PowerDecode: a PowerShell Script Decoder Dedicated to Malware Analysis


Details

Publication type: Conference paper
Conference: ITASEC 2021: Italian Conference on CyberSecurity
Location: Online
Online publication date: 2021-04-08

Abstract

In recent years, PowerShell-based attacks have been widely employed to compromise systems’ security. Attackers can hide such malicious scripts in file formats (e.g., Office document macros) that are easily delivered via large-scale spam mail campaigns. Moreover, attackers employ obfuscation techniques that allow the PowerShell code to evade the most common anti-malware protections and perform unauthorized actions targeting the confidentiality, integrity and availability of an information system. In this paper, we present PowerDecode, an open-source module for the de-obfuscation and analysis of PowerShell scripts. In particular, this module receives a script as input and returns its obfuscation layers, its original de-obfuscated variant and a report about possible malicious activities. We tested PowerDecode on almost 3000 malicious scripts, and the results showed significantly improved de-obfuscation performance in comparison to state-of-the-art systems. More specifically, PowerDecode was able to resolve multiple types of obfuscation and collect important information about attacks, such as malicious URLs and IP addresses contacted by malware. Finally, PowerDecode can be easily integrated into other malware analysis systems and can represent a valuable aid in identifying malicious activities.

Authors

  • Giuseppe Mario Malandrone
    Numera Sistemi e Informatica S.p.A
    Sassari, Italy
  • Giovanni Virdis
    Numera Sistemi e Informatica S.p.A
    Sassari, Italy
  • Giorgio Giacinto
    University of Cagliari
    Cagliari, Italy
  • Davide Maiorca
    University of Cagliari
    Cagliari, Italy