Top

Published in:

2019 | OriginalPaper | Chapter

PowerDrive: Accurate De-obfuscation and Analysis of PowerShell Malware

Authors : Denis Ugarte, Davide Maiorca, Fabrizio Cara, Giorgio Giacinto

Published in: Detection of Intrusions and Malware, and Vulnerability Assessment

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

PowerShell is nowadays a widely-used technology to administrate and manage Windows-based operating systems. However, it is also extensively used by malware vectors to execute payloads or drop additional malicious contents. Similarly to other scripting languages used by malware, PowerShell attacks are challenging to analyze due to the extensive use of multiple obfuscation layers, which make the real malicious code hard to be unveiled. To the best of our knowledge, a comprehensive solution for properly de-obfuscating such attacks is currently missing. In this paper, we present PowerDrive, an open-source, static and dynamic multi-stage de-obfuscator for PowerShell attacks. PowerDrive instruments the PowerShell code to progressively de-obfuscate it by showing the analyst the employed obfuscation steps. We used PowerDrive to successfully analyze thousands of PowerShell attacks extracted from various malware vectors and executables. The attained results show interesting patterns used by attackers to devise their malicious scripts. Moreover, we provide a taxonomy of behavioral models adopted by the analyzed codes and a comprehensive list of the malicious domains contacted during the analysis.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter On Deception-Based Protection Against Cryptographic Ransomware

next chapter Memory Categorization: Separating Attacker-Controlled Data

Anckaert, B., Madou, M., Sutter, B.D., Bus, B.D., Bosschere, K.D., Preneel, B.: Program obfuscation: a quantitative approach. In: Proceedings of the 2007 ACM Workshop on Quality of Protection, QoP 2007, pp. 15–20. ACM, New York (2007)

Bichsel, B., Raychev, V., Tsankov, P., Vechev, M.: Statistical deobfuscation of android applications. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 343–355. ACM, New York (2016)

Bohannon, D.: Invoke-obfuscation. https://github.com/danielbohannon/Invoke-Obfuscation

Bohannon, D., Holmes, L.: Revoke-obfuscation (2017). https://github.com/danielbohannon/Revoke-Obfuscation

Bohannon, D., Holmes, L.: Revoke-obfuscation: powershell obfuscation detection using science (2017). https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf

Security Boulevard. Following a trail of confusion: PowerShell in malicious office documents (2018). https://www.bromium.com/powershell-malicious-office-documents/

Collberg, C., Thomborson, C., Low, D.: A taxonomy of obfuscating transformations. Technical report 148, Department of Computer Sciences, The University of Auckland, July 1997

Coogan, K., Lu, G., Debray, S.K.: Deobfuscation of virtualization-obfuscated software: a semantics-based approach. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, pp. 275–284. ACM, New York (2011)

ESET. VBA dynamic hook (2016). https://github.com/eset/vba-dynamic-hook

10.

FireEye. Malicious PowerShell detection via machine learning, July 2018. https://www.fireeye.com/blog/threat-research/2018/07/malicious-powershell-detection-via-machine-learning.html

11.

O’Reilly, U.-M., Rusak, G., Al-Dujaili, A.: Poster: AST-based deep learning for detecting malicious PowerShell. CoRR, abs/1810.09230 (2018)

12.

Google. Virustotal. https://www.virustotal.com

13.

Grant, D.: Deobfuscating PowerShell: putting The toothpaste back in the tube, October 2018. https://www.endgame.com/blog/technical-blog/deobfuscating-powershell-putting-toothpaste-back-tube

14.

Hendler, D., Kels, S., Rubin, A.: Detecting malicious PowerShell commands using deep neural networks. In: Proceedings of the 2018 on Asia Conference on Computer and Communications Security, ASIACCS 2018, pp. 187–197. ACM, New York (2018)

15.

Kruegel, C., Robertson, W., Valeur, F., Vigna, G.: Static disassembly of obfuscated binaries. In Proceedings of the 13th Conference on USENIX Security Symposium, SSYM 2004, vol. 13, p. 18. USENIX Association, Berkeley (2004)

16.

Malwarebytes. State of Malware Report (2019). https://resources.malwarebytes.com/files/2019/01/Malwarebytes-Labs-2019-State-of-Malware-Report-2.pdf

17.

McAfee. Fileless malware execution with PowerShell is easier than you may realize (2017). https://www.mcafee.com/enterprise/en-us/assets/solution-briefs/sb-fileless-malware-execution.pdf

18.

McAfee. Labs Threats Report, September 2018. https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-sep-2018.pdf

19.

Microsoft Corporation. PowerShell. https://docs.microsoft.com/en-us/powershell/scripting/powershell-scripting?view=powershell-6

20.

PaloAlto. Pulling back the curtains on encoded command PowerShell attacks (2017). https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/

21.

PDQ. Powershell Commands List. https://www.pdq.com/powershell/

22.

R3RUM. Psdecode (2018). https://github.com/R3MRUM/PSDecode

23.

Rapid7. Metasploit. https://www.metasploit.com

24.

Rousseau, A.: Hijacking.net to defend PowerShell. CoRR, abs/1709.07508 (2017)

25.

Sharif, M., Lanzi, A., Giffin, J., Lee, W.: Automatic reverse engineering of malware emulators. In: 2009 30th IEEE Symposium on Security and Privacy, pp. 94–109, May 2009

26.

Sophos. SophosLabs 2019 Threat Report (2018). https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophoslabs-2019-threat-report.pdf

27.

Symantec. Internet Security Threat Report, March 2018. https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf

28.

Trustedsec. Social engineering toolkit. https://github.com/trustedsec/social-engineer-toolkit

29.

Udupa, S.K., Debray, S.K., Madou, M.: Deobfuscation: reverse engineering obfuscated code. In: 12th Working Conference on Reverse Engineering (WCRE 2005), 10 pp.-54, November 2005

30.

Ugarte, D.: Powerdrive (2019). https://github.com/denisugarte/PowerDrive

31.

Wong, M.Y., Lie, D.: Tackling runtime-based obfuscation in android with TIRO. In: Proceedings of the 27th USENIX Conference on Security Symposium, SEC 2018, pp. 1247–1262. USENIX Association, Berkeley (2018)

32.

Yadegari, B., Johannesmeyer, B., Whitely, B., Debray, S.K.: A generic approach to automatic deobfuscation of executable code. In: 2015 IEEE Symposium on Security and Privacy, pp. 674–691, May 2015

Title: PowerDrive: Accurate De-obfuscation and Analysis of PowerShell Malware
Authors: Denis Ugarte
Davide Maiorca
Fabrizio Cara
Giorgio Giacinto
Publisher: Springer International Publishing
Book: Detection of Intrusions and Malware, and Vulnerability Assessment
Print ISBN: 978-3-030-22037-2

Electronic ISBN: 978-3-030-22038-9

Copyright Year: 2019
DOI: https://doi.org/10.1007/978-3-030-22038-9_12

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner