I published the following diary on isc.sans.edu: “Malware Samples Compiling Their Next Stage on Premise“:
I would like to cover today two different malware samples I spotted two days ago. They have one interesting behaviour in common: they compile their next stage on the fly directly on the victim’s computer. At a first point, it seems weird but, after all, it’s an interesting approach to bypass low-level detection mechanisms that look for PE files.
By reading this, many people will argue: “That’s fine, but I don’t have development tools to compile some source code on my Windows system”. Indeed but Microsoft is providing tons of useful tools that can be used outside their original context. Think about tools like certutil.exe or bitsadmin.exe. I already wrote diaries about them. The new tools that I found “misused” in malware samples are: “jsc.exe” and “msbuild.exe”. They are chances that you’ve them installed on your computer because they are part of the Microsoft .Net runtime environment. This package is installed on 99.99% of the Windows systems, otherwise, many applications will simply not run. By curiosity, I checked on different corporate environments running hardened endpoints and both tools were always available… [Read more]