A new piece of malware recently surfaced with a very low detection rate and the ability to deliver multiple Trojans to infected computers. Researchers at Fortinet found a sample of a dropper that had been flagged as suspicious. On analysis, it turned out that the new malware can drop both RevengeRAT and WSHRAT on systems running Windows.
This is double trouble in every sense. The dropper gets into action with JavaScript code containing URL-encoded data, which the researchers later uncovered as VBScript code. According to Fortinet, “The author of this malware used simple character replacement when calling the “Chr()” function in an attempt to hide the actual strings (“shell.application” and “cmd /c cd %temp%”, respectively).”
According to the researchers, the objectives of the VBScript code are:
- Create a new Shell.Application object
- Call the ShellExecute() function, which eventually generates a new file with the hardcoded filename of “A6p.vbs”
- Execute the newly-created script file “A6p.vbs”
- Pause the CMD command execution for 13 seconds (by calling the timeout.exe program)
- Delete the script file “A6p.vbs”
- Execute the downloaded script file “Microsoft.vbs”
- Close the current/active window
The VBScript code then creates a Shell.Application object, which generates a new script file; that script in turn fetches another payload (more VBScript) from an external source. The new script pulls Microsoft.vbs from a remote server and saves it in the temp folder. The code is composed of a main class called “th3m41n” with three methods, “dugh41r,” “t01l3t,” and “b3st1n”.
“Once the aforementioned code is executed, it creates a new WScript.Shell object and collects OS environment and hardcoded data, which will eventually end in running the newly created script (GXxdZDvzyH.vbs) by calling the VBScript interpreter with the “//B” parameter. This enables “batch-mode” and disables any potential warnings or alerts that can occur during execution,” the researchers wrote. As the code executes, a new registry key called Microsoft is added, which stores the malformed base64-encoded data.
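The traits described so far (strings assembled from Chr() calls, ShellExecute dropping a script into %temp%, the timeout delay, deletion of A6p.vbs, and wscript run with //B) are all visible in the script text once the character replacement is undone. The following Python triage helper is an added example, not Fortinet's tooling or the dropper's code: it folds Chr()-built strings back into literals and then checks for those behavioural indicators. The sample script it runs against is constructed for the demo; only the file names A6p.vbs, Microsoft.vbs and GXxdZDvzyH.vbs come from the article, everything else in it is made up.

```python
import re

# Constructed sample, NOT the real dropper: it imitates the traits the article
# describes (Chr()-built strings, ShellExecute into %temp%, a 13-second timeout,
# self-deletion of A6p.vbs, wscript //B). The payload is a harmless placeholder.
SAMPLE_VBS = r'''
Set o = CreateObject(Chr(115)&Chr(104)&Chr(101)&Chr(108)&Chr(108)&Chr(46)&Chr(97)&Chr(112)&Chr(112)&Chr(108)&Chr(105)&Chr(99)&Chr(97)&Chr(116)&Chr(105)&Chr(111)&Chr(110))
o.ShellExecute "cmd", Chr(47)&Chr(99)&" cd %temp% & echo placeholder > A6p.vbs & A6p.vbs & timeout 13 & del A6p.vbs & Microsoft.vbs", "", "open", 0
CreateObject("WScript.Shell").Run "wscript.exe //B GXxdZDvzyH.vbs", 0
'''

# Chr(n) calls and "a"&"b" concatenations of adjacent string literals.
CHR_RE = re.compile(r'\bChr\(\s*(\d+)\s*\)', re.IGNORECASE)
CONCAT_RE = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')


def count_chr_calls(script: str) -> int:
    """Density of Chr() calls is itself a hint that strings are being hidden."""
    return len(CHR_RE.findall(script))


def deobfuscate(script: str) -> str:
    """Replace Chr(n) with the literal character and fold "x"&"y" into "xy"."""
    def to_literal(m: re.Match) -> str:
        code = int(m.group(1))
        # Chr(34) is a double quote (needs VBScript's "" escaping) and codes
        # above 255 are outside Chr()'s range; leave those calls untouched.
        if code == 34 or code > 255:
            return m.group(0)
        return '"' + chr(code) + '"'

    text = CHR_RE.sub(to_literal, script)
    while True:  # fold repeatedly until no adjacent literals remain
        folded = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
        if folded == text:
            return text
        text = folded


# Indicator names are our own labels; the patterns follow the article's steps.
INDICATORS = {
    "shell_application": re.compile(r"shell\.application", re.I),
    "shellexecute": re.compile(r"\bShellExecute\b", re.I),
    "cmd_into_temp": re.compile(r"cmd(?:\.exe)?\W*/c\s*cd\s*%temp%", re.I),
    "timeout_delay": re.compile(r"\btimeout(?:\.exe)?\s+\d+", re.I),
    "self_delete_vbs": re.compile(r"\bdel\s+\S+\.vbs", re.I),
    "wscript_batch_mode": re.compile(r"\b[wc]script(?:\.exe)?\s+//B\b", re.I),
}


def find_indicators(script: str) -> list:
    """Return the sorted indicator names that match the deobfuscated script."""
    text = deobfuscate(script)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def triage(script: str) -> dict:
    """Summarise obfuscation density and behavioural hits for an analyst."""
    hits = find_indicators(script)
    return {
        "chr_calls": count_chr_calls(script),
        "indicators": hits,
        # Threshold is an assumption for the demo, not a vendor rule.
        "verdict": "suspicious" if len(hits) >= 3 else "unremarkable",
    }


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_VBS))
    print(triage(SAMPLE_VBS))
```

Running the block prints the folded script (CreateObject("shell.application") and the "/c cd %temp% ..." command line become readable) and a triage summary listing all six indicators. The same deobfuscation step is what you would apply before feeding a script to string-based YARA or EDR rules, since none of the indicators match the raw, Chr()-encoded text.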
With the new key in the registry, commands are executed to bypass execution policies and the RAT payload is then deployed. Following the RevengeRAT infection, IP addresses, usernames, machine data, CPU data, webcam access, and information on installed firewalls and antivirus products are stolen. RevengeRAT is infamous and has previously been deployed to steal data from financial firms, governments, and IT companies. But it doesn’t stop there.
The dropper also deploys a second payload, WSHRAT, using the same script with a few changes. This second attack is the double whammy. The second payload, the newest version of WSHRAT, an infamous phishing tool, is capable of stealing information stored in browsers. It is also capable of remotely installing and uninstalling programs, keylogging, and several other functions.