PoweShell a Microsoft scrip language is a new technique in use by hackers nowadays. Symantec has identified a new script that works as a “Backdoor.Trojan” in a mysterious way, and is capable of injecting malicious code into “rundll32.exe”. By doing so, it can hide itself as a backdoor file.
If we see the image, it shows complicated script that averts users from realizing the clear text. However, this script used a parameter named “EncodedCommand” to encode the whole script in base64. When you decode the script, it still looks complicated.
The script again tries to decode itself from base64 into plain text and uses decompression task for the decoded script. This decompressed data will be functioned via the “Invoke Expression” command.
The attacker then uses “CompileAssemblyFromSource” command to assemble and perform embedded code. Then, the assembled code will execute “rundll32.exe” in a debarred state, add malicious code in the recently created process, and resume the “rundll32.exe”. Therefore, it can hide itself on the computer.
The injected code tries to find a remote computer for connection and waits for further instructions. The code will store these instructions with EXECUTE_READWRITE permissions to work in a silent way.
The below image shows how the injected code assigns the memory and gets the instructions.
Symantec has recommended some useful steps like update the virus software on time, avoid unknown PowerShell scripts from execution, and make a strong restriction in PowerShell default execution setting, so that potential malicious scripts will not work.
The script again tries to decode itself from base64 into plain text and uses decompression task for the decoded script. This decompressed data will be functioned via the “Invoke Expression” command.
The attacker then uses “CompileAssemblyFromSource” command to assemble and perform embedded code. Then, the assembled code will execute “rundll32.exe” in a debarred state, add malicious code in the recently created process, and resume the “rundll32.exe”. Therefore, it can hide itself on the computer.
The injected code tries to find a remote computer for connection and waits for further instructions. The code will store these instructions with EXECUTE_READWRITE permissions to work in a silent way.
The below image shows how the injected code assigns the memory and gets the instructions.
Symantec has recommended some useful steps like update the virus software on time, avoid unknown PowerShell scripts from execution, and make a strong restriction in PowerShell default execution setting, so that potential malicious scripts will not work.