SOC Prime Bias: Critical

15 Apr 2026 17:47

Dragon Boss Leaves 25,000+ Endpoints Exposed

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A potentially unwanted application signed by Dragon Boss Solutions abused a legitimate update workflow to quietly download and run MSI and PowerShell payloads that disabled antivirus protections and established persistence through WMI event subscriptions and scheduled tasks. Because the updater communicated with unregistered domains that could be claimed by anyone, the software effectively created a supply-chain opportunity for arbitrary code delivery. Researchers observed more than 25,000 endpoints reaching out to this infrastructure, including systems in several high-value sectors.

Investigation

Huntress uncovered WMI-based persistence artifacts and a spike in scheduled task creation, then traced the activity back to a signed executable named RaceCarTwo.exe that launched an MSI installer. The installer extracted a PowerShell script called ClockRemoval.ps1, which terminated antivirus processes, blocked access to AV update domains, added Microsoft Defender exclusions, and repeatedly reinstalled itself to maintain its foothold. Investigators also found that unregistered domains, including chromsterabrowser.com, were being used as the primary update source, meaning any outside party could register those domains and deliver their own payloads.

Mitigation

To stop further abuse, the research team registered the exposed domains and sinkholed them, effectively cutting off the malicious update path. They also documented the related WMI event subscriptions, scheduled tasks, and registry changes so defenders could identify and remove affected components. Organizations should block the known domains and monitor for the specific task names and WMI consumer activity associated with this campaign to reduce the risk of continued compromise.

Response

Security teams should detect the creation of scheduled tasks such as ClockSetupWmiAtBoot, DisableClockServicesFirst, DisableClockAtStartup, RemoveClockAtLogon, and RemoveClockPeriodic. Alerts should also trigger on WMI event subscriptions containing MbRemoval or MbSetup. Defenders should monitor executables signed by Dragon Boss Solutions, look for the presence of ClockRemoval.ps1 in WMILoad directories, review hosts files for entries that block antivirus vendor domains, and investigate unexpected Windows Defender exclusions across impacted systems.
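A host triage script for the artifacts listed above, added here as an example (it is not SOC Prime's or Huntress's code). It assumes an elevated PowerShell session, a constructed list of AV vendor name fragments for the hosts-file check, and a fixed set of search roots for WMILoad directories, since the report does not give a path.

```powershell
# Added triage script (not from the report): check one host for the artifacts named in the Response section.
# Run from an elevated PowerShell; exits 1 when anything is found so fleet tooling can flag the host.
$TaskNames  = 'ClockSetupWmiAtBoot','DisableClockServicesFirst','DisableClockAtStartup',
              'RemoveClockAtLogon','RemoveClockPeriodic'
$WmiMarkers = 'MbRemoval|MbSetup'
# Assumption: AV vendor name fragments to look for in hosts-file blocks; the report does not list the domains.
$AvHints    = 'microsoft|defender|symantec|mcafee|sophos|kaspersky|eset|trendmicro|bitdefender|avast|avg|malwarebytes'
# Assumption: where to look for WMILoad directories; the report gives no fixed location.
$SearchRoots = @($env:ProgramData, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot, $env:USERPROFILE) | Where-Object { $_ }
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Name, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
}

# 1. Scheduled tasks using the campaign's task names
Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $TaskNames -contains $_.TaskName } | ForEach-Object {
    $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" $actions
}

# 2. WMI event filters and consumers whose names carry the MbRemoval / MbSetup markers
foreach ($cls in '__EventFilter', 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
    Get-CimInstance -Namespace root\subscription -ClassName $cls -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $WmiMarkers } |
        ForEach-Object { Add-Finding "WMI/$cls" $_.Name (($_.Query, $_.CommandLineTemplate, $_.ScriptText) -join ' ').Trim() }
}

# 3. ClockRemoval.ps1 sitting inside a WMILoad directory
foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Recurse -Depth 4 -Force -File -Filter 'ClockRemoval.ps1' -ErrorAction SilentlyContinue |
        Where-Object { $_.DirectoryName -match '\\WMILoad(\\|$)' } |
        ForEach-Object { Add-Finding 'File' $_.FullName "sha256=$((Get-FileHash $_.FullName -Algorithm SHA256).Hash)" }
}

# 4. hosts-file entries that sink AV vendor names to loopback or 0.0.0.0
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_ -match '^\s*(0\.0\.0\.0|127\.0\.0\.1|::1)\s+(\S+)' -and $Matches[2] -match $AvHints) {
        Add-Finding 'HostsEntry' $Matches[2] $_.Trim()
    }
}

# 5. Defender exclusions: any exclusion deserves review on a host that talked to the updater domains
$mp = Get-MpPreference -ErrorAction SilentlyContinue
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($v in @($mp.$kind)) { if ($v) { Add-Finding "Defender/$kind" $v '' } }
}
if ($findings.Count -eq 0) { Write-Host '[+] No Dragon Boss artifacts found on this host.'; exit 0 }
$findings | Format-Table -AutoSize -Wrap
exit 1
```

The script only reports; removal of any confirmed finding belongs in the documented cleanup steps after the host has been imaged for the investigation.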

Attack Flow

    graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef process fill:#ffeb99
    classDef file fill:#c0ffc0
    classDef technique fill:#dddddd
    %% Technique nodes
    tech_t1210["<b>Technique</b> – T1210 Exploitation of Remote Services<br/><b>Description</b>: A custom update mechanism contacts remote URLs to download and install malicious MSI payloads."]:::technique
    tech_t1218_007["<b>Technique</b> – T1218.007 System Binary Proxy Execution: Msiexec<br/><b>Description</b>: Msiexec.exe is leveraged to silently install a malicious MSI package."]:::technique
    tech_t1059_001["<b>Technique</b> – T1059.001 Command and Scripting Interpreter: PowerShell<br/><b>Description</b>: PowerShell is used to run the ClockRemoval script that disables security products and modifies system settings."]:::technique
    tech_t1546_003["<b>Technique</b> – T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription<br/><b>Description</b>: Persistent WMI event subscriptions trigger malicious PowerShell scripts when new processes start."]:::technique
    tech_t1053["<b>Technique</b> – T1053 Scheduled Task/Job<br/><b>Description</b>: Scheduled tasks are created for boot, startup, logon and periodic execution to maintain persistence."]:::technique
    tech_t1489["<b>Technique</b> – T1489 Service Stop<br/><b>Description</b>: Security product services are stopped and disabled to prevent protection."]:::technique
    tech_t1562["<b>Technique</b> – T1562 Impair Defenses<br/><b>Description</b>: The payload actively kills security processes, blocks update domains and removes registry entries."]:::technique
    tech_t1564_012["<b>Technique</b> – T1564.012 Hide Artifacts: File/Path Exclusions<br/><b>Description</b>: Hosts file is edited and Windows Defender exclusions are added to hide malicious activity."]:::technique
    tech_t1070_004["<b>Technique</b> – T1070.004 Indicator Removal: File Deletion<br/><b>Description</b>: Leftover AV files and registry keys are deleted to erase evidence."]:::technique
    %% Action and artifact nodes
    action_contact_domain["<b>Action</b> – Contact unregistered domain<br/><b>Domain</b>: worldwidewebframework3.com"]:::action
    file_malicious_msi["<b>File</b> – Malicious MSI payload"]:::file
    tool_msiexec["<b>Tool</b> – Msiexec.exe"]:::tool
    script_clockremoval["<b>Process</b> – ClockRemoval.ps1 (PowerShell)"]:::process
    persistence_wmi["<b>Action</b> – Create WMI event subscription"]:::action
    persistence_schtask["<b>Action</b> – Register scheduled tasks"]:::action
    action_service_stop["<b>Action</b> – Stop and disable security services"]:::action
    action_impair_defenses["<b>Action</b> – Impair defenses broadly"]:::action
    action_host_modification["<b>Action</b> – Modify hosts file and add Defender exclusions"]:::action
    action_file_deletion["<b>Action</b> – Delete AV files and registry keys"]:::action
    %% Connections showing flow
    action_contact_domain -->|downloads| file_malicious_msi
    file_malicious_msi -->|installed via| tool_msiexec
    tool_msiexec -->|executes| script_clockremoval
    script_clockremoval -->|creates| persistence_wmi
    script_clockremoval -->|creates| persistence_schtask
    script_clockremoval -->|stops| action_service_stop
    script_clockremoval -->|impairs| action_impair_defenses
    script_clockremoval -->|modifies| action_host_modification
    script_clockremoval -->|deletes| action_file_deletion
    %% Linking actions to techniques
    action_contact_domain -->|uses| tech_t1210
    tool_msiexec -->|uses| tech_t1218_007
    script_clockremoval -->|uses| tech_t1059_001
    persistence_wmi -->|uses| tech_t1546_003
    persistence_schtask -->|uses| tech_t1053
    action_service_stop -->|uses| tech_t1489
    action_impair_defenses -->|uses| tech_t1562
    action_host_modification -->|uses| tech_t1564_012
    action_file_deletion -->|uses| tech_t1070_004
    %% Class assignments
    class action_contact_domain action
    class file_malicious_msi file
    class tool_msiexec tool
    class script_clockremoval process
    class persistence_wmi action
    class persistence_schtask action
    class action_service_stop action
    class action_impair_defenses action
    class action_host_modification action
    class action_file_deletion action

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An adversary has obtained the legitimate RaceCarTwo.exe signed by Dragon Boss Solutions LLC. They leverage the binary's trusted status to bypass application whitelisting. First, they deploy a malicious MSI (Setup.msi) that drops a privileged service and installs a scheduled task to achieve T1546.016. Next, they execute a PowerShell script (ClockRemoval.ps1) that disables or uninstalls the endpoint AV product, reflecting T1059.001. Both actions are performed from the same process, ensuring the detection rule sees the exact command-line patterns.

    1. Deploy malicious MSI:

      Start-Process -FilePath "C:\Program Files\DragonBoss\RaceCarTwo.exe" `
                    -ArgumentList "Setup.msi" `
                    -Wait
    2. Execute AV-disable PowerShell script:

      Start-Process -FilePath "C:\Program Files\DragonBoss\RaceCarTwo.exe" `
                    -ArgumentList "ClockRemoval.ps1" `
                    -Wait
  • Regression Test Script:
    The script below automates the two steps in a single run, reproducing the exact telemetry the Sigma rule expects.

    # -------------------------------------------------
    # Simulation of DragonBoss malicious execution chain
    # -------------------------------------------------
    $binaryPath = "C:\Program Files\DragonBoss\RaceCarTwo.exe"
    # Abort early with a clear message instead of a cryptic Start-Process error
    if (-not (Test-Path $binaryPath)) {
        Write-Error "RaceCarTwo.exe not found at $binaryPath; stage the test binary first."
        exit 1
    }
    
    # 1. Install malicious MSI
    Write-Host "[*] Deploying malicious MSI (Setup.msi)..."
    Start-Process -FilePath $binaryPath -ArgumentList "Setup.msi" -Wait
    
    # 2. Run AV-disable PowerShell script
    Write-Host "[*] Executing ClockRemoval.ps1 via the same binary..."
    Start-Process -FilePath $binaryPath -ArgumentList "ClockRemoval.ps1" -Wait
    
    Write-Host "[+] Simulation complete. Verify alerts in the SIEM."
  • Cleanup Commands:
    Remove any artifacts created during the simulation to restore the host to its pre-test state.

    # -------------------------------------------------
    # Cleanup for DragonBoss simulation
    # -------------------------------------------------
    # Remove the installed MSI product (replace ProductCode with the actual GUID)
    $productCode = "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"
    Write-Host "[*] Uninstalling malicious MSI..."
    # msiexec is an external process, so try/catch cannot see its failure; check the exit code instead
    # (0 = success, 1605 = product not installed, 3010 = success but reboot required)
    $p = Start-Process -FilePath "msiexec.exe" -ArgumentList "/x $productCode /quiet /norestart" -Wait -PassThru
    if ($p.ExitCode -notin @(0, 1605, 3010)) { Write-Warning "MSI uninstall failed (exit code $($p.ExitCode))." }
    
    # Remove the persistence the chain is expected to create (task names from the Response section)
    foreach ($task in 'ClockSetupWmiAtBoot','DisableClockServicesFirst','DisableClockAtStartup','RemoveClockAtLogon','RemoveClockPeriodic') {
        if (Get-ScheduledTask -TaskName $task -ErrorAction SilentlyContinue) {
            Write-Host "[*] Removing scheduled task $task..."
            Unregister-ScheduledTask -TaskName $task -Confirm:$false
        }
    }
    # WMI subscriptions: delete the bindings first, then the named filters and consumers
    Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
        Where-Object { $_.Filter.Name -match 'MbRemoval|MbSetup' -or $_.Consumer.Name -match 'MbRemoval|MbSetup' } |
        Remove-CimInstance
    foreach ($cls in '__EventFilter','CommandLineEventConsumer','ActiveScriptEventConsumer') {
        Get-CimInstance -Namespace root\subscription -ClassName $cls -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match 'MbRemoval|MbSetup' } | Remove-CimInstance
    }
    
    # Delete the PowerShell script if it was written to disk by the MSI
    $scriptPath = "$env:ProgramData\ClockRemoval.ps1"
    if (Test-Path $scriptPath) {
        Write-Host "[*] Removing ClockRemoval.ps1..."
        Remove-Item $scriptPath -Force
    }
    
    Write-Host "[+] Cleanup complete."