Windows PowerShell, the Microsoft scripting language, has made the headlines recently due to malware authors leveraging it for malicious purposes. Symantec has identified more PowerShell scripts being used for nefarious purposes in attacks. Unlike other PowerShell scripts that we have identified previously, the new script, which Symantec detects as Backdoor.Trojan, has different layers of obfuscation and is able to inject malicious code into “rundll32.exe” so that it can hide itself in the computer while still running and acting like a back door.
Figure 1. The original Microsoft Windows PowerShell script
As seen from the previous image, the script is obfuscated to prevent users from seeing the clear text. However, the attacker has used the parameter “-EncodedCommand” in order to encode the entire script in base64. Once decoded, the script is still obfuscated and it looks like the following:
Figure 2. PowerShell script’s first layer of decryption
After this, the script will again decode a portion of itself from base64 to plain text and the decoded part of the script is passed through a decompression function. The decompressed data is the latest stage of the deobfuscated PowerShell script, which will be executed through the “Invoke-Expression” command.
Figure 3. A deobfuscated PowerShell script
The attacker uses the command “CompileAssemblyFromSource” so that they can compile and execute on-the-fly embedded code which hides itself on the computer. The compiled code will then try to execute “rundll32.exe” in a suspended state, inject malicious code into the newly created process and restart the “rundll32” thread. This method is used to prevent detection on the computer.
The injected code will then try to connect to a remote computer and it then waits to receive a buffer of instructions. The code will subsequently store these instructions with EXECUTE_READWRITE permissions, so that they can be executed in a stealthy way.
The following picture shows how the injected code allocates the memory and receives the instructions that are later executed.
Figure 4. Malicious code injected into rundll32.exe
Symantec customers are currently protected from this attack with the detection Backdoor.Trojan. To avoid being infected, we recommend that customers should use the latest Symantec technologies and update their virus definitions. Users should avoid running unknown PowerShell scripts and should not lower PowerShell’s default execution settings in order to prevent potential malicious scripts from executing.