Windows Server 2025 is the most secure and performant release yet! Download the evaluation now!
Looking to migrate from VMware to Windows Server 2025? Contact your Microsoft account team!
The 2024 Windows Server Summit was held in March and broughtย three days of demos, technical sessions, and Q&A, led by Microsoft engineers, guest experts from Intelยฎ, and our MVP community.ย For more videos from this yearโs Windows Server Summit, please find the full session list here.
ย
This article focuses on whatโs new and whatโs coming in Windows Server 2025.
ย
What's new in Windows Server 2025
Get a closer look at Windows Server 2025. Explore improvements, enhancements, and new capabilities. We'll walk you through the big picture and offer a guide to which Windows Server Summit sessions will help you learn more.
ย
Whatโs ahead for Windows Server
Whatโs in it for you? Get a summary of the most important features coming in Windows Server 2025 that will make your life easier and your work more impactful. In this fireside chat, Hari Pulapaka, Windows Server GM and Jeff Woolsey, Principal PM manager, provide an overview of whatโs next, and provide their thoughts on how Windows Server can help you stay ahead.
Research of this malware family began when I found a malicious task starting powershell code directly from a registry key within our user base.ย I wasnโt expecting the surprise Iโd arrived at when I began tracking its origins. Living in a smaller country, Czech Republic, it is a rare sight to see someone exclusively targeting the local Czech/Slovakaudience. The threat actor seems to have been creating malware since 2015 and appears to be from Slovakia. The bad actorโs repertoire contains a few RATs, some packers for cryptominers and, almost obligatorily, ransomware, and I have named the malware family Certishell. This personโs malware is spread with illegal copies of songs and movies and with alleged cracks and keygens of games and common tools (GTA SA, Mafia, Avast, Microsoft Office) that were hosted on one of the most popular Czech and Slovak file-sharing services uloz.to.
The Ceritshell family can be split into three different parts.ย
RAT with a C&C server sivpici.php5[.]sk (Czech/Slovak slang for โyou are fucked upโ), which has AutoIT, C++ and Go versions.
Miner downloaded from hacked websites and started with the script que.vbs from the task.ย
Miner or ransomware downloaded from hacked websites and launched from a powershell command hidden in registry keys. The command from the registry key is started with the task from the picture above.
The map above shows the risk ratio of users around who were at risk of encountering one of the malware families
Sivpici.php5.sk (2015-2018)
The oldest part of the family is a simple RAT with sivpici.php5[.]sk as the C&C server. It places all the needed files in the folder .win inside of the user folder.ย
The malware installer comes disguised as one of the following:
Cracked software, such as FixmyPC,
Fraud apps, like SteamCDKeys that share Steam keys,
Music CD unpackers with names like Extractor.exe or Heslo.exe (Heslo means password in Czech/Slovak) that come with a password protected archive with music files.
The malicious executable downloads an executable named UnRAR.exe and a malicious archive that contains a simple RAT written in C++, AutoIT or Go.
Installer
Every executable installing this malware family contains a script similar to the one in the following picture optionally with curl.exe. This script usually shows the password to archive or start another application. The malicious part downloads a legitimate RAR extractor UnRAR.exe and a malicious archive that can be password protected and unpacks it into the %UserProfile%\.win\folder. In the end it registers one of the unpacked files as a service, starts it and allows one of the binaries in the firewall.
I found six different methods used to pack the script into executable binary:
Bat2exe
Quick Batch File Compiler
Compiled AutoIT version
Compiled AutoIT version with obfuscated script
Compiled AutoIT version with obfuscated script and packed with PELock
Compiled AutoIT version with obfuscated script packed with VMProtect
RAT
There are three main variants of this RAT.ย All of them use the same C&C sivpici.php5[.]sk and similar communication protocol. The most advanced is a compiled AutoIT script. This script comes in 10 different main versions. The second one is written in C++ and we found only one main version and the last one is written in Go also with one main version.ย
The first time it is run, it generates a random alphanumeric string that works as an identificator for the C&C. This identificator is saved into file gen.gen for next start. The communication uses the HTTP protocol. Infected machines send the following back the C&C:ย
pc = ComputerName,
os = content of SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName,
uniq = generated identifier, saved in \.win\gen.gen
with the GET method to start.php.
