November 4, 2021 | Shaul Vilkomir-Preisman
“Vengeance Justice Worm” was first discovered in 2016 and is a highly multifunctional, modular, publicly available “commodity malware”, i.e., it can be purchased by those interested through various cybercrime and hacking related forums and channels.
VJw0rm is propagated primarily by malicious email attachments and by infecting removeable storage devices.
Once executed by the victim, the very heavily obfuscated VJw0rm will enumerate installed drives and, if a removeable drive is found, VJwOrm will infect it if configured to do so.
It will continue to gather victim information such as operating system details, user’s details, installed anti-virus product details, stored browser cookies, the presence of vbc.exe on the system (Microsoft’s .NET Visual Basic Compiler, this indicates that .NET is installed on the system and can affect the actor’s choice of additional malware delivery), and whether the system has been previously infected.
VJw0rm will then report this information back to its command-and-control server and await further commands, such as downloading and executing additional malware or employing any of its other numerous capabilities.
Finally, VJw0rm establishes persistency in the form of registry auto-runs, system startup folders, a scheduled-task, or any combination of these methods.
Figure 1: Obfuscated VJw0rm snippet
Figure 2: VJw0rm check if previously infected
Figure 3: VJw0rm Command-and-Control contact
Figure 4: VJw0rm establishes persistency
As with all Remote-Access Trojans (RATs), WSHRat’s primary purpose is to maintain access to the machine, executing remote commands, and downloading additional malware.
WSHRat is propagated primarily by malicious email attachments and is also capable of infecting removable storage drives.
Once executed by the victim, the very heavily obfuscated WSHRat will follow a course similar to that of the above described VJw0rm – gather operating system and user’s details, installed anti-virus product details, report this back it’s command-and-control, perform removeable storage drive infection if configured to do so and await further commands.
“Houdini” VBS based variants of the malware are known to have been involved in a recently reported, very protracted, espionage campaign that targeted the aviation industry.
NJrat/Bladabindi and Remcos RAT are two common follow-up payloads of Houdini/WSHRat.
Figure 5: Obfuscated WSHRat snippet
Figure 6:WSHRat Command-and-Control contact
Figure 7: WSHRat establishes persistency
STRRAT is propagated by malicious email attachments. Its capabilities include standard RAT functionalities (remote access, remote command execution), browser and email-client credential harvesting, and a unique ransomware-like functionality – if instructed, it will add a “.crimson” extension to files on the device, rendering them inoperable (though they can be easily recovered because their content is not modified).
Figure 8: STRRAT core payload snippet, encoded and obfuscated
Figure 9:STRRAT "bring your own JRE" function
Figure 10: STRRAT deploys and runs payload
It will proceed to check for the presence of several anti-virus and sandbox-related .DLLs, attempt to bypass AMSI, delete system shadow-copies in order to hinder system recovery, and modify several other system services (including Windows Firewall) in order to “prep” the system for encryption. Once the system is “ready” for encryption, it will download a symmetric key-file which will be used to encrypt files on the system. If this file is not found, the malware will terminate.
Unlike most Ransomware today, BlackByte uses a single symmetric encryption key, and does not generate a unique encryption key for each victim system, meaning the same key can be used to decrypt all files encrypted by the malware.
This makes for substantially easier key-management for the actors behind BlackByte at the cost of a weaker encryption scheme and easier victim system recovery (as there is only a single online point with a single key to maintain).
As with most Ransomware today, BlackByte has worming capabilities and can infect additional endpoints on the same network.
Figure 11: A snippet of BlackByte's contained encoded .NET payload
Figure 12: BlackByte AMSI bypass
Carbanak/FIN7 needs little introduction. Discovered in 2014, they are one of the most prolific and successful, financially-motivated threat actors in action today, responsible for an estimated $1 billion in losses to countless financial institutions worldwide.
Carbanak/FIN7’s main means of spreading malware consists of highly targeted and highly effective spear-phishing emails.
Once executed, the backdoor will initiate a two-minute delay in an effort to avoid automated sandbox detection (analysis timeout), and then will collect the infected machine’s IP and MAC addresses, DNS hostname, and report back to its Command-and-Control server and execute any code it receives back as response.
Carbanak/FIN7 are known to employ Cobalt Strike as their post-breach follow-up malware.
Figure 13: Obfuscated Carbanak Backdoor snippet
Figure 14: Carbanak Backdoor delay function
Figure 15: Carbanak Backdoor gathers victim information
Figure 16: Carbanak Backdoor Command-and-Control URL "constructor" function
Figure 17: Carbanak Backdoor Command-and-Control contact
For a demo of the world’s best malware-prevention solution, request a demo.
IOCs of examined samples:
Drops Remcos RAT: 52cbc7b3e3c373b8857245207f0cfca50c35b6edc49255441f74fdf45a71ac46
(Remcos employs same C2 as WSHRat)
SHA256 (JAR): 6b723bd260b53c68c716ef218c78718d3e99ab4d4238a4bd823fd0cd6ec8007b
"bring your own JRE” URL: wshsoft.company/jre7.zip
Key file URL: 220.127.116.11/forest.png