
Wednesday, October 24, 2018

CommandLine Escape Character Technique! STILL PREVALENT! STILL EFFECTIVE!

cmd.exe and powershell.exe are known to be abused by malware authors to execute their malicious code. This technique is very common in macro malware that executes '.bat', '.ps1', '.vbs', '.js', etc. to bypass AV detection through script obfuscation, encryption, encoding and more.

This approach may not be new, but it is still effective, and it is a very good example of hiding code from file-based detection, or even from behavioral detection that checks for specific patterns in the command line (like Sysmon), without using any encryption algorithm or obfuscation engine to hide the main code.

So let's start!

The Macro Code:

As usual, the macro code is obfuscated to make static analysis difficult and to bypass heuristic file-based detection.

fig. 1 - obfuscated macro code

The Malicious CMD script:

At first look, the extracted batch script in fig. 2 seems like nonsense or encrypted, but it is not. The script is only in reversed form, filled with the escape character "^".

fig. 2 - obfuscated batch script


If you look at the first line of the batch script, it uses the '/V' switch, which enables "delayed environment variable expansion", and '/C', which tells cmd.exe that the remainder of the command line is to be processed as an immediate command in the new shell, with the individual commands usually separated by "&" or "&&" characters.


fig. 3 - the loop that reverses the string


So by using a Python script, we can normalize this quickly.

fig. 4 - python script to normalize the obfuscated batch script


fig. 5 - output of python script

After reversing the malicious script you can read the code quite well, especially once the escape character "^" is removed. But the really interesting part here is that the script only reverses a portion of its code and then executes it without removing the escape characters. Why? Because cmd.exe can still execute the script even though it contains those escape characters ("^" means that the character following it is treated literally).
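The normalization steps described above (undo the reverse loop from fig. 3, then apply cmd.exe's "^" rule) as an added Python example. This is not the script from fig. 4; the obfuscated payload below is a constructed sample in the same form the post describes, not the string from the real batch file.

```python
"""Normalize a reversed, caret-escaped cmd.exe payload.

Added example, not the post's own fig. 4 script. The payload is a
constructed sample: the forward form is
    ^e^c^h^o ^h^e^l^l^o & ^e^c^h^o ^d^o^n^e
which cmd.exe runs exactly like "echo hello & echo done".
"""

# Constructed sample, stored reversed as the batch loop would see it.
REVERSED_SAMPLE = "e^n^o^d^ o^h^c^e^ & o^l^l^e^h^ o^h^c^e^"


def strip_carets(command: str) -> str:
    """Apply cmd.exe's escape rule: "^" makes the next character literal.

    "^^" therefore collapses to a single "^", and a caret with nothing
    after it (cmd.exe treats that as a line continuation) is dropped.
    Note that this is what cmd.exe does at parse time, which is why the
    malware does not need to remove the carets before executing.
    """
    out = []
    i = 0
    while i < len(command):
        if command[i] == "^":
            if i + 1 < len(command):
                out.append(command[i + 1])  # keep the escaped character as-is
            i += 2
        else:
            out.append(command[i])
            i += 1
    return "".join(out)


def deobfuscate(reversed_payload: str) -> str:
    """Undo the string-reversal loop (fig. 3), then remove the escapes."""
    forward = reversed_payload[::-1]
    return strip_carets(forward)


if __name__ == "__main__":
    print("reversed :", REVERSED_SAMPLE)
    print("forward  :", REVERSED_SAMPLE[::-1])
    print("cleaned  :", deobfuscate(REVERSED_SAMPLE))
```

`strip_carets` is the part worth keeping around: it is the same rule cmd.exe applies, so running it over any extracted command line gives you the string the parser actually sees, whether or not the sample also reversed it.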

fig. 6 - cmd example

Conclusion:

The technique above shows how malware authors really use everything available within the Windows system to bypass detection (for example string detection). ML classifier detection that uses these characteristics as features, behavioral detection, Sysmon (regex and character-count rules) and other detection approaches can still be used to detect this code. :)
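The conclusion's point that caret density and the cmd.exe switches are still detectable features, as an added Python example that scores constructed process-creation command lines. This is not a Sysmon configuration; the threshold and the assumption that the fig. 3 loop uses the delayed-expansion substring form `!var:~n,1!` are mine, and the log lines are constructed.

```python
"""Triage cmd.exe command lines for the caret-escape / reverse-loop pattern.

Added example, not part of the original post. The command lines below
are constructed; the second one mimics the shape of the sample
(delayed expansion, caret-heavy payload, substring loop).
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed process-creation records (CommandLine field only).
SAMPLE_COMMAND_LINES = [
    r'cmd.exe /c dir C:\Users',
    r'cmd /V:ON /C "set s=e^n^o^d^ o^h^c^e^ & o^l^l^e^h^ o^h^c^e^"'
    r' & for /L %i in (38,-1,0) do set r=!r!!s:~%i,1!',
    r'"C:\Windows\System32\cmd.exe" /c echo build ok ^& exit',
]

CARET_THRESHOLD = 8  # assumption: tune against your own baseline of benign command lines
DELAYED_EXPANSION = re.compile(r"/V(?::ON)?\b", re.IGNORECASE)
# Assumption: the reverse loop reads single characters with !var:~n,1!.
SUBSTRING_ACCESS = re.compile(r"![A-Za-z_][A-Za-z0-9_]*:~")


@dataclass
class Verdict:
    command_line: str
    carets: int
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # One indicator alone is noisy (a single "^&" is normal); require two.
        return len(self.reasons) >= 2


def score(cmd: str) -> Verdict:
    """Collect the cheap features the post's conclusion refers to."""
    v = Verdict(cmd, cmd.count("^"))
    if v.carets >= CARET_THRESHOLD:
        v.reasons.append(f"{v.carets} caret escapes in one command line")
    if DELAYED_EXPANSION.search(cmd):
        v.reasons.append("delayed environment variable expansion (/V)")
    if SUBSTRING_ACCESS.search(cmd):
        v.reasons.append("delayed-expansion substring access (string reversal idiom)")
    return v


def triage(lines: List[str]) -> List[Verdict]:
    return [score(line) for line in lines]


if __name__ == "__main__":
    for v in triage(SAMPLE_COMMAND_LINES):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"[{flag}] carets={v.carets} :: {v.command_line[:60]}")
        for r in v.reasons:
            print("    -", r)
```

The count-based rule survives the "no encryption, no obfuscation engine" angle of this sample precisely because the carets have to stay in the command line for cmd.exe to strip them; normalizing with the escape rule first and then matching on the cleaned string covers the case where a sample keeps the payload readable but caret-free.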

IOC:

SHA1: f66b9c59f96f4c8a49698f192563cf6c77a7153d
SHA256: 7ff1c508dd92f7fd48ede84e34cd64b3d8ea909351ea212a567353d1ae1d8ebb
MD5: a4e116f0550b853f22b1d1e1b5ed22ac
