Cracking the Shell
Christopher D. Del Fierro & John Angelo V. Lipata, G Data
From the early months of 2018, cyber-threat actors took advantage of the approaching Winter Olympics event and incorporated this hype to promote their social engineering emails [1]. What’s most interesting here is the usage of a PowerShell command Invoke-PSImage – that was quite new that time – which allows attackers to hide malicious PowerShell scripts inside otherwise benign-looking image files (a method known as steganography[2]).
To make matters worse – with the introduction of Invoke-Obfuscation[3] (a PowerShell script obfuscator) by Daniel Bohannon – analyzing and making sense of obfuscated PowerShell scripts is just plain torture. In addition to this, cyber-threat actors don’t just easily hand-over PowerShell scripts for us to analyze. Instead, we must manually carve it out from files such as Windows Executables, Word Office Documents, Excel Sheets, Javascripts, VBscripts, or even inside an HTML Application (HTA), etc. – making it time consuming.
This proof-of-concept sandbox inspired tool aims to help cut-down the analysis time of PowerShell attacks. Defeating obfuscation and embedding techniques – users can submit either a .ps1 script, Word Document, executable or any file that invokes PowerShell as input to this PoC. The submitted file will execute in an isolated Windows environment where all PowerShell activities will be collected, processed and analyzed. Unlike any other automated sandboxes – that only extracts command-line arguments from each running processes and output it to the user – this PoC makes use of PowerShell’s advanced logging features such as: Module Logging, Script Block Logging and Transcription, producing complete and accurate logs on the behavior of the submitted sample. The output is a report that contains layers of executed script blocks, definition of invoked PowerShell commands and suspicious keywords (e.g. download URL strings, shellcodes, etc.) – for detailed and easy to read analysis.
For future applications, this PoC can be extended as a module to other automated malware analysis systems aiding malware determination.
REFERENCES
- hxxps://blog.barkly.com/2018-winter-olympics-malware-campaign-invoke-psimage
- hxxps://en.wikipedia.org/wiki/Steganography#Techniques
- hxxps://github.com/danielbohannon/Invoke-Obfuscation
Christopher Del Fierro
Christopher D. Del Fierro “Topet” is a Sr. Virus Analyst in G DATA AV Lab Inc, Philippines with more than 13 years of experience in Information Security Industry specializing in malware tracing and analysis. He is currently teaching Reverse Engineering and Threat Analysis Training Program for aspiring Associate Virus Analyst for G Data AV Lab. Topet also had the chance to be part of promoting Cybersecurity Awareness to Universities and G DATA partners in the Philippines.
When not dissecting malware, he also likes to play basketball, online games and deduction/bluffing board games like Avalon with his friends.
John Angelo Lipata
Jelo has over 6 year of experience in cybersecurity and was the first Virus Analyst to join G Data AV Lab Inc PH. He specializes in analyzing threat and creating solutions. Aside from this, he is currently involve in other projects such as malware sample collection . He is also enthusiastic in sharing his tech expertise to his colleagues by creating modules and conducting trainings. For his free time, he loves playing basketball, board games (such as Resistance and Avalon) and video games.