An Analyst’s View of Surging PowerShell-based Malware

Over the past couple of weeks, the Cofense™ Phishing Defence Center (PDC) has observed a rise in PowerShell-based malware. PowerShell is a very powerful scripting language that is legitimately used in many organisations. PowerShell is packed with almost endless capabilities, most of which are particularly interesting to threat actors who wish to abuse PowerShell for malicious purposes.

Here are five reasons why attackers are attracted to using PowerShell:

  • PowerShell is installed on all Windows machines
  • PowerShell logging is disabled by default
  • Can execute directly from memory allowing for file-less malware delivery
  • PowerShell is a trusted application in many organisations and is often overlooked by the security stack
  • It provides unrestricted access to Windows APIs

Below is a recent phishing campaign using PowerShell that was seen by the PDC.

As shown in figure 1, the reported email looked like an acknowledgement of an order and could have easily been mistaken for a genuine email since it included the correct name and organisation details of the victim. Additionally, the email looked well-structured and formatted and there were no obvious spelling mistakes.

Figure 1 – Reported Suspicious Email

However, a closer inspection of the email body revealed that the “Your Order 0459442 available here” link directs the victim to hxxps://batemansurvey[.]com/[.]orderdetails/0459442-confirmation, where a .zip file is automatically downloaded.

The zip file contains a non-malicious .jpg and .lnk shortcut file. Inspecting the properties of the .lnk file shows that the target is powershell.exe, as shown in figure 2.

Figure 2 – Target of the .lnk Shortcut

Extracting strings from the .lnk file reveals the PowerShell code that will be launched once the file is executed (figure 3). The code will be saved into the file mydocs.ps1 in the %USERPROFILE%\Documents directory.

Figure 3 – Extracted Strings from .lnk Shortcut

A quick glance over the code forms our hypothesis that this code is used to download a file. Let us have a closer look at what this PowerShell script is doing. The script has been adjusted for easier reading.

A randomly generated 14 character string, where 65..90 is equivalent to A-Z and 97..122 is the equivalent of a-z in Ascii. This randomly generated string is assigned to the variable $m6g and is later referenced in the script.

The UUID (Universal Unique Identifier), a 128-bit number that can be used to unique identify a computer, is generated and used to create a folder within the %APPDATA% directory, as shown below.

After the folder has been created, the script launches cmd.exe and utilises Microsoft’s bitsadmin utility to download content from sarabuschlen[.]com/low/end. Below you will see that the downloaded content is saved into a .ps1 (PowerShell) file using variable $m6g which previously generated a random string.

Yet again, cmd.exe is launched and the downloaded PowerShell script is executed.

The newly downloaded PowerShell script uses the same cmd/bitsadmin technique to retrieve two additional files from leasghler[.]eu: p2.ps1 and hostp1.txt, as shown below.  The ps2.ps1 file is saved under the name _main.txt in the earlier created UUID-named folder in the %APPDATA% directory. The hostp1.txt file is saved as _host.txt into the same folder.

The script below defines a key that is used to encrypt the file _main.txt as config.ini and _host.txt as web.ini.

To achieve persistence on the victim machine, the script creates a file run20.vbs and adds a scheduled task with the name AppLog that utilizes the run20.vbs script. The task starts at 7:00 a.m. every day and after it has been triggered, it repeats indefinitely every 3 minutes, as seen below.

To survive a restart of the system, the script below creates a file restart.vbs which is utilised by a scheduled task called OneDrive Standalone Update Task v2 sLoad.

As mentioned above, the script downloads two files, places them into _config.ini and _web.ini, and encrypts the contents. The script provides two URLs that points to the data that is placed into those two .ini files, but those files cannot be directly retrieved using a web browser or wget and the webserver responds with a 403 Forbidden (Figure 4).

Figure 4 – 403 Forbidden Message

You can solve this problem by utilising a simple PowerShell script. The following script downloads the p2.ps1 file onto the desktop. The script can then be modified to download the hostp1.txt file.

We are now able to analyse this PowerShell-based malware further to hopefully obtain information about its purpose and possible C2 servers.

Starting with the hostp1.txt file that was encrypted and saved into web.ini. Opening the file reveals two URLs:

The heart of the malware resides in ps2.ps1 aka config.in. The first interesting function that is found is called Get-ScreenCapture. Below shows a screenshot is taken and placed into the UUID directory in the %APPDATA% directory and later uploaded to the C2 server.

Below shows that the script utilises the hostp1.txt (web.ini) file, in combination with bitsadmin, to download a file from the URLs saved in that file. If the returned file contains the word “sok” then the script sleeps for 30 seconds (30000 milliseconds).

Additionally, the malware generates a list of network shares, and gathers information about the processor and operating system used by the victim.

Furthermore, the script saves the names and domain names of major UK banks into a variable, as shown below. The domain names are going to be used together with the DNS resolver cache that the malware retrieves by executing the ipconfig /displaydns command.  If the victim browsed to one of the banks mentioned in the configuration file, there is a high probability that it is stored in the DNS cache and can therefore be further used by the malware.

In addition, the script below uses the function Get-Process to lists all processes that are currently running.

The malware uses the captured data to form a HTTP request that looks similar to the one below:

It uses that HTTP request to query the C2 server. The result of this query is stored in a file called A04F4D56-564E-D804-8EF0-B3FCE5E01A07 at the %APPDATA% directory we have seen before. Depending on the contents of the file, further actions may be taken by the malware.

After 5 screenshots are captured, the malware transfers the .jpg files to the C2 server and deletes them from the victim’s system. The below script shows how this is handled by the binary.

