Trojan:PowerShell/Metasploit!MSR

The infection begins with the launch of a malicious PowerShell script (.ps1), often launched through powershell.exe with obfuscated command-line parameters to hide its true intent. This script functions as a downloader, using built-in PowerShell cmdlets like Invoke-WebRequest or the .NET WebClient class to fetch the next-stage payload from a remote server controlled by the threat actor. 

A defining characteristic of this attack is its fileless nature. The core payload is not written to the device’s storage. Instead, the PowerShell script directly injects the malicious code into the memory space of a legitimate process, such as the PowerShell host itself (powershell.exe) or another system process it spawns. This technique allows the malware to operate without leaving a static binary for antivirus software to detect. 

To establish a remote-control channel, the payload initiates outbound TCP connections to its command-and-control (C2) servers. Documented investigations of related attacks show connections to IP addresses including 179[.]60.147[.]4 on port 58731 and 108[.]62.118[.]160 on common Metasploit ports like 4444 and 1337. Communication with the server is structured using an efficient Type-Length-Value (TLV) protocol, which allows the threat actor to dynamically load extensions and run complex commands. 

To ensure it survives a Windows reboot, the Metasploit trojan makes concrete changes to the Windows operating system. Common persistence mechanisms include creating a new Windows Scheduled Task configured to re-run the malicious PowerShell script at system startup or user logon. It also modifies the Windows Registry, adding a new entry to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to automatically launch the script. In more sophisticated attacks, the malware may leverage Windows Management Instrumentation (WMI) event subscriptions for a stealthier, fileless persistence method.