Researching new and emerging cyber threats is common practice for the Binary Defense Threat Hunting team. Recently, the threat hunters came across an interesting multi-stage vbs downloader, which was used to distribute RevengeRAT and WSHRAT. This infection starts from an MHT file contained in a zip document sent over email, which communicates back to the following open directory server: http://newdocreviewonline.3utilities[.]com/
Decoding the characters shows an html file with some VBScript code inside of it that essentially creates a new script called A6p.vbs (stored in AppData/Local) which it then uses to pull down and execute the stage2, a new script called Microsoft.vbs. This stage2 is downloaded from:
https://scisolinc[.]com/wp-includes/Text/microsoft.vbs and is heavily obfuscated.
Digging into the Stage2
As seen in the above image, there’s a large buffer of Base64 encoded text, and a replace call. The replace call replaces “(!” in the Base64 buffer with “A”, which allows the buffer to be decoded successfully. Decoding the Base64 buffer shows a more informative script, along with large blocks of junk code:
Example of junk code
Since the de-obfuscation work is still not done, it is necessary to strip out the junk code so that the script can be easily read. In doing so, the file size is reduced from 113KB to 75KB, which is a fairly large amount of junk code:
Looking at the now readable stage2, two things jump out. First, a Base64 encoded PE file is seen (evident by the TVqQAAMAAAA), which is the RevengeRAT executable. Next, a second large Base64 encoded string is noticed. This string is interesting and will be discussed later.
An initial glance may have overlooked the readable stage2, but the Base64 encoded portable executable (PE) file is still obfuscated. Scattered around the Base64 string are @ symbols, which need to be replaced with “0” in order for the PE to be decoded properly. However, it doesn’t do this immediately.
In order to maintain persistence, the script first copies Microsoft.vbs from AppData/Local/Temp to Appdata/Roaming, and then saves a run key called “microsoft” with the value set to “C:\User\%USER%\Appdata\Roaming\microsoft.vbs”
Screenshot from Binary Defense MDR after it detected the installation
This allows the vbs to run at startup. Next, the script saves the obfuscated PE file into HKCU:\Software\Microsoft\microsoft as a string. The script then reads the previously saved key into memory and de-obfuscates the PE file before finally executing the file. This allows RevengeRAT to run in memory and not drop any files onto the system—a technique known as “fileless.”
See bottom of analysis for IOCs:
Digging into the “Interesting” Base64 String
Circling back around to the other Base64 string contained in the stage2 reveals a few things. First, unlike all other Base64 encountered so far, this string is not obfuscated. Additionally, the stage2 decodes the Base64 before saving the now decoded Base64 string to a file in Appdata/Roaming called GXxdZDvzyH.vbs, which it then executes with wscript /b. The /b flag specifies batch mode, which does not result in errors or input prompts.
Decoding the Base64 string gives us a file that strongly resembles the original obfuscated stage2:
De-obfuscating the Base64 string contained in GXxdZDvzyH.vbs, reveals WSHRat.
Out of all samples discussed in this analysis, the WSHRAT drop was the most surprising. WSHRAT is a relatively new stealer written entirely in VBScript. This RAT is fairly modular, but in its base state can steal computer information like computer name and antivirus provider. It can also steal passwords from popular web browsers like Chrome, Internet Explorer, and Firefox. Additionally, besides installing as a Run key, the malware also seems to have the ability to create lnk files that pose as legitimate shortcuts but in reality, also execute the malware before executing the specified file.
If the malware detects that it is running as admin, it will also attempt to disable UAC so that it can always escalate to admin without prompting the user.
|disconnect||Closes the malware|
|reboot||Reboots the computer|
|shutdown||Shuts the computer off|
|exececute||Executes whatever command/file is specified in the supplied parameter|
|install-sdk||Download the wshsdk.zip file from C2, consists of a standalone python installation|
|get-pass||Grab password from specified file|
|get-pass-offline||Grab passwords from browsers along with specified file|
|update||Update the malware|
|uninstall||Uninstall the malware|
|up-n-exec||Download and update the malware|
|bring-log||Send wshlogs\ to the C2|
|down-n-exec||Download and execute new malware|
|filemanager||File manager plugin using “fm-plugin.exe”|
|rdp||RDP plugin using “rd-plugin.exe”|
|keylogger||Keylogger plugin using “kl-plugin.exe”|
|offline-keylogger||Keylogger plugin using “kl-plugin.exe”|
|browse-logs||Browse logs generated by the rat|
|cmd-shell||Open a CMD shell|
|get-processes||List all processes|
|disable-uac||Disable UAC checks|
|check-eligible||Check eligibility for supplied file|
|force-eligible||Force eligibility for supplied file|
|elevate||Elevate to admin|
|if-elevate||Check elevation status|
|kill-process||Kill specified process|
|sleep||Sleep for specified amount of time|
Unfortunately, as this file is resident in the registry, full removal is a bit more challenging than just removing a file. The first thing that should be removed are the two files stored in %APPDATA%, which are microsoft.vbs and GXxdZDvzyH.vbs. This will stop the malware from executing. If any errors are received during deletion, the computer will need to be restarted in safe mode to try to delete those files again—and stay in safe mode—so that the registry can be edited without worrying about the malware executing.
In the registry, locate the Run key (HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\Run) and delete the value “microsoft” as well as the value “GXxdZDvzyH”. Additionally, navigate to HKCU:Software\Microsoft\, find the value “microsoft” (should consist of the Base64 encoded PE file), and delete that value.
After following these steps, the computer should be safe to reboot in normal mode.
Registry Location: HKCU:Software\Microsoft\microsoft
C2(s): 18.104.22.168:5478, 22.214.171.124:5478
WSHRAT IOCs (pulled from config, mainly)
Registry Location: HKEY_LOCAL_MACHINE:Software\Microsoft\Windows\CurrentVersion\Run\ GXxdZDvzyH
Hash (microsoft.vbs): c229c614c9bd2b347fd24ad12e3c157c686eb86bc0a02df1c7080cf40b659e10
Hash (GXxdZDvzyH.vbs): ced8be6a20b38f5f4d5af0f031bd69863a60be53b9d6434deea943bf668ac8d8
Real People Detecting Real Threats in Real Time. The above article covers risks related to information security. This threat has been witnessed, monitored, and analyzed by the cybersecurity specialists at Binary Defense. Those who currently subscribe to our SOC-as-a-Service offerings including SIEM monitoring, Managed Detection & Response, and / or Counterintelligence services are already being actively protected against the threat(s). To learn more about how we can protect you from new and emerging cyberattacks, please contact us.