I published the following diary on isc.sans.edu: “Malware Samples Compiling Their Next Stage on Premise”:
I would like to cover today two different malware samples I spotted two days ago. They have one interesting behaviour in common: they compile their next stage on the fly, directly on the victim’s computer. At first sight it seems weird, but after all it’s an interesting approach to bypass low-level detection mechanisms that look for PE files.
By reading this, many people will argue: “That’s fine, but I don’t have development tools to compile some source code on my Windows system”. Indeed, but Microsoft provides tons of useful tools that can be used outside their original context. Think about tools like certutil.exe or bitsadmin.exe; I already wrote diaries about them. The new tools that I found “misused” in malware samples are “jsc.exe” and “msbuild.exe”. There are good chances that you have them installed on your computer because they are part of the Microsoft .Net runtime environment. This package is installed on 99.99% of Windows systems; otherwise, many applications will simply not run. Out of curiosity, I checked different corporate environments running hardened endpoints and both tools were always available… [Read more]
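As an added example (not part of the diary, nor of any product), here is a small Python scan over constructed process-creation records that flags jsc.exe or msbuild.exe when they compile input sitting in a user-writable directory or are launched by a script host. The directory pattern and the parent-process list are assumed heuristics for illustration, not values taken from the diary.

```python
import re
from pathlib import PureWindowsPath

# .NET build tools the diary reports being abused to compile a payload on the victim host
BUILD_TOOLS = {"jsc.exe", "msbuild.exe"}
# Assumed: locations a standard user can write to; legitimate builds rarely compile from here
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|windows\\temp|programdata)\\", re.I)
# Assumed: parents that should not normally drive a compiler (script hosts, Office, shells)
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "winword.exe",
                      "excel.exe", "powershell.exe", "cmd.exe"}

def is_suspicious_compile(image, command_line, parent_image):
    """Return a reason string when a process-creation record looks like on-host payload
    compilation, else None. Heuristics (assumptions, not from the diary): the image is a
    .NET build tool AND (the command line points into a user-writable path OR the parent
    is a script/shell host rather than a developer tool)."""
    if PureWindowsPath(image).name.lower() not in BUILD_TOOLS:
        return None
    if USER_WRITABLE.search(command_line):
        return "build tool compiling input from a user-writable path"
    parent = PureWindowsPath(parent_image).name.lower()
    if parent in SUSPICIOUS_PARENTS:
        return f"build tool launched by {parent}"
    return None

# Constructed sample records in the shape of a process-creation log (not real telemetry)
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe",
     "CommandLine": r"jsc.exe /nologo /out:C:\Users\bob\AppData\Local\Temp\x.exe C:\Users\bob\AppData\Local\Temp\x.js",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\bob\Downloads\invoice.proj",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},  # benign developer build
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\Downloads\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def scan(events):
    """Return (index, reason) for every record the heuristics flag."""
    hits = []
    for i, ev in enumerate(events):
        reason = is_suspicious_compile(ev["Image"], ev["CommandLine"], ev["ParentImage"])
        if reason:
            hits.append((i, reason))
    return hits

if __name__ == "__main__":
    for i, reason in scan(SAMPLE_EVENTS):
        print(f"event {i}: {reason}")
```

Only the two constructed records that compile from Temp and Downloads are flagged; the Visual Studio build and notepad are not.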