VBE Script Leads to Bank Fraud

I only stumbled on this in the middle, so I don’t know how it is being delivered to users. Apparently this particular scam has been out there since at least August 2013 and it’s still up and running.

This is a VBScript Encoded file (VBE) that starts off the fraud:

[image: 2014-04-05_01]

And it looks like this:

[image: 2014-04-05_02]

Using a VBE decoder, I can convert the file to get the following. You can go here or here for the decoder.

[image: 2014-04-05_03]

There are several functions in this script, and the one at the top deobfuscates the content by doing some math to convert decimal values to ASCII. The AppdataPath and File1 variables look interesting, so I just add this to the script:

[image: 2014-04-05_04]

This pops up the deobfuscated values and then quits before the script executes anything further. Here’s the result, which tells us where the file will be written and where it is downloaded from.

[image: 2014-04-05_05]

Let’s get the second VBE file and decode that one as well.

[image: 2014-04-05_06]

While going through the script, this pops up:

[image: 2014-04-05_07]

This turns out to be a malicious proxy.pac script! Downloading the third file, I get this obfuscated proxy.pac file:

[image: 2014-04-05_08]

After I clean this up, here’s what we get:

[image: 2014-04-05_09]

After analyzing the scripts, here’s what it does: it changes the proxy settings in the IE and Firefox browsers:

[image: 2014-04-05_10]

Then, whenever the user visits one of the sites found in the proxy.pac file, they get redirected to a phishing page but the URL bar shows that they are at the right banking site.

[image: 2014-04-05_11]
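As an added illustration (not code from the original post), here is a small Python triage script for the two artifacts this analysis turns up: a PAC file that routes selected hostnames through an attacker-controlled proxy, and a Firefox prefs.js that has been pointed at such a PAC. The sample PAC and prefs below are constructed with placeholder hostnames, not the indicators from the post.

```python
import re

# Constructed sample PAC, modelled on the behaviour described above.
# Hostnames are placeholders, not the real indicators from the post.
SAMPLE_PAC = r"""
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.bank-example.com.br") ||
      dnsDomainIs(host, "bank-two.example")) {
    return "PROXY proxy.attacker-example.invalid:8082";
  }
  return "DIRECT";
}
"""

# Constructed Firefox prefs.js fragment: type 2 means "use a PAC URL".
SAMPLE_PREFS = r"""
user_pref("network.proxy.type", 2);
user_pref("network.proxy.autoconfig_url", "http://proxy.attacker-example.invalid:8082/proxy.pac");
"""

HOST_RE = re.compile(
    r'(?:shExpMatch|dnsDomainIs|localHostOrDomainIs)\(\s*host\s*,\s*"([^"]+)"\s*\)')
RETURN_RE = re.compile(r'return\s+"([^"]+)"')
PREF_RE = re.compile(r'user_pref\("(network\.proxy\.[^"]+)",\s*(.+?)\);')


def proxied_hosts(pac_text):
    """Map each host pattern to the proxy string of the branch it sits in.
    Static heuristic: every pattern that appears before a `return` is
    attributed to that return value, which is enough for flat PAC files."""
    result, pos = {}, 0
    for m in RETURN_RE.finditer(pac_text):
        for h in HOST_RE.findall(pac_text[pos:m.start()]):
            result[h] = m.group(1)
        pos = m.end()
    return result


def suspicious_proxies(pac_text, allowed_proxies=()):
    """Host patterns that are sent through a PROXY not on the allow list."""
    return {h: p for h, p in proxied_hosts(pac_text).items()
            if p.upper().startswith("PROXY")
            and p.split(None, 1)[1] not in allowed_proxies}


def firefox_pac_setting(prefs_text):
    """Return the PAC URL if Firefox has been switched to PAC mode, else None."""
    prefs = {k: v.strip().strip('"') for k, v in PREF_RE.findall(prefs_text)}
    if prefs.get("network.proxy.type") == "2":
        return prefs.get("network.proxy.autoconfig_url")
    return None
```

In an investigation the same functions can be run over the real proxy.pac and a user's prefs.js; the IE equivalent is the AutoConfigURL value under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.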

Truncating the path reveals an open directory containing the files that make up the phishing page, a sign that we are not on the legitimate site.

[image: 2014-04-05_12]

Here’s what the real banking site looks like:

[image: 2014-04-05_13]

Packet captures show that our traffic is indeed being sent to the phisher’s site when we attempt to visit one of those Brazilian bank sites.

[image: 2014-04-05_14]

Here’s information about the domains and files:

Domain: eua.bestworked[.]com
IP: 64.74.223[.]40

Domain: euas.bestworked[.]com:8082
IP: 64.74.223[.]40

Domain: mn.dmanwork[.]com:8082
IP: 8.5.1[.]49

Filename: update.vbe
MD5: a8f52fb1a543abf5ac18ae2dbc0351e8
VT: 3/48

Filename: seta.vbe
MD5: 3fc44dae258d0316179541db44d09ad7
VT: 4/51
