A polymorphic malware distributed by USB devices in Mexico

In recent months, SCILabs detected a new threat distributed via USB devices with the ability to self-replicate, modify multiple operating system files to harm them, download dynamic new malicious code, and add the infected computer to a botnet. This malware operates through polymorphic code with multiple environment validations and evasion techniques, making it difficult to detect. 

SCILabs performed extensive research on the threat to identify other similar artifacts with greater coverage and detection, however, no more artifacts were identified with similar behavior. On the other hand, in a segment of the malware code, the cybercriminal uses a field which is sent to the C2 site to identify the version of the malware that infected the device, which could represent that there are other versions of malware. 

Artifact capabilities 

When analyzing the artifact, we observe that it is a Visual Basic Script file that contains very few functions and most of the code is commented. This code is mixed and concatenated to make it difficult to analyze. On the other hand, the malware itself will be able to re-read its own commented code and modify itself through execution. Additionally, there are multiple delays of several minutes for each step of the malware to avoid being analyzed by a sandbox or automated tools. 

Figure 1 Code for Runtime Environment Verification
  • The first phase of the malware oversees verifying that the computer was not previously compromised and then copies the malware onto the victim’s computer.  The verification is done through WMI and the malware will check that the “Urm_At_Tawill” process does not exist, if it does, this could be considered a kill switch. 
  • On the other hand, the malware will create a file called fuckyou_powershell.bat which will be used to modify execution permissions and elevate privileges. The directory where all files will be copied will be %ProgramFiles%\Windows 
  • The malware will modify the shortcuts (.lnk files) on the victim’s device, as well as the shortcut icons on the taskbar, in order to generate persistence. 
  • Subsequently, the malware will try to spread massively on all removable drives on the computer. 
  • Once the malware installation process is complete, the information gathering will begin. The malware will get antivirus information, username, operating system version, computer domain, malware version, and a list of file names in the computer’s user folder. This information will be stored in different files, which are named “servant“, “map” and “Dreams“. 
  • The malware will obtain the IP address of the C2 site from a predefined URL in the code corresponding to the Pastebin site. The information will be downloaded in a file called coordinates_of_Rlyeh 
  • Once all the necessary files have been created, they will be read and concatenated, encrypted with the XOR and finally encoded with base64 to be sent to the C2 site of the cybercriminal to register the victim’s computer.  
  • Once the malware has registered, a new series of data will be downloaded that will serve as a token to establish continuous communication with the C2 server. 
  • The device will listen to it trying to connect to the C2 server and execute the code it receives, turning the computer into a bot. 
Figure 2 Rewriting the artifact

TTPs observed aligned to MITRE’s ATT&CK framework. 

Initial Access  Execution  Defense Evasion  Discovery  Lateral Movement  Collection  Command and Control 
T1091 Replication Through Removable Media  T1059.005 – Command and Scripting Interpreter: Visual Basic  T1140 – Deobfuscate/Decode Files or Information  T1083 – File and Directory Discovery  T1091 – Replication Through Removable Media  T1005 – Data from Local System  T1132.001 – Data Encoding: Standard Encoding 
  T1204.002 – User Execution: Malicious File  T1222.001 – File and Directory Permissions Modification: Windows File and Directory Permissions Modification  T1518.001 – Software Discovery: Security Software Discovery    T1025 – Data from Removable Media  T1071.001 – Application Layer Protocol: Web Protocols 
  T1047 – Windows Management Instrumentation    T1082 – System Information Discovery      T1573.001 – Encrypted Channel: Symmetric Cryptography 
      T1033 – System Owner/User Discovery       

Attack flow 

Figure 3 Attack flow