VBScript has been used for many years. VBScript has been installed, by default, in every desktop release of Microsoft Windows since Windows 98. Therefore, almost every Windows PC can execute VBScript without any additional effort. VBE (which is actually VBScript that has been encoded) can be easily decoded using tools such as ayra.ch or VBE decoder.
Recently, there has been a resurgence of malware attacks using the rarely used .vbe file extension, mainly targeting Brazilian banks. FraudWatch International has been seeing VBE (VBScript Encoded) malware variants since May 2015; the first instance was recorded in a VirusTotal report and a malwr.com analysis.
The Brazilian branch of the anti-virus company Kaspersky recently reported: "We saw a great wave of VBE files reaching Brazilian users, distributed via e-mail. Most are downloaders that, after execution, will install a number of malicious files on the victim's computer, such as banking Trojans, RATs (remote admin tools) and, in some cases, malware that alters bank slips. VBE files (VBScript Encoded) are scripts executed by the Windows Script Host. Like .JS (Javascript) and .VBS (Visual Basic Script) files, they can be used to download files, run them, make profound changes in the system, etc. Cybercriminals often encode files in an attempt to evade antivirus detection."
Malware analysis sandboxes
Most security organizations and anti-virus companies utilise malware analysis sandboxes to analyse potential malware files.
A number of malware analysis sandboxes are listed on the websites below. A malware expert at FraudWatch International has researched which of these sandboxes can detect and analyse .VBE files.
- zeltser.com/automated-malware-analysis/
- http://kromer.pl/malware-analysis/choosing-th-best-sandbox-for-malware-analysis/
- Only 1 out of 16 sandboxes can execute a VBE file, as at 2nd Sep 2015.
- Cyber criminals have discovered that very few anti-virus programs and sandbox environments can detect or analyse malicious VBE code, hence the increasing attacks using VBE malware.
- The malwr.com analysis sandbox produces limited behavioural reporting because of the simple techniques the VBE malware uses. See the details below:
Example of VBE malware:
Below is the analysis data obtained for the following malware sample.
Malware sample: SHA256 d281755c5d99e0a73e8d068f5ac526e56622bf8ac1c306479ff373a6f333dad9
The information below shows some of the methods that the malware uses to obstruct the automated analysis of the file code.
Delay method implemented
- Creates a scheduled task that runs at boot time with a 9-minute delay (i.e. the payload waits until the next boot, then waits a further 9 minutes)
Command executed:
schtasks /CREATE /F /SC ONSTART /DELAY 0009:00 /TN "{EC58E96D-3D0A-4D74-BB38-0A585D015CF9}"
Delay & Reboot method implemented
- Creates a scheduled task to be executed 2 minutes later, which then reboots the machine
Command executed (shown as the VBScript string expression that builds it):
schtasks /CREATE /F /SC ONCE /ST " & FormatDateTime(DateAdd("n", 2, Now()),4) & " /TN ""{EC58E96D-3D0A-4D74-BB38-0A585D015CF9}4"" /F &shutdown /r /t 60 /f" /RU SYSTEM
Obstructing independent behavioural analysis of the payload
- The VBE malware is programmed to download a file named "jogue.jpg", but the file is actually a PE32 executable (DLL).
- A DLL has to be invoked with the syntax below; otherwise it will not execute properly.
rundll32 command syntax: rundll32.exe <dllname>,<entrypoint> <optional arguments>
- The <entrypoint> value must be a function name or ordinal selected from the DLL's exported function table.
For example: rundll32.exe jogue.jpg.dll,#1
- '#1' is an <entrypoint> ordinal number; FraudWatch International has also seen malware variants that use random function names instead of ordinal numbers.
- If the <entrypoint> function name or ordinal is not supplied correctly, the malicious DLL will not execute.
- So if the VBE malware has not been thoroughly analysed and only the download URL is extracted from it, analysing the payload on its own will run into trouble, because the required entry point is unknown.
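As an added example (not code from the original post), the following Python detection logic flags the three behaviours described above, a boot-time delayed scheduled task, a one-shot task that reboots the host, and rundll32 loading a DLL disguised with an image extension, over constructed process-creation log lines. The log format, the file paths and the /TR task actions are assumptions; only the task GUID and the jogue.jpg name come from the post.

```python
import re
import shlex
from typing import Dict, List

# Constructed process-creation log lines (not from the original post), in the form
# "<timestamp> <image> <command line>". The task GUID and the jogue.jpg name come
# from the post; the /TR actions and file paths are placeholders.
SAMPLE_LOG = r"""
2015-09-02T10:00:02 schtasks.exe schtasks /CREATE /F /SC ONSTART /DELAY 0009:00 /TN "{EC58E96D-3D0A-4D74-BB38-0A585D015CF9}" /TR C:\Users\victim\AppData\Local\Temp\stage2.vbs
2015-09-02T10:00:03 schtasks.exe schtasks /CREATE /F /SC ONCE /ST 10:02 /TN "{EC58E96D-3D0A-4D74-BB38-0A585D015CF9}4" /TR "shutdown /r /t 60 /f" /RU SYSTEM
2015-09-02T10:00:04 rundll32.exe rundll32.exe C:\Users\victim\AppData\Local\Temp\jogue.jpg.dll,#1
2015-09-02T10:00:05 schtasks.exe schtasks /CREATE /SC DAILY /ST 09:00 /TN Backup /TR C:\backup.bat
2015-09-02T10:00:06 rundll32.exe rundll32.exe shell32.dll,Control_RunDLL
"""

REBOOT_RE = re.compile(r"shutdown\b.*\s/r\b", re.IGNORECASE)
# Extensions a module handed to rundll32 should not carry (e.g. jogue.jpg or jogue.jpg.dll).
DISGUISE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "pdf", "txt"}


def _tokens(cmdline: str) -> List[str]:
    # posix=False keeps Windows backslashes literal; shlex leaves the quotes on, so strip them
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def classify(cmdline: str) -> List[str]:
    """Return the names of the sandbox-evasion behaviours present in one command line."""
    toks = _tokens(cmdline)
    low = [t.lower() for t in toks]
    hits: List[str] = []
    if low and low[0].startswith("schtasks") and "/create" in low:
        i = low.index("/sc") if "/sc" in low else -1
        sched = low[i + 1] if 0 <= i < len(low) - 1 else ""
        if sched == "onstart" and "/delay" in low:
            hits.append("schtasks_boot_delay")      # wait for next boot, then a fixed delay
        if sched == "once" and REBOOT_RE.search(cmdline):
            hits.append("schtasks_once_reboot")     # one-shot task whose action reboots the host
    if low and low[0].startswith("rundll32") and len(toks) > 1:
        module = toks[1].split(",")[0].lower()      # "<dllname>,<entrypoint>" -> module path
        stem = module[:-4] if module.endswith(".dll") else module
        if not module.endswith(".dll") or stem.rsplit(".", 1)[-1] in DISGUISE_EXTS:
            hits.append("rundll32_disguised_dll")   # DLL delivered under an image-like name
    return hits


def scan(log: str) -> Dict[str, List[str]]:
    """Map the timestamp of every flagged log line to the behaviours detected on it."""
    findings: Dict[str, List[str]] = {}
    for line in log.strip().splitlines():
        ts, _image, cmdline = line.split(" ", 2)
        if hits := classify(cmdline):
            findings[ts] = hits
    return findings
```

The benign DAILY task and the shell32.dll invocation in the sample are there to show the rules do not fire on ordinary scheduled-task and rundll32 use.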
How can sandboxes be improved to detect VBE?
VBE malware uses two simple tactics, delaying execution and rebooting the infected machine, both of which interrupt automated behavioural analysis. These simple techniques force the malware analyst to spend more time analysing the malware code manually, which extends the detection timeframe.
Given the above techniques used, detection of VBE malware is quite low. If VBE malware is combined with another malware, such as Dyre which also includes anti-sandbox techniques, then its detection rate will be extremely low.
Just as FraudWatch International analysts have done, sandbox developers can improve detection by updating their sandboxes to accept the VBE file type and adding functions along the following lines to enable proper analysis of VBE malware:
- Create a bypass function for ‘schtasks’ delay
- Continuous analysis after reboot.
(Note: The threattracksecurity sandbox seems to be the only malware analysis sandbox to have implemented this functionality already).