Showing posts with label #VBScript. Show all posts
Showing posts with label #VBScript. Show all posts

Friday, 10 March 2017

New Way to run VBScript Payload


Some day ago I received an email in an unmarked Gmail mail box. It was a clear Phishing email, but what catched my eyes has been a Password reported into the email's body and the attachment. It was a Microsoft Word file with ".docx" extension.

The first question that I asked to myself was: "Why this file wasn't dropped from Google security check?".

I decided to analyze the attachment and investigate about the sender.

First of all, I opened the attachment and putted into the password reported into the email's body. Opened, it had only three icons that looks like word's icons.



My first words were "What a fuck of Word file is this?!?!".
It doesn't makes sense! No text, no request to enable macro on startup.

The total words catch my eye. As you can see into the red circle, they were 369 words, but the document didn't had text, only 3 image's icons.

Double click on the image and I discovered the secret. The macro, VBScript, is embedded within it!

"What?! A macro into an image?!...You are a fucking genius!!" I Thought.

 But in which way is possible to embedded a VBScript into an image?!

The answer of my question was behind the right-click. Who created this document used Packager Shell Object to embed the VBScript content.

Taking a close look to Packager Shell Object properties was easy to understand that it was a VBScript file and where it was it was stored.

It was stored in "\Local\Temp" folder every time the Word file is executed. When the file is going to shut down it is going to be deleted from this folder.



The VBScript was obfuscated, but not in a hard way.

In the snippet code reported below, is reported two different files that are going to be created based on seconds:

  • the first one had extension ".viv"
  • the second one had extension ".qde"
Please note, seconds were used as file's name.



"JAy0D" function reads from file ".qde" and write into the file ".viv".

The snippet code reported below shows the resource that the dropper has to download, file with extension ".pkg".



Using whois protocol, I retrieved domain's information. Is useful to note that this domain is protect by privacy policy agreement.



File format ".pkg" is an installation file used by Apple in its Operating System.

Was impossible to download "tmp.pkg" file. The server gave error 404 Not Found.


Another resource that has to be downloaded is a file ."jpt".
JPT format file (JPEG-PNG-Type) takes advantage of the compression ratio from JPEG and PNG at the same time.
The main image is stored in JPEG while the alpha channel is stored in a PNG file as a gray scale.
While the PNG file can be 32 bit, 24 bit, 8 bit or even palette based, it is recommended to use
only 8 bit or palette based images in order to save space and actually take advantage of the JPT
format.
The next step was to analyze this file.


There I discovered the home page where this library come from.

It was hosted in a github page that it is not longer available.


From the page, I was able to recovery the developer's name "Jake J. Davis" and thanks to Google Cache, part of his GitHub account.

Jakey J. Davis closed a lot of his accounts in the last months, like github, libraries.io, etc.

Another analysis I did was the email's header. Here we can read sender's PC name connected to the server.




 Hey! Bruce, remember: "The first Internet's rule is: Stay Stealth"! 👀


CONCLUSION and HESITATIONs:

Something doesn't seems clear.
  1. File PKG is not reachable.
  2. JTP file doesn't seems to be JTP's format.
  3. This VBScript works only on Windows OS and it acts as a dropper to download other resources. It also use windows like commands ("cmd.exe") to perform some checks ("ping 8.8.8.8");
  4. If everything seems wrote for Windows OS, why it has to download file that works on Mac OS?







In conclusion: Given all these inconsistencies, many questions are still outstanding and this leave us two options, everything is part of a bigger project or the one who created these files is a newbie?


Thanks to my colleague for the support provided! ☺