
From PowerShell to Payload: An Analysis of Weaponized Malware
2021-04-02 16:45

The first function defined in this PowerShell code is named sOH, a name that tells us nothing about what it does.

All of the function and variable names look random; that is deliberate naming obfuscation, and the only way to make sense of a function is to read its body.

We will not walk through every line and variable, but by the time the second function (b9MW) is defined, the script has a way to describe a Win32 API function's parameter types and return type to the runtime.

With these two functions in place, the script has the primitives it needs to resolve and call any Win32 API function it wants.

Next, a variable named $sC6US receives the result of a call to [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer, which is fed the output of the newly defined sOH and b9MW functions: the address of the target function and a delegate type describing its signature.

Remember, these functions let the attacker resolve Win32 API functions at run time, and here we can see which one they have pulled out: VirtualAlloc.
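The pattern described above, written in the clear as an added example; this is not the analyzed sample's code. The function names (Get-Win32Export, New-DelegateType, Get-Win32Delegate) are mine and stand in for the roles that sOH, b9MW and $sC6US play in the sample. The VirtualAlloc call is kept benign (PAGE_READWRITE, then released with VirtualFree), and a GetCurrentProcessId call checks the plumbing against $PID before anything else is done. It assumes Windows PowerShell 5.1 on .NET Framework, where System.dll's internal Microsoft.Win32.UnsafeNativeMethods class and AppDomain.DefineDynamicAssembly are available; PowerShell 7 on .NET Core lacks both.

```powershell
# Added example, not the sample's code. Names are hypothetical stand-ins for
# the roles of sOH (Get-Win32Export), b9MW (New-DelegateType) and $sC6US
# (Get-Win32Delegate). Assumes Windows PowerShell 5.1 / .NET Framework.

# Role of sOH: return the address of an exported function with no Add-Type and
# no [DllImport]. System.dll already wraps GetModuleHandle/GetProcAddress in an
# internal class, and reflection can reach it.
function Get-Win32Export {
    param([string]$Module, [string]$Procedure)

    $systemDll = [AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GlobalAssemblyCache -and
                       [System.IO.Path]::GetFileName($_.Location) -eq 'System.dll' }
    $native = $systemDll.GetType('Microsoft.Win32.UnsafeNativeMethods')

    $getModuleHandle = $native.GetMethod('GetModuleHandle')
    # Pick the overload explicitly; newer .NET builds added a second one.
    $getProcAddress = $native.GetMethod('GetProcAddress',
        [Type[]]@([System.Runtime.InteropServices.HandleRef], [string]))

    $hModule = $getModuleHandle.Invoke($null, @($Module))
    if ($hModule -eq [IntPtr]::Zero) { throw "module $Module is not loaded" }
    $handleRef = New-Object System.Runtime.InteropServices.HandleRef($null, $hModule)
    $address = $getProcAddress.Invoke($null, @([object]$handleRef, $Procedure))
    if ($address -eq [IntPtr]::Zero) { throw "$Module!$Procedure not found" }
    return $address
}

# Role of b9MW: emit a delegate type whose signature matches the target export,
# so the CLR knows how to marshal the parameters and the return value.
function New-DelegateType {
    param([Type[]]$ParameterTypes, [Type]$ReturnType = [void])

    $asmName = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
    $asm = [AppDomain]::CurrentDomain.DefineDynamicAssembly($asmName,
        [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
    $module = $asm.DefineDynamicModule('InMemoryModule', $false)
    $type = $module.DefineType('ReflectedDelegateType',
        'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])

    $ctor = $type.DefineConstructor('RTSpecialName, HideBySig, Public',
        [System.Reflection.CallingConventions]::Standard, $ParameterTypes)
    $ctor.SetImplementationFlags('Runtime, Managed')
    $invoke = $type.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual',
        $ReturnType, $ParameterTypes)
    $invoke.SetImplementationFlags('Runtime, Managed')
    return $type.CreateType()
}

# Role of $sC6US: bind an address to a signature. GetDelegateForFunctionPointer
# turns the raw pointer into an object PowerShell can .Invoke().
function Get-Win32Delegate {
    param([string]$Module, [string]$Procedure, [Type[]]$ParameterTypes, [Type]$ReturnType)
    $address = Get-Win32Export -Module $Module -Procedure $Procedure
    $delegateType = New-DelegateType -ParameterTypes $ParameterTypes -ReturnType $ReturnType
    return [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($address, $delegateType)
}

# Sanity check: a side-effect-free export whose result we can verify.
$GetCurrentProcessId = Get-Win32Delegate -Module kernel32.dll -Procedure GetCurrentProcessId `
    -ParameterTypes @() -ReturnType ([UInt32])
if ($GetCurrentProcessId.Invoke() -ne $PID) { throw 'delegate plumbing is broken' }

# The sample's choice: VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect).
# SIZE_T is pointer-sized, so dwSize is declared as UIntPtr rather than UInt32.
$VirtualAlloc = Get-Win32Delegate -Module kernel32.dll -Procedure VirtualAlloc `
    -ParameterTypes @([IntPtr], [UIntPtr], [UInt32], [UInt32]) -ReturnType ([IntPtr])
$VirtualFree = Get-Win32Delegate -Module kernel32.dll -Procedure VirtualFree `
    -ParameterTypes @([IntPtr], [UIntPtr], [UInt32]) -ReturnType ([bool])

$MEM_COMMIT_RESERVE = 0x3000   # MEM_COMMIT | MEM_RESERVE
$PAGE_READWRITE     = 0x04     # a loader asks for 0x40 (PAGE_EXECUTE_READWRITE) instead
$MEM_RELEASE        = 0x8000

$buffer = $VirtualAlloc.Invoke([IntPtr]::Zero, [UIntPtr]::new([UInt32]4096),
    $MEM_COMMIT_RESERVE, $PAGE_READWRITE)
if ($buffer -eq [IntPtr]::Zero) { throw 'VirtualAlloc failed' }
'kernel32.dll!VirtualAlloc resolved and called: buffer at 0x{0:X}' -f $buffer.ToInt64()
[void]$VirtualFree.Invoke($buffer, [UIntPtr]::Zero, $MEM_RELEASE)
```

Two things worth noting when hunting for this pattern. First, the renamed helpers hide nothing that matters: UnsafeNativeMethods, GetProcAddress, DefineDynamicAssembly and GetDelegateForFunctionPointer are .NET identifiers the script must use literally (unless it assembles them from string fragments at run time), so they make better search strings than any of the author's own names, as does the protection constant 0x40 that a loader passes instead of the 0x04 used here. Second, PowerShell script block logging (Event ID 4104) records the script as it is executed, which means this kind of deobfuscation is often already done for you in the event log.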


News URL

https://threatpost.com/powershell-payload-analysis-malware/165188/