VBScript Drops a Backdoor

Date: 21/01/2020

Hussain Kathawala, Suma Sowdi


Visual Basic Script (VBScript) is a Windows scripting language generally used to automate administrative tasks and to build programs with advanced functionality. The same capabilities make it useful to malware authors: a script can modify the registry, interact with the system through its scripting objects, and be executed on a victim remotely.

OVERVIEW

The intercepted sample is an encoded VBScript. The script decodes and drops an executable Trojan that communicates with a malicious server. The script carries its own encoding and decoding functions; the encoding exists to evade signature-based detection of the embedded payload.

ENCODING AND DECODING

The VBScript stores the encoded payload in the variable “CC”.

Figure 1

The script uses a fixed logic to decode this text. The logic is defined in the function “Decrypt”.

Figure 2

The function splits the contents of “CC” on the “@” symbol and processes each token between the separators as “i”. Each “i” is a hexadecimal number. It is converted to its decimal value, divided by the ‘pi’ constant “3.1415926535897932384626433832795”, and rounded off; the rounded result is the ASCII code of one character, which the “ChrW” function turns into the character itself. The following diagram shows one step of this process.


Figure 3

After decoding, the script splits the value in the “de58yhfd” variable at the first occurrence of “M”. The characters from that “M” onwards form a PE file (magic bytes 4D 5A, i.e. “MZ”). The script saves the PE file under the name “57yhyh.ExE” and executes it.

Figure 4
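The decoding and carving steps described above, reimplemented in Python as an added example (this is not code from the report or from the sample itself). It assumes the token format the report describes, hexadecimal numbers separated by “@”, divided by pi and rounded. The sample's own encoder is not shown on the page, so `encode_cc` here is the author's inverse of the decoder, used only to build the constructed input; that input carries a fake DOS header, not a real executable, and the function names are arbitrary.

```python
"""Re-implementation of the sample's Decrypt logic and PE carving (added example)."""
from pathlib import Path
import tempfile

# Constant hard-coded in the script's Decrypt function (Python keeps ~16 digits)
PI = 3.1415926535897932384626433832795


def decode_cc(cc: str) -> str:
    """Split the encoded blob on '@', treat each token as a hexadecimal number,
    divide it by pi, round, and turn the result into a character (the script
    does this with ChrW)."""
    chars = []
    for tok in cc.split("@"):
        if not tok:                     # leading/trailing or doubled separators
            continue
        code = round(int(tok, 16) / PI)
        chars.append(chr(code))
    return "".join(chars)


def encode_cc(plain: str) -> str:
    """Inverse of decode_cc. The report does not show the sample's encoder;
    this one exists only to build the constructed test input below.
    round(ord(c) * pi) decodes back to ord(c) because the rounding error
    (at most 0.5) shrinks by a factor of pi before the second rounding."""
    return "@".join(format(round(ord(c) * PI), "x") for c in plain)


def carve_pe(decoded: str) -> bytes:
    """Take everything from the first 'M' onwards (as the script does with the
    de58yhfd variable) and return it as bytes, checking the MZ magic (4D 5A)."""
    idx = decoded.find("M")
    if idx < 0:
        raise ValueError("no 'M' in decoded data, nothing to carve")
    pe = decoded[idx:].encode("latin-1")   # ChrW codes 0..255 map one-to-one to bytes
    if pe[:2] != b"MZ":
        raise ValueError("carved data does not start with MZ")
    return pe


def drop_pe(cc: str, out_dir: Path, name: str = "57yhyh.ExE") -> Path:
    """Decode, carve and write the payload under the file name the script uses.
    The file is written for inspection only; nothing here executes it."""
    path = out_dir / name
    path.write_bytes(carve_pe(decode_cc(cc)))
    return path


# Constructed input: two filler characters followed by a fake DOS header.
# This is NOT the sample's real payload.
SAMPLE_PLAIN = "x9" + "MZ\x90\x00\x03\x00\x00\x00\x04\x00"
SAMPLE_CC = encode_cc(SAMPLE_PLAIN)

if __name__ == "__main__":
    print("encoded :", SAMPLE_CC)
    print("decoded :", repr(decode_cc(SAMPLE_CC)))
    with tempfile.TemporaryDirectory() as d:
        dropped = drop_pe(SAMPLE_CC, Path(d))
        print("dropped :", dropped, dropped.read_bytes()[:2])
```

The token “13a” (314 in decimal) decodes to “d”, matching the worked example in Figure 3. The MZ check in `carve_pe` is the practical safeguard: a decoder that guesses the wrong token base or rounding mode will still produce text, but it will not produce a valid PE header, so failing loudly at that point is preferable to writing garbage to disk.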

INFECTION

The VBScript decodes itself using the logic described above and drops a PE file named “57yhyh.ExE”. When this file is executed, it drops another file named “java updater.exe”. The PE file belongs to the AsyncRAT backdoor family, as the network traffic analysis below shows.

Figure 5

The PE file also reads and adds registry keys.

Figure 6

Figure 3 caption: the token 314, in decimal, is divided by the pi value, which gives 99.949; rounded off, this is 100, the ASCII code for “d”.


NETWORK TRAFFIC ANALYSIS

The PE file communicates with the domain “ahmed21018.linkpc.net”, which resolved to the IP address “173.234.155.108”, over TCP. Once it connects to the AsyncRAT C&C server, the data exchanged between the victim system and the server is carried over TLS.

Figure 7

Figure 8

MITRE ATT&CK TECHNIQUES USED

Technique ID   Technique

T1059.005      Command and Scripting Interpreter: Visual Basic

T1203          Exploitation for Client Execution

T1204.002      User Execution: Malicious File

T1140          Deobfuscate/Decode Files or Information

T1132.001      Data Encoding: Standard Encoding

IOCs

MD5 hashes:

f02bd913e532f0ce5cc24adc82f8d0b3

cfb2ab64e731d5649ec6c3e10a6d8a68

Domain:

ahmed21018.linkpc.net

IP address:

175.234.155.108 (the network traffic analysis section gives this address as 173.234.155.108; the report is inconsistent between the two, so both should be treated as candidate indicators until one is confirmed)
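A small IOC sweep over log lines, added here as an example of how the indicators above would be applied; it is not part of the report. The log lines are constructed in a generic key=value style for the demonstration and are not real telemetry, the regular expressions and the `hunt` function are the author's, and both IP addresses printed in the report are included because the report itself disagrees on the last value.

```python
"""IOC sweep over constructed log lines (added example, not from the report)."""
import re

# Indicators exactly as printed in the report. The network section gives
# 173.234.155.108 while the IOC list gives 175.234.155.108; both are kept so
# that whichever transcription is correct is matched.
IOC_DOMAINS = {"ahmed21018.linkpc.net"}
IOC_IPS = {"173.234.155.108", "175.234.155.108"}
IOC_MD5 = {"f02bd913e532f0ce5cc24adc82f8d0b3", "cfb2ab64e731d5649ec6c3e10a6d8a68"}
IOC_FILENAMES = {"57yhyh.exe", "java updater.exe"}

HOST_RE = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")


def hunt(lines):
    """Return (line_number, indicator_type, value) for every IOC hit.
    Lines are lower-cased first so hash and file-name case does not matter;
    hits are de-duplicated per line."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        found = set()
        for host in HOST_RE.findall(low):
            if host.strip(".") in IOC_DOMAINS:
                found.add(("domain", host.strip(".")))
        for ip in IPV4_RE.findall(low):
            if ip in IOC_IPS:
                found.add(("ip", ip))
        for digest in MD5_RE.findall(low):
            if digest in IOC_MD5:
                found.add(("md5", digest))
        for name in IOC_FILENAMES:
            if name in low:
                found.add(("filename", name))
        hits.extend((n, kind, value) for kind, value in sorted(found))
    return hits


# Constructed log lines in a generic key=value style (not real telemetry).
SAMPLE_LOG = [
    "2020-01-21T10:01:58Z proc host=ws15 image=C:\\Users\\u\\AppData\\Local\\Temp\\57yhyh.ExE "
    "md5=CFB2AB64E731D5649EC6C3E10A6D8A68",
    "2020-01-21T10:02:13Z dns client=10.0.0.15 query=ahmed21018.linkpc.net type=A "
    "answer=173.234.155.108",
    "2020-01-21T10:02:14Z conn src=10.0.0.15:49812 dst=173.234.155.108:443 proto=tcp",
    "2020-01-21T10:02:14Z conn src=10.0.0.15:49813 dst=93.184.216.34:443 proto=tcp",
]

if __name__ == "__main__":
    for n, kind, value in hunt(SAMPLE_LOG):
        print(f"line {n}: {kind} = {value}")
```

The hostname sits under linkpc.net, a dynamic DNS service, so the resolved address can change between infections; the hostname is the more durable of the two network indicators, and a hit on the bare IP alone should be corroborated (the address may be shared or reassigned). The file names are weak indicators on their own and are included only to add context to a hash or network hit on the same host.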

SUBEX SECURE PROTECTION

Subex Secure detects the VBScript sample as “SS_Gen_Dropper_VBS_E” and the PE sample as “SS_Gen_Backdoor_PE_B”.


OUR HONEYPOT NETWORK

This report has been prepared from the threat intelligence gathered by our honeypot network. This honeypot network is today operational in 62 cities across the world. These cities have at least one of the following attributes:

▪ Are landing centers for submarine cables
▪ Are internet traffic hotspots
▪ House multiple IoT projects with a high number of connected endpoints
▪ House multiple connected critical infrastructure projects
▪ Have academic and research centers focusing on IoT
▪ Have the potential to host multiple IoT projects across domains in the future

Over 3.5 million attacks a day are registered across this network of individual honeypots. These attacks are studied, analyzed, categorized, and marked according to a threat rank index, a priority assessment framework that we have developed within Subex. The honeypot network includes over 4000 physical and virtual devices covering over 400 device architectures and varied connectivity mediums globally. These devices are grouped based on the sectors they belong to for purposes of understanding sectoral attacks. Thus, a layered flow of threat intelligence is made possible.