Keypoints
- Initial delivery is an Excel document with a VBA macro that runs PowerShell to download an obfuscated batch file (Windows Update.bat) from filebin.net.
- Windows Update.bat is obfuscated with the Abobus obfuscator; once deobfuscated, it downloads and executes test.vbs, the middle-stage downloader.
- Test.vbs retrieves three components: script.py (the info-stealer), Document.zip (Python 3.11 and required libraries), and bypass.vbs (launches script.py with the downloaded Python).
- Persistence is established by creating a Run registry value named “WinUpdater” under HKEY_CURRENT_USER\…\CurrentVersion\Run to autorun bypass.vbs at login.
- script.py (obfuscated with PyObfuscate) extracts cookies and login data from many browsers (Chrome, Edge, Cốc Cốc, etc.), compresses the data, and sends it to the attacker’s Telegram bot.
- Many stages and related tools are hosted on public platforms (GitLab, GitHub); repositories also contain other malware variants such as XWorm, RedLine, and VenomRat.
MITRE Techniques
- [T1204] User Execution – The campaign uses a malicious Excel macro to trigger the attack: (‘The first stage of this attack is an Excel document with a VBA script that executes a PowerShell command to download a Windows Update.bat from filebin.net.’)
- [T1059.001] Command and Scripting Interpreter: PowerShell – VBA executes PowerShell to download and run the next-stage downloader: (‘executes a PowerShell command to download a Windows Update.bat from filebin.net.’)
- [T1105] Ingress Tool Transfer – Multiple stages and dependencies are retrieved from public hosting platforms to stage the payloads: (‘many stages of this attack are downloaded from an open platform.’)
- [T1027] Obfuscated Files or Information – Attack components are obfuscated to hinder analysis (Abobus, PyObfuscate): (‘protected by the Abobus obfuscator.’ / ‘Script.py is obfuscated by PyObfuscate’)
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via a Run registry value named “WinUpdater”: (‘creates a value named “WinUpdater” within the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to automatically run bypass.vbs when the victim logs in.’)
- [T1071.001] Application Layer Protocol: Web Protocols – Stolen data is exfiltrated to a Telegram bot over web-based APIs/protocols: (‘The collected data is compressed into a zip file, which will be sent to the attacker’s telegram bot with a message containing the date, victim’s country, IP address, language, password count, and cookie count.’)
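The techniques above map onto a small set of host observables: an Office process spawning PowerShell, a Run value pointing at a script host or .vbs file, a Python interpreter running from a user profile under a script host, and that interpreter talking to the Telegram API. The following detection logic is an added example written for this summary, not code from the report or its author. It assumes Sysmon-style events (EventID 1 process create, 13 registry value set, 3 network connection); the sample events are constructed, the Telegram Bot API host api.telegram.org is taken from public knowledge rather than from the report, and T1059.006 (the ATT&CK Python sub-technique) is used for the bundled-runtime step even though the report does not cite it.

```python
import re
from dataclasses import dataclass

# Constructed detection logic for the chain above; an added example, not code
# from the report. Event shapes follow Sysmon EventID 1 (process create),
# EventID 13 (registry value set) and EventID 3 (network connection).

OFFICE_PARENTS = {"excel.exe", "winword.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
USER_WRITABLE_RE = re.compile(r"^c:\\users\\[^\\]+\\", re.I)
TELEGRAM_HOST = "telegram.org"  # assumption: Bot API lives under api.telegram.org


@dataclass
class Event:
    event_id: int                  # 1 = process create, 13 = registry set, 3 = network
    image: str = ""                # process image (events 1 and 3)
    parent_image: str = ""         # parent process (event 1)
    command_line: str = ""
    target_object: str = ""        # registry path (event 13)
    details: str = ""              # value data written (event 13)
    destination_hostname: str = ""  # resolved peer (event 3)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (technique, description) pairs for events matching the chain."""
    findings = []
    for ev in events:
        if ev.event_id == 1:
            img, parent = _base(ev.image), _base(ev.parent_image)
            # R1: Office macro launching PowerShell (T1204 -> T1059.001)
            if parent in OFFICE_PARENTS and img == "powershell.exe":
                findings.append(("T1059.001", f"{parent} spawned PowerShell: {ev.command_line}"))
            # R3: script host launching a Python interpreter that lives under a
            # user profile (bypass.vbs running script.py with the bundled runtime)
            elif img == "python.exe" and parent in SCRIPT_HOSTS and USER_WRITABLE_RE.match(ev.image):
                findings.append(("T1059.006", f"{parent} launched user-profile Python: {ev.image}"))
        elif ev.event_id == 13 and RUN_KEY_RE.search(ev.target_object):
            # R2: Run-key value whose data invokes a script host or a .vbs file
            data = ev.details.lower()
            if any(host in data for host in SCRIPT_HOSTS) or data.endswith(".vbs"):
                findings.append(("T1547.001", f"Run value {ev.target_object} -> {ev.details}"))
        elif ev.event_id == 3:
            # R4: user-profile Python reaching the Telegram API (exfil channel)
            if USER_WRITABLE_RE.match(ev.image) and TELEGRAM_HOST in ev.destination_hostname.lower():
                findings.append(("T1071.001", f"{ev.image} connected to {ev.destination_hostname}"))
    return findings


def sample_events():
    """Constructed telemetry: four malicious events interleaved with two benign ones."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    py = r"C:\Users\victim\AppData\Local\Temp\Document\python.exe"
    run = r"HKU\S-1-5-21-1000-1000-1000-1001\Software\Microsoft\Windows\CurrentVersion\Run"
    return [
        Event(1, image=ps, parent_image=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              command_line='powershell.exe -w hidden -Command "<downloader for Windows Update.bat>"'),
        Event(1, image=ps, parent_image=r"C:\Windows\explorer.exe", command_line="powershell.exe"),
        Event(13, target_object=run + r"\WinUpdater",
              details=r"wscript.exe C:\Users\victim\AppData\Roaming\bypass.vbs"),
        Event(13, target_object=run + r"\OneDrive",
              details=r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
        Event(1, image=py, parent_image=r"C:\Windows\System32\wscript.exe",
              command_line="python.exe script.py"),
        Event(3, image=py, destination_hostname="api.telegram.org"),
    ]


if __name__ == "__main__":
    for technique, description in detect(sample_events()):
        print(technique, description)
```

Each rule is deliberately narrow (parent/child pair, key path plus value data, image path plus peer) so it can be lifted into a SIEM query; the user-profile path check on the Python interpreter is what separates the bundled runtime in Document.zip from a legitimately installed one.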
Indicators of Compromise
- [Git repositories] Hosting used to serve stages and tools – gitlab[.]com/anhducratsilver, github[.]com/Akabanwa-toma, and 3 more repositories
- [IP addresses] Network hosts observed in the report – 65[.]0[.]50[.]125, 103[.]85[.]247[.]61, and 3 more IPs
- [File hashes] Malware and stage file hashes – d897376e35ace588d386b9fff1ba65277172571f5d0af90f371413380996e1e4, 70e77806d5bec502c66ef9c3ce9d0cc9294f965b15a33cf8b180749171d5b710, and 10 more hashes
- [File names] Stage filenames and lures used – Windows Update.bat, test.vbs, script.py, Document.zip, bypass.vbs, done 300coki.docm
The infection chain begins with an Excel document containing a VBA macro that runs PowerShell to download an obfuscated batch file (Windows Update.bat) from filebin.net; that batch is protected with the Abobus obfuscator and, once deobfuscated, downloads and executes test.vbs. Test.vbs then pulls three components: script.py (the obfuscated Python info-stealer), Document.zip (a bundled Python 3.11 runtime and the libraries PyObfuscate-protected code needs), and bypass.vbs (which launches script.py using the bundled Python). For persistence, test.vbs creates a “WinUpdater” Run value under HKEY_CURRENT_USER\…\CurrentVersion\Run to autorun bypass.vbs at user login.
script.py, obfuscated with PyObfuscate, focuses on extracting browser cookies and saved logins across many Chromium-based and regional browsers (Chrome, Edge, Cốc Cốc, etc.) by reading browser SQLite storage, then packages the harvested data into a ZIP and uploads it to an attacker-controlled Telegram bot along with metadata (date, country, IP, language, counts). Multiple stages and toolsets are hosted on public services (GitLab/GitHub), and repositories associated with the campaign also contained other commodity malware such as XWorm, RedLine, and VenomRat.
A variant campaign uses a Word macro lure (e.g., “done 300coki.docm”) that downloads an obfuscated batch and fragments the infection chain further; in another technique, DLL payloads were appended (base64-encoded) to image files (JPEG) and later extracted, with XWorm identified as a final-stage payload in some samples. The overall operational pattern relies on simple, obfuscated downloaders hosted on open platforms to evade detection while leaving recoverable artefacts across repositories and chat logs.
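The image-appending technique leaves a simple forensic artefact: a JPEG whose bytes continue past the end-of-image marker, where the overhang is base64 text that decodes to a PE file. The check below is an added example written for this summary, not code from the report or any of the referenced repositories. It assumes only the JPEG marker layout (SOI 0xFFD8, EOI 0xFFD9) and the "MZ" signature at the start of a DLL or EXE; the sample inputs are constructed marker skeletons with a fake PE stub, not real images or real payloads.

```python
import base64
import binascii
import re
from pathlib import Path

# Added forensic check, not code from the report: flag JPEG files that carry
# data after the end-of-image marker and test whether that data is base64 of a
# PE image (DLLs and EXEs start with "MZ"). Sample inputs below are constructed.

JPEG_SOI = b"\xff\xd8"   # start of image
JPEG_EOI = b"\xff\xd9"   # end of image
B64_RE = re.compile(rb"^[A-Za-z0-9+/\r\n]+={0,2}$")


def trailing_data(blob: bytes) -> bytes:
    """Bytes after the last EOI marker (b'' for non-JPEG input or no overhang).
    The last marker is used because EXIF thumbnails embed their own EOI."""
    if not blob.startswith(JPEG_SOI):
        return b""
    idx = blob.rfind(JPEG_EOI)
    return blob[idx + 2:] if idx >= 0 else b""


def inspect_image(blob: bytes) -> dict:
    """Classify the overhang: its size, whether it is base64, whether it decodes to a PE."""
    tail = trailing_data(blob).strip()
    result = {"trailing_bytes": len(tail), "base64": False, "pe_payload": False}
    if tail and B64_RE.match(tail):
        try:
            decoded = base64.b64decode(tail)  # default mode ignores embedded CR/LF
        except (binascii.Error, ValueError):
            return result
        result["base64"] = True
        result["pe_payload"] = decoded.startswith(b"MZ")
    return result


def scan_directory(root) -> list:
    """Inspect every *.jpg / *.jpeg under root; return (path, result) for files with overhang."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in {".jpg", ".jpeg"} and path.is_file():
            res = inspect_image(path.read_bytes())
            if res["trailing_bytes"]:
                hits.append((str(path), res))
    return hits


def sample_clean_jpeg() -> bytes:
    """Constructed: only the marker skeleton this check relies on, not a viewable image."""
    return JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI


def sample_stuffed_jpeg() -> bytes:
    """Constructed: same skeleton with a base64-encoded fake PE stub appended (84 bytes -> 112 chars)."""
    fake_pe = b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 16
    return sample_clean_jpeg() + base64.b64encode(fake_pe)


if __name__ == "__main__":
    print(inspect_image(sample_clean_jpeg()))
    print(inspect_image(sample_stuffed_jpeg()))
```

A non-zero `trailing_bytes` on its own is only a hint (some cameras and editors append metadata past the EOI), so the base64 and "MZ" tests are what raise a file from "odd" to "worth pulling for analysis"; `scan_directory` applies the same check across a collected user profile or web root.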