Persistent malware

[LuciphronNaxtel]

ok so I have been fighting this alware for months. Best I can tell it has some kind of rootkit and possibly bioskit as well. it started with the lag , I had read of crypto mining etc. anyway it infected my pc and other non network. At first I thought was a siple rootkit , but this thing is way beyond that. Originally I got scans an cleaned no  big deal. but it kept coming back and at the time I couldn't figure out why. research lead me to the conclusion of what appeared to be a SUBVIRT root attack. With a layer between my OS and the hardware. I was running on old bios still so made sense, even more when I tried to address as it had a fake shutdown function that would try and prevent bios bootup. On my pc this was ok , I adin passworded pulled the plug and battery and rebooted and could get to bios. on y laptop it ws a bit harder, but in order to achieve an actual reboot I needed to pull bettery, and even then sometimes it wouldn't stick. best way to get out of the virtual cage I found was to power off, completely, then power on and goto bios but I used the pw as a hang, and would then pull power at password screen. anyway chuncked the laptop , and eventually managed to get full UEFI running on my pc. My build is an old hybrid.

                    So since then and some during , the symptoms exhibited have been several and honestly I am in awe. I'll begin with the internet, I have noticed large amounts of Java injections and site redirects, as well as altered downloads, altered web pages and searches. Edge seems to be a common thing it likes to mask behind, though it does chrome as well, but not like edge, chrome it will "piggy back off" as a parent process I guess for lack of better terminology, using the chrome.exe process to hide behind , I know chrome has multiples and not even odifying windows can realy get it down like u can other software, but trust e , they are there. I have been tracing the string and dll maping (best I can, I have no formal education). As for edge, it starts good , but eventually it owns the dang thing (again for lack of better wording) I can literally go in and manually remove all traces of edge and it will be there, but edge is not. Currently that's just the background though. The javascripts injected im not sure what they are doing but I don't have signs of significant downloads in cache, yet network traffic will often say otherwise. well beyond normal web traffic I feel.

                     It monitors, and by that I mean monitors for you as a user searching for it. I saw logs at first , and thought was odd but after format and wipe multiple ties now , its basically confirmed that it has a function quite like that of romberskit in that if you poke it too much it will acknowledge the user is aware, and where as before it would hide, too much and it goes rombers on you and jacks ur whole system up. It seems to hide on scans and actually infiltrate and take over antivirus either by means of corrupting, or more commonly it seems to add additional code to the AV software by means of applying extensions etc. And so far has rendered the following either able to avoid detection, compromised, or fully take over Malwarebytes, Malwarebytes chameleon, Avast antivirus, Comodo Antivirus, Bitfender, Notron, Kaspesky , Sophos, spyhunter5 , AVG, Mcafee, ClamAV, HunterRK, SFC, MSERT and a few others. It also applies techniques like swp file in order to achieve, though I have had WSL both off and on during the course of this, that doesn't seem to stop the SWP. When it thinks it is being detected, at first i'd say it will try to wipe or jump related files to another folder , either leaving nothing, or ore coonly a 0kb empty file where the item was. This is hard to notice in the normal vastness of windows, however I did a test and the function can be seen very well if you can manage to infect a mini-xp then boot it up. In such a small file system I got to watch it in action jumping and even creating directories to avoid the view of the interactive window I was on. lol hell when I went kicked it over to hirens DOS it was literally overwriting file infront of me as I went through the menu, always using familiar wording. like something I have recently typed, or files I have accessed.I personally find this behavior odd as it seems to have an extensive fileless presence, i'm not sure if these files actually are anything at all or just a decoy mechanism though.

