Obfuscated VBScript Hides Trojans


Monday, July 6th, 2020

In March 2020, Morphisec Labs tracked an obfuscated VBScript package being used in active threat actor campaigns. Originally the VBScript was a loader used to deliver Zloader, a banking trojan of the Zeus family, but it has since evolved to deliver other trojans such as Ursnif, Qakbot, and Dridex. The VBScript relies on the Windows native script interpreters wscript.exe and cscript.exe to run and infect the host.

The malicious package is delivered as a zip file email attachment disguised as a billing invoice, which is then extracted and opened by the unsuspecting target.

The VBScript uses some basic but effective anti-VM and anti-analysis techniques, which also contribute to its low detection rate. The script file is heavily obfuscated and padded with fake comments, functions, and variables that hide the actual malicious code. When the script executes, it checks several host-specific attributes to determine whether it is running in a virtual machine.

Some of the system checks include:

  • Physical and Logical memory
  • Counting files in certain directories
  • System up-time
  • Number of CPU cores
  • Registry keys
  • Geo Location
  • Number of running processes

If any of the checks fail, or analysis tools are detected among the running processes, the script launches a pop-up error message and then deletes itself.

If the host system passes the previously mentioned checks, the script checks whether the system is already infected by looking for an artifact; if the artifact is not found, the script drops a zip archive containing a DLL, which is then extracted and run with rundll32 or regsvr32.
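The final step of that chain, a script host (wscript.exe or cscript.exe) directly spawning rundll32.exe or regsvr32.exe to load a dropped DLL, is a useful detection point. The following is an added example, not code from the original post or from Morphisec; it runs a simple parent-child check over a constructed, Sysmon-like set of process-creation events (the field names and sample paths are assumptions made for the example).

```python
# Added example (not from the original post): flag the execution chain
# described above, where wscript.exe/cscript.exe runs a script and then
# launches rundll32.exe or regsvr32.exe to load a dropped DLL.
# Event fields (pid, ppid, image, cmdline) are a constructed Sysmon-like subset.
from dataclasses import dataclass
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the newly created process
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so comparisons ignore case."""
    return ntpath.basename(path).lower()


def find_script_host_to_loader(events):
    """Return (script host event, loader event) pairs where a VBScript host
    process is the direct parent of rundll32.exe or regsvr32.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in DLL_LOADERS:
            continue
        parent = by_pid.get(e.ppid)
        if parent and basename(parent.image) in SCRIPT_HOSTS:
            hits.append((parent, e))
    return hits


# Constructed sample events: one suspicious chain and one benign logon script.
SAMPLE_EVENTS = [
    ProcEvent(400, 100, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(520, 400, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\AppData\Local\Temp\invoice_1234.vbs"'),
    ProcEvent(610, 520, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\u\AppData\Local\Temp\x\drop.dll,DllRegisterServer"),
    ProcEvent(700, 400, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe //nologo \\fileserver\netlogon\map_drives.vbs"),
    ProcEvent(810, 700, r"C:\Windows\System32\net.exe", r"net use H: \\fileserver\home"),
]

if __name__ == "__main__":
    for parent, child in find_script_host_to_loader(SAMPLE_EVENTS):
        print(f"pid {parent.pid} ({basename(parent.image)}) -> pid {child.pid}: {child.cmdline}")
```

The benign cscript.exe logon script spawning net.exe is not flagged, since the rule keys on the DLL loader child rather than on script hosts in general.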

No specific threat actor has been attributed to this attack yet, but the motive is clearly financial gain, as the malware being dropped consists of known instances of popular banking malware.

For a full list of Indicators of Compromise for this campaign, please see the attached document, ‘VBScript IOCs.pdf.’
