AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Windows powershell malware11/13/2023 ![]() wIndOwsTY HiddeN, shortened syntax for - WindowStyle Hidden. ![]() NOpROFI, shortened syntax for -NoProfile. Hides the copyright banner when PowerShell is executed. It is often combined with -WindowStyle Hidden to hide any script execution. It is used to prevent showing an interactive prompt to the user. noniNtE, shortened syntax for -NonInteractive. The upper part boxed in red consists of PowerShell parameters and some obfuscation functions. ![]() Rozena chooses to use Microsoft Word Icon, but it is a Windows executable file as shown in Figure 3 for Rozena’s file header. Since the default Windows’ feature is not to show the file extension, it is easier for the malware author to bait the user to execute the file as shown in Figure 2. One of the common techniques used to lure users in executing files from unknown sender or unknown downloads is to make them look harmless. It is like opening a door to the thieves that makes them take and do whatever they want to the house, and can go beyond in reaching all its neighbors. This injected shellcode will create a reverse TCP connection to a remote server that will give an access to the malware author. The decoded script will yield the injector script that will injects shellcode to PowerShell.exe. The decoder script is to decrypt the content of Hi6kI7hcxZwU and execute it. The creator script is responsible in spawning the decoder script. In this case, we name these scripts as CREATOR script, DECODER script and INJECTOR script for easier tagging in the In-Depth Analysis. Then the exeutable file will launch obfuscated and encoded PowerShell commands with specific order and purpose. Upon execution, it will create a text file named Hi6kI7hcxZwU in %temp% folder. ![]() Rozena is an executable file that masks itself as a Microsoft Word file. It may also arrive as an attachment on a crafted spam email. This file may arrive on a system as a dropped file by another malware or as a downloaded file when visiting malicious sites. This could be the probable reason why malware authors are now following the fileless trail.įigure 1: Steps of Rozena's infection routine A survey done by Barkly and the Ponemon Institute, which polled 665 IT and security leaders, found out that fileless attack are 10 times more likely to succeed than those of file-based attacks. The old and new Rozena malware still targets Microsoft Windows operating systems, but what made the difference is the new one’s adaption to the fileless technique which uses PowerShell scripts to execute its malicious intent. This was first seen in 2015 and made a comeback on March 2018. A successful connection to the malware author yields numerous security concerns not only to the affected machine, but also to other computers connected on its network. Rozena is a backdoor-type malware capable of opening a remote shell connection leading back to the malware author. These malwares aim to be more effective in terms of infecting machines and avoiding detection like Rozena. There are even old malwares that changed its technique and now uses fileless attack. One known malware family that uses PowerShell to download and execute malicious files is the Emotet downloader. ![]() Legitimate system tools such as PowerShell and Windows Management Instrumentation are being abused for malicious activities, since these are all built-in tools that run in Windows operating system. In 2017 alone, 13% of the gathered malware uses PowerShell to compromise the system. These techniques can be in the form of exploits and code injections to execute malicious code directly in memory, storing scripts in registry, and executing commands via legitimate tools. Once executed, it may still save a file on disk and later use fileless techniques to gather information on the system and spread the infection throughout the network. However, the term "fileless" can also be a misnomer as there are attacks that may involve presence of files on the computer, such as opening an attachment from spam emails. ![]()
0 Comments
Read More
Leave a Reply. |