Authored by Preksha Saxena and Yashvi Shah

McAfee Labs has been tracking a sophisticated VBS campaign characterized by obfuscated Visual Basic Scripting (VBS). Initially delivering the AgentTesla malware, the campaign has evolved into a multi-faceted threat, employing VBS scripts as a versatile delivery mechanism. Notably, this campaign extends beyond AgentTesla, now distributing a range of malware such as Guloader, Remcos RAT, Xworm, and Lokibot.

This campaign illustrates a comprehensive infection process initiated by a VBS file delivered via email. Starting with the activation of a VBS script, it progresses through PowerShell phases, utilizing the BitsTransfer utility for fetching a second-stage PowerShell script. The decoded and executed Shellcode A conceals and loads Shellcode B. In the final phase, wab.exe downloads the encrypted Remcos RAT payload. Shellcode B decrypts and injects it into wab.exe, making it function as the Remcos RAT.

The observed campaign has been noted for targeting diverse regions worldwide. Presented below is a geographical heatmap depicting McAfee customers who have been targeted and saved over the past three months.

Figure 1: Geo Heatmap showing targeted regions.

In the featured blog post, malicious actors utilized GuLoader to deploy the Remcos RAT.

Execution Chain

Figure 2: Infection chain

The execution begins by running a VBS script. then it triggers the execution of the first-stage PowerShell. Subsequently, the BitsTransfer utility is employed to fetch a second-stage PowerShell which is base64 encoded.

The second stage PowerShell is then encoded and executed. Following this, the First Shellcode is meticulously carved out and loaded reflectively. The second Shellcode encoded within Shellcode A, undergoes decoding and is also reflectively loaded.

The final step involves a second Shellcode which is leveraged to retrieve and inject the Remcos RAT (Remote Control and Surveillance Tool) into a legitimate Windows process. In this case, wab.exe. This intricate series of actions allows for the stealthy deployment and operation of the Remcos RAT within the Windows environment.

Figure 3: Process Tree

Obfuscated VBScript Technical Overview:

Stage 1: (Deobfuscating vbs)

Attached to the email is a ZIP file seemingly labeled as “revised_quotation_for_purchase_invoice_order_design_6th_november_2023“, resembling an invoice to the user. The intent, much like similar deceptive emails, is for the recipient not to scrutinize the email closely.

Inside the zip file attachment is a heavily obfuscated VBS file. The VBS script employed several techniques to make the analysis quite difficult. It has many garbage variables, decoy functions, and unnecessary comments, and all the malicious functions are obfuscated.

Figure 4: Heavily obfuscated script

The code appears streamlined after removing redundant lines, resulting in a more concise and efficient version. After removing all the comments, the script turned out to be as follows:

Figure 5: Post-removing the junk code

In the script, there’s a frequent appending of new strings to the variable “Fu6”. This method serves to increase the complexity of the analysis. Once all the strings are concatenated and formatted, the result emerges in a more intriguing manner. As shown in the below image.

Figure 6: After deobfuscating the code

The function “Mikr9” will handle the conversion of strings, rendering them readable. We converted all the lines to a readable format, with the help of the “Fu6” function. For example, as shown in Figure 5, the string

‘DelfhAdvetFagstStatpYapp:Nona/fisk/Indh1 Sic0 Tra3parc. Mon1Gens7Vide6Eufo.Tast1Outs1Midd1afte.Dors1husg6 Hal3Beja/ Hypm RenuColonSprgdNasahToasuRafflchon.GyttpBrnefMuckbAcci ‘ became http://103.176.111[.]163/mundhul.pfb.

Likewise, the entire script is decoded, and we get the following script:

Figure 7: After applying decrypting function Mikr9()

The script conducts the following sequence of activities:

Retrieves the second-level file from “hxxp://103.176.111[.]163/mundhul.pfb” using BitsTransfer.
Save the acquired file in the Appdata folder.
Decodes the file from Base64, converting it into a string format.
Navigates to offset 229981 and extracts the subsequent 28050 units of data.
Executes the extracted data using IEX (Invoke-Expression).