 

                       COMPATABILITY, ok now this is a new one for me. now I am still getting back up to speed with all of windows 10 new drivers etc, and I understand that, but at a certain point its overkill or it aint Microsoft. From what I have seen, it basically generates a driver for almost everything. I imagine this has other purposes ( and will get to those later) but these things dig in. They override OEM drivers of the devices, and are really freakin hard to uproot after that. For example my keyboard driver it caused some issue with disabling it at one point during all of this, I was able to get it back right by rolling back windows to a restore point after drivers and registry options failed. What  I did take note of was how It gained access to the windows troubleshooting feature. Admin propt ofcourse comes up when you run , but unlike normal, if you "view details" you would see a cmd extension pat that of diaging keyboard, literally stating to skip , the result of is if left with no details windows will say unable to fix, with details however it will advise there is an issue with drivers in details but bypass all options to even look for updates and proceed to tell you the sae "functioning and latest update installed. I have noticed it is Linux capable, (like I expected at that point) enabling Linux subsystems only seemed to grant it more authority and capability. I have also noticed that while operating in WSL , while I haven't confirmed, I feel like I was getting a lot of extra packages during downloads that were not selected, ore than usual. To add to the compatability I might add that we have also seen similar signs and syptoms in both google and iphones that we connected to the device , though not near as bad, the battery drain , net browsing, and unusual items popping up in places like the contacts along with constant requests for re-sign in present. I have not verified though , and iPhone is now toast as battery went out.

 

                        NETWORKING,. I don't have enough knowledge to tell for sure, but I believe it might be capable of LAN infection, I have noticed spikes in data randomly when there is no known source to justify. I have replaced routers incase, though my scans don't show much (not that experienced on them.) I did notice an abnormal amount of listening ports open on main pc , and also have a sucspicion about the Vivant home hub installed though probably nothing. I don't know enough to see more but an nmap scan on the LAN showed the device to be equipped with OPENWRT Chaos Linux, looking into it , that device did not show up on the compatible devices list for that firmware though.

                         Credentials and elevated ACCESS, on this I have noticed many things , for windows users it seems to add a plethora of users, best I can tell it starts with an anon or default user. Regardless how tight I lock down, short of full lockdown all bells and whistles with ne win defender , (which makes it a pain to do anything, down to saving a text file lol) It always seems to gain elevated access. This was done on both windows 10 home and PRO. Now 10 ight have done away with gpedit , but the version I was running was before the patch that blocked side loading of the feature, changing of these credentials did help at firt but I found shortly after the all changed , and not even back to what they were. During this event my user was added to an additional group that then was denied all from root up , and due to deny superseding permission well yeah...…. upon that I went to the admin CMD I had open already and started to try and bypass, which is when I found my user path had been moved to an entirely diffent partition, explorer.exe failing after and I was literally locked out of my own pc, and resorted to pulling the plug. I am not sure how it is gaining the access but what I looked into leans towards the powershell scripts i found that to the best of my understanding would create a loop in access request that would then replicate key and reinsert to gain access. also web and program root credential i think were being generated throught the self cert script on silent after gaining said credentials. I have tried to combat with group poilicies and even additional separate net user admins active , as well as windows admin and WDAGUtility account set active and passworded with lowering y credentials to that of normal user. But even still by the time i need to utilize said credentials even through a runas etc, i come to find it has already compromised those accounts and altered the password. Sae goes for Linux subsystem  root user and sudo, though Linux i found was easier to bypass. So far though everything  i have tried to block elevation fails, and it seems to always find another way.  For this i have adjusted the powershell executionpolicy scope so that users, current user, processes, and system cannot execute scripts without interactive admin prompt. Don't think its fully working like i wanted but does a pretty good job for now.  

 

                              I/O - I am sure there are some legit things that use the reference to Null, but i' fairly If i had to guess this seems a favorite of the thing. Because I've read this is a strong indicator of zero day exploitation. I removed and locked out SMB1 via powershell due to this. now i'm way out of my knowledge base on most this , but i really am off base here, not sure how all that works , but if i had to take a whack at it  i thin it i using the null reference to point and direct down to the shell device drivers, what it does from their i have now clue, but i did notice whatever its doing I/O wise it is a lot. When i was able to get keyboard back up and clear some of the masked drivers i rolled back system, afterward i was pushng upward of 98% CPU in system interrupts alone. wondering if that has anything to do with possible bioskit function.

