Malware actors very rarely stick to the same script for extended periods of time. They constantly modify and update their attack methods. Recently we have observed malware that uses server-side polymorphism to hide its payload, which consists of a backdoor fully written in PowerShell.
Last year, we blogged about the Rozena malware and how this backdoor incorporated PowerShell to execute its shellcode. However, malware authors are not sticking to the same script, constantly modifying and updating their attack methods. This time we’ve observed a new malware that used server-side polymorphism to hide its payload, which is a backdoor that is fully written in PowerShell.
The sample was obtained as a malicious Visual Basic Script (VBS) attachment from an email, with the file named as “INAIL_Comunica_133113944054522074634191697732.vbs”. By the looks of its filename, it claims to be a notice from an Italian organization for workplace safety insurance called the Istituto Nazionale Assicurazione Infortuni sul Lavoro (INAIL).
Upon execution, this malicious VBS will invoke a downloader written in PowerShell that downloads two files from its command and control (CNC) servers:
hxxp://adm.esurf.info/api?wead (SkypeApp64.exe) hxxp://space.4fallingstar.info/12.php?vid=pec5 (SearchI32.js)
The file SearchI32.js is an obfuscated JS that invokes another PowerShell downloader that will again download two files, which are both saved in the default Windows temporary folder %temp%:
hxxp://green.4107irishivy.info/cryptbody2.php (SearchI32.txt) hxxp://green.4107irishivy.info/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php (SearchI32.js)
SearchI32.js downloads and executes a new version of itself as a form of persistence. At first glance, the file SearchI32.txt looks like junk. However, it is decrypted and executed by the JS file, and is the main PowerShell backdoor.To skip several deobfuscation stages for unveiling the backdoor, we used the PowerShell Extractor Analyzer (PEA), a publicly-available tool developed within G DATA to analyze SearchI32.js.
The first part of the code consists of evasion techniques. The backdoor will first try to check if the infected system’s language is Russian, Ukrainian, Belarusian, or Chinese, and if the system is running under VirtualBox or VMWare (suggensting it is analyzed in a virtual environment - a technique often employed by malware analysts), terminating the execution if either check is matched:
As part of its persistence, it also adds a shortcut file on the startup folder. The shortcut links to the downloaded SearchI32.js, with a description of “Windows Indexing Service” to throw off the user from its malicious behavior. The command-line script host cscript.exe is then used to execute the Searchi32.js.
The backdoor will then create a System.Net.CredentialCache object to store the obtained information from the user. This object will be used as for downloading commands from the CNC server and at the same time posting the victim’s information. The collected information is comprised of:
The backdoor will use the DownloadString method to obtain the body of the CNC server site, parsing the content for its backdoor commands. The CNC server site body is expected to contain the commands in this form:
[command]|[URL for the malicious PowerShell script]
The backdoor will repeatedly access its CNC server and wait for one of the following the commands:
For the m1 and m commands, the URL being downloaded will contain the PowerShell script to be executed for its malicious activity.
We encountered the backdoor updating several times through its commands, like
The latter of which was the latest URL as of writing, where the JS decryptor/loader and PowerShell backdoor scripts were completely updated. The CNC server domains were updated during analysis (e.g. hxxp://green.4107irishivy.info/ to hxxp://green.4107irishivy.info/), making this campaign difficult to detect.
The updated version of the backdoor is still similar on how it receives its commands from the CNC server, but had some several updates in its script:
Since this malware uses email attachments as the initial attack vector like many other types of malware, it always pays to be safe by validating the source of any emails sent to you that contains attachments or links to downloads. Never open attachments or links from unvalidated email addresses. Always keep your anti-virus and operating systems up to date, to ensure your systems are protected against these new types of malware.
If you are interested to know more of the in-depth analysis of this backdoor campaign, you may visit the following link: