The Morphisec Labs team has tracked an obfuscated VBScript package in campaigns since March 2020. Initially, the malware campaign was focused on targets within Germany, but has since moved on to additional targets--excluding any IP address within Russia or North Korea.
These VBscripts started in March with delivering Zloader, as previously identified, and have since evolved into a delivery mechanism for trojans like Ursnif, Qakbot, and Dridex in addition to Zloader.
The danger here is that VBScript interpreter comes pre-loaded onto every Windows operating system, and has done since Windows 98. Interpreted languages like VBScript, Javascript, or really any text-based script will always be difficult for scans to determine whether the code is malicious or not. The reason behind this is that there is an endless number of possibilities to represent the same command or result.
The campaign that Morphisec Labs has tracked starts with a zipped obfuscated VBScript file attached to an email. The rest of the technical details follow in this blog post.
The email the target receives contains a ZIP attachment that appeared to be an invoice, specifying the amount of the transaction, date, and transaction number. The goal here, as in most of these emails with false invoices, is that the target won’t pay careful attention to the email.
Figure 1: Malspam ZIP attachment
Inside the zip file attachment is a heavily obfuscated Visual Basic Script file with a low detection rate.
The VBScript employed several techniques to evade sandboxes and make the analysis quite difficult. It has many garbage variables, comments, decoy functions, and all of the malicious functions are obfuscated.
Figure 3: Heavily obfuscated VBScript
To simplify our analysis, we wrote a short Python script that removes all the garbage code, comments, and variables. The image below illustrates what remained after we ran our Python script.
Figure 4: After the removal of garbage code, comments, and variables.
It leaves us with just the Visual Basic Script code. ExecuteGlobal commands receive a string as an argument and execute the commands in the string. In this case, the argument is in the form of an array that is being converted to a string using mathematical character manipulation. Those strings are functions that are later used by the script (lines 32-44). This obfuscation method can be easily extracted by replacing 'ExecuteGlobal' with 'Wscipt.Echo'.
The first function calls are used for anti-analysis and anti-virtual machine. If one of the following evasive checks detects that it is running under a virtual machine or analysis environment, the attacker logs the IP, deletes the script, and pops a fake error message.
Figure 5: Fake error message.
In addition to checking if the environment is a virtual machine or a sandbox, the Visual Basic Script also performs the following actions:
Figure 6: Process names evasion
In the previous campaign (April 2020, SHA-1: f4683dccf77a37dbba63c4f4088ce1bed5171ac2) the attacker created a shortcut in the temp directory to mark an infected machine.
Figure 7. First campaign infection mark.
In the latest campaign, it checks if the VBScript is running on an infected machine by checking if the artifact is there. If it detects that it is running on an infected machine it will pop a fake error message, delete the script, and exit. If not, it will create a new shortcut to mark the infected machine with the new campaign.
Figure 8: Checks if the machine is already infected
In the final phase (the last three function calls: line 42-44), the script drops a zip folder by using the same decoding technique as used for decoding the functions. The zip folder consists of one dll, which is the payload. The others are decoys to hamper analysis.
Figure 9: Dropped ZIP
Next, it unzips the folder and runs the dll using rundll32 or regsvr32.
Figure 10: Runs the script using rundll32
Simple obfuscation, or even less-simple obfuscation, of interpreted languages like VBScript are just enough for attackers to bypass scanning solutions. The simple reason is that, because these are text-based languages, the amount of possibly suspicious terms is endless.
No matter what obfuscation is used, however, Morphisec’s moving target defense technology prevents the execution of the evasive payload, such as Zloader, Ursnif, Qakbot, or Dridex, before any damage is done.
IOCs (SHA-1)
Email:
VBS:
Dll: