How to understand the complete analysis report of Adobe Flash zero-day vulnerability attack in the field

2025-04-13 Update From: SLTechnology News&Howtos, Network Security


Shulou(Shulou.com)05/31 Report--

This article explains how to read the complete analysis report of the Adobe Flash zero-day vulnerability attack observed in the wild. The editor considers it very practical and shares it here in the hope that readers will take something away from it.

Background

On January 31, 2018, the South Korean Computer Emergency Response Team issued a warning about a 0-day vulnerability in Adobe Flash Player, stating that attackers had been using it in targeted attacks as early as mid-November 2017.

On February 1, 2018, Adobe issued a security advisory (APSA18-01) for Adobe Flash Player. The new zero-day was found to be aimed at people in South Korea, and the vulnerability was assigned CVE-2018-4878.

On February 5, 2018, Adobe released a patch fixing the CVE-2018-4878 zero-day.

During the window before a patch for CVE-2018-4878 was available, 360 Security Guard could defend against the vulnerability without any upgrade. In that period the 360 Core Security Advanced Threat Response Team reacted quickly, being the first to intercept attacks exploiting the vulnerability and to publish an analysis and early warning. Now that the official patch has been released and the zero-day properly resolved, we publish a complete analysis of the in-the-wild attack to help readers piece together the full picture of this advanced threat from several angles.

Figure 1

Analysis of the attack process of vulnerability documents

The attackers carefully planned a social-engineering campaign against the targeted personnel, sending Excel bait documents that carried the vulnerability and malicious code through instant-messaging tools and email to trick the victims into opening them.

Figure 2 content of the bait document

The bait document contains an ActiveX object that corresponds to an SWF file.

Figure 3 ActiveX object file included in the document

After the document is opened, the ActiveX object automatically plays the Flash content; once playback is allowed, the next stage of the attack is delivered from the cloud.

Figure 4

After the Flash in the bait document plays, it requests the remote URL www.dylboiler.co.kr/admincenter/files/boad/4/manager.php

The URL request parameters include id (a unique identifier), fp_vs (the Flash version) and os_vs (system information).

Figure 5

The Flash in the bait document decrypts the encrypted file stream returned by the remote URL and dynamically executes the Flash content containing the CVE-2018-4878 vulnerability.

Figure 6

The website hosting the CVE-2018-4878 exploit payload is a legitimate Korean company website. It appears to have been compromised and fully controlled by the attacker, who could add arbitrary malicious code to the site.

Figure 7

Zero-day vulnerability Analysis of CVE-2018-4878

We analyzed the CVE-2018-4878 file stream and found that the sample exploits the vulnerability by manipulating the DRMManager object in Flash's com.adobe.tvsdk package.

The key code for this part of the vulnerability lies in the method_3 method, which creates a new class_8 object, passes it to drmManager.initialize, and then sets var_16 to null.

Figure 8

In the constructor of class_2, LocalConnection().connect actively triggers garbage collection to free unreferenced memory; the second call to LocalConnection().connect throws an exception, and during the exception handling a class_8 object is assigned to var_13.

Figure 9

After that, a timer is created; its handler checks whether the value of the var_13.a1 member has been modified.

Figure 10

If the value is found to have changed, the flash_24/flash_25 method is called.

Figure 11

In the flash_25 method, a ByteArray object of class_7 is created with new and assigned to var_17.

Figure 12

var_17 is a ByteArray object; by modifying the length of the ByteArray, arbitrary memory can be read and written. The exploitation technique here is similar to the Hacking Team Flash exploits, whose code has long been public, so it is not discussed in detail.

Figure 13

Debugging the vulnerability further, commenting out the line var_13 = new class_8(); triggers a null-pointer access crash:

eax=6906d8e9 ebx=00000000 ecx=00000000 edx=00000000 esi=08055d28 edi=0685b020
eip=6850e148 esp=024fd5c0 ebp=024fd5f0 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210212
Flash32_28_0_0_137!DllUnregisterServer+0x14ecda:
6850e148 8b4904          mov     ecx,dword ptr [ecx+4] ds:0023:00000004=????????

Tracing back, the address data comes from the esi+0c location:

6850e142 8b4e0c          mov     ecx,dword ptr [esi+0Ch]
6850e145 8b4908          mov     ecx,dword ptr [ecx+8]
6850e148 8b4904          mov     ecx,dword ptr [ecx+4]
0:005> dd 066e4100
066e4100  066e4f60 00000000 00000000 00000000
066e4110  00000000 00000000 00000000

Since we commented out the var_13 creation code here, this indicates that some other object has been freed incorrectly. LocalConnection().connect actively triggers garbage collection to free unreferenced memory, so we comment out that part as well and set a breakpoint at 6850e142 8b4e0c mov ecx,dword ptr [esi+0Ch] to observe the contents of the freed data.

Figure 14

When the breakpoint is hit, the data turns out to be the contents of the class_8 object, that is, the memory of var_16:

eax=67c1d8e9 ebx=00000000 ecx=0607b2e0 edx=00000000 esi=04785d28 edi=0626b020
eip=670be148 esp=022fcfc0 ebp=022fcff0 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
Flash32_28_0_0_137!DllUnregisterServer+0x14ecda:
670be148 8b4904          mov     ecx,dword ptr [ecx+4] ds:0023:0607b2e4=060ba4c0
0:005> dd 0618e100
0618e100  67c51a88 00000002 0607b2e0 07d98040
0618e110  00001111 00002222 00003333 00004444
0618e120  00005555 00006666 00007777 00008888
0618e130  00009999 0000aaaa 00001100 00002222

The final analysis confirms that the CVE-2018-4878 zero-day is a use-after-free (UAF) caused by drmManager.initialize's improper handling of the object it holds.

Analysis of Shellcode attack flow

Next, the shellcode triggered by the vulnerability checks process names to determine whether the user has installed AhnLab, ViRobot APT Shield or 360, three security products commonly used in China and South Korea, and takes a different attack path accordingly.

Figure 15

- Environment in which any one of the three security products is present

  The shellcode directly calls the wininet family of functions to download and execute the malicious payload at http://www.1588-2040.co.kr/conf/product_old.jpg.

- Environment in which none of the three is installed, or in which other unknown security software may be present

  The shellcode creates a cmd process and, by injecting code into it through a remote thread, has the cmd process download and execute the malicious payload at http://www.1588-2040.co.kr/conf/product.jpg.

Figure 16

- Environment in which the two Korean security products coexist

  The shellcode exits directly without doing anything.

The website hosting the malicious payload downloaded by the shellcode is also a legitimate Korean company website, which appears to have been compromised and fully controlled by the attackers in order to host the final payload.
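The stage-2 request (manager.php with the id, fp_vs and os_vs parameters) and the two payload URLs above are the network indicators a defender can look for. As an added example that is not part of the original report, the following Python script hunts for them in proxy access logs. The log lines are constructed for the example; the URLs and parameter names come from the report. The final check in classify_request generalises beyond the single loader URL the report gives: it flags any .php request carrying the same id/fp_vs/os_vs parameters, on the assumption that the same loader would look alike on another compromised host.

```python
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the report.
LOADER_URL = "www.dylboiler.co.kr/admincenter/files/boad/4/manager.php"
LOADER_PARAMS = {"id", "fp_vs", "os_vs"}
PAYLOAD_URLS = {
    "www.1588-2040.co.kr/conf/product_old.jpg":
        "payload fetch via wininet (branch used when AhnLab/ViRobot/360 is present)",
    "www.1588-2040.co.kr/conf/product.jpg":
        "payload fetch via injected cmd.exe (branch used when none of the three is present)",
}

def classify_request(url):
    """Return a reason string if the request matches an indicator, else None."""
    parts = urlsplit(url)
    host_path = (parts.hostname or "").lower() + parts.path
    if host_path == LOADER_URL:
        return "known stage-2 loader URL"
    if host_path in PAYLOAD_URLS:
        return PAYLOAD_URLS[host_path]
    # Generalisation (assumption, not from the report): the same loader hosted
    # elsewhere would still send id/fp_vs/os_vs to a .php endpoint.
    params = set(parse_qs(parts.query))
    if parts.path.endswith(".php") and LOADER_PARAMS <= params:
        return "loader-pattern beacon (id, fp_vs, os_vs parameters)"
    return None

def flash_version(url):
    """fp_vs value as a tuple of ints, e.g. (28, 0, 0, 137), or None if absent/invalid."""
    q = parse_qs(urlsplit(url).query)
    if "fp_vs" not in q:
        return None
    try:
        return tuple(int(x) for x in q["fp_vs"][0].split("."))
    except ValueError:
        return None

def scan_log(text):
    """Scan 'timestamp client method url status' lines; return matching records."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        reason = classify_request(url)
        if reason is not None:
            hits.append({"client": client, "url": url, "reason": reason,
                         "flash_version": flash_version(url)})
    return hits

# Constructed proxy log lines for the example (not real traffic from the report).
SAMPLE_LOG = """\
1517400001.123 10.0.0.5 GET http://www.dylboiler.co.kr/admincenter/files/boad/4/manager.php?id=a1b2c3d4&fp_vs=28.0.0.137&os_vs=Windows%207 200
1517400002.456 10.0.0.5 GET http://www.1588-2040.co.kr/conf/product.jpg 200
1517400003.789 10.0.0.9 GET http://intranet.example/index.html 200
1517400004.000 10.0.0.7 GET http://other.example/x/manager.php?id=zz&fp_vs=28.0.0.137&os_vs=win10 200
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["reason"], hit["flash_version"], hit["url"])
```

The fp_vs value is kept as a version tuple so that a hit can be compared against the Flash build range an organisation has actually deployed; a beacon from a host whose recorded Flash version is newer than the patched release is worth a second look, because it suggests spoofed or unexpected client information rather than a vulnerable player.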

Figure 17

Malicious load analysis

The final malicious payload runs in two stages: the first stage is a Dropper that releases the payload, and the second stage is a backdoor controlled through a public cloud drive.

Payload Release Program (Dropper)

The program loads a resource named JOK; its content is the shellcode that actually executes. The program starts a new wscript.exe and injects the shellcode into the wscript process through a remote thread for execution. Finally, the shellcode decrypts and unpacks a PE file in memory, relocates its sections, and executes the final backdoor program in memory.

Figure 18

It is worth noting that the PDB path of this program is related to the ROKRAT Trojan of the Group 123 organization reported by Cisco in November 2017 (http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html?m=1).

- d:\HighSchool\version13\2ndBD\Tunable M\Result\DocPrint.pdb
- D:\HighSchool\version13\First-Dragon(VS2015)\Sample\Release\DogCall.pdb

The program's execution flow and technical details are also consistent with the dropper programs reported by Cisco, suggesting it belongs to the same ROKRAT family.

Figure 19

Cloud Drive Backdoor (Cloud Drive RAT)

The program uses public cloud drives as its C&C server to store screenshot information and to download plug-ins. Compared with a traditional C&C server, using a public cloud drive makes the traffic harder to identify, because the cloud drive URLs are trusted, whitelisted domain names.

Figure 20

The cloud drive services used are as follows:

URL appearing in the program   Cloud drive
api.box.com                    Box
content.dropboxapi.com         Dropbox
api.pcloud.com                 pCloud
cloud-api.yandex.net           Yandex

Analysis of the Program's Main Flow

The program first generates an 8-byte random string that serves as the identifier for this communication session; it is used in subsequent uploads and C&C commands.

Figure 21

It then checks the operating system version and the current execution environment.

Figure 22

It collects the computer name, user name and BIOS information.

Figure 23

It tries to load the following DLLs, tries to obtain the VMware Tools version and the BIOS version, and uses these to determine whether it is running in a sandbox or under a debugger.

Figure 24

Sandbox environment list

DLL name        Corresponding sandbox or debug environment
SbieDll.dll     Sandboxie
dbghelp.dll     Microsoft debugging tools
api_log.dll     GFI SandBox
dir_watch.dll   GFI SandBox

After the sandbox check, the program creates worker threads to carry out its functions.

Figure 25

The backdoor uses public cloud drives for data transfer; four kinds of cloud drive are built into the program, namely Box, Dropbox, pCloud and Yandex. The samples intercepted this time use pCloud.

Figure 26

The program uses the GDI API to capture the victim machine's screen and saves the picture in the temp directory, named with the randomly generated identifier followed by the sequence number of the current screenshot.

Figure 27

Figure 28

The program then reads the image data, deletes the pictures from the temp directory, and uploads the previously collected environment information together with the image data to the cloud drive.

Figure 29

Format of the uploaded data

Offset  Length    Information
0       8         randomly generated identifier
10      2         system version information
12      64        victim machine name
76      64        user name
140     256       current process path
396     128       BIOS information
524     1         sandbox environment information
525     1         whether the Windows directory is writable
526     40        VMware Tools version information
566     39        motherboard and BIOS model
605     7         character disable
1119    4         screenshot image size
1123    variable  image data
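As an added example that is not part of the original report, here is a Python parser for the upload record layout above, together with a builder that produces a constructed sample record for testing and a helper that derives the name of the instruction file the backdoor later polls for. Offsets and lengths are taken from the table; the assumptions are that the text fields are null-terminated ASCII, that the 4-byte screenshot size is little-endian, and that the bytes at 8-10 and 612-1119, which the table does not describe, can be left opaque.

```python
import struct

# Field layout (offset, length, name) taken from the report's upload-format table.
# Bytes 8-10 and 612-1119 are not described in the report and are left opaque.
FIELDS = [
    (0,   8,   "client_id"),        # random 8-byte session identifier
    (10,  2,   "os_version"),
    (12,  64,  "machine_name"),
    (76,  64,  "user_name"),
    (140, 256, "process_path"),
    (396, 128, "bios_info"),
    (524, 1,   "sandbox_flag"),
    (525, 1,   "windir_writable"),
    (526, 40,  "vmtools_version"),
    (566, 39,  "board_bios_model"),
    (605, 7,   "field_605"),        # labelled "character disable" in the report
]
SIZE_OFFSET = 1119   # 4-byte screenshot size
DATA_OFFSET = 1123   # screenshot bytes follow the header
RAW_FIELDS = {"os_version", "field_605"}   # kept as hex rather than decoded as text

def _cstr(raw):
    """Decode a null-terminated ASCII field (assumption: ASCII encoding)."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")

def parse_upload(blob):
    """Split one uploaded record into its fields; raises ValueError on truncated input."""
    if len(blob) < DATA_OFFSET:
        raise ValueError("record shorter than the %d-byte header" % DATA_OFFSET)
    rec = {}
    for off, ln, name in FIELDS:
        raw = blob[off:off + ln]
        if ln == 1:
            rec[name] = raw[0]
        elif name in RAW_FIELDS:
            rec[name] = raw.hex()
        else:
            rec[name] = _cstr(raw)
    # Assumption: the image size is a little-endian uint32.
    size = struct.unpack_from("<I", blob, SIZE_OFFSET)[0]
    image = blob[DATA_OFFSET:DATA_OFFSET + size]
    if len(image) != size:
        raise ValueError("screenshot data truncated: expected %d bytes, got %d"
                         % (size, len(image)))
    rec["screenshot_size"] = size
    rec["image"] = image
    return rec

def is_well_formed(blob):
    """True if the record parses cleanly, False if the header or image is truncated."""
    try:
        parse_upload(blob)
        return True
    except ValueError:
        return False

def command_file_name(client_id):
    """Name of the instruction file the backdoor polls for: def_ + identifier."""
    return "def_" + client_id

def build_upload(client_id, machine, user, path, bios, image,
                 sandbox=0, windir_writable=1):
    """Construct a sample record in the same layout (test input, not a real capture)."""
    buf = bytearray(DATA_OFFSET)
    def put(off, ln, text):
        data = text.encode("ascii")[:ln]
        buf[off:off + len(data)] = data
    put(0, 8, client_id)
    buf[10:12] = bytes([6, 1])          # constructed major/minor version bytes
    put(12, 64, machine)
    put(76, 64, user)
    put(140, 256, path)
    put(396, 128, bios)
    buf[524] = sandbox
    buf[525] = windir_writable
    put(526, 40, "none")
    put(566, 39, "constructed-board")
    struct.pack_into("<I", buf, SIZE_OFFSET, len(image))
    return bytes(buf) + image

if __name__ == "__main__":
    sample = build_upload("a1b2c3d4", "WIN-VICTIM", "user",
                          r"C:\Windows\System32\wscript.exe", "constructed BIOS",
                          b"\x89PNG constructed image bytes")
    for key, value in parse_upload(sample).items():
        print(key, "%d bytes" % len(value) if key == "image" else value)
    print(command_file_name("a1b2c3d4"))
```

When such records are recovered from a drive listing, the client_id field ties each screenshot upload to the def_ instruction file the backdoor will later fetch, so the two can be correlated per victim; the process_path field is also a quick triage signal, since a record whose path points at wscript.exe matches the dropper's injection target described earlier.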

The program repeatedly polls the cloud drive for a file named def_ followed by the random identifier, and parses it to obtain the cloud C&C instruction to execute.

Figure 30

Cloud C&C command list

No.  Function
1    Fetch data from the specified URL into memory and execute it in memory as shellcode
2    Fetch data from the specified URL into memory and execute it in memory as shellcode
3    Obtain a new cloud drive token, download the file ADI.bin and execute it in memory as shellcode
4    Obtain a new cloud drive token, download the file DDI.bin and execute it in memory as shellcode
5    Fetch data from the specified URL into memory, save it as %temp%/setup.exe and execute it
6    Fetch data from the specified URL into memory, save it as %temp%/setup.exe and execute it
7    Obtain a new cloud drive token, download the file ADX.enc, save it as %temp%/setup.exe and execute it
8    Obtain a new cloud drive token, download the file DDX.enc, save it as %temp%/setup.exe and execute it
9    Obtain a new cloud drive token, download the file ERSP.enc, save it as %temp%/setup.exe and execute it

After parsing the command, the program also calls the cloud drive's delete API to remove the corresponding instruction file.

Figure 31

We speculate that during the actual attack the attacker collects screenshots and other information, selects valuable targets, and then uploads customised instruction files to the cloud drive to attack them.

Tracing the Source of the Attack

Through reverse analysis of the program, we found that the permissions of the cloud drive token are not strictly restricted. With this token one can obtain the drive's registration information and the content stored in it. From this we determined that the attacker's cloud drive was registered with the mailbox cheseolum@naver.com on December 11, 2017, which is close to the November start of the attacks announced by the South Korean response center.

Figure 32

After the attack was publicly exposed on January 31, a large number of newly connected hosts uploaded information to the cloud drive. Among the screenshots obtained, we found many virus-detection sandboxes and sample analysts. Judging from the screenshots, most analysts were analyzing the samples from https://github.com/brianwrf/CVE-2017-4878-Samples.

Figure 33

During the screenshot investigation we also happened to find a desktop screenshot of a suspected domestic security practitioner, who may have inadvertently run the sample while downloading it for analysis.

Figure 34

The analysis shows that this attack was carefully planned and ran for more than three months. The attacker hosted malicious payloads by compromising the websites of two legitimate companies, used normal cloud drive services as C&C infrastructure, and built an elaborate attack plan around a zero-day exploit regardless of cost. The amount of resources used shows that this is not something individuals or ordinary teams could carry out: it is a typical APT attack. As the vulnerability details are gradually disclosed, the organizations concerned and ordinary users need to raise their security awareness, update Flash promptly, and keep security software enabled to defend against possible exploitation.

The above is how to read the complete analysis report of the Adobe Flash zero-day vulnerability attack. The editor believes it contains knowledge points that may be seen or used in daily work, and hopes readers can learn more from this article. For more details, please follow the industry information channel.
