Many adversaries abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core. VB can be abused in Microsoft Office Macros, as standalone script files, within HTA files and run on the command line as a method of evading detection, hiding code or otherwise used as a method of general execution. In the targeted technique, an adversary will utilize a registry key containing an HTA application or vbscript and utilize a script interpreter or rundll32 to run vbscript that will execute the code from the registry. This is a method of defense evasion to hide code in unsuspecting places, but still be able to execute it.
Tactic(s): Defense Evasion, Execution
Technique(s): Mshta (T1059.005), Visual Basic (T1218.005)
This technique was observed being utilized by Nobelium’s (UNC2452) Sibot malware in early 2021. According to Microsoft “Sibot is a dual-purpose malware implemented in VBScript. It is designed to achieve persistence on the infected machine then download and execute a payload from a remote C2 server. The VBScript file is given a name that impersonates legitimate Windows tasks and is either stored in the registry of the compromised system or in an obfuscated format on disk. The VBScript is then run via a scheduled task.” Aside from the reported Nobelium activity, analysts can verify the vbscript code run in the command line parameters and locate a registry key to find the intended script being executed. VBScript in most cases is relatively obvious that it is a script, given the likely length and inclusion of keywords such as Execute, vbscript, Shell.Application, etc. In many cases the code in the value will be heavily obfuscated and require decoding using tools like CyberChef. If unsure of the encoding schema, try using the “Magic” function with Intense Mode on. Additionally, as indicated by the Nobelium activity noted above, searching for suspicious scheduled tasks containing a registry value in its details can be indicative of a scheduled task that executes the code stored in the registry key observed.