We opened a fake invoice and fell down a retro XWorm-shaped wormhole

MITRE Techniques

• [T1566 ] Phishing – The attacker sent a fraudulent invoice email with a malicious .vbs attachment to induce the recipient to open and execute the script. Quote: ‘Please find attached the list of invoices…’
• [T1204 ] User Execution – The .vbs file required the user to open the attachment, which then executed scripts and dropped further payloads. Quote: ‘If the recipient had opened the attached Visual Basic Script (.vbs) file, it would have quietly installed a remote-access Trojan known as Backdoor.XWorm.’
• [T1204.002 ] Malicious File – The initial delivery was a Visual Basic Script (.vbs) attachment used to run code on the host. Quote: ‘.vbs attachment named INV-20192,INV-20197.vbs.’
• [T1047 ] Windows Management Instrumentation – The .vbs invoked the batch via WMI to execute the next-stage payload. Quote: ‘The .vbs dropped IrisBud.bat into %TEMP% … and invoked it via WMI.’
• [T1059.005 ] Command and Scripting Interpreter: Visual Basic – The attack used a .vbs script to orchestrate dropping and execution of further scripts. Quote: ‘The .vbs file at first sight looked like alphabet soup…’
• [T1059.003 ] Command and Scripting Interpreter: Windows Command Shell – A heavily obfuscated .bat file (IrisBud.bat / aoc.bat) was used to persist, hide execution, and construct a PowerShell loader. Quote: ‘The .bat restarted itself in a way so it ran invisibly… copied itself to the user profile as aoc.bat.’
• [T1059.001 ] Command and Scripting Interpreter: PowerShell – A PowerShell loader decoded Base64, removed padding, decrypted (AES), decompressed (GZip), and executed payloads directly in memory. Quote: ‘powershell.exe -nop -c … GetString([Convert]::FromBase64String(…))’ and ‘decrypts the data… decompresses it… loads and runs the malware… directly into memory.’
• [T1105 ] Ingress Tool Transfer – The script retrieved or reconstructed payload binaries from embedded data inside aoc.bat and loaded them into memory rather than saving to disk. Quote: ‘reads encrypted data from aoc.bat… decrypts the data… loads and runs the malware… directly into memory.’
• [T1053 ] Scheduled Task/Job (implicit persistence via copy and autorun) – The batch copies itself to the user profile and uses restart/minimized execution to maintain execution; indicative of persistence techniques. Quote: ‘copy “%sourceFile%” “%userprofile%aoc.bat”… cmd /c start “” /min “%~dpnx0” %* & exit’.
• [T1053.005 ] Service Execution / Hidden Window Execution (technique of hiding execution) – The batch restarts itself minimized and uses techniques to run without visible windows. Quote: ‘start “” /min … the new hidden instance continues running…’