Command and Scripting Interpreter: VBScript

Adversaries may abuse VBScript scripts for execution. VBScript is a Windows scripting language modeled after the Visual Basic language, also known as Visual Basic for Applications (VBA).[1] VBScript is built on top of the Component Object Model (COM), which allows it to interact with the environment. VBScript can also be used in place of JavaScript on webpages served to Internet Explorer; however, most modern browsers do not come with VBScript support.

In a command-line environment, Cscript.exe is used to execute scripts. If a GUI is desired, Wscript.exe is used.

Adversaries may abuse VBScript to execute malicious commands and payloads. A common usage is embedding VBScript content into Spearphishing Attachment payloads.

ID: T1059.005
Sub-technique of: T1059
Tactic: Execution
Platforms: Windows
Permissions Required: Administrator, SYSTEM, User
Data Sources: Process command-line parameters, Process monitoring, Windows event logs
Version: 1.0
Created: 09 March 2020
Last Modified: 28 March 2020

Procedure Examples

Name Description
APT32

APT32 has used macros, COM scriptlets, and VBS scripts.[30][31]

Bisonal

Bisonal's dropper creates VBS scripts on the victim’s machine.[3]

BRONZE BUTLER

BRONZE BUTLER has used VBS and VBE scripts for execution.[32]

Comnie

Comnie executes VBS scripts.[17]

Exaramel for Windows

Exaramel for Windows has a command to execute VBS scripts on the victim’s machine.[5]

FIN7

FIN7 used VBS scripts to help perform tasks on the victim's machine.[33][34]

Gorgon Group

Gorgon Group has used macros in Spearphishing Attachments as well as executed VBScripts on victim machines.[24]

Helminth

One version of Helminth consists of VBScript scripts.[18]

Honeybee

Honeybee embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened.[35]

JCry

JCry has used VBS scripts.[16]

jRAT

jRAT has been distributed as HTA files with VBScript.[20]

KeyBoy

KeyBoy uses VBS scripts for installing files and performing execution.[15]

Koadic

Koadic performs most of its operations using Windows Script Host (VBScript) and runs arbitrary shellcode.[2]

Leviathan

Leviathan has used VBScript.[22]

Magic Hound

Magic Hound malware has used VBS scripts for execution.[21]

MuddyWater

MuddyWater has used VBScript files to execute its POWERSTATS payload, as well as macros.[36][37][38][39][6]

NanHaiShu

NanHaiShu executes additional VBScript code on the victim's machine.[11]

NanoCore

NanoCore uses VBS files.[9]

OopsIE

OopsIE creates and uses a VBScript as part of its persistent execution.[7][8]

OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D uses VBS scripts.[19]

Patchwork

Patchwork used Visual Basic Scripts (VBS) on victim machines.[40][41]

POWERSTATS

POWERSTATS can use VBScript (VBE) code for execution.[6]

QUADAGENT

QUADAGENT uses VBScripts.[4]

Rancor

Rancor has used VBS scripts as well as embedded macros for execution.[42]

Remexi

Remexi uses AutoIt and VBS scripts throughout its execution process.[13]

Silence

Silence has used VBS scripts.[26]

Smoke Loader

Smoke Loader adds a Visual Basic script in the Startup folder to deploy the payload.[12]

StoneDrill

StoneDrill has several VBS scripts used throughout the malware's lifecycle.[14]

TA459

TA459 has a VBScript for execution.[23]

TA505

TA505 has used VBS for code execution.[27][28]

Turla

Turla has used VBS scripts throughout its operations.[29]

WIRTE

WIRTE has used VBS scripts throughout its operation.[25]

Xbash

Xbash can execute malicious VBScript payloads on the victim’s machine.[10]

Mitigations

Mitigation Description
Disable or Remove Feature or Program

Turn off or restrict access to VBScript.

Execution Prevention

Use application whitelisting where appropriate.

Detection

Monitor for usage of Cscript.exe or Wscript.exe. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
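As an added example (not part of the ATT&CK page), the following Python triages constructed process-creation records in the shape of Sysmon Event ID 1 fields for the Cscript.exe/Wscript.exe patterns described above: a script host spawned by an Office process (the spearphishing-attachment case), a script staged in a user-writable directory such as the Startup folder, and host switches that hide errors from the user. The field names, the Office parent set and the directory list are assumptions to adapt to your own telemetry and baseline.

```python
import re

# Script hosts named in the Detection section; matched on the image basename.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed Office parents that point at a Spearphishing Attachment launching the script.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|wsf)\b", re.IGNORECASE)
# Assumed user-writable staging paths (Startup folder, Temp, Downloads, Public).
SUSPECT_DIRS = ("\\temp\\", "\\downloads\\", "\\appdata\\", "\\startup\\", "\\users\\public\\")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key="value" or key=value

def parse_event(line):
    """Parse one constructed key=value process-creation record into a dict."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the reasons an event looks like abusive VBScript execution (empty = no alert)."""
    reasons = []
    if basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return reasons                      # only cscript.exe / wscript.exe are in scope
    cmd = ev.get("CommandLine", "").lower()
    parent = basename(ev.get("ParentImage", ""))
    if parent in OFFICE_PARENTS:
        reasons.append("script host spawned by Office process " + parent)
    if SCRIPT_EXT.search(cmd) and any(d in cmd for d in SUSPECT_DIRS):
        reasons.append("script run from a user-writable directory")
    if "//e:" in cmd:
        reasons.append("//E: engine override (script may not carry a .vbs extension)")
    if "//b" in cmd:
        reasons.append("//B batch mode hides script errors and prompts from the user")
    return reasons

# Constructed sample events using Sysmon Event ID 1 field names (Image, CommandLine, ParentImage).
SAMPLE_EVENTS = [
    # admin inventory script started by a service: expected in the baseline, no alert
    'Image="C:\\Windows\\System32\\cscript.exe" CommandLine="cscript.exe //nologo C:\\Scripts\\inventory.vbs" ParentImage="C:\\Windows\\System32\\svchost.exe"',
    # script host started by Word with a script dropped into Temp: spearphishing-attachment pattern
    'Image="C:\\Windows\\System32\\wscript.exe" CommandLine="wscript.exe //B C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.vbs" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"',
    'Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe" ParentImage="C:\\Windows\\explorer.exe"',
]

def triage(lines):
    """Return (event index, reasons) for every event that produced at least one reason."""
    scored = [(i, score_event(parse_event(line))) for i, line in enumerate(lines)]
    return [(i, reasons) for i, reasons in scored if reasons]
```

Run `triage(SAMPLE_EVENTS)` to see only the Word-spawned event flagged, with three reasons; tune SUSPECT_DIRS and OFFICE_PARENTS against the legitimate script usage you baseline first.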

References

  1. Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020.
  2. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  3. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  4. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  5. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  6. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  7. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  8. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  9. Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved November 9, 2018.
  10. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  11. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
  12. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
  13. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  14. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  15. Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
  16. Lee, S. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
  17. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  18. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  19. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  20. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  21. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  22. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  23. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  24. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  25. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
  26. Skulkin, O. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.
  27. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  28. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
  29. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  30. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  31. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  32. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  33. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  34. Platt, J. and Reeves, J. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  35. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  36. Singh, S., et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  37. Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018.
  38. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  39. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  40. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  41. Meltzer, M., et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  42. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.