It’s called the Vengeance Justice Worm (Vjw0rm), but think of it as the Leatherman tool of malware. Vjw0rm wreaks havoc in highly versatile ways: information theft, denial of service (DoS) attacks, and self-propagation to name a few. Cofense™ has spotted this hybrid threat—a cross between a worm and a remote access trojan (RAT)—in a recent phishing campaign dangling a banking lure.
Besides being a multi-purpose threat, Vjw0rm is publicly available. Threat actors with minimal skills can use it to target organizations of all shapes and sizes. A tip to defend yours: control USB usage to stop one of the primary ways this malware spreads. An end-to-end phishing defense helps, too. Cofense can help with solutions that stop phishing attacks in minutes.
Each sample of Vjw0rm has an identification number that is unique to the JS file. The identification number can be seen in the running memory strings and in the JS file itself (see Figures 1 and 2), and it is used in the decryption algorithm. Although the JS file appears to be written in Arabic, the encoded strings are ordinary JS code characters shifted into the Arabic character set. The encoder takes the original source code as Unicode, resolves each character to its character code, adds an offset produced by a simple calculation on the length of the identification number, and passes the result to ‘String.fromCharCode()’, which yields the Arabic-looking characters.
Figure 1 shows the identification number found in running memory strings.
Figure 2 shows the identification number within the JS file viewed through a text editor.
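The shift described above can be reversed once the offset is known, and an analyst who does not yet know the exact calculation can recover it by searching for an offset that yields readable JS. The following is an added example written for this post, not Cofense’s code or anything taken from the sample; the offset formula (`0x0600 + len(sample_id)`), the sample ID and the encoded string are all constructed assumptions, since the write-up does not give the real calculation.

```python
# Added example: reverse the "shift into the Arabic block" string encoding.
# ASSUMPTION: offset = start of the Arabic Unicode block + length of the sample ID.
# The real calculation is not given in the write-up, so treat this as tunable.
ARABIC_BLOCK = range(0x0600, 0x0700)
ASCII_WHITESPACE = {0x09, 0x0A, 0x0D}


def decode_with_offset(encoded: str, offset: int):
    """Subtract `offset` from every character code; return None if the result
    is not plausible JS source (printable ASCII plus tab/newline)."""
    codes = [ord(ch) - offset for ch in encoded]
    if any(not (0x20 <= c <= 0x7E or c in ASCII_WHITESPACE) for c in codes):
        return None
    return "".join(chr(c) for c in codes)


def offset_for(sample_id: str) -> int:
    """Hypothetical offset derivation (assumption, see lead-in)."""
    return ARABIC_BLOCK.start + len(sample_id)


def decode_layer(encoded: str, sample_id: str) -> str:
    """Decode one encoding layer using the per-sample ID."""
    text = decode_with_offset(encoded, offset_for(sample_id))
    if text is None:
        raise ValueError("offset formula does not fit this sample; try guess_offsets()")
    return text


def guess_offsets(encoded: str, markers=("WScript", "function", "var ", "ActiveXObject")):
    """Brute-force the offset across the Arabic block, keeping only offsets whose
    decoding contains a typical JS token. Useful when the ID calculation is unknown."""
    hits = []
    for off in ARABIC_BLOCK:
        text = decode_with_offset(encoded, off)
        if text is not None and any(m in text for m in markers):
            hits.append(off)
    return hits


def arabic_ratio(text: str) -> float:
    """Triage helper: fraction of characters that fall in the Arabic block."""
    if not text:
        return 0.0
    return sum(1 for c in text if ord(c) in ARABIC_BLOCK) / len(text)


# Constructed sample: the token 'WScript' with every character code shifted by
# 0x0608 (0x0600 + the length of the 8-character constructed ID below).
SAMPLE_ID = "ABCD1234"
ENCODED = "".join(chr(c) for c in [0x065F, 0x065B, 0x066B, 0x067A, 0x0671, 0x0678, 0x067C])

if __name__ == "__main__":
    print("arabic ratio:", arabic_ratio(ENCODED))
    print("decoded with ID formula:", decode_layer(ENCODED, SAMPLE_ID))
    print("candidate offsets:", [hex(o) for o in guess_offsets(ENCODED)])
```

Run `arabic_ratio()` first on a suspicious script: a JS file that is almost entirely Arabic-block characters yet runs under WScript is the pattern described in this post, and `guess_offsets()` then narrows the shift without knowing the ID calculation.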
Vjw0rm can also act as an information stealer. This ability is seen in many ways, including the method used to communicate with and exfiltrate data to Vjw0rm’s Command and Control (C2). After successful execution, the sample gathers information, effectively fingerprinting the machine. Vjw0rm then appends the gathered data to the User-Agent field of the HTTP POST request it sends to the C2. By default, the POST is sent to the ‘/Vre’ subdirectory of the host. Figure 3 depicts the use of the User-Agent to exfiltrate data and the default subdirectory.
Figure 3 shows the User-Agent data.
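The C2 beacon described above (an HTTP POST to the default ‘/Vre’ path, with the host fingerprint riding in the User-Agent) is easy to hunt for in proxy logs. The following detection logic is an added example, not Cofense’s tooling or anything from the sample; the log line layout and the three log lines are constructed, and the exact field separator Vjw0rm uses inside the User-Agent is not given in the post, so the “delimited fingerprint” heuristic is an assumption.

```python
# Added example: flag Vjw0rm-style C2 beacons in a constructed proxy log.
# Log format (assumed): "<timestamp> <method> <host> <path> \"<user-agent>\"".
import re

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)

# Prefixes of User-Agents that are expected to send POSTs in this environment.
KNOWN_UA_PREFIXES = ("Mozilla/", "curl/", "Microsoft-Delivery-Optimization/")


def is_browser_like(ua: str) -> bool:
    return ua.startswith(KNOWN_UA_PREFIXES)


def analyze_line(line: str):
    """Return (fields, reasons) for a parsed line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    reasons = []
    # Default Vjw0rm C2 path from the write-up.
    if d["method"] == "POST" and d["path"].rstrip("/").lower().endswith("/vre"):
        reasons.append("post_to_default_vre_path")
    # A POST from something that is not a known client is worth a look on its own.
    if d["method"] == "POST" and not is_browser_like(d["ua"]):
        reasons.append("non_browser_user_agent")
    # ASSUMPTION: fingerprint data is joined with a repeated delimiter, which real
    # browser User-Agents never contain in this quantity.
    if d["ua"].count("\\") >= 2 or d["ua"].count("_") >= 3:
        reasons.append("delimited_fingerprint_in_user_agent")
    return d, reasons


def flag_suspicious(lines):
    """Return (host, path, reasons) for every line that trips at least one rule."""
    hits = []
    for line in lines:
        result = analyze_line(line.rstrip("\n"))
        if result and result[1]:
            fields, reasons = result
            hits.append((fields["host"], fields["path"], reasons))
    return hits


# Constructed sample log: one normal page load, one beacon, one legitimate API POST.
SAMPLE_LOG = [
    '2023-05-02T10:00:01Z GET www.example.com /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/112.0"',
    '2023-05-02T10:00:05Z POST c2.example.invalid /Vre "ABCD1234_DESKTOP-01_user_Microsoft Windows 10 Pro_True_False"',
    '2023-05-02T10:00:09Z POST api.example.com /v1/upload "Mozilla/5.0 (compatible; UpdateAgent/1.0)"',
]

if __name__ == "__main__":
    for host, path, reasons in flag_suspicious(SAMPLE_LOG):
        print(f"{host}{path}: {', '.join(reasons)}")
```

The path rule alone catches the default configuration, which this post notes amateur operators tend to leave untouched; the User-Agent rules are there for the case where an operator changes the path but keeps the exfiltration channel.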
This sample reads cookie session data and clipboard strings and attempts to steal user credentials. Figure 4 depicts the cookie harvesting capabilities seen in running memory strings.
Figure 4 shows the cookie data gathered by Vjw0rm.
This malware family has the ability to connect back to an operator’s C2 for further instructions as well as self-propagate across endpoints. The operator’s control panel for Vjw0rm allows further payloads to be sent to and executed on the endpoint via File Transfer Protocol (FTP). This hybrid can even force the endpoint to download and execute a payload from a link, which lets the operator stage payloads in different locations without exposing the entire C2 infrastructure. Figure 5 shows the operating console with the ability to deliver a payload via a link. Figure 6 shows the connection strings within the process memory.
Figure 5 shows the operating console of Vjw0rm.
Figure 6 shows the connection strings in the process memory.
The defining worm-like characteristic that Vjw0rm shows is the ability to spread via removable drives. This sample scanned the machine for any attached DriveType 2 devices so it could copy itself to the drive. Once on the drive, Vjw0rm sets all files and folders on the removable drive to “system hidden” and creates an icon with the name of one of the legitimate files it just hid. This icon is a shortcut that, when opened, executes the copy of Vjw0rm hidden on the drive.
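The removable-drive pattern above (everything set to system+hidden, plus a shortcut named after one of the hidden files) leaves a recognisable footprint that can be checked before anyone double-clicks the decoy. The triage script below is an added example, not Cofense’s code or the sample’s; it parses the text output of the Windows `attrib` command for a drive root, and both listings it runs on are constructed. Treating a hidden script file as an extra indicator is an assumption based on the post’s statement that the hidden copy of Vjw0rm lives on the drive.

```python
# Added example: triage an `attrib` listing of a removable drive for the
# "hide everything and drop a look-alike shortcut" pattern.
import ntpath
import re

# attrib prints attribute letters (A, S, H, R, ...) followed by the full path.
ATTRIB_RE = re.compile(r"^([A-Z ]*?)\s*([A-Za-z]:\\.*?)\s*$")

# ASSUMPTION: a hidden file with one of these extensions is the dropped script.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}


def parse_attrib(output: str):
    """Yield (flag_set, path) for each line of attrib output."""
    entries = []
    for line in output.splitlines():
        m = ATTRIB_RE.match(line.rstrip())
        if m:
            flags, path = m.groups()
            entries.append((set(flags.replace(" ", "")), path))
    return entries


def _stem(path: str) -> str:
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def triage_removable_listing(output: str) -> dict:
    entries = parse_attrib(output)
    hidden_system = [p for flags, p in entries if {"S", "H"} <= flags]
    hidden_stems = {_stem(p) for p in hidden_system}
    decoy_shortcuts, hidden_scripts = [], []
    for flags, path in entries:
        ext = ntpath.splitext(path)[1].lower()
        # A .lnk carrying the same name as a file that is now system+hidden.
        if ext == ".lnk" and _stem(path) in hidden_stems:
            decoy_shortcuts.append(path)
        if {"S", "H"} <= flags and ext in SCRIPT_EXTS:
            hidden_scripts.append(path)
    return {
        "hidden_system": hidden_system,
        "decoy_shortcuts": decoy_shortcuts,
        "hidden_scripts": hidden_scripts,
        # The decoy shortcut is the element that makes this the Vjw0rm pattern.
        "suspicious": bool(decoy_shortcuts),
    }


# Constructed attrib output for an infected drive E: (not real sample data).
INFECTED_LISTING = r"""
A    SH      E:\Quarterly Report.docx
A    SH      E:\photos
A    SH      E:\update.js
A            E:\Quarterly Report.lnk
A            E:\readme.txt
"""

# Constructed attrib output for a clean drive.
CLEAN_LISTING = r"""
A            E:\Quarterly Report.docx
A            E:\photos
A            E:\readme.txt
"""

if __name__ == "__main__":
    for label, listing in (("infected", INFECTED_LISTING), ("clean", CLEAN_LISTING)):
        print(label, triage_removable_listing(listing))
```

Feed it the output of `attrib` run against the drive root; a hit on `decoy_shortcuts` is the signal to pull the drive for analysis rather than open anything on it, and the hidden script path tells you which file to submit.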
This malware family can also copy itself into various locations in the operating system, including the startup folder. Vjw0rm has the ability to edit registry keys so the scripts can hide and persist within the operating system. Figure 7 shows the console building process for the JS payload with all of the options discussed above, including the USB detection and infection process.
Figure 7 shows the call to the USB-spread build function within the builder.
Denial of Service
This sample of Vjw0rm also shares some capabilities that would otherwise be seen in a botnet. It showed it could deploy several different types of DoS attacks, including an advertisement flood. Other botnet-like features this sample displayed include Domain Name System (DNS) request manipulation, plus the ability to send and receive spam email. Figures 8 and 9 show the strings related to the botnet-like capabilities described above.
Figure 8 shows the DoS strings in running memory.
Figure 9 shows strings related to the DNS manipulation capabilities.
Vjw0rm has multiple capabilities that allow operators to deliver different payloads for specific tasks. The ease of public access to this malware family lends itself to amateur operators, as seen in this sample, where all defaults are left on and unchanged. The ability to spread through USB and accept remote access connections makes this malware a hybrid between a worm and a RAT. This hybrid allows for both the exfiltration of information and further payload execution, while being able to self-propagate.
Learn more about how Cofense Intelligence analyzes and reports on malware and phishing threats.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.