Last night Matt Graeber (@mattifestation) published a tweet that quickly caught my interest:
Woot! More PowerShell (albeit lame) found in the wild. http://t.co/jQk1kL6TRD
— Matt Graeber (@mattifestation) March 28, 2014
Matt was commenting on a TrendMicro post, Word and Excel Files Infected Using Windows PowerShell, regarding another (in Matt's words, "lame") discovery of PowerShell malware. TrendMicro discovered two pieces of malware, W97M_CRIGENT.A and X97M_CRIGENT.A, which in the big picture are quite unremarkable.
There are, however, some features of this malware that will be interesting to anyone who saw my presentation.
Firstly, the malware enters via an infected Word or Excel document, much like the initial entry in my presentation. The malware TrendMicro discovered is significantly more complex than mine, making use of some interesting DNS queries and cloud storage providers for hosting components such as Tor and Polipo. The use of DNS TXT records I find incredibly interesting.
One thing I thought was left out of the TrendMicro post is: why Polipo? The answer is obvious to anyone who has spent a significant amount of time developing PowerShell or .NET code. The answer is, and I say this without seeing the code, that the malware author wanted to use the Net.WebClient object, which does not support SOCKS proxies. The author wanted to route the traffic via Tor, and needed Polipo to provide an HTTP proxy that forwards the WebClient traffic into Tor's SOCKS port. How do I know this? Well, I have deployed an extremely similar configuration for another project I was working on.
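To make the Polipo point concrete, here is an added example (my illustration for this post, not the CRIGENT sample and not code from the TrendMicro write-up) of pointing Net.WebClient at a local Polipo instance that is bridged to Tor. It assumes Polipo's and Tor's default listeners (HTTP on 127.0.0.1:8123, SOCKS5 on 127.0.0.1:9050) and uses the public check.torproject.org/api/ip endpoint to confirm the request actually exits through Tor; those addresses and the endpoint are assumptions of the example.

```powershell
# Added example (not the CRIGENT sample and not code from this post):
# route System.Net.WebClient through Polipo so that it exits via Tor.
#
# Assumed local layout (Polipo's and Tor's defaults):
#   Tor     SOCKS5 listener  127.0.0.1:9050
#   Polipo  HTTP listener    127.0.0.1:8123, bridged to Tor with these two
#           lines in its config file:
#               socksParentProxy = "127.0.0.1:9050"
#               socksProxyType   = socks5

$PolipoUri = 'http://127.0.0.1:8123'

function New-ProxiedWebClient {
    param([string]$ProxyUri = $PolipoUri)

    $wc = New-Object System.Net.WebClient
    # System.Net.WebProxy speaks HTTP proxying only (plain requests forwarded
    # to the proxy, CONNECT for TLS). Handing it Tor's SOCKS port directly
    # would just send an HTTP request to a SOCKS listener and fail, which is
    # why the Polipo hop is needed.
    $wc.Proxy = New-Object System.Net.WebProxy($ProxyUri, $true)
    return $wc
}

function Test-TorExit {
    param([System.Net.WebClient]$Client = (New-ProxiedWebClient))

    # check.torproject.org answers {"IsTor":true,"IP":"<exit ip>"} when the
    # request arrived through a Tor exit. HTTPS is tunnelled by Polipo via
    # CONNECT, so the proxy never sees the plaintext.
    $json   = $Client.DownloadString('https://check.torproject.org/api/ip')
    $answer = $json | ConvertFrom-Json
    return New-Object PSObject -Property @{
        IsTor  = [bool]$answer.IsTor
        ExitIP = $answer.IP
    }
}

# Compare the direct view (system proxy settings) with the proxied one: the
# two IPs should differ and IsTor should be $true only for the Polipo client.
$direct = New-Object System.Net.WebClient
$plain  = ($direct.DownloadString('https://check.torproject.org/api/ip') | ConvertFrom-Json).IP
$viaTor = Test-TorExit
"Direct IP : $plain"
"Tor exit  : $($viaTor.ExitIP) (IsTor=$($viaTor.IsTor))"
```

ConvertFrom-Json needs PowerShell 3.0 or later; on 2.0 the JSON would have to be parsed by hand or with System.Web.Script.Serialization.JavaScriptSerializer. From the defensive side, the same pattern is the thing to look for: a PowerShell process whose WebClient proxy is a localhost HTTP port, sitting next to freshly dropped tor and polipo binaries.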
Once the malware has Tor and Polipo locally, it connects to the C&C server via the Tor network. The malware uploads a chunk of information to the C&C server, including:
- IP Address
- Country code
- Country name
- Region code
- Region name
- City
- Zipcode
- Latitude
- User account privilege
- OS version
- OS architecture
- Domain
- OS Language
- Microsoft Office applications
- Microsoft Office versions
Most of these are easily gathered with PowerShell; I included most of them in my presentation, if you remember:
An excerpt from my PowerShell Shenanigans code, found here.
Whilst my code does not gather all of that information, it is extremely easy to extend what I had.
The malware seems to be a throwback to the 90s, infecting Word and Excel documents as its propagation mechanism.
Whilst the use of PowerShell did not seem to be why TrendMicro thought it was blog-worthy (they focused on the use of Tor), I think it is a wholly interesting piece of code.
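As an added example of how the locally observable fields in that list can be collected (this is my illustration for this post, not the excerpt from my presentation and not the CRIGENT code), the following uses WMI, the .NET Windows principal and the Office COM registration keys. The geolocation fields (IP address, country, region, city, zip code, latitude) come from an external geo-IP lookup, which TrendMicro's post does not detail, so they are left out to keep the example offline; the choice of WMI classes and registry keys is mine.

```powershell
# Added example, not the CRIGENT sample and not code from this post.
# Gathers the host-side fields from the list above with Windows PowerShell.
# Geo-IP fields are omitted (they require an external lookup service).

function Get-HostProfile {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $cs = Get-WmiObject -Class Win32_ComputerSystem

    # User account privilege: is the current token a member of the local
    # Administrators group? (Under UAC a non-elevated admin reports $false.)
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # OS language: Win32_OperatingSystem.OSLanguage is an LCID (1033 = en-US).
    $language = [System.Globalization.CultureInfo]::GetCultureInfo([int]$os.OSLanguage).Name

    # Domain: Win32_ComputerSystem.Domain holds the workgroup name when the
    # machine is not domain-joined, so check PartOfDomain first.
    $domain = if ($cs.PartOfDomain) { $cs.Domain } else { 'WORKGROUP (' + $cs.Domain + ')' }

    # Installed Office applications and versions: each application registers
    # a COM ProgID whose CurVer key names the versioned ProgID, e.g.
    # Word.Application.15 for Office 2013.
    $office = @{}
    foreach ($app in 'Word', 'Excel', 'PowerPoint', 'Outlook', 'Access') {
        $key = "Registry::HKEY_CLASSES_ROOT\$app.Application\CurVer"
        if (Test-Path $key) {
            $progId = (Get-ItemProperty -Path $key).'(default)'
            $office[$app] = $progId.Split('.')[-1]
        }
    }

    New-Object PSObject -Property @{
        User       = $identity.Name
        IsAdmin    = $isAdmin
        OSVersion  = "$($os.Caption) $($os.Version)"
        OSArch     = $os.OSArchitecture
        OSLanguage = $language
        Domain     = $domain
        Office     = $office
    }
}

Get-HostProfile | Format-List
```

Everything here is a single WMI or registry read, which is exactly why the collection side of this malware is unremarkable; the only part that leaves the host is the geo-IP lookup and the upload itself.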
I would love to look at the samples, as would Carlos Perez (@Carlos_Perez). I would love to see how well developed the PowerShell is! If anyone has the samples, please contact me!