The Adventures of the Elusive Malvari, Part 1

With this article we begin a series of publications about the elusive Malvari. Hacking programs that do not leave an attack mark, also known as fileless (“incorporeal”, invisible, fileless), usually use PowerShell on Windows systems to secretly execute commands to search and extract valuable content. Detecting hacker activity without malicious files is a difficult task because Antiviruses and many other detection systems work on the basis of signature analysis. But the good news is that such software does exist. For example, UBA systems capable of detecting malicious activity in file systems.

When I first began to study the topic of cool hackers who do not use traditional methods of infection , but only tools and software available on the victim’s computer, I didn’t suspect that this would soon become a popular attack method. Security professionals say that this is becoming a trend, and the frightening article headlines are proof of that. Therefore, I decided to make a series of publications on this topic.

Great and terrible PowerShell

I wrote about some of these ideas earlier in the PowerShell obfuscation series , but more on the basis of a theoretical representation. Later, I came across a site for hybrid analysis , where you can find samples of Malvari “caught” in the wild. I decided to try using this site to search for fileless malware samples. And I managed it. By the way, if you want to go on your own expedition to find malware, you will have to go through a check on this site so that they know that you are doing work as a white hat specialist. As a blogger who writes about security, I passed it without question. I'm sure you can too.
')
In addition to the samples themselves on the site you can see what these programs are doing. Hybrid analysis runs malware in its own sandbox and monitors system calls, running processes and network activities, and also extracts suspicious text strings. For binaries and other executables, i.e. where you cannot even look at the actual high-level code, the hybrid analysis decides whether the software is malicious or just suspicious based on its activity at run time. And after that the sample is already estimated.

In the case of PowerShell and other sample scripts (Visual Basic, JavaScript, etc.), I was able to see the code itself. For example, I came across such a PowerShell instance:

You can also run PowerShell with base64 encoding to avoid detection. Note the use of Noninteractive and Hidden parameters.

If you read my obfuscation entries, then you know that the -e option indicates that the content is encoded in base64. By the way, hybrid analysis also helps with this, decoding everything back. If you want to try to decode base64 PowerShell (hereinafter - PS) yourself, you need to run this command:

[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText)) 

Take it deeper

I decoded our PS script using this method, below is the text of the program, albeit slightly modified by me:

Note that the creaking was tied to the date of September 4, 2017 and passed session cookies.

I wrote about this style of attack in the PS obfuscation series , in which the base64-encoded script itself downloads the missing malware from another site, using the WebClient object from the .Net Framework library to do all the hard work.

What is it for?

For security software that scans Windows event logs or a firewall, base64 encoding prevents the detection of the “WebClient” string in a simple text pattern in order to protect against the execution of such a web request. And since all the “evil” malware is then downloaded and transmitted to our PowerShell, this approach thus makes it possible to completely evade detection. Rather, I thought so at first.

It turns out that with the inclusion of advanced logging in the Windows PowerShell log (see my article), you can see the downloaded line in the event log. I (like others ) believe that Microsoft should enable this logging level by default. Therefore, with the extended logging enabled, we will see in the Windows event log a completed boot request from the PS script, as we have described above. Therefore, it makes sense to activate it, agree?

Add additional scripts

Hackers cleverly hide the PowerShell attack in Microsoft Office macros written in Visual Basic and in other scripting languages. The idea is that the victim receives a message, for example, from a delivery service, with an attached report in the .doc format. You open this document, which contains a macro, and ultimately it starts the malicious PowerShell.

Often, the Visual Basic script itself is obfuscated in such a way that it freely evades antivirus and other malware scanners. In the spirit of what has already been stated, I decided to code the above PowerShell in JavaScript as an exercise. Below are the results of my work:

Obfuscated JavaScript hiding our PowerShell. Real hackers do it once or twice.

This is another technique I’ve come across on the web: using Wscript.Shell to run coded PowerShell. By the way, JavaScript itself is a means of delivering malware. Many versions of Windows have a built-in Windows Script Host , which itself can run JS.
In our case, the malicious JS script is attached as a file with the .doc.js extension. Windows, as a rule, shows only the first suffix, so it will be displayed to the victim as a Word document.

The JS icon is displayed only in the scroll icon. Not surprisingly, many people will open this attachment, thinking that it is a Word document.

In my example, I modified the above PowerShell to download the script from my website. The remote PS script simply prints "Evil Malware". As you can see, he is not evil at all. Of course, real hackers are interested in gaining access to a laptop or server, for example, through a command shell. In the next article, I will show you how to do this using PowerShell Empire.

I hope that for the first introductory article, we are not too deeply immersed in the topic. Now I’ll let you catch your breath, and next time we’ll start to analyze real examples of attacks using fileless Malvari without unnecessary introductory words and preparation.