Stage 2:

Powershell execution

The file retrieved shows zero detection on VT, appears to be base64 encoded, and has a size of 336KB.

Figure 8: Second Powershell script

Figure 9: Content is base64 encoded

Upon decoding “mundhul.pfb,” a detailed analysis can be conducted to comprehend its functionality, enabling further examination of the malware’s execution. Once the file gets decoded, it reveals a code resembling the image provided below.

Figure 10: Base64 decoded data

As specified in the script, execute a jump to offset 229981 and retrieve the ensuing 28050 units of data. This marks the start of the second PowerShell script, which is 28050 bytes, marked as follows.

Figure 11: Start of encrypted second PowerShell

The code contains various comments, so we followed the same procedure, as we did for the first script, removed all the junk code and we got a function that seems to handle the decryption of all the strings.

</centerFigure 12: After removing the junk

The decryption process iterates multiple times to unveil the strings, and the malware employs the “Invoke” method to execute its commands. After decoding all the strings using “Bedroges02” function, we finally got the intent of the script.

Figure 13: After applying decryption logic

The PowerShell script initially loads the VirtualAlloc() function and stores the memory handle in variables named “trll3” and “Akuammin195”. These sections possess permissions for writing, reading, and executing. The latter segment of the script appears to invoke a concealed shellcode embedded within it.

The execution sequence involves copying the bytes as follows: The initial 644 bytes from the beginning of this PowerShell script constitute the first shellcode. Subsequently, starting from byte 644, the script copies the next 229337 bytes, constituting the second shellcode.

Figure 14: Constituting shellcode

Following the execution sequence, malware initiates the API call CallWindowProcA, leading subsequently to the invocation of the native function NtProtectVirtualMemory. Then the process transitions directly to initiating the first shellcode.

Stage 3: Shellcode-A execution

The shellcode-A’s primary action involves copying the shellcode B into memory, as depicted in the figure below.

Figure 15: Loop used for copying shellcode B

The shellcode B undergoes decryption via XOR operation. This operation serves to transform the code into its executable form, allowing the decrypted shellcode to execute its intended instructions within the system’s memory.

Figure 16: Decryption loop used for decrypting shellcode B

Stage 4: Shellcode-B

The shellcode is designed to establish a new process named “wab.exe” and it replicates 0x3FC4000 bytes of decrypted shellcode into its memory space. As indicated by the highlighted blue box, the content decrypted from the second shellcode (shown in Figure 15) is subsequently injected into the wab.exe process (depicted in Figure 16).

Figure 17: Injection of second shellcode

The objective of the shellcode is to fetch the Remcos RAT from the specified URL, “hxxp://103.176.111.163/lnHxQotdQb132.bin” and subsequently inject it into the “wab.exe” process. Once “wab.exe” is injected by the final payload, it undertakes all malicious activities.

Figure 18: wab.exe connecting to C2

The file obtained from the provided URL seems to be an encrypted binary. Upon decryption, it has been recognized to initiate communication with the IP address 94.156.65.197 through port 2404. An observation revealed the creation of a mutex named “Rmc-R7V4VM.” Data keylogged during its operation is stored in a file labeled “logs.dat.” Additionally, screenshots captured are saved in a directory named “Screenshots,” while the overall repository for the collected data is titled “Remcos.”

Conclusion:

This campaign outlines the comprehensive infection process initiated by a VBS file received through email. The process begins with the activation of a VBS script, initiating the initial PowerShell phase. Subsequently, the BitsTransfer utility is used to fetch a second-stage PowerShell script, encoded in base64. After decoding and execution, the first Shellcode is carefully extracted and loaded reflectively. Simultaneously, Shellcode A conceals and loads the decoded Shellcode B.

In the final phase, the injected wab.exe proceeds to download the encrypted final payload of the Remcos RAT. Shellcode B is responsible for decrypting the payload, and it is subsequently injected into wab.exe. Consequently, this particular instance of wab.exe functions as the Remcos RAT.

