Threat actors have been utilizing a modified version of the SharpHide tool to create hidden registry values, significantly complicating detection and deletion efforts.

SharpHide leverages a technique documented by eWhiteHats researchers: it creates hidden registry keys by prepending two wide-character (wchar) nulls to the registry path. Andrew Petrus, a threat analyst at Sophos, noted that this method effectively hides the entries from view in the Registry Editor, because the Registry Editor cannot handle null characters properly.

When executed with administrator privileges, the malicious script creates the hidden values within the WOW6432Node branch instead of the standard SOFTWARE branch. This discrepancy is due to registry redirection, where Windows automatically redirects registry writes from 32-bit processes to the WOW6432Node branch on 64-bit systems. Because the technique also exploits this redirection, standard tools find it challenging to identify and remove these stealthy persistence mechanisms. These methods exploit weaknesses in how Windows handles registry entries, making detection and removal difficult.

SharpDelete is designed to remove hidden registry values used for persistence, handling both standard and redirected registry paths. It allows users to specify custom registry locations, giving greater flexibility in detecting and removing stealthy persistence mechanisms. The tool's interactive output, as reproduced in the report:

```text
[+] SharpDelete by Andrew Petrus - Tool to delete hidden registry values created by SharpHide
Select a registry path to remove the hidden value:
1.
Enter a custom registry path (Administrator privileges required for HKLM and most HKCR paths)
Enter your choice: 3
[+] Deleting hidden registry key in HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
[+] Key successfully deleted.
```
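The reason these values are hidden is that the Win32 registry API and regedit treat a value name as NUL-terminated, so a name that starts with null characters is truncated to an empty string, while the kernel stores the name as a length-prefixed UNICODE_STRING. A defender can therefore find such values by enumerating with the native NtEnumerateValueKey call, which returns the full length-prefixed name, and flagging any name that contains an embedded '\0'. The scanner below is an added example written for this article; it is not SharpDelete's or SharpHide's code. It assumes a 64-bit Windows host and .NET Framework or .NET with the Microsoft.Win32.Registry package; the Run-key paths it checks are the standard autostart locations, and it opens them through the 64-bit registry view so that the scanner itself is never redirected to WOW6432Node, which is exactly the redirection the article describes.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using Microsoft.Win32;

// Added example (not part of SharpDelete): detect registry values whose names contain
// embedded NUL characters, which regedit and the Win32 API cannot display correctly.
class HiddenValueScanner
{
    // Native NT API: returns the length-prefixed value name, NULs included.
    [DllImport("ntdll.dll")]
    static extern int NtEnumerateValueKey(IntPtr keyHandle, uint index, int infoClass,
        IntPtr info, uint length, out uint resultLength);

    const int KeyValueBasicInformation = 0;        // KEY_VALUE_INFORMATION_CLASS
    const uint STATUS_NO_MORE_ENTRIES = 0x8000001A;
    const int BufferSize = 65536;

    // Enumerate every value under hive\subKey and return the names that embed '\0'.
    // The key is opened in the 64-bit view so the path is taken literally (no WOW64 redirection).
    static List<string> FindHiddenValueNames(RegistryHive hive, string subKey)
    {
        var hidden = new List<string>();
        using (RegistryKey baseKey = RegistryKey.OpenBaseKey(hive, RegistryView.Registry64))
        using (RegistryKey key = baseKey.OpenSubKey(subKey, writable: false))
        {
            if (key == null) return hidden;               // key absent on this host
            IntPtr handle = key.Handle.DangerousGetHandle();
            IntPtr buffer = Marshal.AllocHGlobal(BufferSize);
            try
            {
                for (uint i = 0; ; i++)
                {
                    uint needed;
                    int status = NtEnumerateValueKey(handle, i, KeyValueBasicInformation,
                                                     buffer, BufferSize, out needed);
                    if ((uint)status == STATUS_NO_MORE_ENTRIES) break;
                    if (status < 0)                        // any other NTSTATUS failure
                    {
                        Console.WriteLine("[-] NtEnumerateValueKey failed: 0x{0:X8}", status);
                        break;
                    }
                    // KEY_VALUE_BASIC_INFORMATION layout:
                    //   ULONG TitleIndex; ULONG Type; ULONG NameLength; WCHAR Name[];
                    int nameBytes = Marshal.ReadInt32(buffer, 8);
                    string name = Marshal.PtrToStringUni(IntPtr.Add(buffer, 12), nameBytes / 2);
                    if (name.IndexOf('\0') >= 0)
                        hidden.Add(name);
                }
            }
            finally
            {
                Marshal.FreeHGlobal(buffer);
            }
        }
        return hidden;
    }

    // Render embedded NULs visibly so the finding can be logged and acted on.
    static string Escape(string s) => s.Replace("\0", "\\0");

    static void Main()
    {
        // Standard autostart keys; the WOW6432Node entry is where a 32-bit process's
        // writes to HKLM\SOFTWARE\...\Run land on 64-bit Windows.
        var targets = new (RegistryHive hive, string path)[]
        {
            (RegistryHive.LocalMachine, @"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
            (RegistryHive.LocalMachine, @"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"),
            (RegistryHive.CurrentUser,  @"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
        };

        foreach (var (hive, path) in targets)
        {
            var names = FindHiddenValueNames(hive, path);
            Console.WriteLine("[*] {0}\\{1}: {2} hidden value(s)", hive, path, names.Count);
            foreach (var n in names)
                Console.WriteLine("    [!] value name \"{0}\" ({1} chars)", Escape(n), n.Length);
        }
    }
}
```

Reading HKLM requires no elevation for enumeration, so this can run as a scheduled check from an ordinary account; the same handle and name could be passed to NtDeleteValueKey to remove a finding, which is the step SharpDelete performs. Treat any value name that contains a NUL as suspicious: no legitimate installer creates one.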
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 17 Feb 2025 07:05:09 +0000