The implant first checks if the user’s machine has a VBScript-enabled browser (a Microsoft Internet Explorer (IE) version prior to version 11). If VBScript is detected, the implant will attempt to download and execute a malicious payload; if not, the implant directly executes the payload.
Besides taking several steps to impede analysis by padding the code with junk data, the VB script also checks whether it is running inside a virtualized environment such as VirtualBox or VMware and, if so, terminates itself. It likewise stops the infection chain upon detecting a Russian, Ukrainian, or one of several other Eastern European system languages. The malware uses an open-source code library to determine the current computer’s internal IP address.
This summer, Microsoft announced the next version of its Windows operating system, codenamed “Windows 11.” Microsoft has stated that it is considering Windows 11 as the last version of desktop Windows, meaning that it will not release another major upgrade after Windows 11.
One of the features that Microsoft promoted for this release was the return of the Start menu. The company’s press release states:
Windows 8 was built to take advantage of modern technology and designed to work with touchscreen devices. Windows 8.1 was about refining the experience and responding to customer feedback, with features like support for virtual desktops, expanded folders, better search, the Start button and more. With Windows 11, we’re looking ahead again to continue to modernize Windows and create a unique experience for our customers as they use their desktop PC, tablet, phone and other devices.
While this release will not be the last of Microsoft’s operating systems on traditional personal computers—the company will release future versions of its Xbox One operating system—it is likely that Windows 11 will be the last major upgrade released before Microsoft shifts its focus towards mobile-centric systems.
The VB script is a proof-of-concept malware test for this infection vector.
When the victim opens the document, they will see a warning stating that “Macros have been disabled.” However, if they click the “Enable Content” button, the embedded macros will execute. This step triggers one of Microsoft’s documented implementation flaws in how it handles specially crafted files. Specifically, Microsoft treats the presence of a VBScript as a trigger to activate the malicious content.
However, because VBScript is disabled by default in the most common browsers (including IE), this triggers another warning box. Users are likely to assume the message is part of an anti-malware process and may click past it. This leads to the next stage of the infection chain.
The current version of the malware, a modified version of publicly available exploit code published at CanSecWest, drops a different payload with slightly different behavior. The payload was custom-written for this sample to download and execute its own configuration file (named config.memory.html). The implant first attempts to download the malicious configuration file using the already existing mechanism; if this succeeds, it takes an unspecified action.