The malicious script described in Xavier Mertens' analysis represents something far more insidious than its technical name suggests. When security professionals talk about "ADS" in this context, they're referring to Alternate Data Streams - additional NTFS data streams attached to a file, which Windows uses, among other things, to record where a file originated. But here's what this actually means for your business operations: attackers are actively manipulating how Windows perceives downloaded files, making malicious scripts appear as if they were created locally on your systems. (Source: ISC)
This isn't about removing advertisements from web pages. The script systematically strips away the digital fingerprints that security teams rely on to identify suspicious files during incident response. When forensic investigators examine a compromised system, they typically search for files marked as downloaded from the internet - these carry a :Zone.Identifier tag that flags them as potentially dangerous. By removing these markers, the malware essentially launders its own presence, blending in with legitimate system files.
The business implications extend beyond simple detection evasion. Organizations that rely on Data Loss Prevention (DLP) systems or compliance monitoring tools often use these file attributes to track how sensitive information moves through their networks. When malware strips these identifiers, it creates blind spots in your security visibility. Your automated scanning tools won't flag these files as suspicious downloads, and manual investigations become significantly more time-consuming and expensive.
What makes this particularly concerning is the delivery mechanism. The script arrives through PowerShell abuse - leveraging a legitimate Windows administration tool that exists on every corporate workstation. PowerShell commands execute with the same privileges as the logged-in user, meaning if someone in accounting or HR gets infected, the malware inherits their access to sensitive systems and data. The script copies itself to %APPDATA%\Microsoft\Windows\Templates\, a location that appears benign to most security software.
The persistence mechanism ensures the infection survives system reboots. By adding a registry entry to the Windows Run key, the malware guarantees it will execute every time the computer starts. This transforms a one-time infection into an ongoing security breach that could persist for months without detection. The longer these scripts remain active, the more opportunity they have to deploy additional payloads - in this case, DonutLoader, a known malware framework used for deploying ransomware and stealing credentials.
Financial services and healthcare organizations face particular exposure here. These sectors maintain strict audit requirements for file provenance and data handling. When malware manipulates file attributes, it potentially violates compliance requirements for tracking data lineage. Auditors expect clear documentation showing where files originated and how they moved through your systems. Without these markers, proving compliance becomes nearly impossible, potentially resulting in regulatory penalties beyond the immediate security incident costs.
The sophistication lies not in complex encryption or zero-day exploits, but in understanding how security teams operate. By targeting the very markers that investigators look for, this malware exploits procedural blind spots rather than technical vulnerabilities. It's a reminder that effective attacks often succeed by subverting our assumptions about how systems should behave rather than breaking them outright.
Attack Chain: From Initial Compromise to PowerShell Exploitation
The attack unfolds through a deceptively simple mechanism that security teams often overlook. The malicious script begins its lifecycle when it copies itself to %APPDATA%\Microsoft\Windows\Templates\dwm.cmd, establishing a foothold that persists across system reboots. This location choice isn't random - the Templates directory typically contains legitimate Microsoft files, allowing the malware to blend in with normal system operations.
The persistence mechanism relies on Windows registry manipulation through a straightforward command: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run". By creating an entry in this Run key, the script ensures automatic execution whenever the user logs in. This technique exploits Windows' built-in startup processes, making detection particularly challenging since legitimate applications use the same mechanism.
What makes this attack particularly sophisticated is its immediate post-copy behavior. The script executes a PowerShell command with specific flags: powershell -w h -c. The "-w h" parameter hides the PowerShell window entirely, preventing users from seeing any visual indication of script execution. This silent operation mode allows the malware to perform its Zone.Identifier removal operation without triggering user suspicion or generating visible console output.
The PowerShell component targets a specific Windows security feature that most administrators rely on for forensic analysis. The command attempts to remove the Zone.Identifier alternate data stream using Remove-Item -Path '%APPDATA%\Microsoft\Windows\Templates\dwm.cmd:Zone.Identifier'. This stream contains crucial metadata about file origin - whether it came from the internet (Zone 3), local intranet (Zone 1), or was created locally (Zone 0). By stripping this information, the malware eliminates a key indicator that incident responders use to identify downloaded threats.
The script's error handling reveals operational sophistication. The PowerShell command includes -ErrorAction SilentlyContinue wrapped in a try-catch block, ensuring that any failures during ADS removal don't generate error logs or crash the script. This defensive programming approach suggests the attackers anticipated various system configurations and security controls that might interfere with their operations.
According to the analysis, this initial compromise serves as a staging ground for more destructive payloads. The script later invokes another PowerShell instance that deploys DonutLoader onto the victim's system. DonutLoader represents a significant escalation in capability - it's a shellcode generation framework that can execute .NET assemblies, PE files, and other payloads directly in memory without touching disk. This transition from file-based persistence to memory-resident execution demonstrates a multi-stage attack architecture designed to evade different layers of security controls.
The choice of PowerShell as the primary execution vehicle exploits Windows' own administrative tools against itself. PowerShell provides direct access to .NET Framework capabilities, Windows Management Instrumentation, and Component Object Model interfaces. These legitimate administrative features become powerful weapons when repurposed for malicious operations. The script can query system information, modify configurations, download additional payloads, and execute complex attack chains - all while appearing as normal PowerShell activity in process lists.
This living-off-the-land approach makes traditional antivirus solutions ineffective. Since PowerShell is a signed Microsoft binary, reputation-based security tools won't flag its execution as suspicious. The combination of registry persistence, ADS manipulation, and PowerShell-based payload delivery creates an attack chain that bypasses multiple security layers while maintaining operational stealth throughout the compromise lifecycle.
Detection and Hunting: Finding DonutLoader Before It Strips Your Alternate Data Streams
Your PowerShell logs hold the key to catching this malware before it completes its deceptive mission. Hunt for PowerShell commands containing Remove-Item combined with :Zone.Identifier - this specific combination rarely appears in legitimate administrative tasks. The malware's distinctive PowerShell parameters -w h -c (short for -WindowStyle hidden -Command) create a unique signature that stands out in command-line auditing.
Configure your SIEM to flag any PowerShell execution that targets files in %APPDATA%\Microsoft\Windows\Templates\ with the .cmd extension. Legitimate Windows operations rarely touch command files in this directory.
The script's registry manipulation leaves breadcrumbs you can track. Monitor for new entries added to HKCU\Software\Microsoft\Windows\CurrentVersion\Run that point to files in the Templates folder. Set up Windows Event ID 4657 monitoring to capture registry value modifications in real time; note that 4657 is only generated when object access auditing is enabled and the Run key carries an audit SACL, so verify that configuration before relying on it. When you see a combination of registry persistence and Templates folder activity within a short timeframe, you've likely spotted the infection chain.
File system monitoring provides another detection layer. Watch for .cmd files being created in the Templates directory, especially those preceded by copy operations from temporary or download locations. The malware's self-copying behavior generates distinctive file creation patterns - the same content appearing in multiple locations within seconds.
Memory analysis reveals the DonutLoader payload that follows the initial script execution. Search process memory for shellcode patterns commonly associated with DonutLoader variants. Look for processes spawned by cmd.exe that subsequently launch PowerShell with encoded commands - this parent-child relationship indicates the progression from initial script to payload delivery.
Network traffic analysis can catch the malware's command and control communications. DonutLoader typically establishes HTTPS connections to newly registered domains shortly after execution. Monitor for TLS connections initiated by PowerShell or its child processes, particularly those reaching out to domains less than 30 days old.
Build behavioral detection rules that trigger on the complete attack sequence: registry modification plus PowerShell execution plus file creation in Templates plus network connection - all within a five-minute window. This correlation approach reduces false positives while maintaining high detection confidence.
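A defender-side illustration of the correlation rule above, written here as an added example (not code from the ISC analysis or the original post): it scores constructed process-creation and registry-modification records for the indicators listed in this section and raises one alert per host where ADS stripping and Run-key persistence land inside the five-minute window. The record field names, the regexes and the sample events are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # correlation window used in the text

# Indicators drawn from the analysis above; the regexes themselves are this example's.
HIDDEN_WINDOW = re.compile(r"(?i)(?<![\w-])-w(?:indowstyle)?\s+h(?:idden)?\b")
ADS_STRIP = re.compile(r"(?i)remove-item.*:Zone\.Identifier")
TEMPLATES_CMD = re.compile(r"(?i)\\Microsoft\\Windows\\Templates\\[^\\'\"\s]+\.cmd")
RUN_KEY = re.compile(r"(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$")

# Constructed records modelled on Event ID 4688 (process creation) and 4657 (registry
# value modified); the field names are this example's own, not Windows' schema.
EVENTS = [
    {"time": "2024-05-01T09:00:01", "id": 4688, "host": "WS01", "parent": "cmd.exe",
     "image": "powershell.exe",
     "cmdline": r"powershell -w h -c try{Remove-Item -Path 'C:\Users\a\AppData\Roaming"
                r"\Microsoft\Windows\Templates\dwm.cmd:Zone.Identifier' -ErrorAction SilentlyContinue}catch{}"},
    {"time": "2024-05-01T09:00:03", "id": 4657, "host": "WS01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Templates\dwm.cmd"},
    {"time": "2024-05-01T10:30:00", "id": 4688, "host": "WS02", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell -NoProfile -Command Get-ChildItem C:\\Logs"},
]

def score_process_event(ev):
    """Return the indicator names a process-creation record matches."""
    cmd = ev.get("cmdline", "")
    hits = [name for name, rx in (("hidden_window", HIDDEN_WINDOW), ("ads_strip", ADS_STRIP),
                                  ("templates_cmd", TEMPLATES_CMD)) if rx.search(cmd)]
    if ev.get("parent", "").lower() == "cmd.exe" and ev.get("image", "").lower() == "powershell.exe":
        hits.append("cmd_spawns_powershell")
    return hits

def is_run_key_persistence(ev):
    """True when a registry record points the HKCU Run key at a Templates\\*.cmd file."""
    return bool(RUN_KEY.search(ev.get("key", ""))) and bool(TEMPLATES_CMD.search(ev.get("value", "")))

def correlate(events):
    """Alert once per host where ADS stripping and Run-key persistence fall within WINDOW."""
    seen = defaultdict(lambda: {"strip": [], "persist": []})
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4688 and "ads_strip" in score_process_event(ev):
            seen[ev["host"]]["strip"].append(t)
        elif ev["id"] == 4657 and is_run_key_persistence(ev):
            seen[ev["host"]]["persist"].append(t)
    return sorted(host for host, b in seen.items()
                  if any(abs(s - p) <= WINDOW for s in b["strip"] for p in b["persist"]))
```

The benign administrative run on WS02 produces no indicators at all, which is what keeps the correlated alert limited to WS01.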
For immediate threat hunting, query your endpoint detection tools for any PowerShell scripts that attempted to manipulate Alternate Data Streams in the past 90 days. Focus particularly on scripts that used the -ErrorAction SilentlyContinue parameter to suppress error messages - legitimate administrators rarely need to hide PowerShell errors.
Deploy canary files with specific Zone.Identifier values in common malware staging directories. When these ADS attributes disappear, you know something is actively stripping file zone information from your systems. This early warning system gives you precious time to investigate before the DonutLoader payload activates.
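The zone values described in the attack-chain section and the canary idea above, worked as an added example (not code from the ISC analysis or the original post): it parses the text that lives inside a Zone.Identifier stream and compares a set of canary files against the zones they were planted with. The canary paths and stream contents are constructed; read_stream is this example's own helper and only returns real data on NTFS.

```python
# Zone ids as recorded in the [ZoneTransfer] section; these are Windows' URL security zones.
ZONE_NAMES = {0: "My Computer (local)", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

def read_stream(path):
    """Read a file's Zone.Identifier stream; None when the stream (or NTFS) is absent."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def parse_zone_identifier(text):
    """Parse the INI-style stream content; None means the stream was stripped."""
    if text is None:
        return None
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    zone = int(fields["zoneid"]) if fields.get("zoneid", "").isdigit() else None
    return {"zone": zone, "zone_name": ZONE_NAMES.get(zone, "unknown"),
            "referrer": fields.get("referrerurl"), "host": fields.get("hosturl")}

def audit_canaries(expected, observed):
    """Report each canary as ok, stripped, or altered:<zone> against its planted zone."""
    report = {}
    for path, planted in expected.items():
        info = parse_zone_identifier(observed.get(path))
        if info is None:
            report[path] = "stripped"
        elif info["zone"] != planted:
            report[path] = f"altered:{info['zone']}"
        else:
            report[path] = "ok"
    return report

# Constructed canaries and the stream contents a collector might have gathered.
TEMPLATES = r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Templates"
CANARIES = {TEMPLATES + r"\canary1.txt": 3, TEMPLATES + r"\canary2.txt": 3, TEMPLATES + r"\canary3.txt": 3}
OBSERVED = {
    TEMPLATES + r"\canary1.txt": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://canary.example.invalid/c1.txt\r\n",
    TEMPLATES + r"\canary2.txt": None,                             # stream gone: something stripped it
    TEMPLATES + r"\canary3.txt": "[ZoneTransfer]\r\nZoneId=0\r\n",  # rewritten to look locally created
}
```

On a real host, feed audit_canaries with {path: read_stream(path)} collected from the planted files; a "stripped" or "altered" result is the early warning the paragraph above describes.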
Immediate Response Actions and Containment
When your security team discovers evidence of DonutLoader activity, the clock starts ticking. Every hour matters as this malware prepares to deploy its final payload while masking its presence through ADS manipulation.
Next 24 Hours: Isolate and Audit
Begin by isolating any system where you've detected registry modifications to HKCU\Software\Microsoft\Windows\CurrentVersion\Run containing references to .cmd files. These machines need immediate network segmentation - the malware hasn't revealed its full capabilities yet, and that final PowerShell invocation could trigger lateral movement attempts.
Revoke all cached credentials on affected systems: use klist purge to clear Kerberos tickets, and rundll32.exe keymgr.dll,KRShowKeyMgr to open the Stored User Names and Passwords dialog and remove saved Windows credentials. The script's ability to execute with user privileges means any stored authentication tokens become potential escalation paths.
Audit your file servers for recently modified .cmd files, particularly those missing Zone.Identifier streams. Use PowerShell's Get-Item -Stream * to identify files where ADS has been stripped - legitimate administrative scripts rarely undergo this modification.
Within One Week: Deploy Detection Infrastructure
Configure your EDR solution to trigger on PowerShell executions containing the parameter combination -ErrorAction SilentlyContinue when paired with file deletion operations. This specific error suppression technique appears consistently in DonutLoader deployment chains.
Review Windows Event ID 4688 (Process Creation) logs for cmd.exe spawning PowerShell processes with hidden window styles. The malware's reliance on -w h parameters creates a distinctive process tree that legitimate administrative tasks rarely replicate. Command-line arguments appear in 4688 only when the "Include command line in process creation events" policy is enabled, so confirm that setting first.
Implement file integrity monitoring on the %APPDATA%\Microsoft\Windows\Templates\ directory. Any new .cmd or .bat files appearing here warrant immediate investigation - Windows doesn't naturally populate this location with executable scripts.
Long-term Hardening: Breaking the Attack Chain
Deploy AppLocker or Windows Defender Application Control policies that restrict PowerShell execution to signed scripts only. The malware's dependence on unsigned PowerShell one-liners makes this control particularly effective.
Enable PowerShell Script Block Logging through Group Policy (Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell). This captures the full text of scripts even when they're obfuscated or executed through encoded commands.
Segment systems that handle sensitive file operations from general workstations. The malware's file manipulation capabilities suggest attackers are targeting systems with elevated file system permissions - isolating these reduces blast radius.
Keep Windows Defender's scanning of downloaded files and attachments (IOAV protection) enabled: the registry value HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection must be 0 or absent. This is the check that inspects a file as it arrives from the internet, before a script has the chance to strip its Zone.Identifier stream.
Most critically, implement a file creation monitoring rule for any process writing to startup locations immediately followed by PowerShell executions. This sequence - copy, then strip ADS - represents the malware's core operational pattern and rarely occurs in legitimate software deployment.
Why Ad Networks Are Prime Targets and the Business Risk Beyond Malware
The technical analysis of ADS manipulation reveals something more troubling than malware persistence - it exposes why advertising technology infrastructure has become a goldmine for cybercriminals. When attackers develop scripts specifically designed to manipulate file attributes and hide their origins, they're not just evading detection; they're positioning themselves to exploit the complex financial flows that power digital advertising.
Consider the economics at play here. A single compromised ad server can redirect millions of impressions per day, each worth fractions of a cent that accumulate into substantial revenue streams. Attackers who successfully embed themselves in advertising infrastructure gain access to automated payment systems that process transactions continuously, often with minimal human oversight.
The financial incentive structure makes ad networks particularly attractive targets. Unlike ransomware that demands one-time payments, ad fraud generates passive income streams that can run for months before detection. Cybercriminals have discovered they can earn more through sustained ad manipulation than through traditional data theft or system disruption.
Your advertising partners represent a critical vulnerability that most security assessments overlook. When malware strips identifying markers from files - as demonstrated in the ADS removal technique - it creates plausible deniability for fraudulent traffic. Advertisers struggle to distinguish between legitimate impressions and bot-generated clicks when the underlying infrastructure appears clean.
The reconciliation nightmare begins when monthly billing cycles reveal discrepancies. Marketing departments report campaign metrics that don't align with actual conversions. Finance teams discover payments for traffic that never reached real users. Legal departments face contract disputes with advertisers demanding refunds for fraudulent impressions they unknowingly purchased.
Regulatory exposure compounds these operational challenges. The Federal Trade Commission has intensified scrutiny of digital advertising practices, particularly around transparency and fraud prevention. Companies that fail to detect compromised ad infrastructure face potential investigations, not as victims but as negligent participants in fraud schemes.
The liability cascade extends beyond direct financial losses. When your systems serve malicious advertisements or redirect traffic to competitor sites, brand reputation suffers immediate and lasting damage. Partners question the integrity of your entire technology stack. Customers lose trust in your ability to protect their browsing experience.
Insurance complications arise when determining coverage for ad fraud losses. Many cyber policies exclude "voluntary" payments - and automated ad transactions often fall into gray areas of coverage. Insurers argue that companies should have detected anomalous traffic patterns before processing payments, shifting liability back to the victim organization.
The competitive intelligence angle adds another dimension to the threat. Sophisticated attackers don't just steal ad revenue; they harvest campaign data, pricing strategies, and customer targeting parameters. This intelligence enables competitors - whether legitimate businesses or criminal enterprises - to undercut pricing and poach customers with surgical precision.
Supply chain risks multiply when considering programmatic advertising networks. Your organization might maintain robust security, but if upstream ad exchanges or downstream publishers suffer compromise, fraudulent traffic flows through legitimate channels. The interconnected nature of modern advertising technology means a breach anywhere becomes a breach everywhere.