VBScript in the Windows Environment: A Security Perspective

VBScript, introduced by Microsoft in 1996, was crucial in the Windows environment as a scripting language for task automation, tightly integrated with Internet Explorer, and a key component of technologies like Windows Script Host, Active Server Pages, and Office automation. It provided a simple scripting solution for system tasks, web development, and server-side logic. Microsoft is deprecating VBScript, and it will be available as a feature on-demand before eventual removal from Windows, said the company. This decision aligns with a broader strategy to reduce malware campaigns exploiting Windows and Office features. VBScript, disabled by default in Internet Explorer 11 since 2019, has been used by malicious actors for distributing malware, and Microsoft aims to enhance security by eliminating this infection vector. Attackers exploit vulnerabilities in phased-out technologies due to lingering use in legacy systems, slow adoption of updates, custom applications, stringent industry requirements, and user resistance to change. To mitigate risks, proactive measures such as prompt updates, security education, and staying informed about software lifecycles are crucial.

Mitigation:

Avoiding falling victim to email phishing involves adopting a vigilant and cautious approach. Here are some common practices to help prevent falling prey to email phishing:

Verify Sender Information
Think Before Clicking
Check for Spelling and Grammar
Be Cautious with Email Content
Verify Unusual Requests
Implement Email Filters
Check for Secure Connections
Report Suspicious Emails
Keep the software up-to-date
Align with security patches

IOCs

VBS file
6fdd246520eebb59e37a7cd544477567b405a11e118b7754ff0d4a89c01251e4

Second PowerShell
5d21216a92ffea5b8ba70f48f9bcbb8a530a9b272423ae3ba519dbf74a905a65

Final payload
7d947df412e78a595029121ecaf9d8a88e69175cffd1f2d75d31e3ca8995c978

URL1
hxxp://103.176.111[.]163/mundhul.pfb

URL2
hxxp://103.176.111[.]163/lnHxQotdQb132.bin

IP address
103.176.111[.]163

IP address
94.156.65[.]197

Mutex
Rmc-R7V4VM

The post From Email to RAT: Deciphering a VBS Script-Driven Campaign appeared first on McAfee Blog.

Read More

Kaspersky also noted smart home device popularity and malicious apps as threats to children in 2024

Read More

The rapper and social media personality Punchmade Dev is perhaps best known for his flashy videos singing the praises of a cybercrime lifestyle. With memorable hits such as “Internet Swiping” and “Million Dollar Criminal” earning millions of views, Punchmade has leveraged his considerable following to peddle tutorials on how to commit financial crimes online. But until recently, there wasn’t much to support a conclusion that Punchmade was actually doing the cybercrime things he promotes in his songs.

Punchmade Dev’s most controversial mix — a rap called “Wire Fraud Tutorial” — was taken down by Youtube last summer for violating the site’s rules. Punchmade shared on social media that the video’s removal was prompted by YouTube receiving a legal process request from law enforcement officials.

The 24-year-old rapper told reporters he wasn’t instructing people how to conduct wire fraud, but instead informing his fans on how to avoid being victims of wire fraud. However, this is difficult to discern from listening to the song, which sounds very much like a step-by-step tutorial on how to commit wire fraud.

“Listen up, I’m finna show y’all how to hit a bank,” Wire Fraud Tutorial begins. “Just pay attention, this is a quick way to jug in any state. First you wanna get a bank log from a trusted site. Do your research because the information must be right.”

And even though we’re talking about an individual who regularly appears in videos wearing a half-million dollars worth of custom jewelry draped around his arm and neck (including the functional diamond-encrusted payment card skimming device pictured above), there’s never been much evidence that Punchmade was actually involved in committing cybercrimes himself. Even his most vocal critics acknowledged that the whole persona could just be savvy marketing.

That changed recently when Punchmade’s various video and social media accounts began promoting a new web shop that is selling stolen payment cards and identity data, as well as hacked financial accounts and software for producing counterfeit checks.

