On 28 Feb 2019, between 10:15 and 10:45 AM, every PC on the network was hit with a Trojan. The antivirus vendor classified it only as a ‘generic’ Trojan, yet gave it a severity rating of 100 out of 100, and the antivirus itself could not contain the spread. In this article we will look at the actual code and follow along as it goes about its work. We will also note how the damage could have been minimized: with the right control settings, this would have been a non-event.
The first thing we noticed was that the virus could create files in every directory on the PC, which meant it was running with administrator permissions. Some malware gets those permissions by running as the SYSTEM account. In our case it was a bad choice by the previous admin: every user had been made a local administrator.
Take one of those users, Terri. The setting is particularly dangerous because Terri is not only an admin on their own machine; Terri is also an admin on the PC in the next room and the one down the hall. Malware runs with the privileges of the account that launched it, so because Terri is an admin, the virus running under Terri’s account is an admin too, on every one of those machines. That is how the Trojan spread from PC to PC so quickly.
Best practice dictates that users (i.e. employees) should only ever be standard users, never administrators. Software vendors may tell you otherwise, but if the permissions on the program’s folders are set up correctly, a standard user account works just fine.
Stepping through the WPL file’s code, it does the following:
- Generate a random set of characters to use as names for its executable files.
- Create a batch file that will run later and do these five things:
  1. Join the two ‘frag’ files into one file, which receives the EXE extension. This is the virus.
  2. Run the EXE.
  3. Force deletion of the scheduled task that launched the batch file.
  4. Quietly force deletion of the ‘frag’ files.
  5. Delete the batch file itself.
- (Discussed later in this article) Download encrypted data that can be decrypted into a working executable.
- Add a task to the Task Scheduler that fires five minutes from the current time and launches the batch file. It is set to run only once.
Five minutes later the task fires, the batch file runs, and steps 1 through 5 above are carried out.
If the encrypted data fails to download or the EXE cannot be generated, the script deletes the scheduled task early instead. The batch file then never runs, so none of its cleanup happens and the evidence (the ‘frag’ files and the batch file itself) is left behind on disk.
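Here is a hunt for the staging pattern just described: a one-shot Task Scheduler entry whose action is a command shell or script living in a user-writable folder. This is an added example, not code from the article or its author. It parses the CSV that `schtasks /query /fo CSV /v` produces; the export embedded below is a constructed sample in that column layout, not data from the incident, and every host, task and file name in it is made up (the "One Time Only" schedule-type value is assumed). It reports only tasks that show two or more indicators, because a single one (an updater running from AppData, say) is normal on a healthy machine.

```python
"""Hunt a `schtasks /query /fo CSV /v` export for the staging pattern above:
a one-shot task whose action is a shell or script in a user-writable folder."""

import csv
import io
import re

# Constructed sample in the column layout of the verbose CSV export (only the
# columns used here are kept). Host, task and file names are made up; this is
# not data from the incident described in the article.
SAMPLE_EXPORT = r'''"HostName","TaskName","Next Run Time","Status","Author","Task To Run","Schedule Type","Run As User"
"PC-0417","\Microsoft\Windows\Defrag\ScheduledDefrag","3/6/2019 1:00:00 AM","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","Weekly","SYSTEM"
"PC-0417","\AdobeAAMUpdater-1.0-PC-0417-Terri","3/1/2019 2:00:00 PM","Ready","Adobe Systems Incorporated","C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe","Daily","PC-0417\Terri"
"PC-0417","\xkq2mzp8","2/28/2019 10:22:00 AM","Ready","PC-0417\Terri","cmd.exe /c C:\Users\Terri\AppData\Local\Temp\xkq2mzp8.bat","One Time Only","PC-0417\Terri"
"PC-0417","\OneDrive Standalone Update Task-S-1-5-21-111","3/1/2019 9:15:00 AM","Ready","PC-0417\Terri","C:\Users\Terri\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","Daily","PC-0417\Terri"
'''

# Locations any standard user can write to, where a dropper stages its files.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\"
    r"|\\Temp\\|%TEMP%|%TMP%|%APPDATA%|%LOCALAPPDATA%"
    r"|\\ProgramData\\|\\Users\\Public\\",
    re.IGNORECASE,
)
# Interpreters and script extensions used instead of a compiled binary.
SCRIPT_LAUNCH = re.compile(
    r"\b(cmd|powershell|wscript|cscript|mshta)\.exe\b|\.(bat|cmd|vbs|js|wsf|ps1)\b",
    re.IGNORECASE,
)


def task_reasons(row):
    """Return the list of indicators a task shows (empty means nothing odd)."""
    action = row.get("Task To Run") or ""
    reasons = []
    # schtasks reports a /SC ONCE task as "One Time Only" (assumed value).
    if (row.get("Schedule Type") or "").strip().lower() == "one time only":
        reasons.append("runs once")
    if USER_WRITABLE.search(action):
        reasons.append("action lives in a user-writable folder")
    if SCRIPT_LAUNCH.search(action):
        reasons.append("action is a shell or script")
    return reasons


def triage(export_text, min_reasons=2):
    """Return (TaskName, Task To Run, reasons) for tasks with >= min_reasons indicators."""
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row.get("TaskName") == "TaskName":
            continue  # the verbose export can repeat its header row
        reasons = task_reasons(row)
        if len(reasons) >= min_reasons:
            hits.append((row["TaskName"], row["Task To Run"], reasons))
    return hits


if __name__ == "__main__":
    for name, action, reasons in triage(SAMPLE_EXPORT):
        print(f"{name}: {action}\n    -> {', '.join(reasons)}")
```

Collect `schtasks /query /fo CSV /v > tasks.csv` from each host and feed the file contents to `triage`. In the sample only the one-shot `cmd.exe ... .bat` task from Temp is reported; the OneDrive updater, which also lives under AppData, stays below the two-indicator threshold.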
But where did the virus come from?
The initial WPL file arrived as malware downloaded through a link in a phishing email. We know this because the AntiMalware Protection (AMP) on our firewall alerted us to the download and reported the URL it came from. When we asked the two users who had received the email, both admitted clicking the link. They had not clicked on the virus itself; the URL only delivered the “downloader”, which is the .WPL file examined above.
That leaves one unexplained resource: the download. Here are the two arrays involved, an encrypted byte array and its five-byte key:
CodeArray = [5,59,243,44,10,6,56,180,59,1,25,46,180,50,12,0,50,186,114,27,6,49,230,48,25,16,57,175,53,22,14,114,170,37,25,29,40,174,44,25,0,50,169,62,23,13,37,243,50,29,29,103,173,61,17,7,40,180,50,31,71,56,168,50,27,8,50,240,44,20,28,49,191,53,22,14,114,190,51,21];
KeyArray = [105,92,221,92,120]
Our WPL Decryption Tool can be found here.
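The two arrays above are enough to recover what the downloader needs, without the linked tool. The following is an added example, not the article’s WPL Decryption Tool, and it implements the scheme the arrays turn out to use: a repeating-key XOR, where each byte of CodeArray is XORed with the KeyArray byte at the same position modulo five. Applied to the arrays above it yields 80 bytes of printable text, a semicolon-separated list of three hostnames, which is the downloader’s list of payload hosts. Hosts in a list like this are typically compromised third-party sites: do not browse to them, but do search your proxy and firewall logs for them. A non-printable result means the key or the scheme is wrong for the sample in hand, which the function reports instead of guessing; the hosts are printed defanged.

```python
"""Decrypt the CodeArray/KeyArray pair from the WPL file with a repeating-key XOR."""

# The two arrays exactly as they appear in the article.
CODE_ARRAY = [5,59,243,44,10,6,56,180,59,1,25,46,180,50,12,0,50,186,114,27,6,49,230,48,25,16,57,175,53,22,14,114,170,37,25,29,40,174,44,25,0,50,169,62,23,13,37,243,50,29,29,103,173,61,17,7,40,180,50,31,71,56,168,50,27,8,50,240,44,20,28,49,191,53,22,14,114,190,51,21]
KEY_ARRAY = [105,92,221,92,120]


def xor_decrypt(data, key):
    """XOR each byte of data with the key byte at the same index modulo len(key).

    XOR is its own inverse, so the same call encrypts and decrypts.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_hosts(data=CODE_ARRAY, key=KEY_ARRAY):
    """Decrypt and split the semicolon-separated host list the downloader carries.

    Returns (hosts, is_printable). When is_printable is False the key or the
    scheme does not fit this sample and the hosts list should be ignored.
    """
    plain = xor_decrypt(data, key)
    printable = all(0x20 <= b < 0x7F for b in plain)
    text = plain.decode("ascii", errors="replace")
    hosts = [h for h in text.split(";") if h]
    return hosts, printable


if __name__ == "__main__":
    hosts, ok = decode_hosts()
    print("printable plaintext:", ok)
    for host in hosts:
        # Defanged so that nobody clicks or pastes a live hostname by accident.
        print(host.replace(".", "[.]"))
```

The printability check is the cheap sanity test for any suspected XOR config blob: a correct key over ASCII configuration data gives nothing but printable bytes, while an off-by-one in the key offset produces obvious garbage.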