
cmd.exe shell code obfuscation using ^-characters

A while ago, I stumbled over some Word and Excel files containing malicious macros, which forced the download and execution of ransomware via the cmd.exe shell. Well, nothing really new; the fact that made me curious was that the cyber crooks utilized the command shell in a tricky way:

[Screenshot: obfuscated cmd.exe shell command line]

Instead of executing the commands in plain text, they used the ^-symbol to obfuscate their call to the PowerShell interpreter. If you remove the ^-symbols, you quickly recognise a well-known HTTP downloading technique often used by cyber criminals and seen in many malicious campaigns.
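The trick works because cmd.exe treats `^` outside double quotes as an escape character: the caret itself is dropped and the following character is taken literally, so `p^o^w^e^r^s^h^e^l^l` is executed as `powershell`, while a caret inside a quoted string stays literal and `^^` yields a single literal caret. The following Python is an added example, not code from the original post: it normalises a command line the way cmd.exe would and scores the share of escape carets so that a log-review or detection pipeline can surface such lines. The command lines it processes are constructed samples, and the 0.15 threshold is an arbitrary starting point that a practitioner would tune against their own process-creation logs.

```python
"""Caret de-obfuscation and a simple suspicion score for cmd.exe command lines.

Added example, not part of the original post. Rules implemented:
  - outside double quotes, '^' is an escape: it is removed and the next
    character is kept literally ('p^o^w' -> 'pow', '^^' -> '^');
  - inside double quotes the caret is an ordinary character;
  - a trailing caret escapes nothing and is simply dropped.
The sample command lines at the bottom are constructed for the demo.
"""


def decode_carets(cmdline: str):
    """Return (normalized_cmdline, escape_count) following cmd.exe caret rules."""
    out = []
    escapes = 0
    in_quotes = False
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            # Quotes toggle literal mode; the quote character itself is kept.
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == '^' and not in_quotes:
            # Escape caret: drop it, emit the following character as-is.
            escapes += 1
            if i + 1 < len(cmdline):
                out.append(cmdline[i + 1])
                i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out), escapes


def strip_carets(cmdline: str) -> str:
    """Command line as cmd.exe sees it after caret escaping has been applied."""
    return decode_carets(cmdline)[0]


def caret_ratio(cmdline: str) -> float:
    """Fraction of characters that act as escape carets (0.0 for an empty line)."""
    if not cmdline:
        return 0.0
    _, escapes = decode_carets(cmdline)
    return escapes / len(cmdline)


def analyze(cmdline: str, threshold: float = 0.15) -> dict:
    """Normalise a command line and flag heavy caret use.

    'threshold' is an assumed tuning value; a few stray carets in ordinary
    batch usage stay below it, while letter-by-letter obfuscation is well above.
    """
    normalized, escapes = decode_carets(cmdline)
    ratio = escapes / len(cmdline) if cmdline else 0.0
    return {
        "normalized": normalized,
        "escape_carets": escapes,
        "caret_ratio": round(ratio, 3),
        "suspicious": escapes > 0 and ratio >= threshold,
    }


def is_suspicious(cmdline: str, threshold: float = 0.15) -> bool:
    """True when the escape-caret density reaches the threshold."""
    return analyze(cmdline, threshold)["suspicious"]


# Constructed sample command lines (not taken from any real incident).
SAMPLES = [
    'p^o^w^e^r^s^h^e^l^l -Command "Get-Date"',  # letter-by-letter obfuscation
    'echo "a^b"',                                # caret inside quotes is literal
    'echo a^^b',                                 # doubled caret -> one literal caret
    'dir /b',                                    # nothing to decode
]

if __name__ == "__main__":
    for line in SAMPLES:
        report = analyze(line)
        print(f"{line!r:45} -> {report['normalized']!r} "
              f"ratio={report['caret_ratio']} suspicious={report['suspicious']}")
```

Running the block prints the decoded form next to each sample; the obfuscated PowerShell call normalises to the plain interpreter name with a caret ratio around 0.23, while the quoted and doubled-caret lines decode correctly without tripping the threshold. Matching detection rules against the normalised string rather than the raw command line is the point: a rule looking for `powershell` never sees it in the raw text.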