Security: Expected behaviour?


#1

Hello,
I am a network security analyst at a financial company and a user of Atom. Whilst reviewing some logs I noticed some strange behavior spawning from the atom.exe process.

After launching atom.exe a process called update.exe executed and then wrote and executed a powershell script: C:\Windows\Temp\jtdmzqfz.vbh.ps1

Can anyone tell me if this behavior is legitimate/expected by Atom?
I have attached screenshots!


#2

Waiting for a definitive answer from the Atom team, but I really think this is only the Atom updater that is looking for updates. It requests a web page to see if a new version is available or not, and if so downloads the update.


#4

Thanks for your response! I totally understand that it contacts a webpage, we can see that on our processes monitor but that does not explain why a powershell script is written to disk, executed and then deleted.


#5

I imagine this is because the update process will not just check the atom’s version but also packages’ one, and maybe also because this is the PowerShell script that updates Atom (a program can’t re-write itself while it is running). To be confirmed by the team, though.


#6

Let's hope that your imagination prevails to be true in this case!
For some added clarity below is another screenshot showing the Powershell process. The command line that executes it:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -ExecutionPolicy RemoteSigned -command [Console]::OutputEncoding=[System.Text.Encoding]::UTF8$output=[environment]::GetEnvironmentVariable('Path','User')[Console]::WriteLine($output)


#7

Here is a list of file modifications that the Powershell process makes:

|Time|Event type|Action|
|---|---|---|
|2017-12-12 16:12:21.706 GMT|filemod|First wrote to c:\users\XYZ123\appdata\roaming\microsoft\windows\recent\customdestinations\tvsnrpeayi6gsa2u2g1p.temp|
|2017-12-12 16:12:21.706 GMT|filemod|Created c:\users\XYZ123\appdata\roaming\microsoft\windows\recent\customdestinations\tvsnrpeayi6gsa2u2g1p.temp|
|2017-12-12 16:12:21.722 GMT|filemod|First wrote to c:\users\XYZ123\appdata\roaming\microsoft\windows\recent\customdestinations\590aee7bdd69b59b.customdestinations-ms~rf2b70cf3f.tmp|
|2017-12-12 16:12:21.722 GMT|filemod|Deleted c:\users\XYZ123\appdata\roaming\microsoft\windows\recent\customdestinations\590aee7bdd69b59b.customdestinations-ms|
|2017-12-12 16:12:21.722 GMT|filemod|Created c:\users\XYZ123\appdata\roaming\microsoft\windows\recent\customdestinations\590aee7bdd69b59b.customdestinations-ms|
|2017-12-12 16:12:21.722 GMT|filemod|First wrote to c:\users\XYZ123\appdata\roaming\microsoft\windows\recent\customdestinations\590aee7bdd69b59b.customdestinations-ms|
|2017-12-12 16:12:21.722 GMT|filemod|Deleted c:\users\XYZ123\appdata\roaming\microsoft\windows\recent\customdestinations\tvsnrpeayi6gsa2u2g1p.temp|
|2017-12-12 16:12:21.722 GMT|filemod|Created c:\users\XYZ123\appdata\roaming\microsoft\windows\recent\customdestinations\590aee7bdd69b59b.customdestinations-ms~rf2b70cf3f.tmp|
|2017-12-12 16:12:21.737 GMT|filemod|Deleted c:\users\XYZ123\appdata\roaming\microsoft\windows\recent\customdestinations\590aee7bdd69b59b.customdestinations-ms~rf2b70cf3f.tmp|
|2017-12-12 16:12:21.882 GMT|regmod|First wrote to \registry\user\s-1-5-21-94197280-668744178-145704350-103193_classes\local settings\muicache\28d\52c64b7e\languagelist|
|2017-12-12 16:12:21.975 GMT|filemod|Created c:\users\XYZ123\appdata\local\temp\hmi3gchj.fqp.ps1|
|2017-12-12 16:12:21.975 GMT|filemod|First wrote to c:\users\XYZ123\appdata\local\temp\hmi3gchj.fqp.ps1|
|2017-12-12 16:12:21.975 GMT|filemod|Created c:\users\XYZ123\appdata\local\temp\an1y4vqk.k2h.psm1|
|2017-12-12 16:12:21.975 GMT|filemod|First wrote to c:\users\XYZ123\appdata\local\temp\an1y4vqk.k2h.psm1|
|2017-12-12 16:12:21.991 GMT|filemod|Deleted c:\users\XYZ123\appdata\local\temp\hmi3gchj.fqp.ps1|
|2017-12-12 16:12:21.991 GMT|filemod|Deleted c:\users\XYZ123\appdata\local\temp\an1y4vqk.k2h.psm1|
|2017-12-12 16:12:22.038 GMT|filemod|Deleted c:\users\XYZ123\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive|
|2017-12-12 16:12:22.038 GMT|filemod|Created c:\users\XYZ123\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive|
|2017-12-12 16:12:22.038 GMT|filemod|First wrote to c:\users\XYZ123\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive|
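The file-modification rows above are the kind of evidence an analyst has to triage: short-lived, randomly named PowerShell scripts in a temp directory look alarming on their own, and the useful question is how long each file existed and which process owned it. The script below is an added example written for this thread; it is not code from the thread, from Atom or from Squirrel.Windows. It parses rows in the pipe-delimited layout quoted above (the sample is a constructed subset of those rows), pairs each "Created" event with its "Deleted" event, and reports script files under a `\temp\` directory that were removed within a configurable window, together with whether the name matches the eight-plus-three random pattern seen in the log. The thresholds, extension list and `Event` field names are this example's own choices, not a CarbonBlack schema.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: a subset of the CarbonBlack "filemod"/"regmod" rows quoted in
# post #7 of this thread, so the example runs offline.
SAMPLE_LOG = r"""
|2017-12-12 16:12:21.882 GMT|regmod|First wrote to \registry\user\s-1-5-21-94197280-668744178-145704350-103193_classes\local settings\muicache\28d\52c64b7e\languagelist |
|2017-12-12 16:12:21.975 GMT|filemod|Created c:\users\XYZ123\appdata\local\temp\hmi3gchj.fqp.ps1 |
|2017-12-12 16:12:21.975 GMT|filemod|First wrote to c:\users\XYZ123\appdata\local\temp\hmi3gchj.fqp.ps1 |
|2017-12-12 16:12:21.975 GMT|filemod|Created c:\users\XYZ123\appdata\local\temp\an1y4vqk.k2h.psm1 |
|2017-12-12 16:12:21.975 GMT|filemod|First wrote to c:\users\XYZ123\appdata\local\temp\an1y4vqk.k2h.psm1 |
|2017-12-12 16:12:21.991 GMT|filemod|Deleted c:\users\XYZ123\appdata\local\temp\hmi3gchj.fqp.ps1 |
|2017-12-12 16:12:21.991 GMT|filemod|Deleted c:\users\XYZ123\appdata\local\temp\an1y4vqk.k2h.psm1 |
|2017-12-12 16:12:22.038 GMT|filemod|Deleted c:\users\XYZ123\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive |
|2017-12-12 16:12:22.038 GMT|filemod|Created c:\users\XYZ123\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive |
"""

# One row: |timestamp GMT|kind|action path |
ROW = re.compile(
    r"^\|(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) GMT"
    r"\|(?P<kind>filemod|regmod)"
    r"\|(?P<action>First wrote to|Created|Deleted) (?P<path>.*?)\s*\|$"
)

# Extensions and directory marker are this example's choices (assumptions).
SCRIPT_EXTS = (".ps1", ".psm1", ".psd1", ".vbs", ".bat", ".cmd")
TEMP_MARKER = "\\temp\\"          # matches both \appdata\local\temp\ and \windows\temp\
RANDOM_NAME = re.compile(r"^[a-z0-9]{8}\.[a-z0-9]{3}\.[a-z0-9]+$")


@dataclass
class Event:
    ts: datetime
    kind: str      # "filemod" or "regmod"
    action: str    # "Created", "First wrote to" or "Deleted"
    path: str      # normalised to lower case for pairing


def parse_rows(text):
    """Turn the pipe-delimited rows into Event objects; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # blank line, header or separator row
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(Event(ts, m["kind"], m["action"], m["path"].lower()))
    return events


def find_transient_scripts(events, max_lifetime_s=5.0):
    """Pair Created/Deleted events per path and report script files in a temp
    directory that were deleted within max_lifetime_s of creation."""
    created = {}
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):   # stable sort keeps row order on ties
        if ev.kind != "filemod":
            continue
        if ev.action == "Created":
            created[ev.path] = ev.ts
        elif ev.action == "Deleted" and ev.path in created:
            lifetime = (ev.ts - created.pop(ev.path)).total_seconds()
            if (ev.path.endswith(SCRIPT_EXTS)
                    and TEMP_MARKER in ev.path
                    and lifetime <= max_lifetime_s):
                name = ev.path.rsplit("\\", 1)[-1]
                findings.append({
                    "path": ev.path,
                    "lifetime_s": lifetime,
                    "random_name": bool(RANDOM_NAME.match(name)),
                })
    return findings


if __name__ == "__main__":
    for f in find_transient_scripts(parse_rows(SAMPLE_LOG)):
        print(f"{f['path']}  lived {f['lifetime_s'] * 1000:.0f} ms  random-name={f['random_name']}")
```

Files that live for tens of milliseconds cannot be recovered from disk afterwards, so a finding like this is a prompt to correlate the timestamp with the parent process chain (atom.exe, update.exe, powershell.exe) and, where PowerShell script block logging is enabled, with the logged script content, rather than a verdict on its own.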


#8

Is it possible for someone from Atom to reach out to me ASAP? We are very concerned about this behavior.


#9

@Cranefield with the holidays approaching it might take us until after New Year's to give you an answer, but I've let the team know about this.


#10

It looks like the code:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -ExecutionPolicy RemoteSigned -command [Console]::OutputEncoding=[System.Text.Encoding]::UTF8$output=[environment]::GetEnvironmentVariable('Path','User')[Console]::WriteLine($output)

can be found in atom/win-powershell.coffee. Specifically:

This is explained to be required by:

which was to address:

I was able to find all of this through some targeted use of the GitHub search functions, mostly searching for powershell, ps1, and [environment]::GetEnvironmentVariable.

So, to answer your question, yes, it is expected for Atom to launch a PowerShell process and execute the GetEnvironmentVariable code. As for why update.exe might create a PowerShell script, you might want to look into the code of the Squirrel.Windows project since that is what we’re using for Atom’s auto-update process.

All of Atom’s source code is open source. So you don’t have to take our word for it that Atom isn’t doing something nefarious, you can check for yourself :grinning:


#11

@leedohm:
…it would have been nice to have an option to opt-in
or at least opt-out of having this type behaviour.

Is that not what Settings -> Core -> Automatically Update is for?


@Cranefield:
What did you use for your analysis?
How about renaming / replacing the Update.exe file?


#12

Thanks for getting back to me. Hopefully we can get a definitive response this side of the new year!


#13

@danPadric We used CarbonBlack to grab this analysis. I will try out the Update.exe and post my findings.


#14

Thanks for this response @leedohm
This makes me much more comfortable, but why does this create many oddly named scripts and files on the disk? See my above comment for "Filemods" aka file modifications.