Although malicious VBScript has long been a fixture of spam and phishing campaigns, its functionality has been limited to downloading malware from an attacker-controlled server and executing it on a compromised computer – but that has changed, according to security researchers.
Researchers at Flashpoint have seen and analysed a unique departure from this norm in a downloader dubbed “ARS VBS Loader”, which they describe as a spin-off of a popular downloader called SafeLoader VBS that was sold and eventually leaked on Russian crimeware forums in 2015.
ARS VBS Loader not only downloads and executes malicious code, but also includes a command-and-control application written in PHP that allows a botmaster to issue commands to a victim’s machine.
“This behaviour likens ARS VBS Loader to a remote access Trojan (RAT), giving it behaviour and capabilities rarely seen in malicious ‘loaders’, such as initial infection vector malware families used to install subsequent payloads,” said Paul Burbage, researcher at security firm Flashpoint.
According to Burbage, the new loader has been spammed out in email attachments enticing victims with lures in subject lines related to personal banking, package shipments and toll road notifications.
“Should a victim interact with the attachment and launch it, analysts say numerous types of commodity malware could be installed, including the AZORult information-stealing malware, which was also used in campaigns targeting more than 1,000 Magento admin panels,” he said.
In those attacks, the malware was used to scrape payment card information from sites running the popular free and open source e-commerce platform.
“ARS VBS Loader targets only computers running the Microsoft Windows operating system and supports Windows 10, according to posts to a Russian-speaking forum going back to December,” said Burbage. “Previously, another loader called FUD ASPC Loader, first advertised in May 2017, contained similar functionality, but not Windows 10 support.”
According to Flashpoint analysts, the loader is also likely to side-step detection by signature-based antivirus and intrusion detection systems (IDS) because of the relative ease with which attackers can obfuscate VBScript.
Obfuscation by various means typically lets attackers hide malware; when the code is encrypted or packed, it becomes much more difficult for antivirus software to detect.
The researchers found that once the ARS VBS Loader executes on a victim’s computer, it immediately creates a number of entries in nearly a dozen autorun locations, including registry, scheduled tasks and the startup folder, ensuring persistence through reboots.
ARS VBS Loader will then connect to the attacker’s server, sending it system information such as the operating system version name, computer user name, memory, processor and graphics card information, a randomly generated ID for infection tracking, and machine architecture information.
Meanwhile, the botmaster can remotely administer commands to bots through the PHP command-and-control application. However, communication with the command-and-control server is carried out in plaintext over HTTP, making it easy to spot, said Flashpoint analysts.
The malicious code that runs on the victim’s machine is written entirely in VBScript and contains functionality for updating and deleting itself, deploying plugins such as a credential stealer, launching application-layer denial of service (DoS) attacks against websites, and loading additional malware from external websites.
The most common command spotted by analysts is download, which instructs bots to download and execute malware from a supplied link. There is also the plugin command, where plugins that steal passwords or capture desktop screenshots can be pushed to compromised computers.
“The DDoS command is also noteworthy because it is a unique capability, but analysts said they have not seen this command used in the wild,” said Burbage.
The command tells bots to send a specified number of HTTP POST requests to a particular web server. But because this is a simple application-layer flooding attack, analysts said it is currently unknown how successful it would be against targets in the wild, pointing out that such traffic would be easy to spot because the same hardcoded POST values are sent throughout the HTTP flood.
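The "easy to spot" point above can be turned into a simple detection: a burst of POST requests from one client whose path and body never vary is a strong signal of a hardcoded application-layer flood. The following is an added illustration, not code from Flashpoint or the article; it assumes a simplified web-server log format (timestamp, client, method, path, body) and uses constructed sample lines, not real ARS VBS Loader traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed format: timestamp client method path body).
# Illustrative only; not traffic captured from ARS VBS Loader.
SAMPLE_LOG = """\
2018-04-10T12:00:00 10.0.0.5 POST /index.php a=1&b=2
2018-04-10T12:00:00 10.0.0.5 POST /index.php a=1&b=2
2018-04-10T12:00:01 10.0.0.5 POST /index.php a=1&b=2
2018-04-10T12:00:01 10.0.0.5 POST /index.php a=1&b=2
2018-04-10T12:00:02 10.0.0.5 POST /index.php a=1&b=2
2018-04-10T12:00:30 10.0.0.9 POST /login.php user=alice&token=111
2018-04-10T12:00:31 10.0.0.9 POST /login.php user=alice&token=222
2018-04-10T12:00:40 10.0.0.9 GET /index.php -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")

def parse_log(text):
    """Yield (timestamp, client, method, path, body) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, path, body = m.groups()
        yield datetime.fromisoformat(ts), client, method, path, body

def find_post_floods(text, window_seconds=10, threshold=5):
    """Flag clients sending >= threshold POSTs with an identical path and body
    inside any window of window_seconds. Requests with varying bodies (normal
    form traffic) are keyed separately, so they do not accumulate.
    Returns {(client, path, body): largest count seen in one window}."""
    bursts = defaultdict(list)
    for ts, client, method, path, body in parse_log(text):
        if method == "POST":
            bursts[(client, path, body)].append(ts)
    flagged = {}
    for key, times in bursts.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # slide the window start forward until it spans at most window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged

if __name__ == "__main__":
    for (client, path, body), count in find_post_floods(SAMPLE_LOG).items():
        print(f"possible POST flood: {client} -> {path} body={body!r} x{count}")
```

Tune the window and threshold to the site's normal form-submission rate; legitimate clients rarely resend a byte-identical body several times a second.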
Analysts warned that users should be vigilant about not opening email attachments from unknown sources, adding that it is likely ARS VBS Loader will continue to be an effective initial infection vector for spam campaigns.