Hackers exploit PowerShell, a built-in scripting tool on Windows (and sometimes Linux), to launch various attacks. PowerShell scripts can download malware, bypass antivirus, steal data, and grant remote access.
The scripts are attractive to attackers because they are easy to write, difficult to detect due to obfuscation techniques (like partial name matching), and leverage legitimate system resources for malicious actions (“living off the land”) but some tools can analyze these PowerShell scripts for safe detonation and step-by-step tracing.
PowerShell scripts are a type of automation tool used on Windows systems that can be used for legitimate purposes like configuration management or for malicious purposes like installing malware.
The new PowerShell Script Tracer helps analysts understand what a PowerShell script does by providing a detailed breakdown of the script’s functions and how they connect to each other, which can help analysts identify malicious behaviour in the script more easily.
Hackers often use it to perform a variety of malicious actions, such as:
Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:
If you want to test all these features now with completely free access to the sandbox:
For further investigation where you can see how this tracer works, click on the specific PowerShell process in the tree, which will display a process details tab at the bottom and within this tab, click “More Info” to access the Script Tracer and gain detailed insights into the deobfuscated script’s activities.
The Advanced Details window replaces the general process information with a detailed view of what it is doing.
The Script Tracer tab focuses on PowerShell executions and shows the functions called by the process in order, from top to bottom.
This allows you to determine how the process is acting by examining the function calls and how they are executed.
A malicious program downloads data from a URL using the System.Net.WebClient class. The downloaded data are binary and encoded in Base64.
The program then decodes the data using the FromBase64String method and converts it to a Unicode string using System. Text.UnicodeEncoding.GetString.
The MZ signature in the trace indicates that the string is the actual PowerShell command that the program wants to execute, which is most likely an encoded executable file.
The provided PowerShell code exhibits several indicators of malicious intent and executes hidden, bypassing security measures (-windowstyle hidden, -executionpolicy bypass) by downloading data from image URLs ($links) and extracting a Base64-encoded command hidden within the downloaded content ($imageText.Substring).
This retrieved command is then loaded directly into memory as a.NET assembly for execution ([System.Reflection.Assembly]::Load), bypassing traditional file-based detection methods suggesting the code aims to download and execute a hidden malicious payload (hidden) within an image.
Analysis revealed the script’s malicious nature, where extracted URLs, https://uploaddeimagens[.]com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469 and https://uploaddeimagens[.]com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500, can be used as Indicators of Compromise (IOCs) for further investigation.
Analyze PowerShell Scripts in Malware in ANY.RUN - Register for Free
ANY.RUN is a renowned ally for over 400,000 cybersecurity experts globally. This interactive sandbox platform streamlines the malware analysis process for threats aimed at both Windows and Linux systems, equipping analysts with a sophisticated tool for their investigative work.
Additionally, ANY.RUN’s threat intelligence offerings, namely Lookup and Feeds, deliver precise indicators of compromise and contextual insights that enable users to detect threats and manage incident responses swiftly.
ANY.RUN enhances the speed and accuracy of threat analysis. The platform is adept at identifying common malware families using YARA and Suricata rules and can pinpoint malware behaviors through signatures when specific family detection is unfeasible.
For a closer look at how ANY.RUN can benefit your security team, contact ANY.RUN for a personalized guided tour of the platform.
Dell Technologies has released a security update for its Wyse Management Suite (WMS) to address…
The Cybersecurity and Infrastructure Security Agency (CISA) recently detailed findings from a Red Team Assessment…
IBM has issued a security bulletin warning customers about a vulnerability in its Workload Scheduler…
Several high-severity vulnerabilities have been identified in Android and Google Pixel devices, exposing millions of…
Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…
The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…