Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/from-email-to-rat-deciphering-a-vbs-script-driven-campaign/
FROM EMAIL TO RAT: DECIPHERING A VBS SCRIPT-DRIVEN CAMPAIGN

McAfee Labs | Jan 17, 2024 | 10 MIN READ

Authored by Preksha Saxena and Yashvi Shah

McAfee Labs has been tracking a sophisticated campaign built around heavily obfuscated Visual Basic Script (VBS). It initially delivered the AgentTesla malware, but the VBS stage has since become a general-purpose delivery mechanism: the same campaign now also distributes Guloader, Remcos RAT, Xworm, and Lokibot.

The infection process begins with a VBS file delivered by email. The VBS script launches a first-stage PowerShell command, which uses the BitsTransfer utility to fetch a second-stage PowerShell script. That script decodes and reflectively loads Shellcode A, which in turn decrypts and loads Shellcode B. In the final phase, Shellcode B starts wab.exe and copies itself into that process; the injected code downloads the encrypted Remcos RAT payload, decrypts it, and injects it into wab.exe, so that wab.exe ends up running as the Remcos RAT.

The campaign has targeted diverse regions worldwide. The geographical heatmap below shows McAfee customers who were targeted, and protected, over the past three months.

Figure 1: Geo heatmap showing targeted regions.

In the sample analysed in this post, the actors used GuLoader to deploy the Remcos RAT.

EXECUTION CHAIN

Figure 2: Infection chain

Execution begins with the VBS script, which launches the first-stage PowerShell. The BitsTransfer utility then fetches the base64-encoded second-stage PowerShell script, which is decoded and executed. Next, the first shellcode is carved out of the decoded data and loaded reflectively.
The second shellcode, encoded within Shellcode A, is decoded and also loaded reflectively. Finally, the second shellcode retrieves the Remcos RAT (Remote Control and Surveillance Tool) and injects it into a legitimate Windows process, in this case wab.exe. This series of actions allows the Remcos RAT to be deployed and operated stealthily within the Windows environment.

Figure 3: Process tree

OBFUSCATED VBSCRIPT TECHNICAL OVERVIEW

STAGE 1: DEOBFUSCATING VBS

Attached to the email is a ZIP file named "revised_quotation_for_purchase_invoice_order_design_6th_november_2023", which presents itself to the user as an invoice. As with similar lures, the intent is that the recipient does not scrutinise the email closely. Inside the ZIP attachment is a heavily obfuscated VBS file.

The script employs several techniques that make analysis difficult: many garbage variables, decoy functions, unnecessary comments, and obfuscation of every malicious function.

Figure 4: Heavily obfuscated script

After removing the redundant lines and all the comments, the script becomes far more concise:

Figure 5: Post-removing the junk code

The script repeatedly appends new strings to the variable "Fu6", which further complicates analysis. Once all the strings are concatenated and formatted, the result is more revealing, as shown below.

Figure 6: After deobfuscating the code

The function "Mikr9" converts the obfuscated strings into readable form, and we applied it to every line. For example, as shown in Figure 5, the string 'DelfhAdvetFagstStatpYapp:Nona/fisk/Indh1 Sic0 Tra3parc. Mon1Gens7Vide6Eufo.Tast1Outs1Midd1afte.Dors1husg6 Hal3Beja/ Hypm RenuColonSprgdNasahToasuRafflchon.GyttpBrnefMuckbAcci ' became http://103.176.111[.]163/mundhul.pfb. Decoding the entire script in the same way yields the following:

Figure 7: After applying decrypting function Mikr9()

The script performs the following sequence of activities:
* Retrieves the second-stage file from "hxxp://103.176.111[.]163/mundhul.pfb" using BitsTransfer.
* Saves the acquired file in the AppData folder.
* Base64-decodes the file into a string.
* Seeks to offset 229981 and extracts the following 28050 bytes.
* Executes the extracted data with IEX (Invoke-Expression).

STAGE 2: POWERSHELL EXECUTION

The retrieved file had zero detections on VirusTotal at the time of analysis, is base64 encoded, and is 336 KB in size.

Figure 8: Second PowerShell script

Figure 9: Content is base64 encoded

Decoding "mundhul.pfb" lets us analyse its functionality and follow the malware's execution further. The decoded file resembles the image below.

Figure 10: Base64 decoded data

As the first-stage script specifies, we jump to offset 229981 and take the next 28050 bytes. This is the start of the second PowerShell script, marked below.

Figure 11: Start of encrypted second PowerShell

This script is also padded with comments, so we followed the same procedure as for the first script: after removing all the junk code, we are left with a function that handles the decryption of all the strings.

Figure 12: After removing the junk

The decryption routine iterates several times to reveal the strings, and the malware uses the "Invoke" method to execute its commands. After decoding all the strings with the "Bedroges02" function, the intent of the script becomes clear.
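Before moving on to the decrypted script in Figure 13, here is the Stage 1 string decoding as a worked example. This is added code, not the post's and not the malware's Mikr9() function, whose body the page does not reproduce. The sample pair shown in Figure 5 satisfies a simple rule: keep every fifth character starting at index 4 and discard the rest. The script below applies that rule to the page's own sample (with the line break introduced by extraction restored as a space), brute-forces the stride and offset for the case where the actor changes them per sample (a generalisation beyond the single pair on the page), and defangs the recovered URL for reporting. The decoding rule is an inference from that one pair, and the list of "interesting" tokens used for scoring is an assumption.

```python
import re
import string

# Obfuscated string copied from the post (Figure 5 discussion); the line break
# introduced by page extraction is restored as a single space.
OBFUSCATED_URL = (
    "DelfhAdvetFagstStatpYapp:Nona/fisk/Indh1 Sic0 Tra3parc. "
    "Mon1Gens7Vide6Eufo.Tast1Outs1Midd1afte.Dors1husg6 Hal3Beja/ "
    "Hypm RenuColonSprgdNasahToasuRafflchon.GyttpBrnefMuckbAcci "
)

# Assumed tokens that make a candidate decode look like a real stage-1 string.
INTERESTING = ("http://", "https://", "Start-BitsTransfer", "Invoke", "IEX", ".exe")


def pick_every_nth(s, offset, stride):
    """Keep s[offset], s[offset+stride], ...; everything else is filler."""
    return s[offset::stride]


def mikr9_like_decode(s):
    """Assumed reconstruction of the post's Mikr9() rule: every 5th character,
    starting at index 4. The page's sample pair satisfies this rule; the real
    function body is not shown on the page."""
    return pick_every_nth(s, 4, 5).strip()


def score(candidate):
    """Rank a candidate decode: fraction of printable characters plus one point
    for every interesting token it contains."""
    if not candidate:
        return 0.0
    printable = sum(c in string.printable for c in candidate) / len(candidate)
    return printable + sum(token in candidate for token in INTERESTING)


def brute_force_stride(s, max_stride=8):
    """When the stride/offset is unknown (the actor can change it per sample),
    try every pair and return the best (score, offset, stride, decoded)."""
    best = (0.0, None, None, "")
    for stride in range(2, max_stride + 1):
        for offset in range(stride):
            cand = pick_every_nth(s, offset, stride).strip()
            sc = score(cand)
            if sc > best[0]:
                best = (sc, offset, stride, cand)
    return best


def defang(url):
    """Defang for reporting: http -> hxxp and every dot in the host -> [.]."""
    url = re.sub(r"^http", "hxxp", url)
    m = re.match(r"(hxxps?://)([^/]+)(.*)", url)
    if not m:
        return url
    return m.group(1) + m.group(2).replace(".", "[.]") + m.group(3)


if __name__ == "__main__":
    url = mikr9_like_decode(OBFUSCATED_URL)
    print(url)                 # http://103.176.111.163/mundhul.pfb
    print(defang(url))         # hxxp://103[.]176[.]111[.]163/mundhul.pfb
    print(brute_force_stride(OBFUSCATED_URL))
```

The brute-force pass is the part worth keeping in a toolbox: the per-sample filler and stride are cheap for the actor to change, the scoring heuristic is not, and it picks out the (offset 4, stride 5) decode of this sample without being told the rule.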
Figure 13: After applying decryption logic

The PowerShell script first resolves VirtualAlloc() and stores the returned memory handles in variables named "trll3" and "Akuammin195". These regions are allocated with read, write, and execute permissions. The latter part of the script invokes shellcode concealed within it. The bytes are copied as follows: the first 644 bytes from the start of this PowerShell script constitute the first shellcode, and starting at byte 644 the script copies the next 229337 bytes, which constitute the second shellcode.

Figure 14: Constituting shellcode

Following this, the malware calls the API CallWindowProcA, which leads to the native function NtProtectVirtualMemory, and then control transfers directly into the first shellcode. (CallWindowProcA will call whatever address it is handed as the window procedure, which is a common way of transferring execution to shellcode without a direct call.)

STAGE 3: SHELLCODE-A EXECUTION

Shellcode A's primary action is to copy Shellcode B into memory, as shown below.

Figure 15: Loop used for copying shellcode B

Shellcode B is then decrypted with an XOR operation, which transforms it into executable form so that the decrypted shellcode can run its instructions in the process's memory.

Figure 16: Decryption loop used for decrypting shellcode B

STAGE 4: SHELLCODE-B

Shellcode B creates a new process, "wab.exe", and copies 0x3FC4000 bytes of decrypted shellcode into its memory space. As the highlighted blue box shows, the content decrypted from the second shellcode (Figure 15) is then injected into the wab.exe process (Figure 16).

Figure 17: Injection of second shellcode

The objective of the shellcode is to fetch the Remcos RAT from "hxxp://103.176.111[.]163/lnHxQotdQb132.bin" and inject it into the "wab.exe" process.
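The following example (added here; it is not the post's code) turns the Stage 2 and Stage 3 steps described above into a reusable carving and decryption routine, parameterised with the offsets and lengths the post quotes: seek to 229981 and take 28050 bytes for the second-stage script, the first 644 bytes for Shellcode A, and the following 229337 bytes for Shellcode B. Note that 644 + 229337 = 229981, the same offset at which the script text begins, which is consistent with the decoded mundhul.pfb being laid out as Shellcode A, then Shellcode B, then the PowerShell script; the demo blob is constructed with that layout. The post says Shellcode B is XOR-decrypted but gives no key, so the code assumes a single-byte key and recovers it from known plaintext, using the lnHxQotdQb132.bin URL that Stage 4 says Shellcode B contains. The demo key (0x5A), the random filler, and the decoy script text are all constructed for the example.

```python
import base64
import random

# Offsets and lengths quoted in the post for this sample.
SECOND_STAGE_OFFSET = 229981   # where the second PowerShell script starts
SECOND_STAGE_LENGTH = 28050    # its length
SHELLCODE_A_LENGTH = 644       # first shellcode
SHELLCODE_B_LENGTH = 229337    # second shellcode, XOR-encrypted
# URL the post says shellcode B fetches the Remcos payload from; used here as
# known plaintext to recover the XOR key.
PAYLOAD_URL = b"http://103.176.111.163/lnHxQotdQb132.bin"
DEMO_KEY = 0x5A                # constructed key, used only for the demo blob


def carve(blob, offset, length):
    """Return blob[offset:offset+length], refusing to truncate silently."""
    if offset < 0 or length < 0 or offset + length > len(blob):
        raise ValueError(f"carve out of range: {offset}+{length} > {len(blob)}")
    return blob[offset:offset + length]


def decode_blob(b64_text):
    """Stage 1: base64-decode the downloaded mundhul.pfb."""
    return base64.b64decode(b64_text)


def carve_second_stage(decoded, offset=SECOND_STAGE_OFFSET, length=SECOND_STAGE_LENGTH):
    """Stage 1: seek and take N bytes; this is the text handed to IEX."""
    return carve(decoded, offset, length).decode("latin-1")


def split_shellcodes(decoded, a_len=SHELLCODE_A_LENGTH, b_len=SHELLCODE_B_LENGTH):
    """Stage 2: first a_len bytes -> shellcode A, next b_len bytes -> shellcode B."""
    return carve(decoded, 0, a_len), carve(decoded, a_len, b_len)


def xor_bytes(data, key):
    """Repeating-key XOR; a one-byte key is the single-element case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_single_byte_xor(ciphertext, known_plaintext):
    """Stage 3, key unknown: at every position the marker could sit, the key is
    forced to c[i] ^ p[0]; verify the rest of the marker under that key. Far
    cheaper than decrypting the whole buffer under all 256 keys."""
    n = len(known_plaintext)
    for i in range(len(ciphertext) - n + 1):
        key = ciphertext[i] ^ known_plaintext[0]
        if all(ciphertext[i + j] ^ key == known_plaintext[j] for j in range(1, n)):
            return key, xor_bytes(ciphertext, bytes([key]))
    return None, None


def build_demo_blob():
    """Constructed stand-in for the decoded mundhul.pfb, laid out as
    [shellcode A][XOR'd shellcode B][second-stage script], base64-encoded."""
    rng = random.Random(2024)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    sc_a = rand(SHELLCODE_A_LENGTH)
    filler = rand(SHELLCODE_B_LENGTH - len(PAYLOAD_URL))
    sc_b_plain = filler[:1000] + PAYLOAD_URL + filler[1000:]   # URL at offset 1000
    sc_b_enc = xor_bytes(sc_b_plain, bytes([DEMO_KEY]))
    script = (b"$payload = 'stage2'\n" + b"# decoy comment\n" * 2000)[:SECOND_STAGE_LENGTH]
    return base64.b64encode(sc_a + sc_b_enc + script).decode("ascii")


if __name__ == "__main__":
    decoded = decode_blob(build_demo_blob())
    print(carve_second_stage(decoded)[:19])         # $payload = 'stage2'
    sc_a, sc_b_enc = split_shellcodes(decoded)
    key, sc_b = recover_single_byte_xor(sc_b_enc, PAYLOAD_URL)
    print(hex(key), sc_b[1000:1040])                 # 0x5a b'http://103.176...'
```

On a real sample, replace build_demo_blob() with the bytes of mundhul.pfb and keep the known-plaintext marker: the URL string is what the shellcode must contain in the clear once decrypted, so it anchors the key without any guesswork about the rest of the code.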
Once the final payload has been injected into "wab.exe", that process carries out all of the malicious activity.

Figure 18: wab.exe connecting to C2

The file obtained from the URL above is an encrypted binary. Once decrypted, it communicates with the IP address 94.156.65[.]197 on port 2404. During execution it creates a mutex named "Rmc-R7V4VM". Keylogged data is stored in a file named "logs.dat", captured screenshots are saved in a directory named "Screenshots", and the overall repository for the collected data is titled "Remcos".

CONCLUSION

This campaign illustrates a complete infection process that starts with a VBS file received by email. The VBS script launches the first PowerShell stage, which uses the BitsTransfer utility to fetch a base64-encoded second-stage PowerShell script. After decoding and execution, the first shellcode is carved out and loaded reflectively, and Shellcode A then decrypts and loads Shellcode B. In the final phase, the code injected into wab.exe downloads the encrypted Remcos RAT payload, Shellcode B decrypts it, and it is injected into wab.exe, so that this instance of wab.exe functions as the Remcos RAT.

VBSCRIPT IN THE WINDOWS ENVIRONMENT: A SECURITY PERSPECTIVE

VBScript, introduced by Microsoft in 1996, was an important part of the Windows environment: a scripting language for task automation, tightly integrated with Internet Explorer, and a key component of technologies such as Windows Script Host, Active Server Pages, and Office automation. It provided a simple scripting solution for system tasks, web development, and server-side logic. Microsoft is now deprecating VBScript; the company has said it will be offered as a feature on demand before its eventual removal from Windows.

This decision aligns with a broader strategy to reduce malware campaigns that abuse Windows and Office features. VBScript, disabled by default in Internet Explorer 11 since 2019, has long been used by malicious actors to distribute malware, and Microsoft aims to eliminate this infection vector. Attackers keep exploiting phased-out technologies because of lingering use in legacy systems, slow adoption of updates, custom applications, stringent industry requirements, and user resistance to change. To mitigate these risks, proactive measures such as prompt updates, security education, and staying informed about software lifecycles are crucial.

Mitigation:

Avoiding email phishing requires a vigilant and cautious approach. Common practices that help:
* Verify sender information
* Think before clicking
* Check for spelling and grammar
* Be cautious with email content
* Verify unusual requests
* Implement email filters
* Check for secure connections
* Report suspicious emails
* Keep software up to date
* Apply security patches promptly

IOCS

VBS file: 6fdd246520eebb59e37a7cd544477567b405a11e118b7754ff0d4a89c01251e4
Second PowerShell: 5d21216a92ffea5b8ba70f48f9bcbb8a530a9b272423ae3ba519dbf74a905a65
Final payload: 7d947df412e78a595029121ecaf9d8a88e69175cffd1f2d75d31e3ca8995c978
URL1: hxxp://103.176.111[.]163/mundhul.pfb
URL2: hxxp://103.176.111[.]163/lnHxQotdQb132.bin
IP address: 103.176.111[.]163
IP address: 94.156.65[.]197
Mutex: Rmc-R7V4VM
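Beyond the email-hygiene advice, the artefacts in this post support host-side detection of the chain itself. The example below is added here and is not McAfee's code: it runs a handful of rules over constructed Sysmon-style events and flags wab.exe spawned by powershell.exe with a script host further up the process tree, connections to the quoted staging and C2 addresses, any outbound connection from wab.exe (the post shows wab.exe, not PowerShell, holding the C2 session), the Rmc-R7V4VM mutex, and the logs.dat and Screenshots artefacts. The event format, the file paths, and the assumption that logs.dat and Screenshots sit under a directory named Remcos are illustrative; a mutex event type is included even though stock Sysmon does not emit one.

```python
import ntpath

# Indicators quoted in the post.
C2_IP, C2_PORT = "94.156.65.197", 2404
STAGING_IP = "103.176.111.163"
REMCOS_MUTEX = "Rmc-R7V4VM"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Constructed, Sysmon-like events (not real telemetry). Paths are illustrative.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "process", "pid": 102, "ppid": 101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "network", "pid": 102, "dst_ip": STAGING_IP, "dst_port": 80},
    {"type": "process", "pid": 103, "ppid": 102, "image": r"C:\Program Files\Windows Mail\wab.exe"},
    {"type": "network", "pid": 103, "dst_ip": C2_IP, "dst_port": C2_PORT},
    {"type": "mutex", "pid": 103, "name": REMCOS_MUTEX},
    {"type": "file", "pid": 103, "path": r"C:\Users\u\AppData\Roaming\Remcos\logs.dat"},
    # Benign control: the user opens the address book from Explorer.
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Program Files\Windows Mail\wab.exe"},
]


def basename(image):
    return ntpath.basename(image).lower()


def ancestry(procs, pid, max_depth=8):
    """Image basenames walking upward: [self, parent, grandparent, ...]."""
    chain, seen = [], set()
    while pid in procs and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Return (rule, pid, detail) tuples for events matching the chain in the post."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        pid = e["pid"]
        image = basename(procs[pid]["image"]) if pid in procs else "?"
        if e["type"] == "process":
            chain = ancestry(procs, pid)
            # Behavioural: PowerShell spawning the injection target, with a
            # script host further up the tree as in the post's process tree.
            if chain[:2] == ["wab.exe", "powershell.exe"]:
                via_script = len(chain) > 2 and chain[2] in SCRIPT_HOSTS
                detail = " <- ".join(chain[:3]) + (" (script host)" if via_script else "")
                alerts.append(("wab_spawned_by_powershell", pid, detail))
        elif e["type"] == "network":
            dst = f'{e["dst_ip"]}:{e["dst_port"]}'
            if e["dst_ip"] in (C2_IP, STAGING_IP):
                alerts.append(("ioc_network", pid, dst))
            if image == "wab.exe":   # the address book holding a TCP session is the tell
                alerts.append(("wab_network", pid, dst))
        elif e["type"] == "mutex" and e["name"] == REMCOS_MUTEX:
            alerts.append(("remcos_mutex", pid, e["name"]))
        elif e["type"] == "file":
            p = e["path"].lower()
            # Assumed layout: <...>\Remcos\logs.dat and <...>\Remcos\Screenshots\...
            if "\\remcos\\" in p and (p.endswith("\\logs.dat") or "\\screenshots\\" in p):
                alerts.append(("remcos_artifact", pid, e["path"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The IP, mutex and filename rules expire with the infrastructure; the lineage and wab.exe-network rules do not, because the injection target and the script-host-to-PowerShell hop are what the chain depends on.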