Friday, July 5, 2019

PowerShell Reverse Meterpreter Script Analysis


While perusing Pastebin (& not researching in my lab like I had planned) for malicious PowerShell scripts, I came upon an interesting script.



The script for now can be found at hxxps://pastebin.com/er2chrz2 .  Not to my surprise, @ScumBots had already identified and tweeted out the paste.  A big shout-out to @pmelson and his @ScumBots bot for the work he does.

Not to be deterred, I wanted to conduct some quick analysis of the script which would allow me to put some Python to use.

Not much to see with the script, the usual obfuscated mess most likely base64 encoded.

Figure 1

 I decided to open up a Jupyter Notebook and start decoding the script.  No need to do anything to advanced, import base64 and see what we get.

Figure 2

Our decoded script starts off with an if statement that checks for the version of PowerShell, either four or falling back to v1.  Version five introduced scriptblock logging which would provide us with the entire decoded script (much to the chagrin of many attackers).

A few items to point out in this script, that may be rare to some.  First, notice the 'System.IO.Compression.GzipStream', The GzipStream class utilizes gzip (duh!) to compress data, thus adding another step to our analysis.

Additionally, just after the gzip class, we see a 'FromBase64String' method that you guessed it, encodes another string within the payload. Back to our notebook.
Figure 3

With our newly found base64 string considered a bytes-like object, we can utilize io.BytesIO and as well as b64decode to give us the decoded portion of the script.  Next, the script will use gzip and display the now decompressed data.

A good portion of the decompressed data seems to "borrow" from PowerSploit's Invoke-Shellcode.ps1 script found at: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1

You may have already guessed it, but we have another string to base64 decode. Same code as used before.

Figure 4



There are few different paths we could take from here.  We could take the displayed shellcode, convert it to hex and use CyberChef to give us some assembly code.  Another option is disassembling the shellcode using an application of your choice. Our last option, and the most helpful for me was to find a Python module to assist me in converting shellcode to assembly.

To accomplish this task, I utilized the Capstone module (https://www.capstone-engine.org/lang_python.html) 

Figure 5

We now have readable assembly language to start looking over in hopes we can find some juicy info.  Some may not be comfortable with using or reading assembly via Python, so the below image displays the same code output from CyberChef.

Figure 6

After pouring over the assembly output, I noticed there were a number of similarities to different Metasploit reverse shell scripts. Additionally, I was able to pull out an IP address likely serving as a C2. The instruction 'PUSH 0x844ba8c0' gives us 192.168[.]75.132.

Looking back to Paul's Twitter bot post and checking VirusTotal, it appears we are on track with a possible C2 of 192.168[.]75.132:4444.  I believe this is also the default port in Metasploit when setting up a meterpreter listening port.

There is still more research to conduct, but I believe we have a good bit of information to work with for now. This was a great lesson in not only Python, but also getting back to assembly language and malicious PowerShell scripts.

I will try and add the Jupyter Notebook file to my github as soon as possible if anyone is interested.

Thanks for reading!

Easy Wins for All…Slowing Attacks With the Basics

Disclaimer: The below was conducted in my home lab, configurations may/may not scale to an enterprise network. A good bit of work still ne...