Attackers using PowerShell obfuscation tools to smuggle malware past scan tools

News by Rene Millman

Attackers are increasingly turning to advanced obfuscation techniques, including tools in the PowerShell library, to evade security software, researchers say.

Hackers are turning to obfuscation techniques to evade security software, according to a new report.

According to a blog post by security researchers at Cylance, hackers are increasingly reaching their targets not with exotic, custom payloads but with so-called commodity malware – off-the-shelf programs you can find online, either for free or else for a nominal fee. They said that while commodity malware should be immediately recognisable to antivirus scanners, the hackers were using obfuscation to hide it.

The researchers said that cyber-criminals carry out this attack for two main reasons: first, if found, off-the-shelf malware is harder to attribute; second, employing various obfuscation techniques increases the likelihood that malware will bypass antivirus products and hit its target.

They added that one innovative technique Cylance recently observed leverages PowerShell, a feature built into Windows, to obfuscate a common malware payload. When Cylance first observed it, fewer than a handful of antivirus products caught it.

"The sample appeared to use several techniques described by Daniel Bohannon. The file we analysed was a ZIP file containing both a PDF document and VBS script," said the researchers. They said that the VBS script used rudimentary Base64 encoding to obfuscate the first layer.  

This VBS script downloads and executes the file "http://ravigel[dot]com/1cr.dat" via PowerShell with the following switches, "PowersheLl -windowstyle hidden -noexit -executionpolicy bypass".

"Numerous techniques, like string splitting through concatenation and variable assignment, as well as the use of tick marks and random letter capitalisations, are used to split up words or signatures that antivirus companies commonly rely upon for malicious PowerShell identification," they said.
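As an added example (not taken from Cylance's post or from the sample itself), the following Python code shows why the tricks quoted above defeat literal signature matching and how a detection rule can undo them before matching. The indicator list reuses the switches quoted in the article; the sample strings and all function names are constructed for illustration.

```python
import re

# Switches quoted in the article, used here as the "signatures" to look for.
INDICATORS = ("-windowstyle hidden", "-noexit", "-executionpolicy bypass")

_JOIN = re.compile(r"""['"]\s*\+\s*['"]""")                       # 'ab' + 'cd'
_ASSIGN = re.compile(r"""\$(\w+)\s*=\s*['"]([^'"]*)['"]\s*;?""")  # $v = 'text';

def normalise(text):
    """Flatten tick marks, concatenation, simple variable assignment and case."""
    # Assumption: every backtick is cosmetic. Real escapes such as `n are also
    # dropped, which is acceptable for matching but not for re-execution.
    text = text.replace("`", "")
    text = _JOIN.sub("", text)              # 'ab' + 'cd' -> 'abcd'
    variables = {}

    def remember(match):
        variables[match.group(1).lower()] = match.group(2)
        return ""

    text = _ASSIGN.sub(remember, text)      # record literals, drop the statement
    text = re.sub(r"\$(\w+)",
                  lambda m: variables.get(m.group(1).lower(), m.group(0)), text)
    text = re.sub(r"""['"()]""", "", text)  # remove leftover quoting and grouping
    return " ".join(text.lower().split())   # fold case and whitespace

def naive_match(text):
    """Literal, case-sensitive matching on the raw text."""
    return [i for i in INDICATORS if i in text]

def matched_indicators(text):
    """The same indicators, matched after normalisation."""
    flat = normalise(text)
    return [i for i in INDICATORS if i in flat]

# Constructed samples: the command line quoted in the article, two constructed
# variants using the described tricks, and a benign administrative command.
SAMPLES = [
    "PowersheLl -windowstyle hidden -noexit -executionpolicy bypass",
    "pOwErShElL -Win`dowSt`yle HiDDen -No`Exit -Exec`utionPol`icy ByPaSs",
    "$p = '-execution' + 'policy'; powershell ('-window'+'style') hidden $p bypass",
    "powershell -NoProfile -File C:\\Scripts\\backup.ps1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(len(naive_match(sample)), len(matched_indicators(sample)), sample)
```

Normalisation of this kind only addresses the cosmetic layer; encrypted or encoded stages still need runtime visibility such as PowerShell script block logging.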

The researchers said that a file named "1cr.dat" was of interest as it used a method of string encryption inherent in C# called SecureString or more specifically "Marshal.SecureStringToGlobalAllocAnsi". This is commonly used to encrypt sensitive strings within applications using Microsoft’s built-in DPAPI.

When decoded, there is an attempt to defeat automated sandbox solutions.

"The payload was only detected by two products when first deployed by the criminals, but at the time we came across it, 18 products detected the payload," said researchers. They added that this was a simple espionage tool widely known to the security community and considered commodity malware.

The researchers said that while use of those tools is concerning and should be monitored, attention should not be completely diverted from those threat actors – including advanced threat actors – who are succeeding right now at bypassing antivirus products with tools that are not "zero-day" but "every day".

Rob Shapland, a security consultant at Falanx Group, told SC Magazine UK that there are many hacking tools available to obfuscate malware. It requires a good level of technical knowledge, but a skilled hacker can bypass most anti-malware tools. The hackers are always one step ahead in the arms race, coming up with new innovative methods of bypassing protection. Longer term, some of the AI-based detection tools may be able to stop these attacks, but the technology can still be bypassed at present.

"The best approach to protecting against these attacks is having multiple layers of defence. The hacker still needs to deliver the malware to the organisation in some way, usually via phishing. Effective awareness training can help to stop the initial infection point, as can email protection software," he said.

Nicholas Griffin, senior cyber-security specialist at Performanta, told SC Magazine UK that it is trivially easy to bypass traditional anti-virus scanners and has been for many years now.

"AV solutions identify malware by matching their characteristics against the ‘known bad’, so when something doesn’t fall into this bucket it is not caught. Modern machine learning helps with this detection gap to an extent, but even machine learning models are typically trained on the ‘known bad’. Ultimately, relying on static detection of malware files means we’ll always be one step behind the attacker," he said.

 
