Researching new and emerging cyber threats is common practice for the Binary Defense Threat Hunting team. Recently, the threat hunters came across an interesting multi-stage vbs downloader, which was used to distribute RevengeRAT and WSHRAT. This infection starts from an MHT file contained in a zip document sent over email, which communicates back to the following open directory server: http://newdocreviewonline.3utilities[.]com/
Decoding the characters shows an html file with some VBScript code inside of it that essentially creates a new script called A6p.vbs (stored in AppData/Local) which it then uses to pull down and execute the stage2, a new script called Microsoft.vbs. This stage2 is downloaded from:
https://scisolinc[.]com/wp-includes/Text/microsoft.vbs and is heavily obfuscated.
Digging into the Stage2
As seen in the above image, there’s a large buffer of Base64 encoded text, and a replace call. The replace call replaces “(!” in the Base64 buffer with “A”, which allows the buffer to be decoded successfully. Decoding the Base64 buffer shows a more informative script, along with large blocks of junk code:
Example of junk code
Since the de-obfuscation work is still not done, it is necessary to strip out the junk code so that the script can be easily read. In doing so, the file size is reduced from 113KB to 75KB, which is a fairly large amount of junk code:
Looking at the now readable stage2, two things jump out. First, a Base64 encoded PE file is seen (evident by the TVqQAAMAAAA), which is the RevengeRAT executable. Next, a second large Base64 encoded string is noticed. This string is interesting and will be discussed later.
An initial glance may have overlooked the readable stage2, but the Base64 encoded portable executable (PE) file is still obfuscated. Scattered around the Base64 string are @ symbols, which need to be replaced with “0” in order for the PE to be decoded properly. However, it doesn’t do this immediately.
In order to maintain persistence, the script first copies Microsoft.vbs from AppData/Local/Temp to Appdata/Roaming, and then saves a run key called “microsoft” with the value set to “C:User%USER%AppdataRoamingmicrosoft.vbs”
Screenshot from Binary Defense MDR after it detected the installation
This allows the vbs to run at startup. Next, the script saves the obfuscated PE file into HKCU:SoftwareMicrosoftmicrosoft as a string. The script then reads the previously saved key into memory and de-obfuscates the PE file before finally executing the file. This allows RevengeRAT to run in memory and not drop any files onto the system—a technique known as “fileless.”
See bottom of analysis for IOCs:
Digging into the “Interesting” Base64 String
Circling back around to the other Base64 string contained in the stage2 reveals a few things. First, unlike all other Base64 encountered so far, this string is not obfuscated. Additionally, the stage2 decodes the Base64 before saving the now decoded Base64 string to a file in Appdata/Roaming called GXxdZDvzyH.vbs, which it then executes with wscript /b. The /b flag specifies batch mode, which does not result in errors or input prompts.
Decoding the Base64 string gives us a file that strongly resembles the original obfuscated stage2:
De-obfuscating the Base64 string contained in GXxdZDvzyH.vbs, reveals WSHRat.
Out of all samples discussed in this analysis, the WSHRAT drop was the most surprising. WSHRAT is a relatively new stealer written entirely in VBScript. This RAT is fairly modular, but in its base state can steal computer information like computer name and antivirus provider. It can also steal passwords from popular web browsers like Chrome, Internet Explorer, and Firefox. Additionally, besides installing as a Run key, the malware also seems to have the ability to create lnk files that pose as legitimate shortcuts but in reality, also execute the malware before executing the specified file.
If the malware detects that it is running as admin, it will also attempt to disable UAC so that it can always escalate to admin without prompting the user.