Hackers exploit PowerShell, a built-in scripting tool on Windows (and sometimes Linux), to launch various attacks. PowerShell scripts can download malware, bypass antivirus, steal data, and grant remote access.
The scripts are attractive to attackers because they are easy to write, difficult to detect due to obfuscation techniques (like partial name matching), and leverage legitimate system resources for malicious actions (“living off the land”) but some tools can analyze these PowerShell scripts for safe detonation and step-by-step tracing.
PowerShell scripts are a type of automation tool used on Windows systems that can be used for legitimate purposes like configuration management or for malicious purposes like installing malware.
The new PowerShell Script Tracer helps analysts understand what a PowerShell script does by providing a detailed breakdown of the script’s functions and how they connect to each other, which can help analysts identify malicious behaviour in the script more easily.
Hackers often use it to perform a variety of malicious actions, such as:
Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:
If you want to test all these features now with completely free access to the sandbox:
For further investigation where you can see how this tracer works, click on the specific PowerShell process in the tree, which will display a process details tab at the bottom and within this tab, click “More Info” to access the Script Tracer and gain detailed insights into the deobfuscated script’s activities.
The Advanced Details window replaces the general process information with a detailed view of what it is doing.
The Script Tracer tab focuses on PowerShell executions and shows the functions called by the process in order, from top to bottom.
This allows you to determine how the process is acting by examining the function calls and how they are executed.
A malicious program downloads data from a URL using the System.Net.WebClient class. The downloaded data are binary and encoded in Base64.
The program then decodes the data using the FromBase64String method and converts it to a Unicode string using System. Text.UnicodeEncoding.GetString.
The MZ signature in the trace indicates that the string is the actual PowerShell command that the program wants to execute, which is most likely an encoded executable file.
The provided PowerShell code exhibits several indicators of malicious intent and executes hidden, bypassing security measures (-windowstyle hidden, -executionpolicy bypass) by downloading data from image URLs ($links) and extracting a Base64-encoded command hidden within the downloaded content ($imageText.Substring).
This retrieved command is then loaded directly into memory as a.NET assembly for execution ([System.Reflection.Assembly]::Load), bypassing traditional file-based detection methods suggesting the code aims to download and execute a hidden malicious payload (hidden) within an image.
Analysis revealed the script’s malicious nature, where extracted URLs, https://uploaddeimagens[.]com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469 and https://uploaddeimagens[.]com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500, can be used as Indicators of Compromise (IOCs) for further investigation.
Analyze PowerShell Scripts in Malware in ANY.RUN - Register for Free
ANY.RUN is a renowned ally for over 400,000 cybersecurity experts globally. This interactive sandbox platform streamlines the malware analysis process for threats aimed at both Windows and Linux systems, equipping analysts with a sophisticated tool for their investigative work.
Additionally, ANY.RUN’s threat intelligence offerings, namely Lookup and Feeds, deliver precise indicators of compromise and contextual insights that enable users to detect threats and manage incident responses swiftly.
ANY.RUN enhances the speed and accuracy of threat analysis. The platform is adept at identifying common malware families using YARA and Suricata rules and can pinpoint malware behaviors through signatures when specific family detection is unfeasible.
For a closer look at how ANY.RUN can benefit your security team, contact ANY.RUN for a personalized guided tour of the platform.
The Evasive Panda group deployed a new C# framework named CloudScout to target a Taiwanese…
Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in…
The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215 against…
Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors to…
A security researcher discovered a vulnerability in Windows theme files in the previous year, which…
The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to…