VBS APT34 Dropper Analysis

Introduction

VBS scripts can be malicious code carrying PowerShell commands capable of severely damaging the victim machine. They are often found embedded in common document formats used every day, such as PDF and Word documents. While most appear harmless, these scripts can grow large and be hard for the untrained eye to detect, as they usually obfuscate themselves through compression and encoding such as base64 or GZIP. Win32.VBS.APT34Dropper is one of these scripts, and this post covers my analysis of it.

Initial Analysis

Opening the VBS script in Visual Studio Code (vscode), I see a couple of things: file paths, and data that looks to be base64-encoded. Let us focus on the first part of this script.

Here I see that the program makes sure these file paths and files exist, creating them for the malware if they do not. It then writes to the script dhupdateChecker.ps1 what appears to be a set of PowerShell commands. Ok, good. I now know I am dealing with a VBS script that will spawn a PowerShell process. This knowledge will help me filter out unnecessary information when analyzing system processes.

We also know that the scripts GoogleUpdatechecker.vbs and dUpdateCheckers.ps1 are files this malware uses, so they can serve as host-based indicators, and they also hint at what the malware is doing.

By calling itself GoogleUpdateChecker.vbs it is essentially hiding in plain sight. Since an update checker talking to the internet is unremarkable, this name could fly under the radar of someone not looking closely at network packets.

First Part Decode

Moving on. The next part checks whether the file hupdateCheckers.base exists. If not, it stores a base64-encoded blob in that file.

Once decoded, the code gathers network information, extracts the computer's UID, and appears to contact the internet and download data.

We also see the URL www.mumbai-m.site/update_wapp2.aspx, which should be observable during dynamic analysis.

Second Part Decode

The next part essentially does the same thing (another base64 decode), so I will skip to the end result.

This was heavily obfuscated, and it took me a few minutes to make it neater; I will leave that exercise to you. This code does three main things:

  • it forms a unique URL based on the computer it is running on,
  • it contacts that URL, and
  • it writes whatever is received to a file.

This decoded code is what gets written to dUpdateCheckers.base.

The final piece is what gives this malware its best chance of avoiding detection and gaining persistence.

Here we see that the contents of the variable code4 are written to a file called cUpdateCheckers.bat. This is a command that creates a scheduled task which runs the scripts we saw earlier every minute. This allows the malware to keep running even after the victim's computer is rebooted. Even if specific files are deleted, as long as the primary component that can regenerate them is not removed, the script will keep regenerating itself with each passing minute.

This malware also deletes the .base files when it finishes, cleaning up after itself to avoid detection. It also hides behind the PowerShell process, which runs in the background with no window ever shown to the user.
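The decode-and-triage workflow described above, as an added example (not the author's code and not the real sample): it finds base64 string literals in a VBS-like script, decodes them (detecting UTF-16LE, which PowerShell commonly uses for encoded commands), and pulls out host and network indicators such as URLs, script filenames and keywords like schtasks. SAMPLE_VBS is a constructed stand-in modelled on the behaviour described, not the actual dropper.

```python
import base64
import binascii
import re

# Constructed sample modelled on the dropper described above (not the real
# file): a VBS script that carries base64 blobs in string variables.
_PAYLOAD_1 = ('$url = "http://www.mumbai-m.site/update_wapp2.aspx"\r\n'
              '$out = "dUpdateCheckers.base"\r\n')
_PAYLOAD_2 = ('powershell -WindowStyle Hidden -File dUpdateCheckers.ps1\r\n'
              'rem re-armed every minute by schtasks (cUpdateCheckers.bat)\r\n')
SAMPLE_VBS = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'code1 = "' + base64.b64encode(_PAYLOAD_1.encode()).decode() + '"\n'
    'code4 = "' + base64.b64encode(_PAYLOAD_2.encode('utf-16-le')).decode() + '"\n'
    'oShell.run "wscript GoogleUpdateChecker.vbs", 0\n'
)

_B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')   # long quoted base64
_URL = re.compile(r'https?://[^\s"\'<>]+')
_FILE = re.compile(r'\b[\w-]+\.(?:vbs|ps1|bat|base)\b', re.I)
_KEYWORDS = ('schtasks', '-WindowStyle Hidden', 'DownloadString', 'WebClient')


def decode_blob(blob):
    """Decode one base64 literal; returns None if it is not valid base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None
    # PowerShell encoded commands are UTF-16LE: every second byte of ASCII text is NUL.
    if len(raw) % 2 == 0 and raw[1:2] == b'\x00':
        return raw.decode('utf-16-le', errors='replace')
    return raw.decode('utf-8', errors='replace')


def extract_indicators(script_text):
    """Return host/network indicators found in the script and its decoded blobs."""
    decoded = [d for d in map(decode_blob, _B64_LITERAL.findall(script_text)) if d]
    corpus = '\n'.join([script_text] + decoded)
    return {
        'blobs': len(decoded),
        'urls': sorted(set(_URL.findall(corpus))),
        'files': sorted(set(f.lower() for f in _FILE.findall(corpus))),
        'keywords': sorted(k for k in _KEYWORDS if k.lower() in corpus.lower()),
    }


if __name__ == '__main__':
    for key, value in extract_indicators(SAMPLE_VBS).items():
        print(f'{key}: {value}')
```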

Dynamic Analysis

Dynamic analysis was done in two parts: networked and un-networked. I started with un-networked, but that only showed me what I had already proved with static analysis: all the files I found in the VBS script were created, and its behavior was what I expected. I then moved on to network analysis, done with INetSim and Wireshark.

Network Setup

  • Ubuntu 20.02 LTS Virtual Machine
  • Windows 7 Pro Virtual Machine (Victim Machine)
  • INetSim & Wireshark, both hosted on the Ubuntu virtual machine.

By creating a host-only network connecting the machines, I was able to redirect all network traffic from the victim machine to the Ubuntu machine, which captured it. When doing this, remember to turn off your firewall.

Capturing the data let me see a unique URL every few seconds; for the majority of them the domain Mumbai-m.site stayed the same, but a unique 23-character identifier was appended to it. I was not able to determine what this code was looking for, but the constant pinging and need for a response never stopped.

Further analysis using the Wayback Machine on https://web.archive.org led to no further information, but I can draw some conclusions based on the static analysis.

Summary and Conclusion

This script appears to be malicious, but today, since the original URL it tries to contact no longer appears to be in use, this malware cannot do any real harm. When analyzing this piece of code, it is essential to comment out the oShell.run command at the bottom so that you don't accidentally run the malware.

From statically and dynamically analyzing this piece of malware, I confirmed that it is indeed a dropper. It constantly pings a website, possibly waiting for more information to come its way and to download a file if need be.

This piece of malware took several steps to hide and to protect itself from reboots and deletion, and showed regenerating capabilities that attempted to ensure its survival. It also placed itself in locations deemed trustworthy, like Java directories, and disguised itself as a standard update tool, Trojan-style, to keep from being detected.

An unknowledgeable user would not be able to handle this, which is what makes this malware so dangerous: it is small and unsuspicious. With one unwitting click, much damage can be done to the victim's PC in the background without the victim ever knowing its source.

This piece of malware does leave host and network indicators which can be found relatively easily. Its attempts to self-delete parts of itself can be stopped by editing the script, and inspecting network packets for keywords like Mumbai.site could easily detect it.
