{
	"id": "c7cb34f2-69c4-475f-8266-0bda06a33db7",
	"created_at": "2026-04-10T03:21:43.022244Z",
	"updated_at": "2026-04-10T13:11:24.657188Z",
	"deleted_at": null,
	"sha1_hash": "03d7717e972893c3991c3b8430ec349b3e4ad23d",
	"title": "Remediate “Hidden” Malware with RTR",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 848739,
	"plain_text": "Remediate “Hidden” Malware with RTR\r\nBy David Rojas and Mark Robinson\r\nArchived: 2026-04-10 02:16:35 UTC\r\nMalware remediation is not always clear-cut. In this blog post, the CrowdStrike® Falcon Complete™ and Endpoint Recovery Services teams take you behind the scenes to highlight just one of the numerous challenges we face on a regular basis while remediating obfuscated or hidden malware. The steps outlined below give Falcon analysts guidance on solving similar problems in their own environments. For the most part, our remediation efforts use Microsoft PowerShell via the Falcon Real Time Response (RTR) console or the RTR API. On occasion, we discover malware obfuscating file names with unusual characters or language encodings in order to evade detection or complicate recovery. Remediating files and folders like this with PowerShell sometimes takes a little more effort than simply invoking the Remove-Item cmdlet or the built-in RTR command rm. One example is an old and familiar trojan, Andromeda, which uses a non-breaking space (NBSP) character in its USB spreader plugin.\r\nThreat Background and Context\r\nAndromeda is a modular trojan that was used primarily as a downloader to deliver additional malware payloads, including banking trojans. It is often bundled and sold with plugins that extend its functionality, including a rootkit, HTML form grabber, keylogger and a SOCKS proxy [1]. Prior to its takedown on November 29, 2017, Andromeda was one of the most popular trojans used by Russian and Eastern European cybercriminals. One variation of the malware was found to include a USB spreader plugin whose command-and-control (C2) protocol used a Domain Generation Algorithm (DGA) to complicate takedown efforts. 
Despite the takedown, we continue to see detections in customer environments on a daily basis for infected USB drives. Remediating these drives helps reduce alert fatigue and prevents the spread of this malware to other hosts that do not have the CrowdStrike Falcon® sensor installed.\r\nIn this blog, our focus is on an obfuscation technique that Andromeda’s USB spreader plugin uses to make sure its payload gets executed by the user.\r\nHiding in Plain Sight\r\nOnce the malware has infected the host, its goal is to move laterally and continue to worm its way to additional hosts. To accomplish this, the USB spreader plugin is used in conjunction with a social engineering tactic: it presents the user with a malicious shortcut (.LNK file) pointing into a hidden folder on the root of the infected USB drive. This hidden folder contains the user’s own data, which the malware has moved there without the user’s knowledge. The user is thus led to click the malicious shortcut, which executes the hidden DLL dropper while at the same time opening an Explorer window on the folder of data they were looking for. The user is none the wiser, the payload has executed successfully, and the infection has spread to another host.\r\nhttps://www.crowdstrike.com/blog/how-to-remediate-hidden-malware-real-time-response/\r\nPage 1 of 8\n\nFigure 1. Malicious shortcut and hidden directory (click image to enlarge)\r\nAs previously mentioned, Andromeda’s USB spreader plugin uses a non-printing non-breaking space character (NBSP, U+00A0, decimal 160; see Figure 1.2) as the name of the obfuscated folder it creates on the root of the USB drive, setting both the hidden and system attributes on it (see Figure 1). 
It then moves all files and directories on the drive into this folder and creates three additional files with the following names:\r\ndesktop.ini (sets the folder icon to appear as a USB drive)\r\n\u003calgorithmically generated filename\u003e (DLL dropper)\r\nIndexerVolumeGuid (contains the second-stage payload)\r\nFigure 1.2. Identifying the Unicode decimal value of the directory name (click image to enlarge)\r\nThe general purpose of the NBSP character is to prevent a word pair from being split across lines as you type text in word-processing software. While you type, if a word does not fit on the current line, it drops down to the next line. To prevent that from happening while writing, for example, “100 km”, you can use a non-breaking space to keep the two parts together as one “word.”\r\nTo the user, the character simply looks like a normal \"space\" character. Consequently, parsing the file path becomes a little more complicated via PowerShell’s command line interface: a regular space typed in its place names a different, nonexistent path.\r\nFigure 2. Contents of an Andromeda USB spreader .LNK file (NOTE: “SAMSUNG” is the name of the drive used in this example and is not otherwise involved with the botnet) [2]\r\nIf we look closely at Figure 2, we can see the character \"ÿ\" in place of the NBSP character in the path (a byproduct of the character being re-encoded into something printable on its way through PowerShell and the RTR API). The Arguments property of the shortcut file is formatted in the following manner:\r\nHiddenFolder\\EncryptedDropperDLL,EntryPointFunction\r\nWithin the Falcon Detections app, we would likely observe the explorer.exe process spawning rundll32.exe when the user clicks the shortcut to access their data. 
Reviewing the command line in the screenshot in Figure 2.1, we see the DLL filename and entry point in the COMMAND LINE field. The DLL filename is:\r\n--_-_-_--_-_____-_--_-_-_----____--_---_-_--__-_-_-__.{1D5906E3-DAB2-42A6-91B0-0EEF01E691AE}\r\nThe entry point function is displayed as:\r\nFPR8puhjQK463G0E\r\nIn this specific example, we also see that the malware was blocked by the Falcon sensor when the rundll32.exe command was executed, effectively neutralizing the threat.\r\nFigure 2.1. Example Andromeda USB spreader detection in the Falcon UI (click image to enlarge)\r\nWe can confirm that the detection is the result of an infected USB device being connected to the host by pivoting from the detection to the Event Search app and searching for USB device information (Figure 2.2) using the built-in Splunk query language. Comparing the blocked process start time with the DcUsbDeviceConnected/RemoveableMediaVolumeMounted event timestamps, we want to determine whether the drive was connected just prior to the blocked process start. That usually indicates the malware attempted to run right after the drive was connected to the computer.\r\nFigure 2.2. USB device information query via the Event Search app (click image to enlarge)\r\nNext, Figure 3 shows the output of listing files and folders on the root of the infected drive. We can see that the “Name” field appears blank. NOTE: The RTR-native “ls” command reveals hidden and system files by default. This is why the Andromeda-created, obfuscated directory is shown.\r\nFigure 3. 
Directory listing at the root of the USB drive (click image to enlarge)\r\nOur next screenshot (Figure 4) demonstrates an attempt to list the contents of the obfuscated directory using A) a regular space as the name, resulting in an error, and B) the NBSP character itself, entered by typing Option+Space on macOS or Ctrl+Alt+Space/Ctrl+Space on Windows, resulting in a list of all of the files in the folder, including the Andromeda malware. This is done using the native “ls” command in RTR.\r\nFigure 4. A) List files using a “space,” and B) list files using the “NBSP” character (click image to enlarge)\r\nWe can achieve the same result with the NBSP character via the Edit \u0026 Run Scripts console by using the following command (Figure 5), where the character between the two backslashes is the NBSP typed with the keyboard shortcut above, not a regular space:\r\nGet-ChildItem 'E:\\ \\' -Force | Out-String\r\nNOTE: Due to the way the Edit \u0026 Run Scripts console works (and the RTR API), we need to pipe the cmdlet to Out-String for readability in the console or API output.\r\nFigure 5. List files in the obfuscated directory via Edit \u0026 Run Scripts (click image to enlarge)\r\nAlthough using the keyboard shortcut to enter the NBSP character will work in the RTR console, our preferred method is to build the character from its code point with a [char] cast inside a subexpression, and to pass the path with the -LiteralPath parameter so that PowerShell takes it exactly as given (no wildcard expansion). This removes the risk of the invisible NBSP character being dropped or converted to a regular space when code is copied and pasted:\r\nGet-ChildItem -LiteralPath E:\\$([char]0xA0)\\ -Force | Out-String\r\nNOTE: The trailing backslash in the path is necessary; otherwise the command returns the directory listing of the root of the drive.\r\nRemediation\r\nSo far we’ve covered a couple of different methods of getting around Andromeda’s attempts to obfuscate the malware in a hidden directory. 
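The listing steps above, as an added example that is not code from the original post or from CrowdStrike: a PowerShell function that scans a drive root for names containing non-printing or non-ASCII whitespace characters and reports their code points, followed by opening the NBSP-named directory with -LiteralPath. It goes beyond the single NBSP case by flagging any Unicode whitespace, control or format character (ideographic space, zero-width characters, bidi overrides and the like). The drive letter E: and the function name are assumptions.

```powershell
# Added example, not from the CrowdStrike post. Assumes the infected USB drive
# is mounted as E: (change -Root as needed). Run it from the RTR Edit & Run
# Scripts console or any PowerShell session with access to the drive.

function Find-ObfuscatedNames {
    param(
        [string]$Root = 'E:\\',
        [switch]$Recurse
    )

    # -Force lists hidden and system entries, the same as the RTR-native ls.
    Get-ChildItem -LiteralPath $Root -Force -Recurse:$Recurse | ForEach-Object {
        $name  = $_.Name
        $flags = @()
        for ($i = 0; $i -lt $name.Length; $i++) {
            $c   = $name[$i]
            $cat = [System.Globalization.CharUnicodeInfo]::GetUnicodeCategory($c)
            # Flag anything invisible that is not a plain ASCII space:
            # NBSP (U+00A0), ideographic space, zero-width characters,
            # bidi overrides, control characters.
            if (($c -ne ' ' -and [char]::IsWhiteSpace($c)) -or
                $cat -eq 'Control' -or $cat -eq 'Format') {
                $flags += ('U+{0:X4} at index {1}' -f [int]$c, $i)
            }
        }
        # A name made only of whitespace (the Andromeda case) renders blank in
        # listings, so report it even when Trim() leaves nothing behind.
        if ($flags.Count -gt 0 -or $name.Trim().Length -eq 0) {
            [pscustomobject]@{
                FullName   = $_.FullName
                Attributes = $_.Attributes
                CodePoints = ($name.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
                Flags      = $flags -join '; '
            }
        }
    }
}

# Usage: list every suspicious entry on the drive (Out-String for RTR output).
Find-ObfuscatedNames -Root 'E:\\' | Format-List | Out-String

# Build the literal path from the code point, trailing backslash included, and
# list the directory. -LiteralPath also stops [ ] or * in a name from being
# treated as wildcards, which matters for attacker-chosen file names.
$hidden = 'E:\\' + [char]0xA0 + '\\'
Get-ChildItem -LiteralPath $hidden -Force | Out-String
```

The CodePoints column is the part worth keeping in the case notes: it records exactly which characters the malware used, so a teammate can reproduce the path without guessing at keyboard shortcuts.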
Empowered with this knowledge, we’ll demonstrate how to easily remove the malware and recover the user’s data back to the root of the drive.\r\nFigure 6. Remove malware artifacts from the drive (click image to enlarge)\r\nUsing PowerShell’s Remove-Item cmdlet (Figure 6), we can now delete each of the malicious artifacts. The -Force parameter lets the cmdlet remove items that carry the hidden, system or read-only attributes.\r\nLine 1 removes the malicious shortcut that points to the DLL binary with all of the dashes and underscores in its filename (removed on Line 2).\r\nLine 2 removes the DLL payload.\r\nLine 3 removes the .ini file that configured the folder icon to display as a USB drive.\r\nLine 4 removes the second-stage payload.\r\nRecovery\r\nAlthough removing each of the aforementioned artifacts leaves us with a clean USB drive (Figure 7), to the end user it may look like the drive no longer contains any data, because everything still sits in the hidden, obfuscated directory.\r\nTo recover the user’s data back to the root of the drive, we can now use the following command:\r\nGet-ChildItem -LiteralPath E:\\$([char]0xA0)\\ -Force | Move-Item -Destination E:\\\r\nNOTE: Do not add -Recurse here. Move-Item carries each top-level folder’s contents along with it, so a recursive listing would also enumerate subfolder contents and try to move them into the root, which at best flattens the user’s directory structure and at worst errors out on paths that have already been moved.\r\nThe final step is to remove the hidden folder, which is now empty:\r\nRemove-Item -LiteralPath E:\\$([char]0xA0)\\ -Force\r\nFigure 7. Remediated and recovered USB drive (click image to enlarge)\r\nWith those final steps completed, we can look again at the directory listing for the USB drive and see that only the original data remains (Figure 7). The user can now safely continue to use the USB device without spreading the Andromeda malware to any other computer system.\r\nConclusion\r\nThe CrowdStrike Falcon® Complete and Endpoint Recovery Services teams take remediation action on malware of all types and complexities on a daily basis. 
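The removal and recovery steps above, collected into one script as an added example (not code from the original post or from CrowdStrike). It assumes the drive is E:, that the hidden directory name consists only of NBSP characters, that the malicious shortcut targets rundll32.exe, and that its Arguments follow the HiddenFolder\\DropperDLL,EntryPoint pattern shown in Figure 2; it reads the dropper DLL name from that pattern instead of hard-coding it, since the name is generated per infection. The function name is an assumption. Run it with -WhatIf first to preview every deletion and move.

```powershell
# Added example, not from the CrowdStrike post. Assumptions: drive E:, an
# NBSP-only directory name, a shortcut whose target is rundll32.exe and whose
# Arguments look like HiddenFolder\\DropperDLL,EntryPoint (Figure 2).

function Repair-AndromedaUsbDrive {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Drive = 'E:\\')

    # 1. Locate the hidden directory: a name made only of U+00A0 characters.
    #    -Force is required because the directory is hidden and system.
    $hidden = Get-ChildItem -LiteralPath $Drive -Force -Directory |
        Where-Object { $_.Name -match '^\\u00A0+$' } |
        Select-Object -First 1
    if (-not $hidden) {
        Write-Warning ('No NBSP-named directory found under {0}' -f $Drive)
        return
    }

    # 2. Identify the malicious shortcut(s) on the root and read the dropper
    #    DLL name from their Arguments. WScript.Shell only reads the .LNK
    #    properties; it does not launch the target.
    $shell    = New-Object -ComObject WScript.Shell
    $badLinks = @()
    $dllNames = @()
    foreach ($lnk in Get-ChildItem -LiteralPath $Drive -Force -File -Filter '*.lnk') {
        $sc = $shell.CreateShortcut($lnk.FullName)
        if ($sc.TargetPath -notmatch 'rundll32') { continue }   # leave the user's own shortcuts alone
        $badLinks += $lnk
        $dllPath = $sc.Arguments.Split(',')[0].Trim([char]34)   # part before the entry point
        if ($dllPath) { $dllNames += Split-Path -Leaf $dllPath }
    }

    # 3. Remove the artifacts: shortcut, dropper DLL, desktop.ini, second stage.
    #    -LiteralPath throughout, so NBSP and wildcard-like characters are taken as-is.
    foreach ($lnk in $badLinks) {
        Remove-Item -LiteralPath $lnk.FullName -Force
    }
    foreach ($name in @($dllNames) + @('desktop.ini', 'IndexerVolumeGuid')) {
        $p = Join-Path $hidden.FullName $name
        if (Test-Path -LiteralPath $p) { Remove-Item -LiteralPath $p -Force }
    }

    # 4. Move the user's data back to the root (no -Recurse: Move-Item carries
    #    each folder's contents with it) and delete the now-empty directory.
    Get-ChildItem -LiteralPath $hidden.FullName -Force | Move-Item -Destination $Drive
    Remove-Item -LiteralPath $hidden.FullName -Force

    # Show the recovered root, piped to Out-String for RTR console output.
    Get-ChildItem -LiteralPath $Drive -Force | Out-String
}

# Preview only: every Remove-Item and Move-Item reports what it would do.
Repair-AndromedaUsbDrive -Drive 'E:\\' -WhatIf
# Then run for real:
# Repair-AndromedaUsbDrive -Drive 'E:\\'
```

Because the function declares SupportsShouldProcess, -WhatIf propagates to the Remove-Item and Move-Item calls inside it, which is the check an analyst wants before touching a user's only copy of their files. The rundll32 test on TargetPath keeps the script from deleting legitimate shortcuts that happen to live on the drive root.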
In this blog post, we demonstrated how to identify an obfuscation technique used by Andromeda’s USB spreader plugin, and how we use PowerShell via the Real Time Response platform to remove the malware without having to escalate and have the drive formatted, all without impacting the user’s operations at any point. By scripting these steps, malware can be removed very quickly when a user connects an infected drive to a computer system. The Falcon sensor blocks the malware (provided Preventions are enabled), and the analyst then removes it completely. This kind of automation reduces future alert fatigue for the Falcon analyst and helps prevent the spread of malware from computer to computer and from network to network.\r\nFinally, this raises awareness that USB infections are a valid entry point into your environment, and such devices should be tracked and monitored. You can use CrowdStrike Falcon® Device Control to help minimize the risk of unauthorized USB devices being used and therefore reduce your attack surface.\r\n[1] CrowdStrike Intel Subscribers: CrowdStrike Tipper CSIT-1605, Andromeda Trojan with DGA-Based USB Spreader Plugin (pg. 1)\r\n[2] “SAMSUNG” is the name of the drive used in this example. 
Samsung is not in any way involved with the botnet.\r\nAdditional Resources\r\nLearn how any size organization can achieve optimal security with Falcon Complete by visiting the product webpage.\r\nFind out how CrowdStrike can help your organization answer its most important security questions: visit the CrowdStrike Services webpage.\r\nLearn more about CROWDSTRIKE FALCON® INTELLIGENCE™ threat intelligence by visiting the webpage.\r\nLearn about CrowdStrike’s comprehensive next-gen endpoint protection platform by visiting the Falcon products webpage.\r\nTest CrowdStrike next-gen AV for yourself: start your free trial of Falcon Prevent™.\r\nSource: https://www.crowdstrike.com/blog/how-to-remediate-hidden-malware-real-time-response/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/how-to-remediate-hidden-malware-real-time-response/"
	],
	"report_names": [
		"how-to-remediate-hidden-malware-real-time-response"
	],
	"threat_actors": [],
	"ts_created_at": 1775791303,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/03d7717e972893c3991c3b8430ec349b3e4ad23d.pdf",
		"text": "https://archive.orkl.eu/03d7717e972893c3991c3b8430ec349b3e4ad23d.txt",
		"img": "https://archive.orkl.eu/03d7717e972893c3991c3b8430ec349b3e4ad23d.jpg"
	}
}