Attackers use a VBS file that launches PowerShell with the execution policy bypass flag

Feb 17, 2015 20:26 GMT  ·  By

A new cybercriminal campaign aiming to infect users’ computers with the Vawtrak banking Trojan has been spotted by security researchers. It relies on a multi-stage compromise routine that starts with Microsoft Word documents laced with malicious macros.

The list of banks targeted by the current campaign includes Bank of America, Barclays, Citibank, HSBC, Lloyds Bank, and J.P. Morgan.

Cybercriminals use evasive tactics

The perpetrators rely on multiple tactics to mask the attack, one of them being to provide seemingly scrambled content in the document, which becomes clear only after turning on the macro feature in the Word software component.

Another is to deliver a VBS file that launches PowerShell with the “-ExecutionPolicy Bypass” flag. The execution policy is a PowerShell setting that system administrators use as a safety mechanism to stop users from running scripts that do not meet the configured requirements, for example unsigned scripts downloaded from the internet.

Passing “Bypass” on the command line tells PowerShell to ignore the configured policy for that session: the script runs without restriction and without producing any warnings or prompts. Microsoft itself does not treat the execution policy as a security boundary, which is why a malicious launcher can switch it off this easily.

The malicious emails purport to be from reputed services such as FedEx, informing of the arrival of a package, or American Airlines, notifying the recipients of a transaction made with their payment card.

All messages have a Word document attached that allegedly offers more details about the matter exposed in the message.

When the victim opens the document, they are prompted to enable macros, a set of commands whose legitimate purpose is to run automated routines in an Office document.

Microsoft disables macros by default in Office applications because the feature has long been abused by malicious actors; a document containing macros opens with a warning bar instead. Users who need macros for automated tasks can still enable them manually from the product, which is exactly what the document’s scrambled content is designed to make them do.

In the Vawtrak campaign, the macro contains commands for downloading a batch file, a VBS script and a PowerShell script. The batch file runs the VBS script, which in turn launches PowerShell to run the script that downloads the malware onto the system.

This three-step infection chain was most likely adopted as an evasion tactic, security researchers at Trend Micro suggest, a theory supported by the use of the “Bypass” execution policy flag when the VBS script launches PowerShell.
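The chain described above (batch file, then Windows Script Host, then PowerShell started with the execution policy set to Bypass) leaves a recognisable trail in process-creation telemetry. The following detection sketch is an added example, not code from the article or from Trend Micro: it runs over constructed process-creation records modelled loosely on Sysmon Event ID 1 / Windows Security event 4688 fields (process ID, parent process ID, image path, command line), resolves the parent chain for every PowerShell process, and flags those whose command line requests the Bypass or Unrestricted policy. Because powershell.exe resolves any unambiguous prefix of a parameter name, the check also matches the abbreviated forms (-ep, -ex, -exec) that malware commonly uses; the minimum prefix length and the treatment of the “/” switch character are approximations noted in the code.

```python
"""Flag PowerShell processes started with an execution policy of Bypass or
Unrestricted and report whether their ancestry matches the
cmd.exe -> wscript.exe -> powershell.exe chain described in the article.

The records below are constructed for this example; they are not real logs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable, as logged
    cmdline: str    # full command line, as logged


_TOKEN = re.compile(r'"[^"]*"|\S+')

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe"}
POWERSHELL = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
RISKY_POLICIES = {"bypass", "unrestricted"}


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def is_execution_policy_switch(token: str) -> bool:
    """True if the token names powershell.exe's -ExecutionPolicy parameter.

    powershell.exe accepts any unambiguous prefix (-ex, -exec, -ExecutionPolicy)
    plus the -ep alias seen in the wild. Requiring at least two characters is an
    approximation that keeps -e (EncodedCommand) out. Both '-' and '/' are
    accepted as the switch character.
    """
    t = token.lower()
    if not t.startswith(("-", "/")):
        return False
    name = t[1:]
    if name == "ep":
        return True
    return len(name) >= 2 and "executionpolicy".startswith(name)


def execution_policy_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the execution policy requested on the command line, lower-cased, or None."""
    toks = tokenize(cmdline)
    for i, tok in enumerate(toks[:-1]):
        if is_execution_policy_switch(tok):
            return toks[i + 1].lower()
    return None


def basename(image: str) -> str:
    """Lower-cased file name of an image path, tolerating either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_bypass_chains(events: List[ProcEvent]) -> List[dict]:
    """One finding per PowerShell process whose policy is Bypass/Unrestricted."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) not in POWERSHELL:
            continue
        policy = execution_policy_from_cmdline(ev.cmdline)
        if policy not in RISKY_POLICIES:
            continue
        # Walk the parent chain as far as the log allows, guarding against pid reuse loops.
        ancestry: List[str] = []
        seen = set()
        cur = by_pid.get(ev.ppid)
        while cur is not None and cur.pid not in seen:
            seen.add(cur.pid)
            ancestry.append(basename(cur.image))
            cur = by_pid.get(cur.ppid)
        findings.append({
            "pid": ev.pid,
            "policy": policy,
            "ancestry": ancestry,
            # The article's chain: a script host below a cmd.exe somewhere above it.
            "matches_article_chain": any(a in SCRIPT_HOSTS for a in ancestry)
            and any(a in SHELLS for a in ancestry),
        })
    return findings


# Constructed sample telemetry (hypothetical paths and PIDs, not from the campaign).
SAMPLE_EVENTS = [
    ProcEvent(100, 50, r"C:\Program Files\Microsoft Office\WINWORD.EXE", r'"WINWORD.EXE" /n invoice.doc'),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\Public\run.bat"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe", r'wscript.exe //B "C:\Users\Public\a.vbs"'),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -ep bypass -NoP -W Hidden -File "C:\Users\Public\p.ps1"'),
    ProcEvent(500, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\inventory.ps1'),
    ProcEvent(800, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(700, 800, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -exec Bypass -c Get-Process"),
]

if __name__ == "__main__":
    for f in find_bypass_chains(SAMPLE_EVENTS):
        print(f)
```

Run stand-alone, the script reports two findings: PID 400 (policy bypass, ancestry wscript.exe, cmd.exe, WINWORD.EXE, matching the article's chain) and PID 700 (policy bypass reached interactively from explorer.exe, not matching). The RemoteSigned launch is not reported. In practice the parent-chain walk would run over a real Sysmon or EDR stream, and the "matches_article_chain" flag would drive alert severity rather than suppress the non-matching hits, since any Bypass launch from an Office descendant deserves a look.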

Most affected users are located in the US

Trend Micro says that this variant of Vawtrak pilfers log-in data for Microsoft Outlook, credentials stored in Google Chrome and Mozilla Firefox, and credentials saved by FTP clients.

The analysis of the malware also revealed that it hooks into the web browser, which lets it read and alter web traffic after the browser has decrypted it, effectively bypassing the protection that SSL is supposed to provide.

Because the connection to the bank is routed through their infrastructure, the cybercriminals can serve the client modified pages that trick the victim into providing two-factor authentication codes, and they can carry out the fraudulent transactions from the victim’s own system, so that the activity appears legitimate to the bank’s servers.

The largest number of infections with this version of Vawtrak has been observed in the US (60.71%), followed by Japan (10.22%), Germany (6.83%), United Kingdom (4.47%) and Australia (3.42%).