Forfiles used in a ‘living off the land’ attack to spread ransomware

Avira Protection Labs, 3 weeks ago 3 min read

Forfiles is a utility tool commonly used by Windows system administrators. However, Avira researchers have found that it is now being leveraged by threat actors who use it as a stepping stone to stage an attack by the Locdoor ransomware (DryCry).

We’ve previously looked at how Certutil, a legitimate Windows file had been abused by attackers to spread threats. Lately, we have seen an increase ‘living off the land’ where attackers make use of tools already installed on targeted computers to run simple scripts and Shellcode directly in memory to evade detection.

In this blog, we’ll explain how Fortfiles is being used to spread ransomware and how you can protect against its malicious use.

How Attackers Use Forfiles

By: Amr Elkhawas, specialist threat researcher, Avira Protection Labs

During our analysis we observed that upon launching the excel sheet an “Amazon Web Services” image appeared with a Russian language text box translating to “Database Private Content”. This is a social engineering trick to lure the victim to enable the content and carry out malicious activity.

Further analysis of the embedded macro code revealed a small two line code snippet that automatically runs when a file is launched. This snippet creates a wscript object and executes the code present in the cell (201, 30) which translates to cell in the “AD” column, row 201.

Further analysis shows the content of this cell in the image below. It leverages forfiles with a “/c” operator that is used to run a command on a file or a set of files. The command in the mentioned snippet is “Start-Process” and the file is contained between quotation marks, the Powershell one-line downloader. It is used to download a file from a remote URL save it in the “Temp” directory.

Then Forfiles is executed as shown in the process execution tree below:

A second stage downloader is triggered in the VBS to executables which triggers the download of the rest of the payload using a stealthy Powershell instance that is set to sleep for 80000 milliseconds. The triage information can be shown in the Powershell transcript below:

Further four other instances of Powershell are spawned from this executable as seen in the hex dump below:

Then the first payload is inspected and it turns out to be a VBS script. This script pops out an error message that ‘this workbook can only be opened on the latest version of Microsoft Excel’ to distract the victim from noticing that some malicious activity has occurred in the background.

The Powershell transcript logs for each of the four instances are shown below:

First instance

The VBS script mentioned previously

Second Instance

An executable called “Usermode Font.exe” that is dropped in the Startup folder to persist between restarts

Third Instance

An executable called “Service Graphic Manager.exe” that is dropped in the Startup folder

Fourth Instance

An executable called “System Audio RHTS.exe” that is dropped in the Startup folder


Threat actors have become skilled at leveraging legitimate tools to evade security defenses. Here we’ve see how Forfiles, a utility tool that is commonly used by system administrators isleveraged by threat actors to carry out malicious activities. In this case, Forfiles is used as the stepping stone to stage the attack for the Locdoor ransomware (DryCry).

It is important to look out for uncommon process execution trees even if they involve utilities that do not have any known or documented malicious behavior.

A better solution is to use security tools with advanced scan engines that can detect and autonomously respond to anomalous code execution regardless of whether it is from a trusted source or not.

Indicators of Compromise (IoCs)

Filename Sha256 Detection name
Sliv_paroley_Vkontakte_iyul_2019.xls 0a17980d36a1781b004349a4e811770a0930167d97955806b4d8253d0c281c80 W97M/Dldr.efo
tmp27er98o9.exe f57aafb99c6f1696da2da0dd6b8e44ef57d16dcc1ca9b4fd5bb5d8e19bfc239e TR/Dldr.Agent.f57aaf
tmp458er98s.vbs 82eae744c217a389d72c9d49dd777a7a90db8972427e429319173a05b408334f VBS/Agent.jmk
Usermode Font.exe 0b1ce2c44e41074ef79fd8ab66dc29059f9e35b1bc2cfdf43e68c9eef7db09b5 TR/Crypt.TPM.Gen
Service Graphic Manager.exe c2b65b1ad477b3a5ba66304e2c2590375815546833e883803bddfdf7ea18a43c TR/Crypt.TPM.Gen
System Audio RHTS.exe f2e4e9f749418abcc17ccd1d422f4897ee8c9bfba492aff8dddca207fca0be4e TR/Dldr.Agent.f2e4e9







Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.
Forfiles used in a ‘living off the land’ attack to spread ransomware

Avira Protection Labs

Protection Lab is the heart of Avira’s threat detection and protection unit. The researchers at work in the Labs are some of the most qualified and skilled anti-malware researchers in the security industry. They conduct highly advance research to provide the best detection and protection to nearly a billion people world-wide.

You might like

Expert Perspectives

Vulnerability update – May 2020

Vulnerability update – May 2020

In this report we will take a look at some of the more interesting vulnerabilities of early 2020.

2 months ago 3 min read