VBScript Drops a Backdoor
Date: 21/01/2020
Hussain Kathawala
Suma Sowdi
Visual Basic Script (VBScript) is commonly used to write small programs that automate tasks on Windows. Malware authors also use it, because a script can modify the registry, interact with the system's hardware, and be executed remotely on a victim machine.
OVERVIEW
The intercepted sample is an encoded VBScript. This script drops an executable Trojan that communicates with a malicious server. The script has built-in encoding and decoding functions; the encoding is used to evade detection mechanisms.
ENCODING AND DECODING
The VBScript contains encoded text defined in the variable “CC”.
Figure 1
The script uses a certain logic to decode this. The logic is defined in the function “Decrypt”.
Figure 2
It splits “CC” on the “@” symbol and treats each character set between the “@” symbols as “i”. Each “i” is a hexadecimal value. Using the “ChrW” function, it converts the hex into decimal. The decimal value is then divided by the ‘pi’ value “3.1415926535897932384626433832795”. The resulting value is then rounded off and converted into ASCII. This can be understood better with the help of the following diagram.
Figure 3
After decoding, the script splits the value in the “de58yhfd” variable at the first occurrence of “M”. The characters after the “M” indicate a PE file [magic bytes 4D 5A]. It then saves the PE file with the name “57yhyh.ExE” and executes it.
Figure 4
INFECTION
The VBScript decodes itself using the logic defined above. It drops a PE file with the name “57yhyh.ExE”. When this file is executed, it drops another file named “java updater.exe”. The PE file belongs to the backdoor malware family.
Figure 5
The PE file also reads and adds registry keys.
Figure 6
(Annotation from Figure 3: 314 in decimal, divided by the pi value, gives 99.94, which is rounded off to 100.)
NETWORK TRAFFIC ANALYSIS
The PE file communicates with the domain “ahmed21018.linkpc.net” at the IP address “173.234.155.108” over the TCP protocol. Once it connects to the AsyncRAT C&C server, it transmits data to the victim system over the TLS protocol.
Figure 7
Figure 8
MITRE ATT&CK TECHNIQUES USED
Technique ID   Technique
T1059.005      Command and Scripting Interpreter: Visual Basic
T1203          Exploitation for Client Execution
T1204.002      User Execution: Malicious File
T1140          Deobfuscate/Decode Files or Information
T1132.001      Data Encoding: Standard Encoding
IOCs
f02bd913e532f0ce5cc24adc82f8d0b3
cfb2ab64e731d5649ec6c3e10a6d8a68
ahmed21018.linkpc.net
175.234.155.108
SUBEX SECURE PROTECTION
Subex Secure detects the VBScript sample as “SS_Gen_Dropper_VBS_E” and the PE sample as “SS_Gen_Backdoor_PE_B”.
OUR HONEYPOT NETWORK
This report has been prepared from the threat intelligence gathered by our honeypot network. This honeypot network is today operational in 62 cities across the world. These cities have at least one of the following attributes:
▪ Are landing centers for submarine cables
▪ Are internet traffic hotspots
▪ House multiple IoT projects with a high number of connected endpoints
▪ House multiple connected critical infrastructure projects
▪ Have academic and research centers focusing on IoT
▪ Have the potential to host multiple IoT projects across domains in the future
Over 3.5 million attacks a day are being registered across this network of individual honeypots. These attacks are studied, analyzed, categorized, and marked according to a threat rank index, a priority assessment framework that we have developed within Subex. The honeypot network includes over 4000 physical and virtual devices covering over 400 device architectures and varied connectivity mediums globally. These devices are grouped based on the sectors they belong to for purposes of understanding sectoral attacks. Thus, a layered flow of threat intelligence is made possible.