After a random period of time, the malware starts asking for commands using the GET method with the parameter uniq. The response is a number that has fixed meanings throughout all the versions. Commands โ1โ โ โ7โ are implemented as follows:
The RAT downloads a URL from /urlg.php using uniq, from this URL it downloads a file, packed.rar, then the RAT starts run.bat from the installation phase to UnRaR the package to the \.win\Lambda folder and restart the RAT. This allows the RAT to update itself and also download any other file necessary.
Create a screenshot and send it with the POST method to the up.php.
Send all file names from all drives to up.php.
DDoS attack to a chosen IP through UDP/HTTP/PING.
Get a list of all installed apps from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall saves it to /.win/installed.txt and send them to up.php.
Get a list of all running processes, save it to /.win/processes.txt and send them to up.php.
Collect log from keylogger, save it to \.win\log.txt and send it to up.php.
The RAT in the form of compiled AutoIT script has the name Winhost.exe.ย
There is a comparison of different versions (versioning by the author of the RAT) in the following table.
Version
Commands
Notes
debugging
1
Command 2 opens a message box with text 222222
4
1 โ 3
Registration of PC happens only once on reg.php and on connection it sends only the uniq and the version of the RAT to updaver.php
6
1 โ 4
Opens /ad.php in a hidden Internet Explorer window once when the user is not interacting with the PC for at least 5 seconds and closes it after 30 seconds.
Version 9 adds coloring of keys, mouse movements and clipboard in the keylogger.
The C++ RAT is named dwms.exe. It uses LibCURL to communicate with the C&C. The communication protocol is the same. The uniq identifier is saved in the fr.fr file instead of gen.gen for the AutoIT version, it also starts communication by accessing connect.php instead of start.php.
Iโve managed to find a debugging version that only has the first command implemented and returns only โCommand 2โ and โCommand 3โ to the standard output for the second and third command. After every command it answers the C&C by sending uniq and verzia (โversionโ in English) with GET method to online.php.
The โproductionโ version is labeled as version A. The code is divided into two functions:ย
LLLoad downloads the URL address of the C&C server from the pastebin and tests it by downloading /exists.txt.
RRRun that contains the first two commands as described above. It also uses /connect/ path for register.php, load.php, online.php and verzia.php.
To download newer versions it uses curl called from the command line.
Another difference is that screenshots taken are sent via FTP to a different domain: freetips.php5[.]sk/public_html/SHOT.bmp with the username sivpici and password A1B2C3D4.ย
The RAT written in Go only has the first command implemented, but it downloads /cnct/ad.txt and it opens URLs contained on victims computer, thus we speculate it could also work as adware.ย
IECache, bitly, pastebin (2016-2018)
The installation of this coinminer is similar to the RAT in the previous section. Installations use the same folder and the scripts have the same name. It usually comes as an unpacker of illegal copies of music and movies downloaded from uloz.to. It uses powershell to download and execute scripts from a bit.ly shortened address. The final stage is coinminer IECache.exe, which is usually XMRig.
Heslo.txt.exe, Crack.exeโฆ
There is a huge variety of programs that download bit.ly-shortened Czech and Slovak sites and execute them. These programs include: GTA SA crack, Mafia, Microsoft Office, Sims, Lego Star Wars, and unpackers for music and movies. These programs usually print a message to the victim and run a malicious script in a hidden window.
The unpackers use UnRAR to unpack the archive and show the victim the password of that archive.ย
Unpacker of a music album written in Python and packed with Pyinstaller. It tries to use UnRAR.exe to unpack the music, if unsuccessful, it shows password โ1234โ.
The cracks on the other hand just show an error message.
Result of Patcher for Counter-Strike Global Offensive. After downloading and installing the malware from Sourceforge it shows an error from the picture above.
All the installation files execute the following command with some bitly shortened site:
There are VBA scripts calling it, basic programs possibly written in C, .Net, AutoIT scripts, Golang programs, Rust programs, Redlang programs, different packers of python and batches, some of them use UPX, MPRESS, VMprotect and PELock.ย
Red languageAutoITPyinstallerBat obfuscatorRust
Downloaded script
There are at least two new scripts created by the script from the site hidden behind the bit.ly shortened URL, que.vbs and run.bat.
The script also creates one of two services named Winmgr and Winservice that start que.vbs. Que.vbs only starts run.bat which downloads whats.txt contains a script downloading and starting coinminer IECache.exe.
In this case the pastebin contains two lines (the second line is splitted for better readability)
content of pastebin
The miner
The miner is saved as IECache.exe or ctfmon.exe.
