Analysis of the code - capabilities of WSH RAT
In a previous post I wrote about the link between WSH RAT and some other crypter services, so in this post I'm going to dig a bit into the code itself.
In essence, WSH RAT generates malicious JS or VBS payloads based on HWorm. A good write-up of the functionality of HWorm version 2.0 was recently published by StrangerealIntel in this post, but I will add a couple of interesting things.
WSH RAT builder
I took a look at one of the WSH RAT builders from a few months back (a version from July).
The builder also acts as the C2.
The first interesting aspect is that the malicious payload, which is HWorm (in both its VBS and JS forms), is embedded in the builder's resources.
All the additional plugins (RDP, file manager, offline keylogger, etc.) are fetched from URLs that are hardcoded in the builder itself. This means the plugins are hosted on a system owned by the developer of the builder, so the criminal using the builder has no control over the plugins being pushed to the infected system:
Password stealer
The password stealer capability is based on the PasswordStealer tool from @tresacton's GitHub: https://github.com/tresacton/PasswordStealer.
Download and Execute / Upload and Execute
WSH RAT is used to deploy additional malware. As mentioned previously, the builder also acts as the C2.
The additional payload can be pushed in two different ways: by downloading the file from an external URL, or by uploading the file through the WSH builder. The code for both methods is below: