net.SecurityProtocolType</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Invoke-WebRequest\s-Uri</field>
    <field name="win.eventdata.CommandLine" type="pcre2">DXJS.zip</field>
    <description>Possible PureHVNC malware activity: Suspicious ZIP file DXJS.zip downloaded from a remote file share.</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>

  <rule id="100203" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)powershell\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Expand-Archive</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\-DestinationPath</field>
    <field name="win.eventdata.CommandLine" type="pcre2">DXJS.zip</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\-Force</field>
    <description>Possible PureHVNC malware activity: Suspicious ZIP file DXJS.zip extracted.</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>

  <rule id="100204" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)attrib\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\+h</field>
    <description>Possible PureHVNC malware activity: Suspicious folder hiding activity.</description>
    <mitre>
      <id>T1564.001</id>
    </mitre>
  </rule>

  <rule id="100205" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)AppInstallerPythonRedirector\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">python\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)(money|update|upload|time|kam|moment|info)\.py</field>
    <description>Possible PureHVNC malware activity: Suspicious Python script executed.</description>
    <mitre>
      <id>T1059.006</id>
    </mitre>
  </rule>

  <rule id="100206" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)powershell\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Net.ServicePointManager</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Net.SecurityProtocolType</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Invoke-WebRequest\s-Uri</field>
    <field name="win.eventdata.CommandLine" type="pcre2">FTSP.zip</field>
    <description>Possible PureHVNC malware activity: Suspicious ZIP file FTSP.zip downloaded from a remote file share.</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>

  <rule id="100207" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)powershell\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">Expand-Archive</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\-DestinationPath</field>
    <field name="win.eventdata.CommandLine" type="pcre2">FTSP.zip</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\-Force</field>
    <description>Possible PureHVNC malware activity: Suspicious ZIP file FTSP.zip extracted.</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>
</group>

All rules chain from rule 61603 (Sysmon Event ID 1, process creation), and every <field> pattern on a rule must match for it to fire. The following rule IDs are triggered when Wazuh detects PureHVNC malware activities:

  • Rule ID 100201 is triggered by the timeout.exe delay the malware runs after opening the decoy PDF file.
  • Rule ID 100202 is triggered when PureHVNC malware downloads DXJS.zip.
  • Rule ID 100203 is triggered when PureHVNC malware extracts DXJS.zip.
  • Rule ID 100204 is triggered when PureHVNC malware hides a folder.
  • Rule ID 100205 is triggered when PureHVNC malware executes any of the following Python scripts: money.py, update.py, upload.py, time.py, kam.py, moment.py, and info.py.
  • Rule ID 100206 is triggered when PureHVNC malware downloads FTSP.zip.
  • Rule ID 100207 is triggered when PureHVNC malware extracts FTSP.zip.

Note that rule 100204 fires on any attrib +h command line, and rule 100205 accepts generic script names such as update.py, time.py, and info.py. Both are level 15, so tune them to your environment before relying on them, for example by also requiring the %USERPROFILE%\Downloads\Python or %USERPROFILE%\Downloads\Print path in the command line.

3. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager
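To see what each rule actually keys on before restarting the manager, the following added Python script (written for this post; it is not Wazuh code and not part of the original page) parses a subset of the rule XML above with the standard library and runs the same <field> regexes over constructed Sysmon Event ID 1 records in Wazuh's decoded field names. It assumes Python's re module behaves like PCRE2 for these simple patterns and that rule 61603 is the process-creation parent the rules chain from. The sample events, the user name alice, and the tightened rule 100208 (attrib +h restricted to the Downloads\Python and Downloads\Print staging folders) are constructed for illustration, not observed.

```python
import re
import xml.etree.ElementTree as ET

# Subset of the page's rules plus a hypothetical tightened rule 100208 (constructed, not from the page).
RULES_XML = r"""<group name="purehvnc,malware,">
  <rule id="100201" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)timeout\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\/t 5</field>
    <field name="win.eventdata.CommandLine" type="pcre2">REM\sWait\sfor\sPDF\sto\sopen</field>
    <description>Possible PureHVNC malware activity: PDF delayed execution with timeout.exe.</description>
  </rule>
  <rule id="100204" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)attrib\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\+h</field>
    <description>Possible PureHVNC malware activity: Suspicious folder hiding activity.</description>
  </rule>
  <rule id="100205" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)AppInstallerPythonRedirector\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">python\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)(money|update|upload|time|kam|moment|info)\.py</field>
    <description>Possible PureHVNC malware activity: Suspicious Python script executed.</description>
  </rule>
  <rule id="100208" level="15">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.Image" type="pcre2">(?i)attrib\.exe</field>
    <field name="win.eventdata.CommandLine" type="pcre2">\+h</field>
    <field name="win.eventdata.CommandLine" type="pcre2">(?i)\\Downloads\\(Python|Print)\b</field>
    <description>Hypothetical tightened rule: attrib +h on a PureHVNC staging folder under Downloads.</description>
  </rule>
</group>"""

SYSMON_PROCESS_CREATE_SID = 61603  # parent rule the page's rules chain from via <if_sid>


def load_rules(xml_text):
    """Parse <rule> elements into dicts; every <field> becomes a compiled regex."""
    rules = []
    for r in ET.fromstring(xml_text).findall("rule"):
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": int(r.findtext("if_sid")),
            "fields": [(f.get("name"), re.compile(f.text)) for f in r.findall("field")],
            "description": r.findtext("description"),
        })
    return rules


def matching_rules(event, rules):
    """IDs of every rule whose <if_sid> matches and whose <field> patterns all search-match.
    Wazuh raises one alert per event; returning all matches shows where rules overlap."""
    return [
        rule["id"] for rule in rules
        if event["parent_sid"] == rule["if_sid"]
        and all(rx.search(event.get(name, "")) for name, rx in rule["fields"])
    ]


def sysmon_event(image, command_line, parent_sid=SYSMON_PROCESS_CREATE_SID):
    """Constructed stand-in for a decoded Sysmon Event ID 1 as the Wazuh analysis engine sees it."""
    return {"parent_sid": parent_sid,
            "win.eventdata.Image": image,
            "win.eventdata.CommandLine": command_line}


# Constructed sample events (user "alice" and the paths are made up to match the behaviour described).
EVENTS = {
    "timeout": sysmon_event(r"C:\Windows\System32\timeout.exe",
                            "timeout  /t 5   REM Wait for PDF to open (adjust timeout as needed)"),
    "hide_staging": sysmon_event(r"C:\Windows\System32\attrib.exe",
                                 r'attrib +h "C:\Users\alice\Downloads\Python"'),
    "hide_benign": sysmon_event(r"C:\Windows\System32\attrib.exe",
                                r"attrib +h C:\Users\alice\Desktop\notes.txt"),
    "python": sysmon_event(r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\AppInstallerPythonRedirector.exe",
                           r"python.exe C:\Users\alice\Downloads\Python\Python312\money.py"),
    # Same command line but chained from a different parent rule: <if_sid> gates it out.
    "other_parent": sysmon_event(r"C:\Windows\System32\attrib.exe", "attrib +h x", parent_sid=0),
}

RULES = load_rules(RULES_XML)


def run():
    return {name: matching_rules(ev, RULES) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, ids in run().items():
        print(f"{name:14s} -> {ids}")
```

The benign attrib +h sample fires 100204 but not the tightened 100208, which is the kind of path constraint the level 15 rule needs before it goes into production. The other_parent sample shows that <if_sid> alone decides whether a rule is even evaluated.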

Detection results

The alerts below are generated on the Wazuh dashboard when the PureHVNC malware is executed on a Windows endpoint. Perform the following steps to view the alerts on the Wazuh dashboard.

1. Navigate to Server management > Endpoints Summary and select the Windows agent.

2. Click on Threat Hunting and select the Events tab.

3. Click + Add filter. Then filter for rule.id in the Field field. Select is one of in the Operator field. 

4. Add the filters 100201, 100202, 100203, 100204, 100205, 100206, and 100207 in the Values field.

5. Click Save.

PureHVNC detection results

Security configuration assessment (SCA)

The Wazuh SCA module evaluates system configurations by comparing them against a predefined set of rules and benchmarks. It performs checks that test system hardening, detect vulnerable software, and validate configuration policies on a monitored endpoint. The SCA module can help organizations enhance their security posture, thus ensuring compliance with industry standards and reducing the risk of security breaches.

Windows endpoint

We configure the Wazuh SCA module to check for the presence of PureHVNC malware artifacts on the Windows endpoint.

1. Launch PowerShell with administrative privilege and create a folder to store custom SCA policy files:

> New-Item -Path "C:\Program Files (x86)\" -Name "sca_policies" -ItemType Directory

Note: Custom SCA policy files created inside the default Wazuh rule set folder are not retained after upgrades. Hence, the C:\Program Files (x86)\sca_policies folder is created outside the Wazuh agent installation folder for persistence.

2. Create a file purehvnc_malware_check.yml in the C:\Program Files (x86)\sca_policies folder:

> New-Item -Path 'C:\Program Files (x86)\sca_policies\purehvnc_malware_check.yml' -ItemType File

3. Add the following content to the C:\Program Files (x86)\sca_policies\purehvnc_malware_check.yml file:

# Security Configuration Assessment
# Audit for PureHVNC malware
# Copyright (C) 2024, Wazuh Inc.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation
policy:
  id: "PureHVNC_malware"
  file: "purehvnc_malware_check.yml"
  name: "PureHVNC malware Windows OS check"
  description: "Detecting PureHVNC malware"

requirements:
  title: "Checking PureHVNC malware on Windows based systems"
  description: "Requirements for running the audit policy under a Windows platform"
  condition: all
  rules:
    - 'r:HKEY_LOCAL_MACHINE\SAM\SAM'

checks:
  - id: 77000
    title: "Checking for Possible PureHVNC malware artifacts (ZIP files) in Downloads folder"
    description: "Check for ZIP files associated with PureHVNC malware in Downloads folder."
    remediation: "Delete the files DXJS.zip and FTSP.zip from the Downloads folder."
    condition: all
    rules:
      - 'not f:C:\Users\<USERNAME>\Downloads\DXJS.zip'
      - 'not f:C:\Users\<USERNAME>\Downloads\FTSP.zip'

  - id: 77001
    title: "Checking for Possible PureHVNC malware artifacts (Python scripts) in Downloads folder"
    description: "Check for Python scripts associated with PureHVNC malware in Downloads folder."
    remediation: "Delete the Python scripts and the Python folder from the Downloads folder."
    condition: all
    rules:
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\money.py'
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\update.py'
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\upload.py'
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\time.py'
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\kam.py'
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\moment.py'
      - 'not f:C:\Users\<USERNAME>\Downloads\Python\Python312\info.py'

  - id: 77002
    title: "Checking for Possible PureHVNC malware artifacts (batch file) in Downloads folder"
    description: "Check for batch file associated with PureHVNC malware in Downloads folder."
    remediation: "Delete the startuppp.bat file from the Downloads folder."
    condition: all
    rules:
      - 'not f:C:\Users\<USERNAME>\Downloads\startuppp.bat'

  - id: 77003
    title: "Checking for Possible PureHVNC malware artifacts (folders) in Downloads folder"
    description: "Check for folders associated with PureHVNC malware in Downloads folder."
    remediation: "Delete the Python and Print folders from the Downloads folder."
    condition: all
    rules:
      - 'not d:C:\Users\<USERNAME>\Downloads\Python'
      - 'not d:C:\Users\<USERNAME>\Downloads\Print'

Note: Replace <USERNAME> with the name of the user profile to scan. The SCA rules check the literal paths you write, so add a rule per profile if several users log in to the endpoint.

4. Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file and include the following configuration within the <sca> block:

<policies>
  <policy>C:\Program Files (x86)\sca_policies\purehvnc_malware_check.yml</policy>
</policies>

5. Restart the Wazuh agent for the changes to take effect:

> Restart-Service -Name WazuhSvc

Visualizing the scan results

Navigate to the Configuration Assessment page on the Wazuh dashboard. Select the monitored Windows endpoint, then select PureHVNC malware Windows OS check to view the scan results.

Because every rule in the policy is negated (not f: or not d:) and each check uses condition: all, a check Passes only when none of its listed artifacts exist on the endpoint. A Failed result therefore means at least one PureHVNC artifact was found; a Passed result means none of the listed artifacts were present and the endpoint meets the SCA policy criteria.
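To make the pass/fail semantics concrete, the following added Python script (written for this post; it is not the Wazuh SCA engine and not part of the original page) mirrors the four checks above as rule strings in the same f:/d:/not syntax, evaluates them under condition: all against a temporary directory standing in for C:\Users\<USERNAME>, and rescans after staging two of the artifacts. The rule strings, the temporary directory, and the staged empty files are constructed; the real SCA module evaluates the literal absolute paths in the policy on the endpoint.

```python
import os
import tempfile

# Constructed mirror of the page's four checks. Paths are relative to a scan root that
# stands in for C:\Users\<USERNAME>. Rule syntax follows SCA: optional "not ", then "f:" or "d:".
SCRIPTS = ("money", "update", "upload", "time", "kam", "moment", "info")
CHECKS = [
    {"id": 77000, "condition": "all",
     "rules": [r"not f:Downloads\DXJS.zip", r"not f:Downloads\FTSP.zip"]},
    {"id": 77001, "condition": "all",
     "rules": [r"not f:Downloads\Python\Python312\%s.py" % name for name in SCRIPTS]},
    {"id": 77002, "condition": "all",
     "rules": [r"not f:Downloads\startuppp.bat"]},
    {"id": 77003, "condition": "all",
     "rules": [r"not d:Downloads\Python", r"not d:Downloads\Print"]},
]


def rule_passes(rule, root):
    """Evaluate one rule string: f: tests a file, d: a directory, a leading 'not' inverts the result."""
    negate = rule.startswith("not ")
    kind, _, rel_path = (rule[4:] if negate else rule).partition(":")
    path = os.path.join(root, *rel_path.split("\\"))   # Windows separators -> host separators
    exists = os.path.isfile(path) if kind == "f" else os.path.isdir(path)
    return (not exists) if negate else exists


def evaluate(checks, root):
    """Return {check_id: 'passed' | 'failed'}, applying condition all / any / none."""
    results = {}
    for check in checks:
        outcomes = [rule_passes(rule, root) for rule in check["rules"]]
        ok = {"all": all(outcomes), "any": any(outcomes), "none": not any(outcomes)}[check["condition"]]
        results[check["id"]] = "passed" if ok else "failed"
    return results


def demo():
    """Scan a clean profile, stage DXJS.zip and money.py (constructed, empty), then scan again."""
    with tempfile.TemporaryDirectory() as root:
        clean = evaluate(CHECKS, root)
        os.makedirs(os.path.join(root, "Downloads", "Python", "Python312"))
        for rel in (("Downloads", "DXJS.zip"), ("Downloads", "Python", "Python312", "money.py")):
            open(os.path.join(root, *rel), "wb").close()
        infected = evaluate(CHECKS, root)
    return clean, infected


if __name__ == "__main__":
    clean, infected = demo()
    print("clean profile:    ", clean)
    print("staged artifacts: ", infected)
```

On the second scan, one present file is enough to fail check 77000 and check 77001 even though every other path in those checks is absent, and the Python folder created for staging fails check 77003 on its own; only check 77002 (startuppp.bat) still passes.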

The screenshot below shows the SCA alerts generated on the Wazuh dashboard when the Wazuh SCA detects artifacts associated with PureHVNC malware.

PureHVNC scan results

Conclusion

This blog post demonstrates how to detect PureHVNC malware using Wazuh. We showed how the Sysmon integration with custom detection rules detects the malware's activities on the endpoint, and how the Wazuh SCA module detects the artifacts it leaves behind.

Wazuh is a free and open source security platform with several capabilities to monitor and secure your infrastructure against malicious activities. You can also join our Slack community of professionals and users if you have any questions on this blog post or Wazuh in general.