The first miner (from June, 2018) is just XMRig that includes all command line options inside the binary.ย
Most of the miners of this type I found are packed with VMProtect or Themida/Winlicense.
The more interesting one (from Jun-Jul 2018) is a compiled AutoIT script packed with VMProtect. Here again, we see that author speaks Slovak:
This script contains the XMRig as (in some cases LZMA compressed) Base64 encoded string inside a variable. The miner is decoded and started in memory.
ODBASUJ64A is โdecode base64โ and ODLZMUJA is โLZMA decompressโ.ย
In some versions, the script checks user activity and it starts different miners with different options to maximize profit with lower risk of being caught.
_PUSTITAM is executes an binary in memory
Newer samples (Since August, 2018) use sRDI or XOR encryption in memory and injection to a suspended process to hide from antivirus software.
Interesting files
Sourceforge and Github
Some of the samples used Sourceforge and Github to download malicious content, instead of small, possibly hacked websites.
It downloaded content from a repository WEB of user W33v3ly on Github and from user Dieworld on Sourceforge. On Github, the attacker once made a mistake and pushed Systemcall.exe and TestDLL.bin to the wrong repository.
The Systemcall.exe is a PE file without โMZโ in the beginning and Test.dll contains some random bytes before the PE file. The dll contains XMRig encrypted with TEA and the Systemcall.exe uses sRDI to load and run the Test.dll.ย
Steam Giver
This small application written in .Net shows some hacked Steam accounts.
The malicious part downloads and installs the following scripts and downloads UnRAR and begin.rar
Install.vbs creates a task named WinD2 that starts inv.vbs upon every PC startup. Inv.vbs starts runner.bat, which starts %temp%/Microsoft/NisSrve.exe that is unpacked from begin.rar with UnRAR.exe.
Free bet tips
Betters are also targeted. We found a malicious file with the following readme file:ย
The binary included only starts a cmd with the script as an argument.
All from registry keys since 2018
After 2018, I observed an updated version of the malware family. There is no need for any script file if you can have a command as a scheduled task and save enough data into registry keys.ย
The infection vector is the same as in the previous case. The victim downloads and runs an executable that downloads a powershell script from a hacked website whose URL is shortened with bit.ly. This time the script is different, it creates the following task:
This task reads the value of the registry key Shell placed in HKLM\Software\a and executes its content. The script also creates the Registry key.ย
Letโs focus on the value of the registry key Shell. In the following picture you will find the value I found on an infected machine.
After decoding and decompression we get an obfuscated script:
Under two layers of string formatting and replacing we get another compressed base64 encoded script:
Inside the base64 string is malicious code that tests the connection and executes code directly from the internet.
In total, I found about 40 different values of the Shell key in the wild that contain similar code with different URLs and they are obfuscated in the same way or less.
Some of the pastebins were alive. For example, one of them contains the following scripts that sends information about graphic cards to the C&C server, which can decide what to install on an infected computer. I have not found any C&C server alive.
Ransomware
Another final stage that runs from the registry keys is ransomware Athos.exe. At first it checks some tactics from https://blog.sevagas.com/IMG/pdf/BypassAVDynamics.pdf to check if it runs in the sandbox. On the sixth start it injects ransomware into another process that gets the id and encryption key from the web page googleprovider[.]ru. Then it encrypts all the files with AES-CFB and shows the following message saved on imgur (https://i.imgur[.]com/cKkSBSI.jpg).ย
Translation: Your files are encrypted. If you want them back, you need your ID that you can find in Athos_ID.txt on the desktop. Keep your ID secure, if you lose it, your files canโt be recovered!!! You can recover your files with the help of the website www.gโฆ
We also found AutoIT ransomware King Ouroboros translated to Slovak. The malware was edited to use Windows usersโ GUID as encryption key and to download additional content from a different server than the original King Ouroboros.
Most of the methods described in this article are not new, in some cases I was able to find their source. The most interesting method is hiding the powershell script to the registry keys.ย
As I found out, the author is a Slovak speaker, this corresponds with the fact that the infected files were published only on Uloz.to, therefore the victims are only from the Czech Republic and Slovakia.ย
The variation of the final payload is huge. I found three different RATs, a few different packers of coinminers and ransomware that were created by the author and many more that were โavailableโ on the internet. The initial installer, which function was to call only one command, was also created with a huge variety of tools, some of them quite obscure.
To protect against this type of threat, it is enough to download software only from trustworthy sources and use security software, like Avast Antivirus, which will act as a safety net in case you should come across a threat.