Threat behavior
TrojanDownloader:VBS/Obfuse uses a malware obfuscation technique, a process that disguises binary and textual data to make it difficult to understand and/or detect. It works as digital camouflage, allowing attackers to disguise malicious files and processes as legitimate ones.
Obfuscation techniques can come in different forms:
- Packing: This involves compressing the malware into a smaller file and including a built-in tool that unpacks it when it runs. This makes it harder for antivirus programs to inspect the malware before it activates.
- Encryption: Parts of the malware’s code are scrambled or encoded so they can’t be read until the malware is actually running. This helps it avoid detection during scans.
- Polymorphism: The malware constantly changes how its code looks while keeping its harmful behavior the same. This allows it to slip past security systems that rely on recognizing known patterns.
TrojanDownloader:VBS/Obfuse creates the following files:
- C:\Program Files\Google\Temp\GUM1CC5.tmp
- C:\PROGRA~2\MICROS~1\OFFICE\DATA\opa12.dat
- C:\Users\ADMINI~1\AppData\Local\Temp\~DF54E67A1A47FA9131.TMP
- C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0000.doc
- C:\Program Files\Google\Policies
- C:\Users\<USER>\AppData\Roaming\Microsoft\Templates\Normal.dotm
- C:\Users\<USER>\Desktop\design.docm
- C:\Users\<USER>\AppData\Roaming\Microsoft\Office\Recent\design.docm.LNK
- C:\Users\<USER>\AppData\Local\Temp\VBE\MSForms.exd
- C:\Users\<USER>\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
- C:\Users\user\AppData\Local\Temp\VBE
- C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
- C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier
This malware also sets the following registry keys:
- HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems\ sc
- HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems\r$d
- HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems\dje
TrojanDownloader:VBS/Obfuse also creates the following processes:
- "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" "C:\Users\<USER>\Desktop\attachment.docm"
- C:\Windows\Explorer.EXE
- "C:\Users\<USER>\AppData\Local\Temp\rad0EDCC.tmp.exe"
- C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
- "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
- "C:\Program Files\WindowsApps\Microsoft.WidgetsPlatformRuntime_1.6.2.0_x64__8wekyb3d8bbwe\WidgetService\WidgetService.exe" -RegisterProcessAsComServer -Embedding
This malware also communicates with the following hosts:
Prevention
Guidance for individual users
Keep your operating system and antivirus products up to date. Customers who have turned on automatic updates do not need to take additional action.
Take these steps to help prevent malware infection on your computer.
Guidance for enterprise administrators and Microsoft 365 Defender customers
Ransomware attacks enterprises more often than individuals. Following the mitigation steps below can help prevent ransomware attacks.
Microsoft recommends the following mitigations to reduce the impact of this activity.