During our analysis, it was found that the connections to the C2 server are made through svchost.exe (Figure 5).  Svchost is a legitimate Windows process used for services that run from DLL libraries.

Figure 5 – C2 communication in tcplogview

A look at ProcessHacker confirms that the malicious PowerShell script is running as a child process of wscript.exe, which in turn, runs a child process of svchost (Figure 6).

Figure 6 – ProcessHacker Process List

The PowerShell-based malware analysed here provides an excellent overview of what is possible with a few simple scripts. The Cofense Phishing Defence Center has certainly noticed an increase in phishing attacks that utilise PowerShell over the past months. The ease of use bundled with unrestricted access to Windows APIs, as well as the possibility to provide file less malware has awakened the interest of many attackers. While many organisations utilise PowerShell legitimately, the malicious power should not be underestimated.

Here are three tips to minimize the risk of infection through PowerShell-based malware:

  • Update PowerShell: Ensure that the newest version of the Windows Management Framework is running on all machines
  • Enable and Configure PowerShell Logging: By default, PowerShell logging is disabled. Configure the systems to log any PowerShell command that is being executed and incorporate these logs into your security workflow
  • Deploy Policies: Only allow tested, pre-approved scripts to be used in your environment

And most importantly, act when you see something suspicious!

For a look forward and a look back at major malware trends, view the 2018 Cofense Malware Review.

Quick Summary

Infection Vector: .lnk

Script-Invoking Parent: cmd.exe

Obfuscation: Mixed upper and lower-case letters, concatenation, encryption of config files

Persistence: Two scheduled tasks

Capabilities: Capture screenshots, query DNS resolver cache, query running processes, identify network shares, identify operating system and computer name, gather CPU details

 

Indicators of Compromise

Infection URL:

hxxps://batemansurvey[.]com/[.]orderdetails/0459442-confirmation

 

Associated IP:

91[.]218[.]127[.]156

 

Downloaded ZIP file:

File Name: 0459442-confirmation.zip

MD5: 0459442-confirmation.zip

SHA256: e873a1092fe54af1181d12d15fdabdd153454dc0ea4ca4dbd297c19ff1918c16

File Size: 15,842 bytes

 

.lnk file:

File Name: 0459442-confirmation.lnk

MD5: c6065e1605f06babba9f6490cb19282e

SHA256: 668828e1381c9c5771da98f080154d68f5bceb333b0f8aba930ff1ebeeabbab4

File Size: 1,468 bytes

 

Infection Files:

File Name: {14RandomCharacters}.ps1

MD5: 69171d1754e2c62415dca60e00ff22f8

SHA256: 659776f78f265094f1ebd9776f27ecbaadb4584e768df3e30c5fc2f0268217dd

File Size: 3,883 bytes

 

File Name: run20.vbs

MD5: 5dc897b18751fa1400839ad5f6956a24

SHA256: 2f245667f065b58798803c3eaaeed4b77da2524c36f64555756706d94283f8d7

File Size: 934 bytes

 

File Name:  ps2.ps1

MD5: f98eaa0793c82ed61d9f2901673eba55

SHA256: 2133fdb23092bee2c743ea2dfe8ff9778e321c4c89509880fb92d82ea1ca1c5c

File Size: 8,104 bytes

 

File Name: config.ini

MD5: bc47e80e8cca465ce1841acd301761d6

SHA256: b6af9b606bd2f0e43fa95dd260c6ee0f5a37417c09321ad7263123ac78f3d4ff

File Size: 177,878 bytes

 

File Name: web.ini

MD5: 0b6b5a306065338f0aafe012918144ed

SHA256: ca28e152b7a2e307a122d785e5bd20b2f395bdac8609a117e7f3e6abfcccab19

File Size: 1,414 bytes

 

File Name: {7RandomCharacters}.ps1

MD5: a7330e5067ac2789c32f25413fb6c5ee

SHA256: e69f5911c06661e17b11bdfb2a05cae529adde627bb396731d3c7a3d6c5c6db4

File Size: 940 bytes

 

File Name: hostp1.txt

MD5: 4a2c2f3a8af286f2e78d4f88df6a84aa

SHA256: bcc4189cfdf1740d3e6190b0e7d435c8e81bc8074aacb0427bfbcabf85245faf

File Size: 53 bytes

 

File Name: mydocs.ps1

MD5: 4d9303772a7ec32676cb90cbef7ecfae

SHA256: 946e1da518d31cec48ab61eb48c8afe305ed14ea84bae3516d3457c216f9053e

File Size: 4,096 bytes

 

File Name: restart.vbs

MD5: 5af2a2fa8af5d8b9278ae223473663c1

SHA256: 199ec6c926ac1b5e9e681181529df3eb2f30170f4be4476c660e72cb328579eb

File Size: 1,232 bytes

 

 

Payload URL:

hxxps://sarabuschlen[.]com/low/end

hxxps://leasghler[.]eu/sload/2[.]0/p2[.]ps1

hxxps://leasghler[.]eu/sload/2[.]0/hostp1[.]txt

hxxps://xabueraar[.]eu/sload/2[.]0/r1[.]ps1

 

Associated IP:

185[.]103[.]97[.]197

194[.]32[.]76[.]121

 

Command and Control:

hxxps://qasarer[.]eu/sload

hxxps://leasghler[.]eu/sload

 

Associated IP:

194[.]32[.]76[.]30

194[.]32[.]76[.]121

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

How to Get Internal Buy-In for Your Phishing Simulation and Awareness Training Programs
Why a phishing-specific SOAR? Because phishing is STILL the #1 cause of breaches.

Leave a Reply