Friday, July 5, 2019

AutoIt Compiled FORMBOOK malware bypassing UAC, Anti-VM and Obfuscation ...

AutoIt is one of the compilers most heavily abused by malware because of its flexibility, because its scripts are as easy to obfuscate as any other scripting language, and because decompressing an AutoIt-compiled file is quite expensive for some AV products. I found one malware sample of "FORMBOOK" that uses this compilation. In this post I will show some of the techniques it uses to bypass UAC, plus its anti-VM checks, obfuscation, etc.

So let's start :)

FORMBOOK Code Obfuscation:

Upon extracting the AutoIt script of this malware, you can see right away that its code is obfuscated and that some of its strings are encoded.

figure 1: formbook autoit script

Decoding Process:

Two functions are responsible for decoding the encoded strings: "FUNC VXAUWUFVKBKH" and "FUNC MIBYZTSVUFNMTML". "FUNC VXAUWUFVKBKH" only reverses the string passed to it.

figure 2: function for reversing the string

The other function initializes a STANDARD_ALPHANUM_TABLE, then splits the comma-separated string it receives; each value serves as an index into the ALPHANUM_TABLE to decode the actual string.

figure 3: decoder function

I converted these 2 functions to Python to decode all the strings within this AutoIt script file for much easier static analysis.

figure 4: part of my python script to decode the string
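
A minimal decoder of the kind described above, as an added example that is not the author's script from figure 4. The table contents, the 0-based index convention, the helper names and the sample script lines are assumptions constructed for illustration; the real table and call patterns must be taken from the extracted script.

```python
import re
import string

# Assumption: stand-in for the sample's STANDARD_ALPHANUM_TABLE (copy the real one from the script).
ALPHANUM_TABLE = string.ascii_uppercase + string.ascii_lowercase + string.digits
INDEX_BASE = 0  # assumption: indices are 0-based; set to 1 if the script counts from 1

def reverse_string(s):
    """Python equivalent of FUNC VXAUWUFVKBKH: return the input reversed."""
    return s[::-1]

def decode_indices(encoded, table=ALPHANUM_TABLE, base=INDEX_BASE):
    """Python equivalent of FUNC MIBYZTSVUFNMTML: map comma-separated indices to table characters."""
    chars = []
    for token in encoded.split(","):
        token = token.strip()
        if not token.isdigit():
            raise ValueError("non-numeric index: %r" % token)
        idx = int(token) - base
        if not 0 <= idx < len(table):
            raise ValueError("index out of table range: %r" % token)
        chars.append(table[idx])
    return "".join(chars)

# Matches a decoder call whose only argument is a string literal (AutoIt names are case-insensitive).
CALL_RE = re.compile(r'(VXAUWUFVKBKH|MIBYZTSVUFNMTML)\(\s*"([^"]*)"\s*\)', re.IGNORECASE)

def deobfuscate(script):
    """Replace decoder calls on literals with the decoded literal, repeating until nested calls resolve."""
    def replace_call(match):
        name, arg = match.group(1).upper(), match.group(2)
        try:
            value = reverse_string(arg) if name == "VXAUWUFVKBKH" else decode_indices(arg)
        except ValueError:
            return match.group(0)  # leave calls that cannot be decoded for manual review
        return '"' + value + '"'
    previous = None
    while previous != script:
        previous, script = script, CALL_RE.sub(replace_call, script)
    return script

# Constructed sample lines (not taken from the malware) showing direct, nested and non-literal calls.
SAMPLE = '''Local $a = MIBYZTSVUFNMTML("36,30,43,39,30,37,55,54")
Local $b = VXAUWUFVKBKH(MIBYZTSVUFNMTML("37,37,26,2,37,37,3"))
Local $c = MIBYZTSVUFNMTML($d)'''

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Calls whose argument is a variable rather than a literal are left untouched, so they stand out in the output as places that still need manual tracing.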

Below is the decoded string output of my Python script. In it, you may notice that some of the variables have no other references and are never used in any other part of the code; they are garbage code added to further obfuscate the script and make code analysis more confusing.