

Morphisec has recently monitored a highly sophisticated Crypter-as-a-Service that delivers numerous RAT families onto target machines. The Crypter is most commonly delivered through phishing emails, which lead to the download of a Visual Basic file. In some cases, however, the attack chain starts with a large install file, such as an Adobe installer, which bundles the next stage.

This Crypter implements several advanced techniques to bypass detection, such as:

- Executing PowerShell code with the 'remotesigned' parameter.
- Validating the existence of Windows Sandbox and VMware virtualization.
- Compiling RunPE loaders on the endpoint at runtime.

We have named the Snip3 Crypter based on the common denominator username taken from the PDB indicator we found in an earlier variant. We classified this Crypter activity based on the execution flow shown in Figure 1. This Crypter activity was first observed in the wild on February 4, 2021, and is still ongoing. The related variant's first submissions on VirusTotal demonstrate its evasive nature, as few security solutions were able to detect it.

The first stage of the attack chain is a VB Script that's designed to load and then move the execution to the second-stage PowerShell script. We've identified four versions containing 11 sub-versions in this initial loader stage, with the main difference between the four being the second-stage PowerShell loading mechanism. The main difference between the 11 sub-versions is the type of obfuscation that each uses.

An interesting and unique technique here is that the script executes the PowerShell script with a -RemoteSigned parameter along with the script as a command. This version initially decodes a PowerShell script that is executed in order to download, save, and execute the second-stage PowerShell script.

QwErUnBcZsAyOpLmHg = "POWERSHELL -EXECUTIONPOLICY REMOTESIGNED -COMMAND "
WSC = cHr ( 119 ) 'Deducted, decodes to wSCrIpT.sHELl
Set InBvCzAsKlOpIgHbCzAquJHyt = CreateObject (WSC)
PlMbCdQwwTyHbZaHNbVfTH = cHr ( 73 ) 'Deducted, decodes to PowerShell script in decimal
InBvCzAsKlOpIgHbCzAquJHyt.RUn QwErUnBcZsAyOpLmHg & PlMbCdQwwTyHbZaHNbVfTH, 0

The second-stage PowerShell is downloaded from top4top.io, an Egyptian file hosting service. Once the second stage is downloaded, the script executes it and saves it under. Note that this PowerShell executes with the RemoteSigned parameter, although the second stage executes with the Bypass parameter. This greatly decreases the efficiency of the technique; further, the bypass is no longer used starting from version 2.

Additionally, we have observed a couple of different sub-versions for this script. These sub-versions differ in their obfuscation technique (the following example is one of them).

This version contains the second-stage PowerShell embedded as a string within the VBS. The following string is decoded by an XOR function with an embedded key.

Dim z, i, Position, cptZahl, orgZahl, keyZahl, cptString

This embedded key differs between each script.
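The two obfuscation layers described above (Chr()-built strings that hide WScript.Shell and the RemoteSigned PowerShell command line in the first version, and the XOR-decoded payload with a per-script key in the later version) lend themselves to a small static triage helper. The following Python is an added example, not Morphisec's tooling and not code from the Snip3 scripts. The VBS fragment it runs on is constructed: the first three variable names mirror the ones quoted above, but the Chr() chain, the XOR payload, its key, and the names cptString and xKey for those two values are assumptions. So is the decoding loop: the page only names the variables cptZahl, orgZahl and keyZahl, and the code assumes a per-character XOR against a repeating key. The indicators it matches are the ones the write-up itself calls out (WScript.Shell, -ExecutionPolicy RemoteSigned and Bypass, and the top4top.io host).

```python
import json
import re

# Constructed VBS fragment modelled on the loader layout described above.
# The first three variable names mirror the ones quoted in the write-up; the
# Chr() chain, the XOR payload (cptString), its key (xKey) and those two
# variable names are our own sample values, not taken from a real script.
SAMPLE_VBS = r'''
QwErUnBcZsAyOpLmHg = "POWERSHELL -EXECUTIONPOLICY REMOTESIGNED -COMMAND "
WSC = cHr ( 119 ) & cHr ( 83 ) & cHr ( 67 ) & cHr ( 114 ) & cHr ( 73 ) & cHr ( 112 ) & cHr ( 84 ) & cHr ( 46 ) & cHr ( 115 ) & cHr ( 72 ) & cHr ( 69 ) & cHr ( 76 ) & cHr ( 108 )
Set InBvCzAsKlOpIgHbCzAquJHyt = CreateObject(WSC)
cptString = "17,45,22,39,19,49,9,39,13,46,97,79,4,50,97,32,24,50,0,49,18"
xKey = "Ab"
'''

# A run of Chr(n) calls joined with '&', tolerant of the spacing and casing seen above.
CHR_CHAIN = re.compile(r"chr\s*\(\s*\d+\s*\)(?:\s*&\s*chr\s*\(\s*\d+\s*\))*", re.I)
CHR_CODE = re.compile(r"\d+")
# name = "literal" (with an optional leading Set), one assignment per line
ASSIGNMENT = re.compile(r'^\s*(?:Set\s+)?(\w+)\s*=\s*"([^"]*)"', re.I | re.M)
CREATE_OBJECT = re.compile(r"CreateObject\s*\(\s*(\w+)\s*\)", re.I)

# Indicators taken from the write-up: the COM object used to launch PowerShell,
# the two execution-policy parameters it mentions, and the second-stage host.
INDICATORS = [
    ("wscript_shell", re.compile(r"wscript\.shell", re.I)),
    ("powershell_remotesigned",
     re.compile(r"powershell.*-e(?:xecutionpolicy|p)\s+remotesigned", re.I)),
    ("powershell_bypass",
     re.compile(r"powershell.*-e(?:xecutionpolicy|p)\s+bypass", re.I)),
    ("top4top_io", re.compile(r"top4top\.io", re.I)),
]


def resolve_chr(vbs):
    """Fold every Chr(n) & Chr(m) ... chain into the quoted literal it builds."""
    def fold(match):
        codes = CHR_CODE.findall(match.group(0))
        return '"' + "".join(chr(int(c)) for c in codes) + '"'
    return CHR_CHAIN.sub(fold, vbs)


def string_assignments(vbs):
    """Map variable names to their string values after Chr() resolution."""
    return dict(ASSIGNMENT.findall(resolve_chr(vbs)))


def xor_decode(cipher_csv, key):
    """Decode a comma-separated decimal payload by XOR against a repeating key.

    Assumption: the loop the page names through cptZahl/orgZahl/keyZahl computes
    orgZahl = cptZahl XOR keyZahl character by character; a fresh key per script
    (as the page states) changes the numbers but not this shape.
    """
    if not key:
        raise ValueError("empty XOR key")
    codes = [int(c) for c in cipher_csv.split(",") if c.strip()]
    return "".join(chr(c ^ ord(key[i % len(key)])) for i, c in enumerate(codes))


def triage(vbs, cipher_var="cptString", key_var="xKey"):
    """Recover obfuscated strings from a VBS loader and match them against INDICATORS."""
    strings = string_assignments(vbs)
    # Show which object an obfuscated CreateObject() argument really names.
    objects = [strings.get(var, var) for var in CREATE_OBJECT.findall(vbs)]
    if cipher_var in strings and key_var in strings:
        strings["__xor_decoded__"] = xor_decode(strings[cipher_var], strings[key_var])
    hits = set()
    for text in list(strings.values()) + objects:
        for name, pattern in INDICATORS:
            if pattern.search(text):
                hits.add(name)
    return {"strings": strings, "objects": objects, "indicators": sorted(hits)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_VBS), indent=2))
```

Run stand-alone, the script prints the recovered strings, the object behind CreateObject(WSC), and the sorted indicator names; on the constructed sample it reports wscript_shell, powershell_remotesigned (from the first-version command line) and powershell_bypass (from the XOR-decoded second stage). Because the key is embedded alongside the payload, decoding never needs anything outside the script itself, which is why the per-script key gives the author no protection against this kind of static analysis; what it does defeat is matching on the encoded bytes, so detection should key on the decoded strings and on the wscript.exe to powershell.exe process chain rather than on the payload blob.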
