I published the following diary on isc.sans.edu: “Malware Samples Compiling Their Next Stage on Premise“:
I would like to cover today two different malware samples I spotted two days ago. They have one interesting behaviour in common: they compile their next stage on the fly, directly on the victim's computer. At first it seems weird but, after all, it's an interesting approach to bypass low-level detection mechanisms that look for PE files: no pre-built executable has to be dropped on disk or transferred over the network, only source code.
By reading this, many people will argue: "That's fine, but I don't have development tools to compile some source code on my Windows system". Indeed, but Microsoft is providing tons of useful tools that can be used outside their original context. Think about tools like certutil.exe or bitsadmin.exe. I already wrote diaries about them. The new tools that I found "misused" in malware samples are "jsc.exe" (the JScript.NET compiler) and "msbuild.exe" (the build engine, which can compile and execute inline C# tasks from a project file). Chances are that you have them installed on your computer because they are part of the Microsoft .NET Framework. This package is installed on 99.99% of Windows systems, otherwise many applications would simply not run. By curiosity, I checked on different corporate environments running hardened endpoints and both tools were always available… [Read more]
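The practical question for a defender is twofold: are jsc.exe and msbuild.exe present on my endpoints, and who is launching them? The script below is an added example, not code from the diary or from the malware samples it describes. It inventories both binaries under the standard .NET Framework directories and then reviews recent Sysmon process-creation events (Event ID 1) for launches of either compiler, flagging parents that should never be compiling anything. It assumes Sysmon is installed with process creation logging enabled and that the session is elevated enough to read the Sysmon operational log; the list of "suspicious" parent processes is my own choice, not something taken from the page.

```powershell
# Added example (not part of the original diary): inventory jsc.exe / msbuild.exe
# and review who launched them, using Sysmon Event ID 1 (process creation).
# Assumptions: Sysmon is installed and logging to its operational channel;
# the session can read that channel (run elevated). Paths are the standard
# .NET Framework install locations on a Windows host.

# 1. Which copies of the two compilers exist on this endpoint?
$roots   = @("$env:WINDIR\Microsoft.NET\Framework", "$env:WINDIR\Microsoft.NET\Framework64")
$lolbins = @('jsc.exe', 'msbuild.exe')
$found = foreach ($root in $roots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Include $lolbins -ErrorAction SilentlyContinue |
            Select-Object FullName, @{ n = 'Version'; e = { $_.VersionInfo.FileVersion } }
    }
}
"Compilers present on $($env:COMPUTERNAME):"
$found | Format-Table -AutoSize

# 2. Who launched them in the last 7 days? Sysmon Event ID 1 = process creation.
# The EventData fields are read by name from the event XML; that is stable across
# Sysmon versions, whereas positional $_.Properties indexes shift between releases.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($node in $x.Event.EventData.Data) { $d[$node.Name] = [string]$node.'#text' }
    $image = [System.IO.Path]::GetFileName([string]$d['Image']).ToLower()
    if ($lolbins -contains $image) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Image       = $d['Image']
            Parent      = $d['ParentImage']
            User        = $d['User']
            CommandLine = $d['CommandLine']
        }
    }
}

# 3. Triage. Legitimate launches come from Visual Studio (devenv.exe) or build
# agents. A compiler spawned by an Office application, a browser, a script host
# or a shell is exactly the "compile the next stage on premise" pattern.
# This parent list is an assumption for illustration, not from the diary.
$suspiciousParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe',
                       'powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
                       'mshta.exe', 'chrome.exe', 'firefox.exe', 'iexplore.exe')

$hits | ForEach-Object {
    $p    = [System.IO.Path]::GetFileName([string]$_.Parent).ToLower()
    $flag = if ($suspiciousParents -contains $p) { 'SUSPICIOUS' } else { 'review' }
    $_ | Add-Member -NotePropertyName Verdict -NotePropertyValue $flag -PassThru
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

The first section answers the diary's "are they really on hardened endpoints?" question for your own fleet; run it through your management tooling and you will usually find both binaries in every Framework version directory. The second section is the detection: on a workstation that is not a developer machine, any process-creation event for jsc.exe or msbuild.exe is worth an alert on its own, and the parent process plus the command line (which will point at the .js or .proj/.csproj file being compiled) tells you where the dropped source came from.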