Phishing Campaign Uses Banking Lure to Deliver Vjw0rm Worm/RAT

credit card on fish hook

A new phishing campaign uses a banking lure to deliver a hybrid worm/remote access trojan (RAT) called Vengeance Justice Worm (Vjw0rm).

First released in November 2016, Vjw0rm is a hybrid threat in that it can behave like a worm or a RAT. This cross-functionality makes Vjw0rm appealing to digital attackers, as they can use it to target various types and sizes of organizations. Additionally, the threat is publicly available, which makes it easier for amateur bad actors with minimum skills to obtain the malware, deploy it in various phishing campaigns and even ask for help with using it.

In their analysis of this latest phishing campaign, researchers with Cofense Intelligence found an identification number in the running memory strings and the JS file of each Vjw0rm sample. They determined that the number is unique to each JS file and factors into its decryption algorithm. Specifically, the analysts observed that the threat uses a calculation involving the length of the identification number and adds the results to the character code before using ‘String.fromCharCode()’ to convert the results of the file into Arabic.

Vjw0rm’s Infection Arsenal

Resolving the JS file aided Cofense Intelligence in its detection of Vjw0rm’s various capabilities. These means of attack include the following:

Data theft

Upon execution, the threat gathers information about the system including user credentials, clipboard content and cookie session data. It then appends this information to the User-Agent field within a HTTP POST request to its command-and-control (C&C) server. Vjw0rm sends this request to the ‘/Vre’ subdirectory of the host by default. 

That’s not the only way that Vjw0rm can steal an infected machine’s data. Cofense Intelligence noted that attackers may use the threat’s control panel to send and execute additional payloads via the File Transfer Protocol (FTP). These payloads, which can execute from a link and thereby not give away Vjw0rm’s entire C&C architecture, may include other information stealers.

Self-propagation

Cofense Intelligence found that much of Vjw0rm’s worm-like behavior rests in its ability to spread via removable drives. As the phishing threat intelligence provider explains in a blog post:

This sample scanned the machine for any DriveType 2 devices attached so that it can copy itself to the drive. Once on the drive, Vjw0rm sets all files and folders on the removable drive to “system hidden” and creates an icon with the name of one of the legitimate files previously hidden. This icon is a shortcut set to execute the copy of Vjw0rm hidden on the drive when opened.

Additionally, the threat is capable of copying itself throughout the operating system and startup folder. It can even persist in the operating system by editing registry keys.

Denial of service

Last but not least, Vjw0rm can function as a botnet by deploying advertisement floods and other types of denial-of-service (DoS) attacks. It can also manipulate Domain Name Service (DNS) requests as well as send and receive spam emails. This latter functionality allows the threat to spread to compromise additional machines, where the infection cycle can begin anew.

Defending against Hybrid Threats

To defend against a hybrid threat like Vjw0rm, organizations should monitor their USB devices and control how they are used in order to block malware from self-propagating. They should also implement a robust phishing solution to watch out for spam emails sent out by Vjw0rm. This utility should offer layers of email protection by analyzing a suspicious email’s IP address and URL. It should also examine the content of the email for targeted phrases, campaign patterns and behavior indicative of both known and zero-day malware, all while ensuring that the right emails continue to make their way into the organization.

Use the right email security solution to minimize risks with 99.5% accuracy.