Most of the time, links aren’t dangerous without user interaction. Recently, we discovered an innocent-looking link for a JPG picture that prompts a user to activate ActiveX on IE. Leveraging a social engineering technique, if the user activates ActiveX their machine will be infected by the RAMNIT.A Worm.
Figure 1: Submitting the Link to VMRay Analyzer for Analysis
Let’s take a closer look at the analysis to understand the malicious behaviors triggered by this URL.
After submitting the URL to VMRay Analyzer, we get a VTI Score of 100/100 (Figure 2), clearly extremely malicious.
Figure 2: Ramnit Worm VTI Score: 100/100
The VTI Score overview tells us that the visited website downloads and executes code that is most likely malicious. What happens here?
The screenshot of the website shows us that the requested picture wasn’t found – 404. But this error page doesn’t look like a normal 404 error page. We want to see the source code of this error page. This is easy because the analyzer captures the whole network traffic. We open the PCAP file with Wireshark and follow the HTTP Stream of this requested picture.
The header looks still normal to us, like a 404 error page (Figure 3)
Figure 3: PCAP File shows the HTTP Stream of the Requested Picture
But the source code of this error page solves the mystery (Figure 4).
Figure 4: Source Code Shows VBScript
At the end of this webpage, there is a Visual Basic Script which will start if ActiveX is running on the browser.
This Visual Basic Script will confirm what we already suspect (Figure 5).
Figure 5: VBS Script Starts if ActiveX is Running on the Browser
The ‘DropFileName = “svchost.exe” ‘ is already well known as the name of the dropped PE file shown in the VTI Information. Until ‘Set WSHshell = CreateObject(“WScript.Shell”) ‘ the script only drops the malicious “svchost.exe” to the user’s temporary folder, which is completely written down in the variable “WriteData”. After that, it creates a shell-object to run this malicious “svchost.exe”.
The dropped “svchost.exe” is well known as the RAMNIT.A worm which spreads through removable drives and also functions as a backdoor.
This technique isn’t that new but is another example of how malware authors can leverage social engineering techniques to exploit a user’s machine. Clearly, this URL should be on your blacklist. One way to automate that blacklisting process is to use a connector that we provide through our REST API to extract the IOCs and the threat score automatically after analysis.