- Aug 17, 2014
- 11,093
New Jupyter Infostealer Version Emerges with Sophisticated Stealth Tactics
- Thread starter silversurfer
- Start date
- Dec 23, 2014
- 8,510
PowerShell mostly blocks such attacks in Constrained Language Mode (CLM).
In this example, the malware connects with C2 server by using the methods blocked by CLM:
[Text.Encoding]::UTF8.GetString()
[IO.File]::ReadAllBytes()
Next, the malware decodes the Infostealer payload (from .dat file) by using other methods blocked by CLM:
[Convert]::FromBase64String()
New-Object System.Security.Cryptography.AesCryptoServiceProvider
Finally, it loads the DLL payload in-memory (Infostealer) by using another method blocked by CLM
[Reflection.Assembly]::Load()
Edit.
One can confirm that CLM blocks these methods by executing them in the PowerShell console. The execution will end with error:
"Cannot invoke method. Method invocation is supported only on core types in this language mode."
In this example, the malware connects with C2 server by using the methods blocked by CLM:
[Text.Encoding]::UTF8.GetString()
[IO.File]::ReadAllBytes()
Next, the malware decodes the Infostealer payload (from .dat file) by using other methods blocked by CLM:
[Convert]::FromBase64String()
New-Object System.Security.Cryptography.AesCryptoServiceProvider
Finally, it loads the DLL payload in-memory (Infostealer) by using another method blocked by CLM
[Reflection.Assembly]::Load()
Edit.
One can confirm that CLM blocks these methods by executing them in the PowerShell console. The execution will end with error:
"Cannot invoke method. Method invocation is supported only on core types in this language mode."
- Dec 23, 2014
- 8,510
Another example of using PowerShell in the attack started by the initial EXE/MSI files is LummaC2 stealer analyzed also by VMware Carbon Black (in October 2023):
It uses another set of popular methods (blocked by Constrained Language Mode) to download a payload:
[Net.Webrequest]::Create()
New-Object Net.WebClient
Edit.
As in the previous article about Jupyter Infostealer, the authors from VMware Security Blog claim that Carbon Black can be efficient for the detection, prevention, and containment of such malware. We should take it with a grain of salt. Other AVs can use similar ATP methods. For example, Bitdefender can often block the PowerShell process spawned by an EXE file.
It uses another set of popular methods (blocked by Constrained Language Mode) to download a payload:
[Net.Webrequest]::Create()
New-Object Net.WebClient
Edit.
As in the previous article about Jupyter Infostealer, the authors from VMware Security Blog claim that Carbon Black can be efficient for the detection, prevention, and containment of such malware. We should take it with a grain of salt. Other AVs can use similar ATP methods. For example, Bitdefender can often block the PowerShell process spawned by an EXE file.
- Dec 23, 2014
- 8,510
Another fresh example:
malwaretips.com
securityintelligence.com
In this article, the GootBot payload uses a PowerShell script with methods blocked by CLM:
[Convert]::FromBase64String()
[Scriptblock]:: ("create")()
Malware News - New GootLoader Malware Variant Evades Detection and Spreads Rapidly
A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection. "The GootLoader group's introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using...
malwaretips.com
GootBot - Gootloader's new approach to post-exploitation
IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant. Learn more about this and how to combat it.
securityintelligence.com
In this article, the GootBot payload uses a PowerShell script with methods blocked by CLM:
[Convert]::FromBase64String()
[Scriptblock]:: ("create")()
Similar threads
