We have named the Snip3 Crypter based on the common denominator username taken from the PDB indicator we found in an earlier variant. We classified this Crypter activity based on the execution flow shown in Figure 1. This Crypter activity was first observed in the wild on February 4, 2021, and is still ongoing. The related variant's first submissions on VirusTotal demonstrate its evasive nature: few security solutions were able to detect it.

The first stage of the attack chain is a VBScript designed to load the second-stage PowerShell script and hand execution over to it. We have identified four versions containing 11 sub-versions in this initial loader stage. The main difference between the four versions is the mechanism used to load the second-stage PowerShell; the main difference between the 11 sub-versions is the type of obfuscation each uses.

An interesting and unique technique here is that the script launches PowerShell with the -ExecutionPolicy RemoteSigned parameter and passes the decoded script inline as a -Command argument rather than as a script file.

This version initially decodes a PowerShell script that is executed in order to download, save, and execute the second-stage PowerShell script. The relevant part of the loader, with the long Chr() chains cut down to their first element:

QwErUnBcZsAyOpLmHg = "POWERSHELL -EXECUTIONPOLICY REMOTESIGNED -COMMAND "
WSC = cHr ( 119 ) ' chain shortened here; decodes to wSCrIpT.sHELl
Set InBvCzAsKlOpIgHbCzAquJHyt = CreateObject (WSC)
PlMbCdQwwTyHbZaHNbVfTH = cHr ( 73 ) ' chain shortened here; decodes to the PowerShell script, encoded as decimal character codes
InBvCzAsKlOpIgHbCzAquJHyt.RUn QwErUnBcZsAyOpLmHg & PlMbCdQwwTyHbZaHNbVfTH, 0

Both the ProgID passed to CreateObject and the PowerShell script itself are assembled at runtime from Chr() calls, so neither "WScript.Shell" nor any PowerShell keyword appears as a plain string in the file; only the launcher prefix is a literal. The trailing 0 passed to Run hides the PowerShell window.

The second-stage PowerShell is downloaded from top4top.io, an Egyptian file hosting service. Once the second stage is downloaded, the script executes it and saves it under. Note that this first PowerShell instance runs with the RemoteSigned execution policy, whereas the second stage runs with Bypass. The execution policy only governs script files loaded from disk; a string passed with -Command runs regardless, so RemoteSigned imposes no restriction on the loader. The likely motive is to avoid the "-ExecutionPolicy Bypass" string that detection rules commonly match on.
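As an added analysis helper (not code from the original post or from the Snip3 authors), the following Python script deobfuscates a loader written in the style shown above: it evaluates the Chr() chains and string concatenations, resolves the variables, reconstructs the command line handed to WScript.Shell.Run, and tags the behaviours discussed here (a Chr()-built WScript.Shell ProgID, PowerShell launched with an inline -Command, the execution policy value, and a hidden window). The embedded VBScript sample is constructed for this example: its variable names mirror the snippet, but the complete Chr() chains and the decoded payload (IEX 1) are invented and are not the real second stage.

```python
"""Deobfuscate a Chr()-chain VBScript loader and reconstruct what it runs.

Added example, not code from the original post or from the Snip3 authors.
Supports the constructs the loader uses: string literals, Chr(n) calls joined
with '&', variable assignment, Set x = CreateObject(expr) and x.Run expr, n.
"""
import re

# Constructed sample in the style of the loader. Variable names mirror the
# snippet; the full Chr() chains and the decoded payload are invented.
SAMPLE_VBS = r'''
QwErUnBcZsAyOpLmHg = "POWERSHELL -EXECUTIONPOLICY REMOTESIGNED -COMMAND "
WSC = cHr ( 119 ) & ChR(83) & chr( 67 ) & Chr(114) & Chr(73) & Chr(112) & Chr(84) & Chr(46) & Chr(115) & Chr(72) & Chr(69) & Chr(76) & Chr(108) 'wSCrIpT.sHELl
Set InBvCzAsKlOpIgHbCzAquJHyt = CreateObject (WSC)
PlMbCdQwwTyHbZaHNbVfTH = cHr ( 73 ) & Chr(69) & Chr(88) & Chr(32) & Chr(49)
InBvCzAsKlOpIgHbCzAquJHyt.RUn QwErUnBcZsAyOpLmHg & PlMbCdQwwTyHbZaHNbVfTH, 0
'''

CHR_RE = re.compile(r'^\s*chr\s*\(\s*(\d+)\s*\)\s*$', re.IGNORECASE)
STR_RE = re.compile(r'^\s*"((?:[^"]|"")*)"\s*$')
SET_RE = re.compile(r'^set\s+(\w+)\s*=\s*createobject\s*\((.*)\)$', re.IGNORECASE)
RUN_RE = re.compile(r'^(\w+)\s*\.\s*run\s+(.+?)(?:\s*,\s*(\d+))?$', re.IGNORECASE)
ASSIGN_RE = re.compile(r'^(\w+)\s*=\s*(.+)$')


def strip_comment(line: str) -> str:
    """Drop a trailing ' comment, ignoring apostrophes inside string literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def split_concat(expr: str) -> list:
    """Split an expression on '&' operators that sit outside string literals."""
    parts, buf, in_str = [], [], False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch == '&' and not in_str:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf))
    return parts


def eval_expr(expr: str, env: dict) -> str:
    """Evaluate a concatenation of literals, Chr(n) calls and known variables."""
    out = []
    for part in split_concat(expr):
        if m := CHR_RE.match(part):
            out.append(chr(int(m.group(1))))
        elif m := STR_RE.match(part):
            out.append(m.group(1).replace('""', '"'))   # "" is an escaped quote
        elif part.strip().lower() in env:                # VBScript names are case-insensitive
            out.append(env[part.strip().lower()])
        else:
            raise ValueError(f"unresolved operand: {part.strip()!r}")
    return ''.join(out)


def deobfuscate(vbs: str) -> dict:
    """Walk the script statement by statement; return decoded strings, objects and Run calls."""
    env, objects, runs = {}, {}, []
    for raw in vbs.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        if m := SET_RE.match(line):
            objects[m.group(1).lower()] = eval_expr(m.group(2), env)
        elif m := RUN_RE.match(line):
            cmd = eval_expr(m.group(2), env)
            payload = re.search(r'-command\s+(.*)$', cmd, re.IGNORECASE)
            runs.append({
                "object": objects.get(m.group(1).lower(), "<unknown>"),
                "command": cmd,
                "payload": payload.group(1) if payload else None,
                "window_style": int(m.group(3)) if m.group(3) else None,  # 0 = hidden
            })
        elif m := ASSIGN_RE.match(line):
            env[m.group(1).lower()] = eval_expr(m.group(2), env)
        else:
            raise ValueError(f"unsupported statement: {line}")
    return {"strings": env, "objects": objects, "runs": runs}


def assess(result: dict) -> list:
    """Tag the behaviours worth surfacing from a decoded loader (sorted for stable output)."""
    tags = set()
    if any(p.lower() == "wscript.shell" for p in result["objects"].values()):
        tags.add("wscript_shell")
    for run in result["runs"]:
        argv = run["command"].split()
        if not argv or not argv[0].lower().startswith("powershell"):
            continue
        lowered = [a.lower() for a in argv]
        if "-command" in lowered:
            # Execution policy governs script files only; an inline -Command
            # string runs regardless of RemoteSigned, so the flag is cosmetic.
            tags.add("powershell_inline_command")
        for i, a in enumerate(lowered):
            if a == "-executionpolicy" and i + 1 < len(argv):
                tags.add(f"execution_policy={argv[i + 1]}")
        if run["window_style"] == 0:
            tags.add("hidden_window")
    return sorted(tags)


if __name__ == "__main__":
    decoded = deobfuscate(SAMPLE_VBS)
    for run in decoded["runs"]:
        print(f"{run['object']}.Run -> {run['command']!r} (window style {run['window_style']})")
    print("findings:", ", ".join(assess(decoded)))
```

Running the script against the constructed sample prints the reconstructed command line, `POWERSHELL -EXECUTIONPOLICY REMOTESIGNED -COMMAND IEX 1`, launched through a ProgID that decodes to `wSCrIpT.sHELl`. The same evaluator handles the real samples' much longer Chr() chains, since every element is resolved one operand at a time; a sub-version that uses a different encoding (for example, arithmetic inside Chr() or a custom decode function) would need an additional operand case in eval_expr.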