![]() This batch file, in turn, executes a PowerShell script called 'Office.ps1'. The first script, "Office.vbs," is executed by the Stage 2 PowerShell and invokes WScript to execute a batch file called "Office.bat" to continue the infection process. Stage 3 is responsible for the majority of malicious activities performed on infected systems. The following files are created in this manner:Īll of these scripts are stored in the previously created directory.įinally, the Stage 2 PowerShell executes "Office.vbs" to begin the next step of the infection process. The script then creates several additional scripts, writing content into each of them using a format similar to the following example. This folder is used as the working directory for the malware and stores all the components used throughout the rest of the infection process. If it doesn't already exist, the directory is created. It is mainly responsible for creating a series of scripts that are executed and carry out various tasks needed for the malware to function.Īcross various samples analyzed, the directory locations and file names vary, but are functionally equivalent.įirst, the script checks for the existence of a directory at the following location:Ĭ:\ProgramData\Facebook\System32\Microsoft\SystemData Once deobfuscated, the VBS execution is straightforward: It retrieves and executes the next stage from an attacker-controlled server.Īs expected, the retrieved content is a PowerShell script passed to the Invoke-Expression (IEX) cmdlet and executed to continue the infection process. The VBS contains junk data and uses string replacement to attempt to obfuscate the executed code. ![]() The file naming convention for the ISO and the VBS match and typically follow a convention consistent with the following: The infection process begins with an ISO that contains a malicious VBScript that, when executed, initiates a multi-stage infection process. These RATs feature various functionality that enables them to be used to gain access to systems and exfiltrate sensitive information from victims. Based on analysis of the embedded configuration stored within the samples associated with these campaigns, we have identified that the same operator is likely distributing a variety of commodity RATs, such as AsyncRAT and LimeRAT. The threat actor(s) behind these campaigns have been using 3LOSH to generate the obfuscated code responsible for the initial infection process. Over the past several months we have observed a series of campaigns that leverage a new version of one of these tools, referred to as 3LOSH crypter. These tools often combine functionality normally associated with packers and crypters and, in many cases, are not directly tied to the malware payload itself. Malware distributors often leverage tools to obfuscate their binary payloads and make detection and analysis more difficult. ![]() These campaigns appear to be linked to a new version of the 3LOSH crypter, previously covered here.The infections leverage process injection to evade detection by endpoint security software.Ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims. ![]() By Edmund Brumaghin, with contributions from Alex Karkins. ![]()
0 Comments
Leave a Reply. |