The Art of Evasion: How Attackers Use VBScript and PowerShell in the Obfuscation Game
Summary
As we know, using obfuscated VBScript to execute obfuscated PowerShell is a common technique in malware to evade detection and complicate analysis. This approach leverages the strengths of both scripting languages while making it harder for security tools and analysts to understand the malicious intent.
Recently I came across a malware sample that is very well designed in its use of these obfuscation techniques, which was so interesting that it attracted my curiosity to learn more about what happens inside the malware; it also had a low detection rate when it was first discovered.
Below, I would like to share how the attackers use VBScript and PowerShell to evade detection; maybe it can help other malware researchers or analysts. The technique itself is common, but what is done with it is uncommon, and both VBScript obfuscation and PowerShell obfuscation are discussed.
Technical analysis
Basic info
The sample hashes:
MD5: 0e513e80fc18e3db4f0eb6ecb558534b
SHA256: 7444d08579781b3d7b233e9fd3e7f9b31a85837c29adf2f4ae7965a628078639
VBScript obfuscation and evasion techniques
In order to execute the VBScript, the attacker uses a mix of obfuscation that combines irrelevant comments, time-based delays, string splitting and concatenation, and dynamic behavior. It is very thoughtful. In addition, the logical order of the VBScript code seems to have been intentionally disrupted to interfere with analysts.
Adding Irrelevant Comments
The first thing one notices is that a large number of hard-to-understand comments have been inserted into the malware; they read like stream-of-consciousness monologue, passages from a novel, or random text. Their aim is to interfere with, confuse or mislead both analysts and antivirus products.
Fig.1 A large number of hard-to-understand annotations inserted to interfere with analysis
OK, to analyze this kind of malware, removing all the annotations manually is time-consuming. The first thought is to use a regular expression; a text editor like Sublime can help us handle them. The regular expression that matches all single-line comment content is '.*$, but it must be applied carefully, because parts of the obfuscated PowerShell will also be replaced and have to be checked afterwards one by one.
Fig.2 Regular expressions
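The reason the '.*$ regex needs a manual check afterwards is that an apostrophe inside a double-quoted VBScript string (very common once PowerShell text is embedded in the script) is not a comment, but the regex cannot tell the difference. The following added example, which is my own helper and not code from the analyzed sample or the post, strips comments with a small scanner that tracks whether it is inside a "..." literal, and keeps the plain-regex variant alongside for comparison. The VBScript input is constructed for the demonstration.

```python
"""Strip VBScript single-line comments while preserving apostrophes that sit
inside double-quoted string literals (the case the plain '.*$ regex breaks)."""

import re

# Constructed sample, not code from the analyzed file: a comment-heavy VBScript
# whose string literals contain apostrophes that '.*$ would cut in half.
SAMPLE_VBS = """' Her thoughts drifted like leaves on the autumn river
Dim greeting ' trailing note that should go
greeting = "it's " & "a quoted apostrophe ' inside" ' another trailing note
Rem old-style comment line
Execute "MsgBox greeting"
"""


def strip_line_comment(line: str) -> str:
    """Return `line` without its trailing ' comment, honouring "..." strings.

    VBScript escapes a double quote inside a string as "", which this scanner
    sees as two quote toggles in a row, so the in-string state stays correct.
    """
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i].rstrip()
    return line


def strip_vbs_comments(source: str) -> str:
    """Remove ' comments and whole-line Rem comments, dropping lines left empty."""
    cleaned = []
    for line in source.splitlines():
        if re.match(r"^\s*rem(\s|$)", line, re.IGNORECASE):
            continue
        stripped = strip_line_comment(line)
        if stripped.strip():
            cleaned.append(stripped)
    return "\n".join(cleaned)


def naive_regex_strip(source: str) -> str:
    """The '.*$ approach from the write-up, kept for comparison."""
    return re.sub(r"'.*$", "", source, flags=re.MULTILINE)


if __name__ == "__main__":
    print("--- quote-aware ---")
    print(strip_vbs_comments(SAMPLE_VBS))
    print("--- plain regex ---")
    print(naive_regex_strip(SAMPLE_VBS))
```

Running it shows the third line surviving intact with the quote-aware scanner, while the plain regex truncates it to `greeting = "it`, which is exactly the kind of damage that has to be repaired by hand when the regex is applied to a script whose embedded PowerShell uses single-quoted strings.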
Time-Based Obfuscation
Time delays or time conditions are used to execute parts of the script only after a certain time has passed. Malware often uses time delays to evade sandbox detection and avoid immediate detection. Here, the VBScript code snippet is a time-delay loop: it starts a loop that continues until the current time Now() exceeds Suspensorium (i.e., for 9 seconds), then loops 50 times, pausing the script for 100 milliseconds (0.1 seconds) on each iteration; the real PowerShell script is executed once Suspensorium exceeds 50.
Fig.3 VBScript time delay to execute PowerShell
Combining obfuscation techniques
The VBScript code snippet below demonstrates a malware evasion technique that combines time-based delays, string obfuscation, and dynamic behavior.
1. String Obfuscation: pronegotiation=array(79+1,79,87,69,82,83,72,69,76,76). The array contains the ASCII codes of the characters in the string "POWERSHELL".
2. Time-Based Evasion: checks whether the current time (Now()) is less than the value of Suspensorium.
3. Dynamic Behavior: the script behaves differently depending on the current time.
Fig.4 Combining obfuscation techniques
String splitting and Concatenation
Using ChrW(34) to concatenate strings that include double quotes, and using Chr(99) instead of the literal character 'c', makes the script harder to read and analyze; the command Execute is split into "Exe" + chr(99) + "ute".
Fig.5 VBScript String splitting and Concatenation
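Both the ASCII-code array from the previous section and the Chr()/ChrW() concatenation shown here are just string expressions, so an analyst can fold them mechanically instead of decoding each one by hand. The added example below is my own helper, not code from the sample or the post: it evaluates a VBScript string expression made of "..." literals, Chr(n)/ChrW(n) calls and & / + concatenation, and decodes an array(...) of character codes. Small integer arithmetic such as 79+1 is handled by a tiny parser rather than eval(). The pronegotiation array is the page's value; the MsgBox expression is constructed for the demonstration.

```python
"""Fold VBScript string-building expressions (literals, Chr/ChrW, & and +)
and decode array(...) character-code lists, as seen in the analyzed VBScript."""

import re

# Page value: the ASCII-code array assigned to pronegotiation in the sample.
PRONEGOTIATION = "array(79+1,79,87,69,82,83,72,69,76,76)"

# One token of a VBScript string expression.
TOKEN = re.compile(
    r'"((?:[^"]|"")*)"'                 # 1: "..." literal, "" is an escaped quote
    r'|chrw?\s*\(\s*([^()]+?)\s*\)'     # 2: Chr(n) / ChrW(n), n may be arithmetic
    r'|\s*[&+]\s*',                     # concatenation operator, nothing emitted
    re.IGNORECASE,
)


def safe_int(expr: str) -> int:
    """Evaluate a tiny integer expression such as '79+1' without eval()."""
    expr = expr.replace(" ", "")
    if not re.fullmatch(r"\d+(?:[+-]\d+)*", expr):
        raise ValueError(f"unsupported numeric expression: {expr!r}")
    total = 0
    for sign, digits in re.findall(r"([+-]?)(\d+)", expr):
        total += -int(digits) if sign == "-" else int(digits)
    return total


def fold_string_expr(expr: str) -> str:
    """Return the single string a VBScript concatenation expression builds."""
    out, pos = [], 0
    expr = expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unrecognised text at offset {pos}: {expr[pos:pos + 20]!r}")
        if m.group(1) is not None:
            out.append(m.group(1).replace('""', '"'))
        elif m.group(2) is not None:
            out.append(chr(safe_int(m.group(2))))
        pos = m.end()
    return "".join(out)


def decode_char_array(expr: str) -> str:
    """Turn array(79+1,79,...) into the string its character codes spell."""
    m = re.fullmatch(r"\s*array\s*\((.*)\)\s*", expr, re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError("expected an array(...) expression")
    return "".join(chr(safe_int(item)) for item in m.group(1).split(","))


if __name__ == "__main__":
    print(decode_char_array(PRONEGOTIATION))                     # POWERSHELL
    print(fold_string_expr('"Exe" + chr(99) + "ute"'))           # Execute
    # Constructed expression showing ChrW(34) used to embed double quotes.
    print(fold_string_expr('"MsgBox " & ChrW(34) & "hi" & ChrW(34)'))
```

The folder deliberately refuses anything it does not recognise (a bare variable name, a function call other than Chr/ChrW) rather than guessing, so a ValueError marks the exact spot where the script's value depends on runtime state and manual analysis has to take over.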
PowerShell obfuscation and evasion techniques
In order to execute the PowerShell from the VBScript, the attacker uses a user-defined algorithm and heavily obfuscates the strings. This differs from other APT groups, which use mature algorithms for string obfuscation; the attacker is very professional.
String splitting and Concatenation
In the PowerShell code, the strings are carefully split apart in the VBScript and reassembled using the variable Hennafarvedes and the "&" character for concatenation; the VBScript variable thus becomes a bridge into the PowerShell script.
Fig.6 PowerShell String splitting and Concatenation
Specific Algorithm for Deobfuscating the Script
The real intent is hidden in the carefully designed strings; the characters are extracted by a specific algorithm with a hardcoded value: it iterates over the array, starting at index 4 and incrementing by 5 each time, and the function returns the concatenated string.
Fig.7 Specific algorithm for deobfuscating the script
String obfuscation by inserting invalid characters
The string obfuscation technique below is also very special: only a small fraction of the characters are valid, and a user-defined algorithm extracts them, while the remaining characters are random filler inserted to confuse analysts, like pouring a pile of garbage over the real PowerShell to conceal the attacker's intentions. From the specific algorithm and hardcoded value above, we get a glimpse of how proficient the attackers are in the use of obfuscation techniques.
Fig.8 strings obfuscation
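The extraction algorithm from the previous section and the filler-character obfuscation described here are two sides of the same trick: the real script is every fifth character starting at index 4, and everything else is noise. The added example below is my own analyst helper, not code from the sample or the post. It recovers the hidden text for a known start and step, and goes a little beyond the page by also guessing the (start, step) pair when the hardcoded values are not yet known, scoring candidates by how many PowerShell-style Verb-Noun tokens they contain; that keyword heuristic is my assumption, not something the post describes. The obfuscated blob is constructed for the demonstration and hides the harmless cmdlet name Get-Date.

```python
"""Recover text hidden by stride obfuscation: real characters at a fixed
start index and interval, surrounded by random filler."""

import re

# Constructed sample, not data from the analyzed malware: four filler characters
# precede each real character, so the payload is blob[4::5] == "Get-Date".
OBFUSCATED = "xq9#GLm!2ezz7%tKp@4-rT^1DQa&8aWw*5toJ~3e"

# Heuristic (my assumption): real PowerShell text tends to contain Verb-Noun tokens.
VERB_NOUN = re.compile(r"\b(?:Get|Set|New|Invoke|Start)-[A-Za-z]+")


def extract_stride(blob: str, start: int = 4, step: int = 5) -> str:
    """Return the characters at start, start+step, ... (the write-up's algorithm
    uses start index 4 and an increment of 5)."""
    if start < 0 or step <= 0:
        raise ValueError("start must be >= 0 and step must be > 0")
    return blob[start::step]


def score_candidate(text: str) -> int:
    """Count PowerShell-style Verb-Noun tokens; higher means more script-like."""
    return len(VERB_NOUN.findall(text))


def guess_stride(blob: str, max_step: int = 8):
    """Try every (start, step) up to max_step and return the best-scoring pair,
    or None when no candidate looks like script text at all."""
    best, best_score = None, 0
    for step in range(1, max_step + 1):
        for start in range(step):
            candidate = extract_stride(blob, start, step)
            score = score_candidate(candidate)
            if score > best_score:
                best, best_score = (start, step), score
    return best


if __name__ == "__main__":
    print(extract_stride(OBFUSCATED))            # Get-Date
    print(guess_stride(OBFUSCATED))              # (4, 5)
```

When the hardcoded values are visible in the script, as they were in this sample, extract_stride alone is enough; guess_stride is for the case where the extraction routine itself is buried under further obfuscation and an analyst wants a quick first pass before reading it in full.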
The real intent
Further analysis on top of the above shows that the PowerShell script downloads the payload from the remote URL hxxps[:]//aghayezayeat.ir/kids/tyrosines.lzh and finally executes it. There is nothing special here, and the URL cannot be accessed at the time of writing.
Fig.9 PowerShell snippet
Conclusion
The analysis above shows that the attacker is very professional at combining different types of obfuscation techniques for evasion and is proficient in programming. The sample tells the cybersecurity community that attackers are always looking for breakthroughs in defenses and are very proactive, a more hidden threat in the digital world; let's pay close attention.
IOCs
Files:
SKMBT20783_ZM.vbs
MD5: 0e513e80fc18e3db4f0eb6ecb558534b
SHA256: 7444d08579781b3d7b233e9fd3e7f9b31a85837c29adf2f4ae7965a628078639
Network:
hxxps[:]//aghayezayeat[.]ir/kids/Tyrosines.lzh
hxxps://aghayezayeat[.]ir/529/eiRBgmsetYWnjJJIug45[.]bin (from the VMRay platform)
185[.]159.153.133
Host:
C:\Users\kEecfMwgj\AppData\Roaming\Hikes.Ove
End.
Labels: #APT, #Cybersecurity, #Malware, #Powershell, #ThreatIntel, #VBScript