 

                               Injection - , think for short "ALL" , seems to be able to inject and modify network and web traffic, as for files you would think it does all in background and seems a lot would be there , i noticed it doesn tamper with user created files though unless its executing the boberskit like function , or if the file is either on your desktop, or in a window you have up in explorer. Have witnessed it alter files being oved or copied as they hit their destination.and like i said im speculating on most of this and don't have the knowledge, but almost seems like it injects anything performed by windows/trusted installer. The installs after a certain point look to have been modified with extentions and additional configs, with timestamp alterations. usually , and what i find odd , is say i install something, uninstall it , and reinstall later. The modified date stamp shows first install date even when reinstalled, even though the file creation date is for right then in the moment.

 

                         Virtualization- SUBVIRT issue aside as uefi seems to have resolved that aspect. There are multiple ghost drives popping up here and there then gone again, as well as what appears to be docker containers. Now unfortunately this isn't as straight forward as it used to be, being windows and software companies are utilizing these tools more and more. I'm sure some of these are normal functionality , but have a suspicions  some are not if that's possible, heck with everything else, i'm surprised the thing aint come to have a drink and debate politics with me lol.

                        Noted deficiencies- Not many noticed here honestly lmfao. things like written by motzart far as i can tell. I did notice that the file injections are unable to access a .RAR file, ISO also unless mounted. And y largest asset now , that in the beginning was unknowingly compromised and my biggest enemy at the time is windows defender. With Malwarebytes etc that have core isolation and protected folder etc it works for a time but even with them on all 3rd party programs thus far appear to fall and be overtaken. windows defender sees to hold strong once properly updated and all settings i place. By that i mean i literally have (even if redundant) most all folders as protected folders across the drives, Core isolation and device guard enabled, with firewall and antivrus random scans and real time. Still have to watch when i need to do something that requires letting protected folders down though as new items will populate in the exceptions list with override permissions. Core isolation also seems to keep it from ramping up for a tie, but i think (again not exp enough) soe is already getting through with what i have seen.

 

                           ATTEPTS: this is what i have tried , and for the most part failed. i got it useable i guess lol. Antivirus and malware scanners don't pick up. kaspesky did at first, but then was compromised, Malware bytes hasn't caught anything though it often blocks outbound connections from malware but doesn't catch or kill the source, and eventually it also gets comproised, but is the most resilient to it so far. Windows defender don't catch a thing but block ALOT from progressing, but it blocks me too is the problem. all others aint done a thing really. I've formatted all drives multiple times from basic formats to clean and re-partition with secure overwrites and format. I've wiped MBR's , converted to UEFI, reset bios to default, popped battery , de-energiced and cleared RAM and board chips. I tried doing all that simultaneously and using a USB to work the disk drives rather than sata to see if that might alter transferal. I've tried to manually hunt with sysinternals , hirens, nirsoft, and a archive of tools, but don't know how to use properly yet. even monitored and hunted using VM from outside in.

Only thing I can think of I haven't tried is this and full bios flash/update. I did try the flash though , but cant get it to work at all, always has one error or another. I've been lead back to this site countless times in y research , and am hoping maybe there's a reason and someone can help.

 

 It has been months and I just want my pc back lol...…..can anyone PLEASE HELP ME?

 

[AdvancedSetup]

Hello @LuciphronNaxtel

Unless you're on the NSA enemy of the State list type thing then no one is going to spend the hundreds of thousands of dollars to keep an ongoing persistent threat into your system. Without some type of monetary or political gain there is no reason to spend the time and resources of multiple analysts attacking and spying on your system. We'll do some basic checks to see if we can find anything wrong but I won't spend forever going down the tinfoil hat rabbit hole of conspiracy theories.

Let's start by having you run the following please.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

• If you're already running Malwarebytes then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
• If you don't have Malwarebytes installed yet please download it from here and install it.
• Once installed then open Malwarebytes and select Scan and let it run.
• Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
• If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

• Right-click on the program and select Run as Administrator to start the tool.
• Accept the Terms of use.
• Wait until the database is updated.
• Click Scan Now.
• When finished, please click Clean & Repair.
• Your PC should reboot now if any items were found.
• After reboot, a log file will be opened. Attach or Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens, click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a checkmark here.
• Please attach the Additions.txt log to your reply as well.

 

Thanks

[AdvancedSetup]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks