| ID | X0039 |
| Type | Worm |
| Aliases | None |
| Platforms | Windows |
| Year | 2016 |
| Associated ATT&CK Software | None |
Vobfus is a Visual Basic worm that spreads across removable media and network shares. Vobfus can also download and execute additional binaries from other malware families.
| Name | Use |
|---|---|
| Lateral Movement::Lateral Tool Transfer (T1570) | Vobfus drops copies of itself to any external drives or network shares attached to the infected system. [1] |
| Name | Use |
|---|---|
| Command and Control::Ingress Tool Transfer (E1105) | Vobfus downloads the latest version of itself from a remote server. [1] |
| Persistence::Registry Run Keys/Startup Folder (F0012) | Vobfus adds registry keys to enable startup after reboot. [1] |
| Defense Evasion::Hidden Files and Directories::Location (F0005.002) | Vobfus is located on external drives or network shares and attaches itself to any ZIP or RAR files, removable drives, and network shares. The malware hides all folders in the external drive and drops an executable with the same name and a disguished folder icon. [1] |
| Execution::User Execution (E1204) | The malware relies on user interaction to run the executable. [1] |
| Defense Evasion::Disable or Evade Security Tools (F0004) | Vobfus uses GetModuleHandle API call to check for presence of Avast Antivirus. [1] |
| Persistence::Modify Existing Service (F0011) | Vobfus disables Windows AutoUpdate on the infected system. The malware patches the first byte of TerminateProcess and TerminateThread API with C3 (RET Instruction) to prevent any external processes from terminating the running instance of the malware. [1] |
| Name | Use |
|---|---|
| Anti-Behavioral Analysis::Capture Evasion::Encrypted Payloads (B0036.002) | Vobfus is downloaded in encrypted form and then decrypted. [1] |
| Execution::Install Additional Program (B0023) | Vobfus downloads other malware family executables. [1] |
| Anti-Behavioral Analysis::Debugger Evasion (B0002) | Vobfus uses GetModuleHandle API to check for the presence of a debugger. [1] |
| Anti-Behavioral Analysis::Sandbox Detection (B0007) | Vobfus uses GetModuleHandle API to check for the presence of a sandbox. [1] |
| Anti-Behavioral Analysis::Virtual Machine Detection (B0009) | Vobfus checks for the presence of virtualization software, such as VMware, VirtualBox, and QEMU, by querying the system registry. [1] |
Download locations
- %USERPROFILE%muoeyus.exe
- %USERPROFILE%vuvuv.exe
- %USERPROFILE%3s8.exe
- %TEMP%2724921.exe
Potential File Names
- Passwords.exe
- Porn.exe
- Secret.exe
- Sexy.exe
- x.mpeg [0 byte File]
- Autorun.inf
- Muoeyus.exe
[1] https://securitynews.sonicwall.com/xmlpost/revisiting-vobfus-worm-mar-8-2013/