
Security researchers have discovered a new malware strain that exploits Microsoft’s PowerShell within Windows. The malicious content uses a rarely seen obfuscation technique that is highly effective: analysts from security firm Cylance point out that the tactic successfully bypasses most antivirus software.

The malware was discovered while the Cylance team was studying malicious scripts that antivirus products rarely detected. One PowerShell-based malware file was using an obfuscation method to hide its scripts from detection tools.

Cylance describes the file in question as a ZIP archive containing a PDF document and an embedded VBS script. In the company’s testing, the malware was detected by just three antivirus products.

In terms of delivery, the package is fairly standard and relies on familiar obfuscation techniques, such as compressing the malware and encrypting it within code:

  • Packers, which compress or “pack” a malware program
  • Crypters, which encrypt a malware program (or portions thereof)
  • Other obfuscators, which mutate – but do not neuter – the malware program in a variety of ways, thus changing the overall number of bytes in the program

Once loaded, the malware carries a different signature and hash, making it harder for antivirus solutions to find:

“These techniques change the overall structure of a piece of malware without altering its function,” explained Cylance. “Often, this has the overall result of creating layers which act to bury the ultimate payload, like the nested figures in a Russian doll.”

Exploiting PowerShell

The malware uses PowerShell as a legitimacy shield. The VBS script uses a simple Base64 encoding, which is enough to confuse detection at first glance. Using Microsoft PowerShell, the VBS script then downloads a DAT file undetected. The techniques used to achieve this include variable assignment and tick marks (PowerShell’s backtick escape character) inserted into commands to confuse antivirus programs.
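To show why the two cheap tricks named above defeat naive pattern matching, and how a detection rule can undo them before scanning, here is an added example that is not from Cylance’s analysis or the malware itself. The command line, payload and indicator list are constructed for illustration; the normalization is approximate and meant for detection logic, not for executing anything.

```python
import base64
import re

# Indicators a detection rule might look for (lowercase; the scan is case-insensitive).
INDICATORS = ("-encodedcommand", "-nop", "hidden", "invoke-expression",
              "downloadfile", "downloadstring", "frombase64string")

# Characters that keep a meaning after a backtick in PowerShell (`n, `t, ...);
# a backtick before any other character is a no-op, which is what obfuscators exploit.
_TICK_ESCAPES = "0abefnrtuv"


def decode_encoded_command(cmdline):
    """Split a command line into its plain tokens and the decoded -EncodedCommand
    payload (PowerShell expects UTF-16LE inside the Base64). Returns (tokens, script)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-e", "-ec", "-enc", "-encodedcommand"):  # common spellings
            script = base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            return tokens[:i + 1] + tokens[i + 2:], script
    return tokens, ""


def normalize_script(script):
    """Undo backtick insertion and string splitting (concatenation / variable assignment).
    Approximate normalization for detection only."""
    s = script.lower()
    s = re.sub(r"`([^" + _TICK_ESCAPES + "])", r"\1", s)  # invo`ke -> invoke
    concat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")     # 'down' + 'load' -> 'download'
    while concat.search(s):
        s = concat.sub(r"'\1\2'", s)
    return s


def find_indicators(cmdline, normalize=True):
    """Return the INDICATORS present in the command line plus its decoded payload."""
    tokens, script = decode_encoded_command(cmdline)
    body = normalize_script(script) if normalize else script.lower()
    text = " ".join(tokens).lower() + "\n" + body
    return [ind for ind in INDICATORS if ind in text]


# Constructed sample in the style the article describes (not the real malware): a hidden-window
# launch whose Base64 payload hides Invoke-Expression and DownloadFile behind ticks and a split string.
_PAYLOAD = "$a = 'Down' + 'loadFile'; Invo`ke-Expre`ssion $a"
SAMPLE_CMDLINE = ("powershell.exe -NoP -W Hidden -EncodedCommand "
                  + base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode())

if __name__ == "__main__":
    print("raw scan:       ", find_indicators(SAMPLE_CMDLINE, normalize=False))
    print("normalized scan:", find_indicators(SAMPLE_CMDLINE))
```

The raw scan only sees the launch flags; the normalized scan also surfaces the download and execution cmdlets the ticks and string splitting were hiding.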

“The cat-and-mouse game of detection and response isn’t new,” Kevin Livelli, director of threat intelligence at Cylance, told Threatpost. “Attackers, whether they’re advanced groups or common criminals, are astute observers of target defenses and adapt accordingly. Malware doesn’t have to be especially complicated or even new to be effective. Obfuscation gives attackers a simple and cheap way to get the job done until the industry adapts and attackers move on to the next technique.”