Command and Scripting Interpreter: Visual Basic

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.[1][2]

Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Office applications.[3] VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of JavaScript/JScript on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).[4]

Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into Spearphishing Attachment payloads.

ID: T1059.005
Sub-technique of:  T1059
Tactic: Execution
Platforms: Linux, Windows, macOS
Permissions Required: Administrator, SYSTEM, User
Data Sources: DLL monitoring, File monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Version: 1.0
Created: 09 March 2020
Last Modified: 25 June 2020

Procedure Examples

Name Description
APT-C-36

APT-C-36 has embedded a VBScript within a malicious Word document which is executed upon the document opening.[75]

APT32

APT32 has used macros, COM scriptlets, and VBS scripts.[59][39]

APT33

APT33 has used VBScript to initiate the delivery of payloads.[85]

APT37

APT37 executes shellcode and a VBA script to decode Base64 strings.[62]

BackConfig

BackConfig has used VBS to install its downloader component and malicious documents with VBA macro code.[38]

Bisonal

Bisonal's dropper creates VBS scripts on the victim’s machine.[8]

BRONZE BUTLER

BRONZE BUTLER has used VBS and VBE scripts for execution.[60][61]

Cobalt Group

Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution.[43][44][45][46][47][48]

Cobalt Strike

Cobalt Strike can use VBA to perform execution.[6][7]

Comnie

Comnie executes VBS scripts.[31]

Emotet

Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads.[21][22][23][24][25]

Exaramel for Windows

Exaramel for Windows has a command to execute VBS scripts on the victim’s machine.[11]

FIN4

FIN4 has used VBA macros to display a dialog box and collect victim credentials.[49][50]

FIN7

FIN7 used VBS scripts to help perform tasks on the victim's machine.[63][64]

Frankenstein

Frankenstein has used Word documents that prompt the victim to enable macros and run a Visual Basic script.[77]

Gamaredon Group

Gamaredon Group has embedded malicious macros in document templates, which executed VBScript. Gamaredon Group has also delivered Microsoft Outlook VBA projects with embedded macros.[80][81]

Goopy

Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.[39]

Gorgon Group

Gorgon Group has used macros in Spearphishing Attachments as well as executed VBScripts on victim machines.[51]

Helminth

One version of Helminth consists of VBScript scripts.[32]

Honeybee

Honeybee embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened.[65]

Inception

Inception has used VBScript to execute malicious commands and payloads.[35][76]

JCry

JCry has used VBS scripts.[30]

jRAT

jRAT has been distributed as HTA files with VBScript.[33]

KeyBoy

KeyBoy uses VBS scripts for installing files and performing execution.[29]

Koadic

Koadic performs most of its operations using Windows Script Host (VBScript) and runs arbitrary shellcode.[5]

Leviathan

Leviathan has used VBScript.[41]

Magic Hound

Magic Hound malware has used VBS scripts for execution.[40]

Molerats

Molerats used various implants, including those built with VBScript, on target machines.[78]

MuddyWater

MuddyWater has used VBScript files to execute its POWERSTATS payload, as well as macros.[66][67][68][69][12][70][71]

NanHaiShu

NanHaiShu executes additional VBScript code on the victim's machine.[18]

NanoCore

NanoCore uses VBS files.[16]

OopsIE

OopsIE creates and uses a VBScript as part of its persistent execution.[14][15]

OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D uses Word macros for execution.[20]

Patchwork

Patchwork used Visual Basic Scripts (VBS) on victim machines.[72][73]

PoetRAT

PoetRAT has used Word documents with VBScripts to execute malicious activities.[34]

PowerShower

PowerShower has the ability to save and execute VBScript.[35]

POWERSTATS

POWERSTATS can use VBScript (VBE) code for execution.[12][13]

QUADAGENT

QUADAGENT uses VBScripts.[9]

Ramsay

Ramsay has included embedded Visual Basic Scripts in malicious documents.[37]

Rancor

Rancor has used VBS scripts as well as embedded macros for execution.[74]

Remexi

Remexi uses AutoIt and VBS scripts throughout its execution process.[26]

Sandworm Team

Sandworm Team has created VBScripts to run an SSH server.[82][83][84]

Sharpshooter

Sharpshooter's first-stage downloader was a VBA macro.[79]

Silence

Silence has used VBS scripts.[53]

Smoke Loader

Smoke Loader adds a Visual Basic script in the Startup folder to deploy the payload.[19]

StoneDrill

StoneDrill has several VBS scripts used throughout the malware's lifecycle.[27]

TA459

TA459 has a VBScript for execution.[42]

TA505

TA505 has used VBS for code execution.[54][55][56][57]

Turla

Turla has used VBS scripts throughout its operations.[58]

TYPEFRAME

TYPEFRAME has used a malicious Word document for delivery with VBA macros for execution.[10]

Ursnif

Ursnif droppers have used VBA macros to download and execute the malware's full executable payload.[28]

VBShower

VBShower has the ability to execute VBScript files.[36]

WIRTE

WIRTE has used VBS scripts throughout its operation.[52]

Xbash

Xbash can execute malicious VBScript payloads on the victim’s machine.[17]

Mitigations

Mitigation Description
Antivirus/Antimalware

Anti-virus can be used to automatically quarantine suspicious files.

Disable or Remove Feature or Program

Turn off or restrict access to unneeded VB components.

Execution Prevention

Use application control where appropriate.

Restrict Web-Based Content

Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.

Detection

Monitor for events associated with VB execution, such as Office applications spawning processes, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving VB payloads or scripts, or loading of modules associated with VB languages (ex: vbscript.dll). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other programmable post-compromise behaviors, and these can serve as detection indicators that lead back to the source.

Understanding standard usage patterns is important to avoid a high number of false positives. If VB execution is restricted for normal users, then any attempt to enable related components on a system should be considered suspicious. If VB execution is enabled but not commonly used on a system, execution that occurs outside the normal cycle of patching or other administrator functions is suspicious. Payloads and scripts should be captured from the file system when possible to determine their actions and intent.
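The detection guidance above can be turned into a small triage routine. The following Python is an added illustration, not part of the ATT&CK page or any vendor product: it scores constructed process-creation records for the three signals the text names (Office application spawning a child, Windows Script Host launches, vbscript.dll loaded by an unexpected host) and suppresses a hypothetical admin-script baseline to keep false positives down. The process names, the baseline path and the sample events are all assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Process names the detection text calls out: Office apps and the Windows Script Host.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WSH_HOSTS = {"wscript.exe", "cscript.exe"}
# Hosts that legitimately load the VBScript engine; anything else loading it is unusual.
EXPECTED_VBSCRIPT_HOSTS = WSH_HOSTS | {"mshta.exe"}
VB_FILE = re.compile(r"\.(vbs|vbe|hta)\b", re.IGNORECASE)
# Hypothetical baseline of scripts seen during normal administration (assumed value).
KNOWN_ADMIN_SCRIPTS = {r"c:\scripts\inventory.vbs"}

@dataclass
class ProcessEvent:
    """Minimal process-creation record: parent, image, command line, loaded DLLs."""
    parent_image: str
    image: str
    command_line: str
    loaded_modules: List[str] = field(default_factory=list)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(ev: ProcessEvent) -> List[str]:
    """Return the detection reasons that apply to one event (empty if benign)."""
    reasons = []
    parent, image = basename(ev.parent_image), basename(ev.image)
    cmd = ev.command_line.lower()
    if parent in OFFICE_APPS and image != parent:
        reasons.append("office application spawned a child process")
    if image in WSH_HOSTS and not any(s in cmd for s in KNOWN_ADMIN_SCRIPTS):
        reasons.append("Windows Script Host launched outside the admin baseline")
        if VB_FILE.search(cmd):
            reasons.append("VB script or HTA file passed on the command line")
    loaded = {basename(m) for m in ev.loaded_modules}
    if "vbscript.dll" in loaded and image not in EXPECTED_VBSCRIPT_HOSTS:
        reasons.append("vbscript.dll loaded by an unexpected host process")
    return reasons

def scan(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Map the index of every flagged event to its reasons."""
    return {i: r for i, ev in enumerate(events) if (r := evaluate(ev))}

# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.vbs"',
                 [r"C:\Windows\System32\vbscript.dll"]),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cscript.exe",
                 r"cscript.exe //nologo c:\scripts\inventory.vbs",
                 [r"C:\Windows\System32\vbscript.dll"]),
    ProcessEvent(r"C:\Windows\System32\services.exe", r"C:\ProgramData\svc\updater.exe",
                 "updater.exe --check", [r"C:\Windows\System32\vbscript.dll"]),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" /n "C:\Users\alice\Documents\report.docx"'),
]
```

Running `scan(SAMPLE_EVENTS)` flags the Word-spawned wscript.exe launch and the service binary that loaded vbscript.dll, while the baselined inventory script and an ordinary document open stay quiet.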

References

  1. .NET Team. (2020, March 11). Visual Basic support planned for .NET 5.0. Retrieved June 23, 2020.
  2. Microsoft. (n.d.). Visual Basic documentation. Retrieved June 23, 2020.
  3. Microsoft. (2019, June 11). Office VBA Reference. Retrieved June 23, 2020.
  4. Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020.
  5. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  6. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
  7. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019.
  8. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  9. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  10. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  11. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  12. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  13. Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  14. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  15. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  16. Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved November 9, 2018.
  17. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  18. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
  19. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
  20. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  21. Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.
  22. Brumaghin, E. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.
  23. Trend Micro. (2019, January 16). Exploring Emotet's Activities. Retrieved March 25, 2019.
  24. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
  25. Lee, S. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
  26. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  27. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  28. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
  29. Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
  30. Lee, S. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
  31. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  32. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  33. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  34. Mercer, W., et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  35. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
  36. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  37. Sanmillan, I. (2020, May 13). Ramsay: A cyber-espionage toolkit tailored for air-gapped networks. Retrieved May 27, 2020.
  38. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  39. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  40. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  41. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  42. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  43. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  44. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  45. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  46. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  47. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.
  48. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
  49. Vengerik, B., et al. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
  50. Vengerik, B. & Dennesen, K. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
  51. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  52. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
  53. Skulkin, O. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.
  54. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  55. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
  56. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
  57. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  58. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  59. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  60. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  61. Chen, J., et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  62. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  63. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  64. Platt, J. and Reeves, J. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  65. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  66. Singh, S., et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  67. Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018.
  68. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  69. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  70. ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
  71. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
  72. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  73. Meltzer, M., et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  74. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  75. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  76. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
  77. Adamitis, D., et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  78. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  79. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  80. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.
  81. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  82. Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved June 10, 2020.
  83. Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  84. Cherepanov, A. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.
  85. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.