The Morphisec Labs team has tracked an obfuscated VBScript package in campaigns since March 2020. Initially, the malware campaign was focused on targets within Germany, but it has since moved on to additional targets, excluding any IP address within Russia or North Korea.
These VBScripts started in March by delivering Zloader, as previously identified, and have since evolved into a delivery mechanism for trojans such as Ursnif, Qakbot, and Dridex in addition to Zloader.
The campaign that Morphisec Labs has tracked starts with a zipped obfuscated VBScript file attached to an email. The rest of the technical details follow in this blog post.
Obfuscated VBScript Technical Overview
The email the target receives contains a ZIP attachment that appeared to be an invoice, specifying the amount of the transaction, date, and transaction number. The goal here, as in most of these emails with false invoices, is that the target won’t pay careful attention to the email.
Figure 1: Malspam ZIP attachment
Inside the zip file attachment is a heavily obfuscated Visual Basic Script file with a low detection rate.
Figure 2: VirusTotal low detection rate
The VBScript employed several techniques to evade sandboxes and make the analysis quite difficult. It has many garbage variables, comments, decoy functions, and all of the malicious functions are obfuscated.
Figure 3: Heavily obfuscated VBScript
To simplify our analysis, we wrote a short Python script that removes all the garbage code, comments, and variables. The image below illustrates what remained after we ran our Python script.
Figure 4: After the removal of garbage code, comments, and variables.
It leaves us with just the Visual Basic Script code. ExecuteGlobal receives a string as an argument and executes the commands in that string. In this case, the argument is an array that is converted to a string using mathematical character manipulation. Those strings are functions that are later used by the script (lines 32-44). This obfuscation can be easily undone by replacing 'ExecuteGlobal' with 'WScript.Echo', which prints the decoded code instead of executing it.
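The cleanup described above can be done with a handful of regular-expression passes. The following Python is an added example written for this article, not Morphisec's own script: it strips whole-line comments, drops Function/Sub blocks and Dim'd variables that nothing else references, swaps ExecuteGlobal for WScript.Echo so decoded code is printed rather than run, and decodes a character array under an assumed shift-by-constant scheme (the real sample's arithmetic is not shown in the post). The VBScript input is constructed for the demonstration.

```python
import re

FLAGS = re.IGNORECASE | re.MULTILINE

# Constructed VBScript modelled on the post's description (garbage variables,
# comments and decoy functions around one ExecuteGlobal); not a real sample.
SAMPLE_VBS = """' decoy comment that even mentions helper2
Dim qxz1
Dim qxz2
Dim realArr
qxz1 = "garbage"
qxz2 = 42
Rem another decoy line
Function helper1()
    helper1 = helper2()
End Function
Function helper2()
    helper2 = 7
End Function
realArr = Array(90, 86, 102, 117, 108, 115, 119)
ExecuteGlobal Decode(realArr)
"""


def strip_comments(src):
    """Drop whole-line comments (' or Rem). Trailing comments are left alone:
    without a real parser a ' inside a string literal is indistinguishable."""
    return re.sub(r"^[ \t]*(?:'|Rem\b)[^\n]*\n?", "", src, flags=FLAGS)


def strip_decoy_functions(src):
    """Remove Function/Sub blocks whose name is never referenced outside the block."""
    block_re = re.compile(
        r"^[ \t]*(?:Function|Sub)[ \t]+([A-Za-z_]\w*)\b.*?"
        r"^[ \t]*End[ \t]+(?:Function|Sub)[ \t]*$\n?",
        FLAGS | re.DOTALL,
    )

    def keep_or_drop(m):
        outside = src[: m.start()] + src[m.end():]
        referenced = re.search(rf"\b{re.escape(m.group(1))}\b", outside, re.IGNORECASE)
        return m.group(0) if referenced else ""

    return block_re.sub(keep_or_drop, src)


def strip_unused_variables(src):
    """Remove Dim lines and plain assignments for names that appear nowhere else."""
    for name in re.findall(r"^[ \t]*Dim[ \t]+([A-Za-z_]\w*)[ \t]*$", src, FLAGS):
        n = re.escape(name)
        own_lines = re.compile(rf"^[ \t]*(?:Dim[ \t]+{n}|{n}[ \t]*=[^\n]*)[ \t]*$\n?", FLAGS)
        without = own_lines.sub("", src)
        if not re.search(rf"\b{n}\b", without, re.IGNORECASE):
            src = without
    return src


def reveal_execute_global(src):
    """Turn every ExecuteGlobal into WScript.Echo so decoded code is printed, not run."""
    return re.sub(r"\bExecuteGlobal\b", "WScript.Echo", src, flags=re.IGNORECASE)


def decode_char_array(values, offset):
    """Assumed decoding scheme: each element is a character code plus a constant."""
    return "".join(chr(v - offset) for v in values)


def deobfuscate(src):
    src = strip_comments(src)
    previous = None
    while previous != src:  # decoys that only call other decoys need a second pass
        previous, src = src, strip_decoy_functions(src)
    src = strip_unused_variables(src)
    return reveal_execute_global(src)


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_VBS))
    print(decode_char_array([90, 86, 102, 117, 108, 115, 119], 3))
```

Comment stripping runs first on purpose: a decoy comment that mentions a function name would otherwise keep that function alive through the reference check. The decoy-function pass loops because a decoy that is only called by another decoy becomes unreferenced only once its caller is gone.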
Anti-VM and Anti-Analysis
The first function calls perform anti-analysis and anti-virtual-machine checks. If one of the following evasive checks detects that the script is running under a virtual machine or an analysis environment, the IP address is logged for the attacker, the script deletes itself, and a fake error message pops up.
Figure 5: Fake error message.
In addition to checking if the environment is a virtual machine or a sandbox, the Visual Basic Script also performs the following actions:
- Checks if the amount of physical memory is lower than 1030MB.
- Checks if the amount of logical memory is lower than 60GB.
- Checks if the number of files in the download folder is lower than 3. This same check is done for the temp folder.
- Checks if the last boot-up time was less than 10 minutes ago (some samples use 20 minutes as the time they check for).
- Checks if the number of cores is lower than 3.
- Checks if the video adapter memory is less than 1500MB.
- Extracts the geographical location identifier from the registry path "HKEY_CURRENT_USER\Control Panel\International\Geo\Nation" and checks against the excluded GEOID list. Germany was targeted in the previous campaign, and more recent ones have excluded Russia and North Korea.
- Checks if one of the processes from a list is running on the system (the list changes between versions). It also checks if the number of running processes is lower than 28.
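The thresholds above double as a checklist for anyone running a detonation sandbox: an analysis VM that falls below any of them never sees the payload. The following Python is an added example for this article, not Morphisec's code. evaluate_environment() takes a dictionary of measured facts and returns the checks the script would trip; collect_local_facts() fills in the few values the standard library can measure on any OS and leaves the rest (memory, uptime, video RAM, process count) as None, to be supplied from WMI or similar on the real sandbox. The geolocation and process-name checks have no numeric threshold and are not modelled.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Minimums exactly as listed in the post; the script aborts when a value is below them.
# Two boot-time values are reported (10 and 20 minutes); the stricter one is used.
THRESHOLDS = {
    "physical_memory_mb": 1030,
    "disk_gb": 60,
    "downloads_files": 3,
    "temp_files": 3,
    "uptime_minutes": 20,
    "cpu_cores": 3,
    "video_memory_mb": 1500,
    "process_count": 28,
}


def evaluate_environment(facts):
    """Return the names of the checks an analysis host would fail.
    A fact of None means 'not measured' and is skipped rather than failed."""
    return [
        key for key, minimum in THRESHOLDS.items()
        if facts.get(key) is not None and facts[key] < minimum
    ]


def collect_local_facts():
    """Measure what the standard library can on the current host; the rest stays None."""
    facts = {key: None for key in THRESHOLDS}
    home = Path.home()
    downloads = home / "Downloads"
    facts["cpu_cores"] = os.cpu_count()
    facts["temp_files"] = len(os.listdir(tempfile.gettempdir()))
    facts["downloads_files"] = len(os.listdir(downloads)) if downloads.is_dir() else 0
    facts["disk_gb"] = shutil.disk_usage(home).total // (1024 ** 3)
    return facts


if __name__ == "__main__":
    local = collect_local_facts()
    print("measured:", {k: v for k, v in local.items() if v is not None})
    print("script would abort on:", evaluate_environment(local) or "nothing")
```

Run it inside the sandbox image itself; anything it lists is a reason the sample would bail out before doing anything worth recording. Pad the Downloads and Temp folders, give the VM enough cores and RAM, and let it idle past the boot-time window before detonation.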
Figure 6: Process names evasion
In the previous campaign (April 2020, SHA-1: f4683dccf77a37dbba63c4f4088ce1bed5171ac2) the attacker created a shortcut in the temp directory to mark an infected machine.
Figure 7: First campaign infection mark.
In the latest campaign, the VBScript checks whether it is running on an already infected machine by looking for that artifact. If it finds the artifact, it pops a fake error message, deletes the script, and exits. If not, it creates a new shortcut to mark the machine as infected by the new campaign.
Figure 8: Checks if the machine is already infected
In the final phase (the last three function calls, lines 42-44), the script drops a ZIP archive decoded with the same technique used for decoding the functions. The archive contains one DLL, which is the payload; the other files in it are decoys to hamper analysis.
Figure 9: Dropped ZIP
Next, it extracts the archive and runs the DLL using rundll32 or regsvr32.
Figure 10: Runs the script using rundll32
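A process-creation rule is the natural detection for this last step. The following Python is an added example for this article, not Morphisec's code: it parses constructed Sysmon-style events (field=value pairs) and flags rundll32.exe or regsvr32.exe spawned by the Windows Script Host, rating the hit higher when the DLL argument lives under a Temp path. That the script runs under wscript.exe or cscript.exe is an assumption about how the attachment is launched, and the event lines are constructed, not real telemetry.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style (field=value
# pairs separated by '|'); not real telemetry from the campaign.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\System32\\wscript.exe|Image=C:\\Windows\\System32\\rundll32.exe"
    "|CommandLine=rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\payload.dll,DllRegisterServer",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\rundll32.exe"
    "|CommandLine=rundll32.exe shell32.dll,Control_RunDLL",
    "ParentImage=C:\\Windows\\System32\\cscript.exe|Image=C:\\Windows\\System32\\regsvr32.exe"
    "|CommandLine=regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Temp\\extracted\\x.dll",
    "ParentImage=C:\\Windows\\System32\\wscript.exe|Image=C:\\Windows\\System32\\notepad.exe"
    "|CommandLine=notepad.exe",
]

# Assumption: the VBScript attachment is executed by the Windows Script Host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
TEMP_DLL_RE = re.compile(r"\\Temp\\[^ ,]*\.dll", re.IGNORECASE)


def parse_event(line):
    """Split 'k=v|k=v' into a dict; values may themselves contain '='."""
    return dict(field.split("=", 1) for field in line.split("|"))


def image_name(path):
    """Lower-cased file name of a Windows path (or of a bare name)."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """'none' for uninteresting events, 'medium' for a script host loading a DLL,
    'high' when that DLL sits under a Temp directory as the post describes."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent not in SCRIPT_HOSTS or child not in DLL_LOADERS:
        return "none"
    return "high" if TEMP_DLL_RE.search(event.get("CommandLine", "")) else "medium"


def flag_events(lines):
    """Return (severity, CommandLine) for every event that is not 'none'."""
    hits = []
    for line in lines:
        event = parse_event(line)
        severity = classify(event)
        if severity != "none":
            hits.append((severity, event.get("CommandLine", "")))
    return hits


if __name__ == "__main__":
    for severity, cmd in flag_events(SAMPLE_EVENTS):
        print(f"[{severity}] {cmd}")
```

The parent-child pairing is the signal: rundll32 and regsvr32 are launched constantly by legitimate software (the explorer.exe event above is benign), but a script host starting them with a DLL under a user-writable Temp path is rare enough on most estates to alert on directly.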
Simple, or even not-so-simple, obfuscation of interpreted languages like VBScript is often enough for attackers to bypass scanning solutions. The reason is straightforward: because these are text-based languages, the number of possibly suspicious terms is effectively endless.
No matter what obfuscation is used, however, Morphisec’s moving target defense technology prevents the execution of the evasive payload, such as Zloader, Ursnif, Qakbot, or Dridex, before any damage is done.