Autoit Script VM Detection

While looking at one of the samples reported to be a part of Norman's excellent "Unveiling an Indian Cyberattack Infrastructure - a special report" LINK, I saw something that caught my eye. I haven't looked at AutoIt scripting in a while, and during dynamic analysis I saw nothing of interest. I recall reading an analysis by malware-lu that used EXE2Aut to extract the AutoIt script, so after extracting the script myself the following routine stood out. The function speaks for itself. I have removed lines from the script so it won't compile, to prevent cutting and pasting.

Func _checkvm()
 $strcomputer = "."
        __REMOVED
 $vmhit_count = 0
 $vmhit_details = ""
 If ProcessExists("VBoxService.exe") OR ProcessExists("VBoxTray.exe") OR ProcessExists("VMwareTray.exe") OR ProcessExists("VMwareUser.exe") Then _addvmhit($vmhit_count, $vmhit_details, "RUNNING SOFTWARE", "Found a Vbox or VMware guest OS service or tray process")
 If NOT IsObj($objwmiservice) Then
  Return ""
        __REMOVED
 $colitems = $objwmiservice.execquery("SELECT * FROM Win32_DiskDrive", "WQL", 16 + 32)
 If IsObj($colitems) Then
  For $objitem In $colitems
   $vreturn = $objitem.model
   Select 
    Case StringInStr($vreturn, "VBOX HARDDISK")
     _addvmhit($vmhit_count, $vmhit_details, "DISKS", 'Found device "VBOX HARDDISK"')
    Case StringInStr($vreturn, "QEMU HARDDISK")
     _addvmhit($vmhit_count, $vmhit_details, "DISKS", 'Found device "QEMU HARDDISK"')
    Case StringInStr($vreturn, "VMWARE VIRTUAL IDE HARD DRIVE")
     _addvmhit($vmhit_count, $vmhit_details, "DISKS", 'Found device "VMWARE VIRTUAL IDE HARD DRIVE"')
    Case StringInStr($vreturn, "VMware Virtual S SCSI Disk Device")
     _addvmhit($vmhit_count, $vmhit_details, "DISKS", 'Found device "VMware Virtual S SCSI Disk Device"')
   EndSelect
  Next
 EndIf
 $colitems = $objwmiservice.execquery("SELECT * FROM Win32_BIOS", "WQL", 16 + 32)
 If IsObj($colitems) Then
  For $objitem In $colitems
   Select 
                     __REMOVED
     _addvmhit($vmhit_count, $vmhit_details, "BIOS", "Found Vbox BIOS version")
    Case StringInStr($objitem.smbiosbiosversion, "virt")
     _addvmhit($vmhit_count, $vmhit_details, "BIOS", "Found Vbox BIOS version")
   EndSelect
  Next
 EndIf
 $colitems = $objwmiservice.execquery("SELECT * FROM Win32_Baseboard", "WQL", 16 + 32)
        __REMOVED
  For $objitem In $colitems
   Select 
    Case StringInStr($objitem.name, "Base Board") AND StringInStr($objitem.product, "440BX Desktop Reference Platform")
     _addvmhit($vmhit_count, $vmhit_details, "MOTHERBOARD", 'Found VMware-style motherboard, "440BX Desktop Reference Platform" / Name="Base Board"')
   EndSelect
  Next
 EndIf
 If $vmhit_count >= 2 Then
        __REMOVED
 Else
  Return ""
 EndIf
EndFunc

Interesting to see AutoIt scripts/executables being used as disposable installers for the first round of an attack. The script is 2500 lines long. I'm somewhat surprised by how much attackers can do with AutoIt scripts. It might be worth looking for User-Agents of "AutoItScript/".
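As an added example (not from the post or from the sample), here is a small Python triage script that pulls the kinds of indicators the routine above checks for (process names, WMI classes and StringInStr literals) out of a decompiled AutoIt script, so an analyst can flag VM-aware samples statically before deciding how to run them. SAMPLE_SCRIPT is a constructed fragment modelled on _checkvm(), and VM_TERMS is an assumed list of substrings that all appear in the routine above.

```python
"""Static triage of a decompiled AutoIt script for VM/sandbox-detection artifacts."""
import re

# Constructed sample: a fragment modelled on the _checkvm() routine (not the real script).
SAMPLE_SCRIPT = r'''
Func _checkvm()
 If ProcessExists("VBoxService.exe") OR ProcessExists("VMwareTray.exe") Then _addvmhit(...)
 $colitems = $objwmiservice.execquery("SELECT * FROM Win32_DiskDrive", "WQL", 16 + 32)
 Case StringInStr($vreturn, "VBOX HARDDISK")
 Case StringInStr($objitem.smbiosbiosversion, "virt")
 $colitems = $objwmiservice.execquery("SELECT * FROM Win32_Baseboard", "WQL", 16 + 32)
 Case StringInStr($objitem.product, "440BX Desktop Reference Platform")
 Case StringInStr($sname, "setup.exe")
EndFunc
'''

PROCESS_RE = re.compile(r'ProcessExists\(\s*"([^"]+)"\s*\)', re.IGNORECASE)
WMI_RE = re.compile(r'execquery\(\s*"SELECT\s+\*\s+FROM\s+(\w+)"', re.IGNORECASE)
# StringInStr(<haystack expression>, "<needle>") with either quote style
STRING_RE = re.compile(r"""StringInStr\(\s*([^,]+?)\s*,\s*(["'])(.*?)\2\)""", re.IGNORECASE)
# Assumed substrings that mark a literal as virtualisation-related
VM_TERMS = ("vbox", "vmware", "qemu", "virt", "440bx")


def _is_vm_term(text: str) -> bool:
    return any(term in text.lower() for term in VM_TERMS)


def triage_autoit(script: str) -> dict:
    """Return the VM-detection indicators a decompiled AutoIt script checks for."""
    processes = sorted(set(PROCESS_RE.findall(script)))
    wmi_classes = sorted(set(WMI_RE.findall(script)))
    # Only needles naming a hypervisor artifact count; "setup.exe" style checks are dropped
    vm_strings = [(expr, needle) for expr, _q, needle in STRING_RE.findall(script)
                  if _is_vm_term(needle)]
    vm_processes = [p for p in processes if _is_vm_term(p)]
    return {
        "processes": processes,
        "wmi_classes": wmi_classes,
        "vm_strings": vm_strings,
        "vm_aware": bool(vm_processes or vm_strings),
    }


if __name__ == "__main__":
    report = triage_autoit(SAMPLE_SCRIPT)
    print(f"VM-aware: {report['vm_aware']}")
    for key in ("processes", "wmi_classes", "vm_strings"):
        for item in report[key]:
            print(f"  [{key}] {item}")
```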

2 comments:

  1. Hey cool find. Excuse my ignorance but does AutoIt need to be installed in order for the script to run right? So is the malware author assuming that the target has it installed?

    thanks

    Replies
    1. Via AutoIt's site ( http://www.autoitscript.com/site/autoit/ )

      "AutoIt has been designed to be as small as possible and stand-alone with no external .dll files or registry entries required making it safe to use on Servers. Scripts can be compiled into stand-alone executables with Aut2Exe."

      They need to be executed like any other executable, either via CreateProcess or ShellExecute or double clicking. The autoit executable I looked at was UPX packed and written to disk and executed by WinRar executable installer. I was originally under the impression that AutoIt was used as installers but it has a rich feature set. Check out the author's site.
