Share this page!

Paul Melson Profile picture
Twitter logo
30 Mar, 6 tweets, 2 min read
THREAD
Let's analyze a malicious VBA macro payload. On visual inspection, we can easily see that the macro performs string concatenation and then uses Shell() to execute a PowerShell script. It declares AutoOpen() & Workbook_Open() in order to execute when the document is opened.
Once we decode the base64 script from the macro, we can see that it further obfuscates its intention with more base64 encoding and gzip compression.
When we decode & decompress the long string, we get the final PowerShell payload. This script creates a byte array containing shellcode from another base64 encoded string, which it will then reflectively load into kernel32.dll running in memory.
When we load the shellcode in a debugger, we can see that it calls user32.dll!MessageBox to display the message "Hello, from MSF!" which is the default message from this Metasploit payload module: github.com/rapid7/metaspl…
From a detection perspective, the process parent/child hierarchy here would have been a dead giveaway:

Excel.exe
↪️powershell.exe
↪️C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe

Sysmon EventID:1 logs, folks. No excuses.
At first you might write this off as Red Team / pentest tactics, but if you replace the pop-up message payload with one of the Metasploit stager payloads, you're looking at an exact set of TTPs used on-and-off by TA505 over the past several years to drop Dridex and other trojans.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Paul Melson

Paul Melson Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @pmelson

Paul Melson Profile picture
16 Jan
THREAD
Let's talk about detection philosophy a little bit. There are 2 main competing approaches; 1) Define Normal, Detect Abnormal, and 2) Find Evil. 1/7
First, let's acknowledge this is a false choice. You can do both. The key is to know which approach is superior in which context. In general, I prefer Find Evil. Let me tell you why. 2/7
To make Find Evil work, you need to think of attackers as groups with motivations and goals, then frame that in the context of a process, lifecycle, or even a cyber kill chain. Seriously, this is key. 3/7
Read 7 tweets
Paul Melson Profile picture
21 May 20
THREAD for beginning malware/SOC analysts
When analyzing interpreted languages like PowerShell, JavaScript, VBA/VBS, there are some handy shortcuts to dealing with obfuscated code. (NOTE: Always do this kind of analysis in a sandbox VM off of your corporate network.)
Let's use this PowerShell script as an example (raw code on the right). The code is triggered with an obfuscated 'IEX' command that is reconstructed from a predictable PowerShell environment variable, $PSHome.
To de-obfuscate the rest of of the script, replace 'IEX' with 'Write-Host'. This general approach, replacing an execution command with a print/write command, works in basically all interpreted languages. In this case, the output is more obfuscated PowerShell.
Read 7 tweets
Paul Melson Profile picture
21 Aug 18
THREAD
A quick walk-through of analyzing a PowerShell backdoor using Python.
Here's the backdoor if you want to play along at home: pastebin.com/JbYwq9WJ
1. Looking at the raw payload, we can see powershell.exe is invoked and a base64-encoded script is passed for execution.
2. Open Python, import the base64 module, create a string of the original encoded script, and another string (step1) of the decoded script.
Read 8 tweets
Paul Melson Profile picture
23 Jul 17
This thread got me thinking about DefCon, hacker culture, and insecurity. 1/
My first con of any kind was DC6 in 1998. At the time, I worked for a school, fixing Macs and LaserJets, resetting passwords, etc 2/
I knew some folks from IRC, but approaching them IRL seemed hard. I was really intimidated. So I hung with the local BBSers I came with. 3/
Read 22 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @pmelson has new unrolls!

Check out other threads from @pmelson!

Read all threads by @pmelson