In this article

Powershell Obfuscation Demystified Series Chapter 3: Gootkit


September 10, 2020
Last Updated: January 15, 2024
Share on:

Introduction

In this article we discuss a known obfuscation malware called Gootkit and perform a deep dive into the malicious PowerShell code. We also disassemble the obfuscation command and check for IOC (Network, IPs, Domains, and files). We identify the obfuscation technique and extract all the relevant strings and variables and we clean out all of the “junk code”.

Today we deal with an operator that replaces text in the string to hide the malicious context of the PowerShell command. The replacement operator works in the same way as the match operator, by replacing the string syntax in the following way:

  • -replace ‘StringToReplace’,’TheNewString’

In this case, the malicious command that we are investigating is related to the Gootkit Banking Trojan.

The Gootkit Banking Trojan is directly related to campaigns that target European customer environments where it aims to gain remote control and use the compromised environment for malicious purposes.

The attacker’s goals are to perform reconnaissance and steal/exfiltrate sensitive information from the compromised host. The attack starts with distributing itself through spam and phishing email that contains malicious attachments that lure users to download and execute the malicious code using social engineering techniques.

The attacker created a scheduled task that executed a malicious script. This kind of attack is known as “File-less” attack, and uses WMIC, CMD, and PowerShell.


This is part of an extensive series of guides about Network Attacks

Get our Complete Guide

How to Build a Security Framework

  • Key frameworks for IT security programs
  • Managing risk associated with security controls
  • Addressing cyber insurance, cloud security, zero trust

PowerShell Command Analysis

1. PowerShell Arguments

To understand the PowerShell command, we must clean the junk strings and divide them into pieces.

The command starts by executing a PowerShell instance that executes with the following arguments:

  • Window Style Hidden
    • Hides the PowerShell window
  • Command
    • Executes commands for a given file

2. Culture Check

After the PowerShell arguments, there is an ‘If’ statement that checks for culture regions by executing the “Get – UICulture” command, which receives the current UI culture settings in the operating system.

For example:

The reason for the ‘If’ statement is to check whether the UI culture of the victim machine is not one of the following regions:

  • RU- Russian
  • UA- Ukraine
  • BY- Belarus
  • CN- China

If one of the above cultures (RU- Russian, UA- Ukraine, BY- Belarus, or CN- China) matches, then the command immediately exits and terminates the PowerShell instance.

These three lines of the PowerShell command provide us with a hint that the attacker can be from the above-mentioned countries, or they may be associated with APT groups that are related to one of those countries.

3. Variables with Random Names

After the cultural check, there are a few variables with random names:

The commands/variables that we want to investigate to better understand the functionality of the command are:

  • iex $jgsxbu;
  • Start-Process $iwcsez;
  • iex $yehaseb;
  • Start-Process $yycye;
  • -replace ‘WuyRS9x’, ”;
  • -replace ‘azWR9yy’, ”;

In line 4, the first variable $uzdhh holds the temp directory by using the GetTempPath() method

This can lead us to the malicious file that is stored in the temp directory.

Line 5 contains the $yycye variable that stores the name of the malicious file and the temp folder in which it is placed.

Lines 6, and 8-14 will be discussed in a moment, but first we jump to line 7 where we can see another variable $iwcsez that stores a JavaScript file in the temp directory.

The full path builds by the Join-Path cmdlet by combining a path and a child path into a single path.

These are the two full path variables:

Now, we can go back to lines 6-7 which contain variables $wfggwa and $yttceb that hold the malicious URLs:

  • “’http://cloud.chachobills[.]com/501?iidcguf’;”

  • “’http://ami.regroups[.]net/loadercrypt_823EF8A810513A4071485C36DDAD4CC3[.]php?vid=pecdoc’;”

These are the malicious URLs where the files mentioned above are downloaded to the temp directory.

A note of interest—when we tried to find the above variables, we could find them by searching.

This means that the attacker has hidden them using obfuscation commands, and we can guess that these variables are hidden inside the junk strings.

Now, we would like to figure two interesting variables that appear to be obfuscated—$jgsxbu and $yehaseb.

4. Replacement Operator

This is the interesting part where the attacker tried to hide the malicious commands. The attacker used a replace operator to clean the junk strings that added to the PowerShell command to hide the real command.

  • -replace ‘WuyRS9x’, ”;
  • -replace ‘azWR9yy’, ”;

The replace operator performs a replacement of ‘WuyRS9x’ and ‘azWR9yy’ with an empty string that means nothing (the above strings are just deleted after the replacement).

To clarify, we can use the PowerShell ISE and ask it to replace the junk strings for us.

The above screenshot shows the hidden commands after the replacement.

Now, we know that these two commands perform the downloading action by using the Download File method (downloads the resource with the specified URI to a local file) from the malicious URLs. If we now try to search again for the URL variables, we can find them after cleaning the junk strings.

The two-second variables $iwcsez and $yycye related to the malicious file directories are:

In lines 10 and 13 we have the IEX cmdlet that invokes the expression of the two variables, which are related to the downloading action that we covered earlier.

It enables us to download the malicious files for the two URLs.

The final two lines are 11 and 14:

These lines perform the execution of the downloaded malicious files by the Start-Process cmdlet and starts one or more processes on the local computer.

The fully de-obfuscation PowerShell script is:

How would you rate this article?

In this article

Let’s get started!

Ready to extend visibility, threat detection and response?

Get a Demo

Search results for: