What can happen when you click on phishing link containing malicious VBS script


What can happen when you click on phishing link containing malicious VBS script?

Imagine the typical scenario: your employees have been through multiple phishing trainings and are ready for anything. Then they get an email seemingly coming from their boss with a link to download an important file, and the boss is asking for their opinion on it ASAP! They download, unpack, and open the file and seemingly nothing happens… But in the background, through your firewalls and default Windows setup, some malicious actor has just gained access to their workstation. Let us take a look at what happened.

In this case, our VBS script was 37M in size, the majority of which was just bloat meant to evade AV detection. If we were to strip all the trailing zeros at the end of the script, the “good stuff” would be just under 112kB. When we open the script to take a look at what it does, we can see that the code itself is obfuscated… But have no fear! With some tidying up and searching for valid strings, it can become readable.

Figure 1 - Code before de-obfuscation

After analyzing the code, we can start to see where the magic happens. However, it is still lightly obfuscated… We can start by running the value passed to CreateObject through a base64 decoder the number of times given by “gSOho”.

Figure 2 - Non-gibberish parts of the code

If we were to add some extra… code to this VBS script that dumps the value of the “Uznak” function, we would get the list of URLs this script connects to in order to download the malicious payload.
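The de-obfuscation step described above (repeated base64 decoding of the CreateObject argument, then dumping the URL list), as an added Python example that is not part of the original post or the sample. It generalises the script's fixed round count by peeling layers until the data stops being valid base64; the sample blob, the hostnames and the function names are constructed for the demo.

```python
import base64
import binascii
import re

# Constructed stand-in for the obfuscated CreateObject argument: a fake URL
# list wrapped in three base64 layers. Not data from the real sample.
PLAIN = ("http://site-a.invalid/wp-content/themes/mapro/pump/55555.png\n"
         "http://site-b.invalid/wp-content/themes/mapro/pump/55555.png")
SAMPLE = PLAIN.encode()
for _ in range(3):
    SAMPLE = base64.b64encode(SAMPLE)
SAMPLE = SAMPLE.decode()

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def peel_base64(blob, max_layers=32):
    """Strip nested base64 layers until the data is no longer valid base64
    or no longer decodes to printable text. Returns (text, layers_removed).
    Stopping on failure replaces the fixed round count the script uses."""
    current = blob.strip()
    layers = 0
    while layers < max_layers:
        try:
            text = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break
        if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            break  # decoded to binary, so the previous layer was the last
        current, layers = text, layers + 1
    return current, layers


def extract_urls(text):
    """Pull every URL out of the de-obfuscated text, like dumping Uznak."""
    return URL_RE.findall(text)


def decode_and_list_urls(blob):
    """Peel the layers, then return (layers_removed, urls_found)."""
    text, layers = peel_base64(blob)
    return layers, extract_urls(text)


if __name__ == "__main__":
    layers, urls = decode_and_list_urls(SAMPLE)
    print(f"removed {layers} base64 layers; {len(urls)} URLs found")
    for url in urls:
        print("  ", url)
```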

Figure 3 - Function to dump de-obfuscated code into a file

On running, this VBS script connects to 5 different domains and then downloads the file “55555.png”, a backdoor executable masquerading as a PNG file. The GET request for the file is domain/wp-content/themes/mapro/pump/55555.png?uid=(OS version).
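A defender-side check for the download described above, as an added Python example that is not part of the original post: it flags proxy log lines whose path and query match the dropper request, and confirms a downloaded “PNG” is really a PE file by its header. The log format, client addresses and hostnames are constructed; only the path and query shape come from the post.

```python
import re
from urllib.parse import parse_qs, urlsplit

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PE_MAGIC = b"MZ"

# Download path pattern from the post; the theme directory is kept loose so a
# renamed theme folder still matches.
DROPPER_PATH = re.compile(r"/wp-content/themes/[^/]+/pump/\d+\.png$")

# Constructed proxy log lines ("client method url status"); the hostnames are
# placeholders, only the path and query shape follow the post.
LOG_LINES = [
    "10.0.0.12 GET http://cdn.example.invalid/img/logo.png 200",
    "10.0.0.12 GET http://site-a.invalid/wp-content/themes/mapro/pump/55555.png?uid=Windows%2010 200",
    "10.0.0.20 GET http://site-b.invalid/wp-content/themes/mapro/pump/55555.png?uid=Windows%207 404",
    "10.0.0.33 GET http://intranet.invalid/reports/q1.pdf 200",
]


def flag_request(line):
    """Return the reasons a proxy log line looks like the dropper download."""
    _client, _method, url, _status = line.split()
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    reasons = []
    if DROPPER_PATH.search(parts.path):
        reasons.append("path matches the 55555.png download pattern")
    if parts.path.lower().endswith((".png", ".jpg", ".gif")) and "uid" in query:
        reasons.append("image request carries a uid= query parameter")
    return reasons


def scan_log(lines):
    """Map every suspicious URL to its reasons; clean lines are dropped."""
    hits = {}
    for line in lines:
        reasons = flag_request(line)
        if reasons:
            hits[line.split()[2]] = reasons
    return hits


def is_disguised_executable(filename, data):
    """True when a file named .png carries a PE header instead of a PNG one."""
    return (filename.lower().endswith(".png")
            and data[:2] == PE_MAGIC
            and not data.startswith(PNG_MAGIC))
```

A 404 still counts as a hit in scan_log: the request itself is the signal that the script ran, whether or not the payload was served.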


After trying to download the file, our script goes through the registry and disables every antivirus it can find, turns on the PeerDistribution service (remote access), goes through our Winsock settings and generally keeps being nosey.


Moving on, the script spawns a malicious svchost process which drops a tIIHAB.job file in the Windows\System32\Tasks folder. The .job files are used when registering scheduled tasks with Task Scheduler. They contain the name of the task, triggers, conditions, the path to the process, etc.

Figure 4 - Content of the job file; we can see it is in XML format

This task creates an autorun entry that tries to execute our 55555.png file, which is now called PaintHelper.exe and resides in C:\Users\<Username>\AppData\Local\Temp\PaintHelper.exe. After PaintHelper runs, it creates a backdoor connection to a compromised IP, to which it sends exfiltrated data (credentials, contacts, etc.) and acts as a keylogger.
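A hunting check for the persistence described above, as an added Python example that is not part of the original post: it parses a task definition in the Task Scheduler XML schema and flags tasks whose Exec command lives in a user's Temp folder and that fire at logon or boot. The task XML and the username are constructed; the binary path mirrors the post.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Binaries launched from a user's Temp folder are a classic persistence tell.
USER_TEMP = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
AUTORUN_TRIGGERS = {"LogonTrigger", "BootTrigger"}


def make_task(command, trigger="LogonTrigger"):
    """Build a minimal task definition in the Task Scheduler XML schema.
    Real files under System32\\Tasks are UTF-16; decode them before parsing."""
    return (f'<Task version="1.2" xmlns="{NS["t"]}">'
            f"<Triggers><{trigger}><Enabled>true</Enabled></{trigger}></Triggers>"
            f'<Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions>'
            "</Task>")


# Constructed samples: the dropped task from the post beside a benign one.
SUSPECT_XML = make_task(r"C:\Users\jdoe\AppData\Local\Temp\PaintHelper.exe")
BENIGN_XML = make_task(r"C:\Windows\System32\notepad.exe", trigger="TimeTrigger")


def audit_task(xml_text):
    """Return findings for one task: Temp-resident command, autorun trigger."""
    root = ET.fromstring(xml_text)
    triggers = root.find("t:Triggers", NS)
    names = {t.tag.split("}")[-1] for t in triggers} if triggers is not None else set()
    findings = []
    for exec_node in root.iterfind(".//t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS)
        if USER_TEMP.match(command):
            findings.append(f"Exec command lives in user Temp: {command}")
    autorun = names & AUTORUN_TRIGGERS
    if findings and autorun:
        findings.append("autorun: " + ", ".join(sorted(autorun)))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("suspect", SUSPECT_XML), ("benign", BENIGN_XML)):
        print(label, audit_task(xml_text) or "no findings")
```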

Figure 5 - Imports loaded by PaintHelper, used for capturing user input

Now that you know how people get their personal information stolen, what can we do to prevent this? You can follow the recommendations from our previous blog post on Covid-related phishing. Also, if you want to add an extra layer of easy-to-use security, you can download and use a free solution such as Sandboxie. Creating a dedicated virtual environment through Sandboxie will protect you from most malicious links, attachments or scripts… provided you run them inside the sandboxed window.

If we got you spooked and you want to prevent this from happening at all costs in your organization, you can go as far as setting up PGP/GPG email encryption, using password managers, and setting up an email detonator/inspector. You will not secure your whole organization, but you will drastically decrease the chance of becoming a victim of phishing attacks. And as we know, more than 90% of all malware is distributed via phishing emails.

IOCs:
Filenames:
• Judgement_04212020_2313.vbs
• PaintHelper.exe
• tIIHAB

SHA256:
• 0fa2f6d322d5b1508e023e6afc26f219d1122ed011f6dbe4898f70e9c5b4c259
• d2b080b9af5d39d72af149afb065e769b1da8005edfe84237942a1b99f4fa36c
• 6fe9488b91c9b6cec14b1bf328748d41c20ecdf52e24f1743155fcdbbd0e7f3e


Automated Analysis:
https://www.virustotal.com/gui/file/0fa2f6d322d5b1508e023e6afc26f219d1122ed011f6dbe4898f70e9c5b4c259/detection
https://www.hybrid-analysis.com/sample/0fa2f6d322d5b1508e023e6afc26f219d1122ed011f6dbe4898f70e9c5b4c259/5ea2f98bd1c0ec314a598492
https://www.vmray.com/analyses/0fa2f6d322d5/report/overview.html
https://app.any.run/tasks/9c925df5-57c8-410e-90b0-12a9e1f03fd6