2025-04-11 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 05/31 Report
Today I will walk you through how to analyze the samples of the CVE-2018-4878 Flash 0day vulnerability. Many people may not know much about it, so to help you understand it better the editor has summarized the following material. I hope you get something out of this article.
Background
On January 31, 2018, South Korea's CERT issued an announcement that a Flash 0day vulnerability had been discovered in the wild and that an attacker was carrying out targeted attacks with it; on February 1, Adobe issued a security bulletin confirming a remote code execution vulnerability (CVE-2018-4878) in Adobe Flash Player 28.0.0.137 and earlier versions; on February 2, the Cisco Talos team released a brief analysis of the incident and the attack samples involved; on February 7, Adobe released a security patch for CVE-2018-4878. Based on the samples given in the Talos article and the report published by the 360 Security Guard team, this paper analyzes the related samples further to fill in the corresponding technical details; it does not cover analysis of the CVE-2018-4878 vulnerability itself.
The carrier of Flash 0day vulnerability
The CVE-2018-4878 Flash 0day exploit code is embedded in an Office document. The sample uses an Excel document as the carrier and embeds an animation object that loads the malicious Flash component:
The decoy file contains an ActiveX object, and the Flash content is loaded when the file is opened:
This activeX1.bin cannot be opened directly through AS3:
After deleting the data in front of the FWS signature, AS3 can decompile it normally:
The SWF itself is a loader. Before it runs, a URLRequest instance is initialized and the corresponding completion event handler is set. After the instance communicates with the remote server to obtain the decryption key for the Exploit, Decrypt is called to decrypt the corresponding Exploit code:
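The "data in front of FWS" step above can be automated. The following Python script is an added example (not from the original article or the 360 report): it locates the SWF signature inside an ActiveX wrapper such as activeX1.bin, reads the SWF header and cuts the file out so it can be handed to a decompiler. The activeX1.bin bytes below are constructed stand-ins, not the real sample.

```python
import struct

# Constructed stand-in for activeX1.bin: some wrapper bytes in front of an
# uncompressed SWF (signature "FWS", format version byte, little-endian
# total length, then the body). Not the real sample.
SWF_BODY = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00" + b"\x00" * 10
SWF_LEN = 8 + len(SWF_BODY)                    # SWF header is 8 bytes
FAKE_SWF = b"FWS" + bytes([28]) + struct.pack("<I", SWF_LEN) + SWF_BODY
FAKE_ACTIVEX_BIN = b"\x00\x01\x02\x03" + b"\x00" * 60 + FAKE_SWF + b"\xff\xff"

SIGNATURES = (b"FWS", b"CWS", b"ZWS")   # plain, zlib-compressed, LZMA-compressed


def carve_swf(blob: bytes):
    """Find the first SWF signature in an OLE/ActiveX wrapper and return
    (offset, format_version, declared_length, swf_bytes).

    For FWS the declared length is the on-disk length, so the file can be cut
    exactly; for CWS/ZWS it is the length after decompression, so the carve
    keeps everything up to the end of the wrapper."""
    hits = [blob.find(sig) for sig in SIGNATURES]
    hits = [h for h in hits if h != -1]
    if not hits:
        raise ValueError("no SWF signature (FWS/CWS/ZWS) found")
    off = min(hits)
    sig = blob[off:off + 3]
    version = blob[off + 3]
    declared = struct.unpack_from("<I", blob, off + 4)[0]
    if sig == b"FWS":
        if declared < 8 or off + declared > len(blob):
            raise ValueError("declared SWF length is inconsistent with the file")
        swf = blob[off:off + declared]
    else:
        swf = blob[off:]
    return off, version, declared, swf


def looks_like_wrapped_swf(blob: bytes) -> bool:
    """True when an SWF signature is present but not at offset 0, i.e. the
    'data in front of FWS' situation that stops a decompiler from loading it."""
    try:
        off = carve_swf(blob)[0]
    except ValueError:
        return False
    return off > 0


if __name__ == "__main__":
    off, ver, length, swf = carve_swf(FAKE_ACTIVEX_BIN)
    print(f"SWF found at offset {off}: version {ver}, declared length {length}")
    with open("carved.swf", "wb") as f:   # ready for the decompiler
        f.write(swf)
```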
The constructed URL request that sends the initial data is as follows, and includes:
1. A unique id
2. Flash version
3. System version
Attackers use this basic information to determine whether the target system falls within the vulnerable range. This is routine in Flash exploitation: the Exploit itself is not delivered lightly, and only when the local environment has been confirmed are the corresponding Exploit and its decryption key returned from the C&C (command and control) server.
An example of the submitted packet is as follows:
After that, the Exploit is decrypted with the key returned by the request and executed:
Payload analysis
Because the site that served the Exploit decryption key has been taken down, the Exploit code itself cannot currently be obtained. This paper therefore analyzes the Payload that lands after CVE-2018-4878 exploitation completes, as provided by the Cisco Talos team; the corresponding file Hash (MD5) is: d2881e56e66aeaebef7efaa60a58ef9b
The sample reads data from the resource JOK and injects it into a wscript process that it starts itself:
Data in the resource JOK:
The injected data begins with loader code whose main job is to XOR-decrypt the second Shellcode and then relocate it. The decryption key is obtained by XORing the first byte of the encrypted Shellcode with 0x90, i.e. the loader assumes the decrypted Shellcode starts with a NOP:
Shellcode2 first obtains the Kernel32 base address, then uses the 90909090 tag to find the address of the subsequent PE file to be decrypted:
The PE decryption Key is obtained by XORing the first byte of the encrypted PE with 0x4D ('M', the first byte of the MZ header), and the final PE file is decrypted:
Start the decryption of the corresponding PE file as shown in the following code:
The malicious PE file is then copied into a newly allocated memory region, its import table is repaired, and it is executed:
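The two known-plaintext XOR stages described above can be replayed statically, which gives the analyst the dropped PE without running the shellcode. The following Python script is an added example (not code from the article or the sample): the resource layout it assumes (a 16-byte loader stub, the encrypted Shellcode2, the clear-text 90909090 tag, then the encrypted PE) and the test blob are constructed, not the real JOK resource.

```python
TAG = b"\x90\x90\x90\x90"   # marker Shellcode2 scans for to locate the PE
LOADER_LEN = 16             # assumed size of the first-stage loader stub


def recover_xor_key(first_enc_byte: int, known_plain: int) -> int:
    """Single-byte XOR key from one byte of known plaintext: the sample
    expects the shellcode to start with 0x90 and the PE with 'M' (0x4D)."""
    return first_enc_byte ^ known_plain


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def unpack_resource(res: bytes, loader_len: int = LOADER_LEN) -> dict:
    """Statically replay both decryption stages on the resource blob."""
    if len(res) < loader_len + 1:
        raise ValueError("resource too short for loader + shellcode")
    tag_off = res.find(TAG, loader_len)
    if tag_off == -1:
        raise ValueError("90909090 tag not found after the loader")
    enc_stage2 = res[loader_len:tag_off]
    k1 = recover_xor_key(enc_stage2[0], 0x90)
    stage2 = xor_bytes(enc_stage2, k1)
    enc_pe = res[tag_off + len(TAG):]
    if len(enc_pe) < 2:
        raise ValueError("no PE data after the tag")
    k2 = recover_xor_key(enc_pe[0], 0x4D)
    pe = xor_bytes(enc_pe, k2)
    if pe[:2] != b"MZ":
        raise ValueError("decrypted data does not start with an MZ header")
    return {"stage2_key": k1, "stage2": stage2, "pe_key": k2, "pe": pe}


# Constructed test resource (NOT the real JOK data): placeholder loader stub,
# stage-2 bytes starting with a NOP encrypted with key 0x5A, the clear-text
# tag, then a minimal MZ-headed blob encrypted with key 0xC3.
STAGE2_PLAIN = b"\x90" + bytes(range(1, 12))
PE_PLAIN = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_RESOURCE = (b"\xcc" * LOADER_LEN + xor_bytes(STAGE2_PLAIN, 0x5A)
                   + TAG + xor_bytes(PE_PLAIN, 0xC3))

if __name__ == "__main__":
    out = unpack_resource(SAMPLE_RESOURCE)
    print(f"stage2 key 0x{out['stage2_key']:02X}, PE key 0x{out['pe_key']:02X}")
    with open("dropped.exe.bin", "wb") as f:   # decrypted PE for static analysis
        f.write(out["pe"])
```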
ROKRAT backdoor
The malicious code that the Shellcode loads into memory is an EXE program: a remote-control backdoor of the ROKRAT family. The sample uploads data through cloud storage (network disk) services, and the API Keys for those services are embedded in the sample data. The picture below shows the extracted strings. The sample calls four mainstream foreign cloud storage services through their APIs: pcloud, box, dropbox and yandex.
The code to get the Key from the file is as follows:
The name of each file uploaded to cloud storage has the format pho_[randomly generated 8-byte hex value (machine identity)]_[upload counter]. The code that constructs the file name is as follows:
Cloud storage data
Using the obtained Key, a request to pcloud returns the account holder's information: the registration email is cheseolum@naver.com and the registration date is December 11, 2017:
The list of files in the root directory, obtained with the listfolder API, is as follows:
Then get the download link of the specified file through API:
Https://api.pcloud.com/getfilelink?path=%s&forcedownload=1&skipfilename=1
The download path is built by concatenating the hosts and path fields from the result above. The hexadecimal value in the middle of each file name is the randomly generated 8-byte HEX value. The list of downloaded files is as follows:
Analyzing these files shows the following data format:
The front of the file holds the machine model, the machine name and the host path from which the malicious code was executed:
The image data structure starts at file offset 0x45F: a 4-byte picture length followed by the picture content:
The picture is a screenshot of a computer. Here is an example:
The earliest data we saw was uploaded on February 2, after the attack had been disclosed, so almost all of the desktop screenshots were taken by security analysts or sandboxes:
After reading the above, do you have a better understanding of how to analyze the samples of the CVE-2018-4878 Flash 0day vulnerability? If you want to learn more, please follow the industry information channel. Thank you for your support.
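The upload format described above (host strings at the front, a 4-byte picture length at offset 0x45F, then the screenshot) can be parsed to recover the exfiltrated screenshots from the downloaded files. The following Python script is an added example, not code from the article or the 360 team; it assumes the length field is little-endian and that the leading strings are NUL-terminated, and the upload it parses is a constructed stand-in rather than a real pho_* file.

```python
import struct

IMAGE_OFFSET = 0x45F   # offset of the 4-byte picture length in each upload


def build_sample_upload() -> bytes:
    """Constructed stand-in for one recovered pho_* upload (not real data):
    NUL-terminated machine model, machine name and host path at the front,
    zero padding up to 0x45F, then the picture length (assumed little-endian)
    and the picture bytes."""
    header = b"VirtualBox\x00DESKTOP-TEST\x00C:\\Users\\test\\sample.xls\x00"
    header = header.ljust(IMAGE_OFFSET, b"\x00")
    picture = b"\xff\xd8\xff\xe0" + b"\x00" * 40 + b"\xff\xd9"   # JPEG-shaped bytes
    return header + struct.pack("<I", len(picture)) + picture


def picture_type(data: bytes) -> str:
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    return "unknown"


def parse_upload(data: bytes) -> dict:
    """Split one upload into the host strings and the embedded screenshot,
    rejecting a length field that does not fit inside the file."""
    if len(data) < IMAGE_OFFSET + 4:
        raise ValueError("file shorter than the picture header at 0x45F")
    strings = [s.decode("utf-8", "replace")
               for s in data[:IMAGE_OFFSET].split(b"\x00") if s]
    pic_len = struct.unpack_from("<I", data, IMAGE_OFFSET)[0]
    start = IMAGE_OFFSET + 4
    if pic_len > len(data) - start:
        raise ValueError(f"picture length {pic_len} exceeds the {len(data) - start} bytes left")
    picture = data[start:start + pic_len]
    return {"host_info": strings, "picture_len": pic_len,
            "picture_type": picture_type(picture), "picture": picture}


if __name__ == "__main__":
    info = parse_upload(build_sample_upload())
    print("host info:", info["host_info"])
    with open("screenshot." + info["picture_type"], "wb") as f:
        f.write(info["picture"])
```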
© 2024 shulou.com SLNews company. All rights reserved.