A Surge in PowerShell Malware Infections Through a Phishing Campaign

Published: Monday 29th October 2018

Last week Secrutiny analysts investigated suspicious emails sent to multiple employees within an organisation. The phishing emails could easily have been mistaken for genuine ones, since they included the correct names and details of the recipients. On closer inspection, however, the emails were found not to be targeted at the organisation but to be part of an ongoing campaign delivering PowerShell-based malware.

What Is PowerShell?

PowerShell is a powerful scripting language and shell built on the .NET Framework, with a very wide range of capabilities. It is legitimately used by many organisations, including Secrutiny (to collect evidence in our Cyber Risk Audits and Forensic Investigations). Here are five reasons why attackers are attracted to abusing PowerShell for malicious purposes:

  • It is installed by default on every supported version of Windows (Windows 7 / Server 2008 R2 and later).
  • Script block logging, module logging and transcription are all disabled by default, so what a script actually did is usually not recorded.
  • It can run code directly from memory, allowing file-less malware delivery with no executable ever written to disk.
  • It is a signed Microsoft binary that many organisations use legitimately, so it is trusted and often overlooked by the security stack.
  • Through .NET it gives a script access to the full Windows API.

Technical Analysis

  • Initial Infection

The reported email looked like an acknowledgement of an order and could easily have been mistaken for a genuine one, since it included the correct name and details of the recipient. The email was also well structured and formatted, with no obvious spelling mistakes.

On closer inspection, the 'Your Order 0BT118 available here' link pointed to "[https:]//avila-ventures.[com]/.customer-area/0BT118-pack-status" (defanged). Visiting the link automatically downloads a .zip file containing two .jpg files and a shortcut (.lnk) file.

  • Introducing PowerShell

Looking at the properties of the .lnk file, its target is a nested PowerShell command that invokes a search function, which pulls lines of text out of .lnk files under the C:\Users\* path and executes them as PowerShell code. This allows the attackers to hide the next stage of the script inside the .lnk file itself: the shortcut is both the lure and the container for the payload, so no separate script file needs to be dropped.
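The following is an added example, not code from the original post, showing how an analyst can triage shortcuts for exactly this pattern: a .lnk whose target launches a script host, whose arguments read and execute text from files, and whose file body carries PowerShell-looking lines after the binary Shell Link structure. The regex patterns, the 4 KB size threshold and the sweep path are assumptions, not artefacts of the campaign.

```powershell
# Added example (not code from the original post): inspect a shortcut the way an
# analyst would, and flag ones that launch PowerShell to read code back out of the
# .lnk file itself. Patterns and the size threshold are assumptions.

function Test-SuspiciousLnk {
    param([Parameter(Mandatory)][string]$Path)

    $full  = (Resolve-Path -LiteralPath $Path).Path
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($full)        # parses the Shell Link structure for us
    $size  = (Get-Item -LiteralPath $full).Length
    $reasons = New-Object System.Collections.Generic.List[string]

    if ($lnk.TargetPath -match '\\(powershell|pwsh|cmd|wscript|cscript|mshta)\.exe$') {
        $reasons.Add("target is a script host: $($lnk.TargetPath)")
    }
    if ($lnk.Arguments -match '-(e|ec|en|enc|encodedcommand)\s') { $reasons.Add('encoded command') }
    if ($lnk.Arguments -match '-w(indowstyle)?\s+h(idden)?')     { $reasons.Add('hidden window') }
    if ($lnk.Arguments -match '\.lnk|select-string|\bsls\b|get-content|\bgc\b|\biex\b|invoke-expression') {
        $reasons.Add('reads and executes text from files (possibly the shortcut itself)')
    }
    if ($lnk.Arguments -match 'bitsadmin|start-bitstransfer')    { $reasons.Add('downloads via BITS') }
    # A normal shortcut is a few hundred bytes to ~2 KB; one carrying an appended script is much larger.
    if ($size -gt 4KB) { $reasons.Add("unusually large shortcut ($size bytes)") }

    # Look past the binary Shell Link structure for lines that read like PowerShell:
    # that is where a shortcut that hides code in itself keeps its next stage.
    $text   = [System.IO.File]::ReadAllText($full, [System.Text.Encoding]::ASCII)
    $hidden = @($text -split "`r?`n" | Where-Object {
        $_ -match '(\$\w+\s*=|new-object|invoke-|\biex\b|frombase64string|downloadstring)' })
    if ($hidden.Count -gt 0) { $reasons.Add("$($hidden.Count) PowerShell-like line(s) embedded in the file") }

    [pscustomobject]@{
        Path        = $full
        Command     = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = $reasons.ToArray()
        HiddenLines = $hidden
    }
}

# Usage: sweep the user profiles (the same path the campaign's own search targets).
Get-ChildItem -Path "$env:SystemDrive\Users" -Recurse -Filter *.lnk -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SuspiciousLnk -Path $_.FullName } |
    Where-Object Suspicious |
    Format-List Path, Command, Reasons
```

The WScript.Shell COM object resolves the shortcut's target and arguments without launching anything, and the raw-text scan catches the trick the post describes (script lines appended to the shortcut) even when the visible command line has been kept short. Run it on an isolated analysis machine rather than the victim's workstation where possible.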

The most notable of these hidden lines checks whether software related to malware analysis is running on the machine and, if so, stops execution of the PowerShell script. It then uses bitsadmin to download two further files, _main.txt and _hosts.txt, which are encrypted and saved as config.ini and web.ini respectively. It also attempts to close running programs where it can.

A Look into the Scripts Functionality

The scripts contain the following functionality:

  • Creates scheduled tasks for persistence.
  • Encrypts the PowerShell scripts and the command-and-control (C2) domains stored on the device.
  • Employs anti-analysis techniques.
  • Gathers information about the processes running on the device.
  • Gathers information about the operating system.
  • Queries the DNS resolver cache and compares it against a hard-coded list of banking domains.
  • Takes screen captures of all monitors connected to the device and uploads them to the C2 addresses.

Persistence Mechanism

To achieve persistence on the victim machine, the script writes a .vbs file and creates a scheduled task that runs it. The task starts at 7:00 a.m. every day and, once triggered, repeats indefinitely every 3 minutes, as seen below. The .vbs script in turn launches another PowerShell script, which decrypts the previously encrypted config.ini and web.ini files and executes their contents.
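As an added example (not code from the original post), the hunt below lists scheduled tasks that fit the persistence pattern just described: an action that launches a script host or something under a user profile, on a trigger that repeats at a short interval. The five-minute threshold and the path patterns are assumptions chosen to catch this campaign's "every 3 minutes" task without flagging normal hourly or daily jobs.

```powershell
# Added example (not code from the original post): hunt for tasks matching the
# persistence pattern described above, i.e. a script host launched on a short
# repetition interval. The threshold and path patterns are assumptions.

function Find-SuspiciousScheduledTask {
    param([int]$MaxRepeatMinutes = 5)

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }        # COM-handler actions have no command line
            $cmdline    = "$($action.Execute) $($action.Arguments)"
            $scriptHost = $cmdline -match '\.vbs|\.js\b|\.ps1|\.lnk|wscript|cscript|powershell|pwsh|mshta'
            $userPath   = $cmdline -match '\\AppData\\|\\Users\\[^\\]+\\|\\Temp\\'
            if (-not ($scriptHost -or $userPath)) { continue }

            foreach ($trigger in $task.Triggers) {
                $interval = $trigger.Repetition.Interval  # ISO 8601 duration, e.g. PT3M
                if (-not $interval) { continue }
                $span = [System.Xml.XmlConvert]::ToTimeSpan($interval)
                if ($span.TotalMinutes -gt $MaxRepeatMinutes) { continue }

                [pscustomobject]@{
                    Task     = $task.TaskPath + $task.TaskName
                    Author   = $task.Author
                    RunAs    = $task.Principal.UserId
                    State    = $task.State
                    Command  = $cmdline
                    Starts   = $trigger.StartBoundary
                    Every    = $interval
                    Duration = $trigger.Repetition.Duration   # empty means "indefinitely"
                }
            }
        }
    }
}

# Usage (run elevated so tasks registered by other users are visible):
Find-SuspiciousScheduledTask | Format-Table -AutoSize
# Then pull the full definition of anything interesting:
#   Export-ScheduledTask -TaskName '<name>' -TaskPath '<path>'
```

The repetition interval is stored as an ISO 8601 duration (PT3M for three minutes), which is why the example converts it with XmlConvert rather than parsing the string by hand. Tasks created with schtasks.exe or Register-ScheduledTask both end up in this store, so the hunt does not depend on how the malware registered the task.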

Screen Capture

The first interesting function found is Get-ScreenCapture, which takes a screenshot of every screen connected to the device. The images are written to a folder the malware creates in the %APPDATA% directory and later uploaded to the C2 server.

Information Gathering

The malware also enumerates the network shares connected to the device and gathers information about the processor and the operating system in use.

Query DNS Cache

The script stores the names and domain names of major UK banks in a variable, as shown below. These are compared against the DNS resolver cache, which the malware retrieves by running the ipconfig /displaydns command. If the victim has recently browsed to one of the listed banks, that domain is likely to still be in the cache, which tells the malware that the victim banks there and can be reported back to the C2 server.

  • “nwolb.com”
  • “bankline”
  • “bankofscotland.co.uk”
  • “secure.lloydsbank.co.uk”
  • “secure.halifax-online.co.uk”
  • “hsbc.co.uk”
  • “rbsdigital.com”
  • “barclays.co.uk”
  • “onlinebusiness.lloydsbank”
  • “tsb.co.uk”
  • “retail.santander.co.uk”
  • “business.santander.co.uk”
  • “onlinebanking.nationwide.co.uk”
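The DNS-cache check described above, as an added example that is not the malware's code. It parses `ipconfig /displaydns` output and does the same substring comparison against the watchlist, using a constructed sample of the command's output so it runs offline; the hostnames and addresses in the sample are made up (203.0.113.0/24 is a documentation range). Understanding the check this precisely is what lets you write a detection for it (a process-creation event for ipconfig.exe with /displaydns from a PowerShell parent) and judge which users the attackers would have singled out.

```powershell
# Added example (not the malware's code): the DNS-cache check described above,
# run over constructed `ipconfig /displaydns` output so it works offline.

$watchlist = @(
    'nwolb.com', 'bankline', 'bankofscotland.co.uk', 'secure.lloydsbank.co.uk',
    'secure.halifax-online.co.uk', 'hsbc.co.uk', 'rbsdigital.com', 'barclays.co.uk',
    'onlinebusiness.lloydsbank', 'tsb.co.uk', 'retail.santander.co.uk',
    'business.santander.co.uk', 'onlinebanking.nationwide.co.uk'
)

# Constructed sample (not real data): one banking hostname, one unrelated CNAME record.
$sampleDisplayDns = @'
Windows IP Configuration

    secure.lloydsbank.co.uk
    ----------------------------------------
    Record Name . . . . . : secure.lloydsbank.co.uk
    Record Type . . . . . : 1
    Time To Live  . . . . : 116
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.10

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 5
    Time To Live  . . . . : 3000
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : example.com
'@

function Get-CachedNames {
    # Pull every "Record Name" out of ipconfig /displaydns text, lower-cased and de-duplicated.
    param([Parameter(Mandatory)][string]$DisplayDnsText)
    $DisplayDnsText -split "`r?`n" |
        ForEach-Object { if ($_ -match '^\s*Record Name[ .]*:\s*(\S+)') { $Matches[1].ToLowerInvariant() } } |
        Sort-Object -Unique
}

function Find-WatchlistHits {
    # Substring match, as the malware does: 'bankline' catches any bankline.* host.
    param([string[]]$CachedNames, [string[]]$Watchlist)
    foreach ($name in $CachedNames) {
        foreach ($entry in $Watchlist) {
            if ($name -like "*$entry*") { [pscustomobject]@{ CachedName = $name; Matched = $entry } }
        }
    }
}

$cached = Get-CachedNames -DisplayDnsText $sampleDisplayDns
Find-WatchlistHits -CachedNames $cached -Watchlist $watchlist

# On a live host, either of these feeds the same check:
#   Get-CachedNames -DisplayDnsText (ipconfig /displaydns | Out-String)
#   Get-DnsClientCache | Select-Object -ExpandProperty Entry | Sort-Object -Unique
```

With the constructed sample only the Lloyds hostname is reported; www.example.com matches nothing on the list. Note that the cache is short-lived (the TTL column), so the malware's three-minute task schedule gives it repeated chances to catch a banking session that a single run would miss.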

Further Actions

The malware uses the captured data to form an HTTP request to the C2 server. The response is stored in a file in the %APPDATA% directory and, depending on its contents, the malware may take further actions. After 5 screenshots have been captured, the malware uploads the .jpg files to the C2 server and deletes them from the victim's system.

How Can Organisations Minimise the Risk of Infection from PowerShell-Based Malware?

  • Enable and Configure PowerShell Logging: script block logging, module logging and transcription are all off by default. Turn them on through Group Policy so that the code of every script block PowerShell executes is recorded (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), forward that log to your SIEM, and alert on the behaviours seen here: bitsadmin downloads, scheduled task creation, ipconfig /displaydns and screen capture from a PowerShell process.
  • Deploy Policies: only allow tested, pre-approved (ideally signed) scripts to run in your environment. Application-control tools such as AppLocker or Windows Defender Application Control can enforce this and, when enforced, also place PowerShell in Constrained Language Mode, which blocks the .NET and Win32 API access this malware relies on.
  • Implement Next-Generation Anti-virus: some technologies can detect malicious script behaviour at run time (including AMSI-integrated scanning of script content as it is executed) and alert on or block it, regardless of whether a file was ever written to disk.
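The following is an added example, not from the original post, covering the first recommendation end to end: it sets the three PowerShell logging policies under the registry keys the corresponding Group Policy settings use, reports their current state, and hunts the resulting 4104 events for the behaviours described in this post. The transcript directory and the indicator pattern are assumptions (CopyFromScreen is the usual .NET screen-capture call, an assumption about how Get-ScreenCapture is implemented). In a domain, set these keys through Group Policy rather than locally so a script running as the user cannot simply switch them back off.

```powershell
# Added example (not from the original post): enable the three PowerShell logging
# policies, check their state, and hunt 4104 events for this post's behaviours.
# The transcript directory and indicator pattern are assumptions.

$policyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed; use a write-only share in production

    # Script block logging: the de-obfuscated code of every block PowerShell runs -> event 4104
    New-Item "$policyBase\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty "$policyBase\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging: pipeline execution details for all modules -> event 4103
    New-Item "$policyBase\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty "$policyBase\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty "$policyBase\ModuleLogging\ModuleNames" -Name '*' -Value '*'

    # Transcription: a text record of each session, including command output
    New-Item "$policyBase\Transcription" -Force | Out-Null
    Set-ItemProperty "$policyBase\Transcription" -Name EnableTranscripting    -Value 1 -Type DWord
    Set-ItemProperty "$policyBase\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty "$policyBase\Transcription" -Name OutputDirectory -Value $TranscriptDir
}

function Get-PowerShellLoggingState {
    $sb = Get-ItemProperty "$policyBase\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $ml = Get-ItemProperty "$policyBase\ModuleLogging"      -ErrorAction SilentlyContinue
    $tr = Get-ItemProperty "$policyBase\Transcription"      -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging = ($sb.EnableScriptBlockLogging -eq 1)
        ModuleLogging      = ($ml.EnableModuleLogging -eq 1)
        Transcription      = ($tr.EnableTranscripting -eq 1)
    }
}

function Find-CampaignIndicatorsInScriptBlocks {
    param([int]$Days = 7)
    # Behaviours from this post: BITS download, DNS-cache query, code pulled from .lnk files,
    # the encrypted config names, task registration, and the (assumed) .NET screen-capture call.
    $pattern = 'bitsadmin|Start-BitsTransfer|displaydns|Get-DnsClientCache|\.lnk|Select-String|' +
               'config\.ini|web\.ini|schtasks|Register-ScheduledTask|CopyFromScreen'
    $filter  = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                  StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        ForEach-Object {
            $msg = $_.Message -replace '\s+', ' '
            [pscustomobject]@{
                Time      = $_.TimeCreated
                ProcessId = $_.ProcessId
                Hit       = [regex]::Match($msg, $pattern, 'IgnoreCase').Value
                Snippet   = $msg.Substring(0, [Math]::Min(160, $msg.Length))
            }
        }
}

# Usage (elevated): check the current state, enable, then hunt.
Get-PowerShellLoggingState
# Enable-PowerShellLogging
# Find-CampaignIndicatorsInScriptBlocks -Days 30 | Format-Table -AutoSize -Wrap
```

Script block logging records the code after PowerShell has decoded and de-obfuscated it, so a base64-encoded command line or a stage pulled out of a .lnk file appears in the 4104 event as the plain text that actually ran. That is what makes a simple pattern hunt like this workable against a campaign whose on-disk artefacts are encrypted.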