Black Magic: Windows PowerShell Used Again in New Attack

The Windows PowerShell® command line is a valuable Windows administration tool designed especially for system administration. It combines the speed of the command line with the flexibility of a scripting language, making it helpful for IT professionals to automate administration of the Windows OS and its applications.

Unfortunately, threat actors have recently taken advantage of this powerful scripting language yet again. A recent attack we found originated from an email that promoted a certain “medical examination report.” The email’s sender was disguised as Duo Wei Times, a Chinese newspaper based in the United States. The email had an attached archive file, which contained a malicious .LNK or shortcut file. The .LNK attachment, which had Windows PowerShell commands in its properties, is detected as LNK_PRESHIN.JTT. This code uses the Windows PowerShell command line to download files and bypass execution policies to execute the downloaded file.

LNK_PRESHIN.JTT downloads another malware, TROJ_PRESHIN.JTT, which is another PowerShell scripting file that downloads and launches the final payload BKDR_PRESHIN.JTT.

Figure 1. The ZIP file contains a .LNK file named report20140408.doc.lnk

According to our analysis, BKDR_PRESHIN.JTT is able to steal passwords stored related to Microsoft Outlook and Internet Explorer. It is a self-extracting file that is also able to gather certain critical data from affected systems that can be used for reconnaissance purposes. The full infection chain can be seen below:

Figure 2. Full infection chain

The above-mentioned techniques ring similar to PlugX and Taidoor that both use normal .EXE files to launch their .DLL component, which is responsible for decrypting and executing the attack’s main backdoor component.

PowerShell Abuse Targets Multiple Windows Systems

During the latter part of Q1, we took notice of the CRIGENT malware family that introduced new malware techniques, such as using Windows PowerShell to target Microsoft Word and Excel files. This was a significant observation for anti-malware researchers as Windows PowerShell is only available for operating systems running on Windows 7 onwards. This means that systems running on Windows XP can also be infected if it PowerShell installed.

Windows 7 is still the one of the most used operating systems from April 2013-April 2014 followed by Windows XP. It’s no wonder cybercriminals and attackers leveraged the Windows PowerShell feature to infect as much systems as possible and consequently infiltrate a network.

Knowing that Windows XP had already ended support, abusing Windows PowerShell specifically for Windows XP systems may create a loophole for cybercriminals. Since the malware code indicates that it uses PowerShell v1.0, in theory, systems installed Windows XP SP2, Windows Server 2003 and Windows Vista are also at risk of this threat. As mentioned in our previous blog entry about the CRIGENT malware family and abuse of Windows PowerShell, IT administrators that are normally on the lookout for malicious binaries may overlook this, as this malware technique is not particularly common. Consider the abuse of Windows PowerShell a form of “black magic,” so to speak, in which malware developers have turned their focus to developing even more sophisticated threats through this very powerful Windows feature.

Trend Micro protects users and enterprises from threats leveraging Windows PowerShell via detecting the malware and blocking all related URLs.

For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.

With additional analysis from Rhena Inocencio

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Black Magic: Windows PowerShell Used Again in New Attack