What can happen when you click on phishing link containing malicious VBS script?
Imagine the typical scenario; your employees are after multiple phishing trainings and are ready for everything. So, they get an email seemingly coming from their boss with a link to download an important file. And their boss is asking for their opinion on it ASAP! They download, unpack, and open the file and seemingly nothing happens… But in the background, through your firewalls and default windows setup, some malicious actor just gained access into their workstation. Let us take a look on what happened.
In this case, our VBS script had 37M, majority of which was just bloat meant to evade AV detection. If we were to strip all the trailing zeros at the end of the script, the “good stuff” would be just under 112kB. When we open the script to take a look on what it does, we can see that the code itself is obfuscated… But have no fear! With some tidying up and searching for valid strings, it can become readable.
After analyzing the code, we can start to see where the magic happens. However, it is still lightly obfuscated… We can start with running the value in CreateObject through base64 decoder “gSOho” number of times.
If we were to code extra … code into this VBS script, that would dump the value in “Uznak” function, we would get list of URLs where this script connects to download the malicious payload.
On running, this VBS script connects to 5 different domains and then downloads file “55555.png” – backdoor executable masquerading as PNG file. GET request to the file is domain/wp-content/themes/mapro/pump/55555.png?uid=(OS version).
After trying to download the file, our script goes through registry and disables every antivirus it can find, turns on PeerDistribution service (remote access), goes through our WinSocks and just keeps being nosey.
Moving on, the script spawns malicious svchost process which drops tIIHAB.job file in Windows\System32\Tasks folder. The .job files are used when registering scheduled tasks by Task scheduler. It contains name of the task, triggers, conditions, path to process, etc..
This task creates autorun entry that tries to execute our 55555.png file, which is now called PaintHelper.exe and resides in C:\Users\”Username”\AppData\Local\Temp\PaintHelper.exe. After PaintHelper runs, it creates backdoor connection to compromised IP, to which it sends exfiltrated data (credentials, contacts, etc …) and acts as keylogger.
Now that you know how people get their personal information stolen, what can we do to prevent this? You can follow the recommendations from our previous blog post on Covid related phishing. Also, if you want to add extra layer of easy-to-use security measure, you can download and use free solution such as sandboxie. Creating dedicated virtual environment through sandboxie will protect you from most of the malicious links, attachments or scripts… provided you run them inside the sandboxed window.
If we got you spooked and you want to prevent this from happening at all cost in your organization, you can go as far as to set up PGP/GPG email encryption, use password managers, and set up some email detonator/inspector. You will not secure your whole organization, but you will drastically decrease the chance of becoming a victim of phishing attacks. And as we know, more than 90% of all malware is distributed via phishing emails.
• 4mco.com.pk – 126.96.36.199
• Cheshirecheetah.com – 188.8.131.52
• Cloud.wmsinfo.com.br – 184.108.40.206
• Hasumvina.nrglobal.top – 220.127.116.11
• Jeromenetpanel.ml – 18.104.22.168
IP and ports:
• 22.214.171.124 /80 – US
• 126.96.36.199 /80 – US
• 188.8.131.52 /80 – Brazil
• 184.108.40.206 / 80 – Germany
• 220.127.116.11 /80 – Vietnam