PS1 is a type of malware, similar to the VBS variant, that communicates with a remote server. Unlike the VBS variant, however, the PS1 variant uses DNS rather than HTTP to establish this communication. It is designed to run PowerShell commands via a PS1 file and retrieve their output. The malware can compromise and damage computer systems or devices, typically arriving through suspicious downloads, emails, or websites. Once it has infiltrated a system, it can steal personal information, disrupt operations, or hold data for ransom.
There are slight differences between the dns, fireeye, and komisova PS1 variants, as discussed in our previous OilRig blog post. A notable concern is that meterpreter payloads seem incompatible with CVE-2021-42847, making it unlikely that the ps1 script can be removed automatically. Manual cleanup is therefore necessary, in particular for the ps1 script in /alert_scripts/ under the ManageEngine ADAudit Plus install directory. Furthermore, files with a wide range of extensions are being attacked, including but not limited to: .ndoc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der, .dat.
The PS1 malware employs strong encryption: the Salsa20 cipher with a key randomly generated using RtlRandomEx. It begins its attack by repairing gaming consoles such as the Dreamcast, Xbox, and PS1, then learning how to mod them. On the computer side, it starts by learning about CD burners and gradually infiltrates deeper into the system. During its operation the malware ignores certain file extensions, including but not limited to: .386, .adv, .ani, .bat, .bin, .cab, .cmd, .com, .cpl, .cur, .deskthemepack, .diagcab, .diagcfg, .diagpkg, .dll, .drv,
Description last updated: 2024-10-15T09:25:00.828Z