The official Punchmadedev account on Instagram links to many of the aforementioned rap videos and tutorials on cybercriming, as well as to Punchmadedev’s other profiles and websites. Among them is mainpage[.]me/punchmade, which includes the following information for “Punchmade Empire ®”

-212,961 subscribers

#1 source on Telegram

Contact: @whopunchmade

24/7 shop: https://punchmade[.]atshop[.]io

Visiting that @whopunchmade Telegram channel shows this user is promoting punchmade[.]atshop[.]io, which is currently selling hacked bank accounts and payment cards with high balances.

Clicking “purchase” on the C@sh App offering, for example, shows that for $80 the buyer will receive logins to Cash App accounts with balances between $3,000 and $5,000. “If you buy this item you’ll get my full support on discord/telegram if there is a problem!,” the site promises. Purchases can be made in cryptocurrencies, and checking out prompts one to continue payment at Coinbase.com.

Another item for sale, “Fullz + Linkable CC,” promises “ID Front + Back, SSN with 700+ Credit Score, and Linkable CC” or credit card. That also can be had for $80 in crypto.

WHO IS PUNCHMADE DEV?

Punchmade has fashioned his public persona around a collection of custom-made, diamond-covered necklaces that are as outlandish and gaudy as they are revelatory. My favorite shot from one of Punchmade’s videos features at least three of these monstrosities: One appears to be a boring old diamond and gold covered bitcoin, but the other two necklaces tell us something about where Punchmade is from:

One of them includes the logo and mascot of the University of Kentucky. The other, an enormous diamond studded skyline, appears to have been designed based on the skyline in Lexington, Ky:

The “About” page on Punchmade Dev’s Spotify profile describes him as “an American artist, rapper, musician, producer, director, entrepreneur, actor and investor.” “Punchmade Dev is best known for his creative ways to use technology, video gaming, and social media to build a fan base,” the profile continues.

The profile explains that he launched his own record label in 2021 called Punchmade Records, where he produces his own instrumentals and edits his own music videos.

A search on companies that include the name “punchmade” at the website of the Kentucky Secretary of State brings up just one record: OBN Group LLC, in Lexington, Ky. This November 2021 record includes a Certificate of Assumed Name, which shows that Punchmade LLC is the assumed name of OBN Group LLC.

The president of OBN Group LLC is listed as Devon Turner. A search on the Secretary of State website for other businesses tied to Devon Turner reveals just one other record: A now-defunct entity called DevTakeFlightBeats Inc.

The breach tracking service Constella Intelligence finds that Devon Turner from Lexington, Ky. used the email address obndevpayments@gmail.com. A lookup on this email at DomainTools.com shows it was used to register the domain foreverpunchmade[.]com, which is registered to a Devon Turner in Lexington, Ky. A copy of this site at archive.org indicates it once sold Punchmade Dev-branded t-shirts and other merchandise.

Mr. Turner did not respond to multiple requests for comment.

Searching online for Devon Turner and “Punchmade” brings up a video from @brainjuiceofficial, a YouTube channel that focuses on social media celebrities. @Brainjuiceofficial says Turner was born in October 2000, the oldest child of a single mother of five whose husband was not in the picture.

The video says the six-foot five Turner played basketball, track and football in high school, but that he gradually became obsessed with playing the video game NBA 2K17 and building a following of people watching him play the game competitively online.

According to this brief documentary, Turner previously streamed his NBA 2K17 videos on a YouTube channel called DevTakeFlight, although he originally went by the nickname OBN Dev.

“Things may eventually catch up to Devon if he isn’t careful,” @Brainjuiceofficial observed, noting that Turner has been shot at before, and also robbed at an ATM while flexing a bunch of cash for a picture and wearing $500k in jewelry. “Although you have a lot of people that are into what you do, there are a lot of people waiting for you to slip up.”

Read More

Abnormal Security also noted a 71% surge in BEC attacks against the same sector

Read More