An Internet Storm Center diary entry from last week has described recent examples the handler had seen of malware that dynamically compiled the next payload on the infected system. While this is not a new approach to attempting to evade detection, previous instances required that development tools such as compilers were already installed on the system, significantly reducing the potential attack surface. This meant that the user of the infected machine might be a software writer. On one side, this would limit the amount of targets. On the other hand, if a software writer were to compile software that might be shared or sent to others, this would increase the likelihood of additional infections.

In this case, the samples utilize components of the Microsoft .NET runtime environment, which is installed on the vast majority of systems running Microsoft Windows. That means that any system running Windows might be vulnerable to this type of attack.

Both samples create Metasploit Meterpreter reverse shells, giving attackers backdoor access to infected systems. The first sample is a JScript script which decodes included base64 data and passes it to the JScript compiler, resulting in an executable payload. The second sample is a Microsoft Excel spreadsheet containing a malicious macro which also decodes included base64 data. This time the decoded data is passed to the msbuild.exe utility, again resulting in an executable payload.

In both of these cases the attackers are attempting to use dynamic compilation to evade detection for their second stage payloads. However, there is nothing sophisticated or novel in regards to their initial infection vectors, negating their second stage efforts.

When/How Did BluVector Detect It?

BluVector’s patented Machine Learning Engine (MLE) detected the samples. Regression testing has shown the samples would have been detected up to 71 months prior to their release.