EdgeScheduler: A VBScript Bot in action
Complex malware gets the attention, but simple malware can be just as destructive. SonicWall has spotted a VBScript bot that looks very simple, yet its capabilities are no lesser than those of the more prominent malware bots.
File Level Activity
The VBScript Bot contains a base64-encoded PowerShell script, which it decodes and drops into the %TEMP% directory. The PowerShell script fetches the user's credentials from the Credential Locker using the PasswordVault class, which is available on Windows 8 and later. The locker is per-user and readable by any code running in the user's session, so no privilege escalation is required. The stolen data is then sent to the C&C server.
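To see what this stage of the bot can reach, the following is an added example (not code from the sample or from SonicWall) that enumerates the current user's Credential Locker through the same WinRT PasswordVault class. It assumes Windows PowerShell 5.1 on Windows 8 or later, where the WinRT projection loads directly; by default it lists only the resource and user name of each entry, and reads the secret back only when asked, so it can be used to audit exposure without dumping passwords.

```powershell
# Added example: audit what the Credential Locker exposes to code running as the
# current user. Uses the same Windows.Security.Credentials.PasswordVault class the
# bot's PowerShell stage uses. Requires Windows PowerShell 5.1 (WinRT projection)
# on Windows 8 or later; no elevation is needed, which is exactly the point.
function Get-CredentialLockerEntries {
    [CmdletBinding()]
    param(
        # Only when set are the secrets themselves read back with RetrievePassword().
        [switch]$RevealPasswords
    )

    # Load the WinRT type into the session. The unusual type literal is how
    # Windows PowerShell references WinRT classes.
    [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
    $vault = New-Object Windows.Security.Credentials.PasswordVault

    foreach ($cred in $vault.RetrieveAll()) {
        # RetrieveAll() returns entries with the Password property empty; the
        # secret is only materialised once RetrievePassword() is called.
        $secret = $null
        if ($RevealPasswords) {
            $cred.RetrievePassword()
            $secret = $cred.Password
        }
        [pscustomobject]@{
            Resource = $cred.Resource
            UserName = $cred.UserName
            Password = $secret
        }
    }
}

# List the exposure surface without dumping secrets:
Get-CredentialLockerEntries | Format-Table -AutoSize
```

Every entry this prints is available to any script running in the user's session, including a dropped PowerShell stage like the one described above; the question for the defender is which applications are storing credentials there and whether they need to.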
The Bot also generates a random id, which is later sent to the C&C server along with the other stolen data.
The Bot creates a sub-directory named "Edge" in the %APPDATA% directory and copies the wscript executable from the system directory into it as "amsi.dll", borrowing the name of the legitimate Antimalware Scan Interface library that normally lives only under the system directory. It also drops a copy of itself in the same directory, using the random id as the filename.
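The drop pattern above is easy to hunt for on an endpoint. The following is an added example (not SonicWall's detection and not the bot's code) that checks the paths the analysis describes. It assumes the dropped "amsi.dll" is a byte-for-byte copy of wscript.exe, so its SHA256 matches the system interpreter, and it assumes (labelled as such in the code) that the renamed interpreter is launched from that directory, so a live process pointing there is worth flagging.

```powershell
# Added example: hunt for the file-level artefacts described above.
# Assumptions: "amsi.dll" under %APPDATA%\Edge is an unmodified copy of
# wscript.exe (hash match), and the renamed interpreter is run from that path.
function Find-EdgeSchedulerArtifacts {
    [CmdletBinding()]
    param(
        [string]$EdgeDir = (Join-Path $env:APPDATA 'Edge')
    )

    $findings = @()
    if (-not (Test-Path -LiteralPath $EdgeDir)) {
        return $findings
    }

    # Hashes of the legitimate script hosts. SysWOW64 is included because on
    # 64-bit Windows a 32-bit process sees the 32-bit binary as "the system copy".
    $knownHashes = @()
    foreach ($host in @((Join-Path $env:SystemRoot 'System32\wscript.exe'),
                        (Join-Path $env:SystemRoot 'SysWOW64\wscript.exe'))) {
        if (Test-Path -LiteralPath $host) {
            $knownHashes += (Get-FileHash -Algorithm SHA256 -LiteralPath $host).Hash
        }
    }

    # 1. The renamed interpreter. A real amsi.dll never lives under %APPDATA%.
    $fakeAmsi = Join-Path $EdgeDir 'amsi.dll'
    if (Test-Path -LiteralPath $fakeAmsi) {
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $fakeAmsi).Hash
        $findings += [pscustomobject]@{
            Path   = $fakeAmsi
            Reason = $(if ($knownHashes -contains $hash) { 'Renamed copy of wscript.exe' }
                       else { 'amsi.dll outside the system directory' })
            SHA256 = $hash
        }
    }

    # 2. The bot's own copy is named after a random id, so any other file in the
    #    directory is a candidate and is reported with its hash for triage.
    foreach ($file in (Get-ChildItem -LiteralPath $EdgeDir -File)) {
        if ($file.Name -eq 'amsi.dll') { continue }
        $findings += [pscustomobject]@{
            Path   = $file.FullName
            Reason = 'Unexpected file in %APPDATA%\Edge (possible dropped bot copy)'
            SHA256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $file.FullName).Hash
        }
    }

    # 3. Assumption: the renamed interpreter is executed from this directory.
    foreach ($proc in (Get-CimInstance Win32_Process)) {
        if ($proc.ExecutablePath -like "$EdgeDir\*" -or $proc.CommandLine -like "*$EdgeDir*") {
            $findings += [pscustomobject]@{
                Path   = "PID $($proc.ProcessId): $($proc.CommandLine)"
                Reason = 'Process running from %APPDATA%\Edge'
                SHA256 = $null
            }
        }
    }

    return $findings
}

Find-EdgeSchedulerArtifacts | Format-Table -AutoSize
```

The hash comparison is what separates this from a plain path check: a file called amsi.dll in a user-writable directory is suspicious on its own, but a hash equal to wscript.exe confirms the masquerade described above rather than some other drop.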
Command & Control (C&C) Server connections
The Bot establishes connection with the C&C server and sends below mentioned data from the victim’s machine:
- Operating system information.
- Username and computer name.
- Anti-Virus product information.
- RAM, CPU and Virtual Machine Information.
- Randomly generated id.
- Processor architecture.
If the response is longer than 4 bytes, the Bot assumes the C&C server is up; otherwise it tries to reach another server. If the server is up, the Bot parses the response to retrieve the command and its arguments, which are separated by "!". At the time of analysis, the C&C server sent the "nope" command, which means "No Operation".
The Bot also contains code to upload files from the victim's machine to the C&C server, but that code is not used in this sample. This suggests the Bot is still in development and may gain more capabilities in future.
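The response-handling rule above, written out as an added example (not the bot's code) that an analyst can run against captured or constructed server replies. The "!" delimiter, the 4-byte threshold and the "nope" no-op come from the analysis; the server URLs and reply bodies below are constructed. Note that a bare "nope" is only 4 bytes, which the rule would treat as a dead server, so the observed reply must have carried at least one more byte; the constructed sample uses "nope!" for that reason, which is an inference, not something the analysis states.

```powershell
# Added example: the C&C response rule described above, as a standalone parser.
# Constructed inputs only; nothing here talks to a network.
function ConvertFrom-C2Response {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Response
    )

    # 4 bytes or fewer: the bot treats the server as down and fails over.
    $byteCount = [System.Text.Encoding]::ASCII.GetByteCount($Response)
    if ($byteCount -le 4) {
        return [pscustomobject]@{ ServerUp = $false; Command = $null; Arguments = @(); IsNoOp = $false }
    }

    # Command and arguments are "!"-separated; the first field is the command.
    # Empty fields (e.g. from a trailing "!") are dropped. @() keeps a single
    # field as an array rather than a string.
    $fields = @(($Response -split '!') | Where-Object { $_ -ne '' })
    $command = if ($fields.Count -gt 0) { $fields[0] } else { $null }
    $arguments = @()
    if ($fields.Count -gt 1) { $arguments = $fields[1..($fields.Count - 1)] }

    [pscustomobject]@{
        ServerUp  = $true
        Command   = $command
        Arguments = $arguments
        IsNoOp    = ($command -eq 'nope')   # the no-op seen during analysis
    }
}

# Constructed replies: a placeholder that fails the length check, the observed
# no-op, and a hypothetical command with arguments to show how "!" is parsed.
$servers = @(
    @{ Url = 'http://c2-1.invalid/'; Body = 'ok' },
    @{ Url = 'http://c2-2.invalid/'; Body = 'nope!' },
    @{ Url = 'http://c2-3.invalid/'; Body = 'cmd!arg1!arg2' }
)
foreach ($s in $servers) {
    $r = ConvertFrom-C2Response -Response $s.Body
    if (-not $r.ServerUp) {
        "{0}: reply of {1} bytes, treated as down, failing over" -f $s.Url, $s.Body.Length
        continue
    }
    "{0}: command={1} args=[{2}] noop={3}" -f $s.Url, $r.Command, ($r.Arguments -join ','), $r.IsNoOp
}
```

Because the liveness check is only a length test, any web server that returns more than 4 bytes, including an error page, will be taken as a live C&C and its body fed to the parser; that is useful to know when sinkholing or emulating the server in a sandbox.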
This threat was proactively detected by Capture ATP w/RTDMI engine.
SonicWall Capture Labs provides protection against this threat via the following signature:
- GAV: EdgeScheduler.DEC (Trojan)