This article discusses a malware sample that skillfully employs obfuscated VBScript and PowerShell to evade detection and complicate analysis. The attacker uses several obfuscation techniques, including irrelevant comments, time-based delays, and string manipulation, to confuse security analysts. The malware combines traditional methods with new approaches, highlighting the need for continuous vigilance in cybersecurity. Affected: malware analysis, cybersecurity
Key points:
- The malware uses obfuscated VBScript to execute obfuscated PowerShell to evade detection.
- The malware has a low detection rate and uses sophisticated methods to evade analysis.
- Obfuscation techniques include irrelevant comments, time-based delays, and string splitting/concatenation.
- VBScript code intentionally disrupts logical order to mislead analysts.
- The PowerShell script utilizes a user-defined algorithm for further obfuscation.
- The malware is effective in downloading payloads from remote locations.
- Two primary hashes (MD5 and SHA256) are provided for identification of the malware sample.
- The layering of these evasion strategies points to an increasingly proactive threat landscape.
MITRE Techniques:
- T1063 – Application Layer Protocol: The VBScript uses HTTP to download malicious payloads from remote URLs.
- T1071 – Application Layer Protocol: The obfuscation of PowerShell leverages application layer protocols to transfer the malicious payload.
- T1203 – Exploitation for Client Execution: The use of time delays and obfuscation techniques serves as an exploitation tactic for executing malicious payloads without detection.
Indicators of Compromise:
- [MD5] 0e513e80fc18e3db4f0eb6ecb558534b
- [SHA256] 7444d08579781b3d7b233e9fd3e7f9b31a85837c29adf2f4ae7965a628078639
- [URL] hxxps[:]//aghayezayeat[.]ir/kids/Tyrosines.lzh
- [IP Address] 185[.]159.153.133
Full Story: https://malwareanalysisspace.blogspot.com/2025/03/the-art-of-evasion-how-attackers-use.html