One File, Two Payloads – SANS Internet Storm Center

A VBScript disguised as a PDF is delivered via phishing with a ZIP attachment, then decodes and executes a multi-stage payload that ultimately injects into wab.exe and retrieves a GuLoader-like second stage over PowerShell. The write-up covers obfuscation techniques, dynamic string assembly to form PowerShell, and the two remote URLs used to fetch the payload. #GuLoader #PowerShell #VBScript #WindowsAddressBook #LambenSmi

Keypoints

  • The malicious VBScript is delivered through a phishing email with a ZIP archive containing a file named “rfw_po_docs_order_sheet_01_10_202400000000_pdf.vbs” (SHA256: 6e6ecd38cc3c58c40daa4020b856550b1cbaf1dbc0fad517f7ca26d6e11a3d75).
  • The script enumerates Windows services via WMI to build a string and identify a path to PowerShell, using a Microsoft service-name check as a trigger.
  • It constructs and invokes PowerShell by assembling the string “PowerShell” and then calling it for execution.
  • The VBScript uses several obfuscation layers, including string manipulation, XOR, and base64-encoded payloads, to hide the final payload and commands.
  • The PowerShell payload fetches content online from remote URLs, decodes it, and uses a two-stage approach where the first stage loads an executable into memory and a second-stage PowerShell script is extracted from offset data.
  • The in-memory payload is injected into wab.exe (Windows Address Book) and attempts to fetch an additional payload from a remote URL, indicating a GuLoader-like loader variant.

MITRE Techniques

  • [T1566.001] Phishing – Initial access via a phishing email with a zip attachment carrying a VBScript disguised as a PDF. Quote: ‘delivered through a phishing email with a zip archive’ and the filename ‘rfw_po_docs_order_sheet_01_10_202400000000_pdf.vbs’.
  • [T1059.005] VBScript – The attack uses VBScript to run malicious code disguised as a PDF. Quote: ‘The script starts with a strange trick’ … ‘The filename is “rfw_po_docs_order_sheet_01_10_202400000000_pdf.vbs”’
  • [T1047] Windows Management Instrumentation – The script enumerates Windows services via WMI to assemble a string of service names. Quote: ‘lists the available Windows services, builds a string containing all the services names, and searches for the substring “Microsoft” across them’.
  • [T1059.001] PowerShell – PowerShell is invoked after constructing the string and used to execute the payload. Quote: ‘PowerShell is invoked’ and ‘the downloaded payload in Base64 contains two important pieces of data’.
  • [T1059.001] PowerShell – Use of Invoke-Expression (IEX) to execute decoded content. Quote: ‘the simple function to obfuscate its code that, once decoded, is executed with a classic IEX’.
  • [T1027] Obfuscated/Compressed Files and Information – The payload is heavily obfuscated with many string manipulations and XOR. Quote: ‘The payload is polluted with many strings “Calc32”, replaced by “S” at the end’.
  • [T1105] Ingress Tool Transfer – The PowerShell payload fetches content online from hxxp URLs to retrieve the next stage. Quote: ‘The downloaded payload… hxxp://85[.]209[.]176[.]46/Lamben.smi’ and ‘hxxp://ecox[.]pt/Lamben.smi’.
  • [T1055] Process Injection – The in-memory payload is injected into wab.exe after allocating memory and copying code. Quote: ‘Some memory is allocated, fulfilled with executable code and invoked’ and ‘The Windows Address Book process’ injection.
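The execution chain above (a double-extension .vbs run by wscript.exe, which spawns PowerShell, which in turn starts wab.exe for injection) is straightforward to hunt for in process-creation telemetry. The following is an added detection example, not code from the ISC diary; the event records are constructed Sysmon-style samples, and the wab.exe path and the direct parent/child relationship are assumptions.

```python
"""Flag the wscript.exe -> powershell.exe -> wab.exe chain in process-creation events."""

# Constructed process-creation events (not real telemetry); pid/ppid link parent to child.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\x\\Downloads\\rfw_po_docs_order_sheet_01_10_202400000000_pdf.vbs"'},
    {"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden -e aGVsbG8="},
    {"pid": 400, "ppid": 300, "image": "C:\\Program Files\\Windows Mail\\wab.exe",  # assumed path
     "cmdline": "wab.exe"},
    {"pid": 500, "ppid": 100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe Get-Date"},  # benign: no script host parent, no wab.exe child
]

def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def disguised_vbs(cmdline):
    """True if a .vbs argument carries a document-like stem such as '..._pdf.vbs'."""
    for tok in cmdline.replace('"', " ").split():
        low = tok.lower()
        if low.endswith(".vbs") and low[:-4].endswith(("_pdf", ".pdf", "_doc", ".doc")):
            return True
    return False

def find_chains(events):
    """Return one hit per wab.exe whose parent is PowerShell and grandparent a script host."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "wab.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if not parent or basename(parent["image"]) != "powershell.exe":
            continue
        grand = by_pid.get(parent["ppid"])
        if not grand or basename(grand["image"]) not in ("wscript.exe", "cscript.exe"):
            continue
        hits.append({"vbs_pid": grand["pid"], "ps_pid": parent["pid"], "wab_pid": e["pid"],
                     "disguised_vbs": disguised_vbs(grand["cmdline"])})
    return hits

if __name__ == "__main__":
    for hit in find_chains(EVENTS):
        print("suspicious chain:", hit)
```

Real loaders may start wab.exe suspended or via an intermediate process, so pair this chain check with memory-allocation and image-load telemetry on wab.exe rather than relying on the parent link alone.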

Indicators of Compromise

  • [SHA256] 6e6ecd38cc3c58c40daa4020b856550b1cbaf1dbc0fad517f7ca26d6e11a3d75 – VBScript payload file (initial sample)
  • [URL] hxxp://85[.]209[.]176[.]46/Lamben.smi, hxxp://ecox[.]pt/Lamben.smi – second-stage payload delivery URLs
  • [IP] 85.209.176.46 – C2/download server
  • [Domain] ecox.pt – C2 domain
  • [File name] rfw_po_docs_order_sheet_01_10_202400000000_pdf.vbs – phishing attachment name
  • [File name] wab.exe – Windows Address Book process involved for in-memory injection

Read more: https://isc.sans.edu/diary/One+File+Two+Payloads/30558/