
What is the early warning of Flash zero-day vulnerability CVE-2018-5002 attack analysis?

2025-03-29 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Today I will walk you through the early-warning analysis of the Flash zero-day vulnerability CVE-2018-5002 attack, a topic many people may not understand well. To make it easier to follow, the editor has summarized the following content; I hope you gain something from this article.

Background

On June 1st, 2018, the 360 Core Security advanced threat response team was the first to capture a new in-the-wild attack using a Flash zero-day vulnerability. The attackers carefully constructed an Office document that loads the Flash exploit remotely; after the document is opened, all exploit code and malicious payloads are delivered from remote servers. The attack is aimed mainly at the Middle East. The vulnerability affects Adobe Flash Player 29.0.0.171 and below, and this is the second wave of Flash zero-day exploits this year.

Analysis of related vulnerability files

The sample uses an enticing file name, *salary.xlsx; its content matches the title (salary tables for all periods) and is written in Arabic.

The *salary.xlsx document (MD5: *517277fb0dbb4bbf724245e663) is complete; some screenshots are as follows:

The attackers embed a link to a remote Flash file through an ActiveX control and its data, and the exploit code is delivered under the control of server-side scripts.

Analysis of vulnerability attack process

When the xlsx is opened, it downloads the malicious swf file (MD5: *66491a5c5cd7423849f32b58f5) from the remote server (C&C: people.doha****.com), drops it and runs it. The swf then requests the server again to download encrypted data together with the key to decrypt it. The decrypted swf (MD5: *e78116bebfa1780736d343c9eb) is the Flash zero-day exploit. Once the vulnerability is triggered, it requests the malicious shellcode from the remote server and executes it. During real-time analysis we found that the attacker had already switched off delivery of the final Trojan payload.

The multi-stage attack process is as follows:

Analysis of the vulnerability principle

The Flash exploit code is heavily obfuscated. After debugging and analysis, we located the zero-day attack code in the sample.

The key code after restoration is as follows:

Flash executes static-init methods in the interpreter, and the interpreter does not correctly handle the scope of an exception when processing try/catch statements, so the exception raised by the li8(123456) instruction in the code is caught by the catch block.

When handling try/catch statements, Flash assumes that no code can reach the catch block, so the bytecode inside the catch block is not verified. The attacker uses getlocal/setlocal instructions inside the catch block to read and write arbitrary addresses on the stack, and finally turns the vulnerability into a type confusion by swapping two object pointers on the stack to complete the attack.

By debugging the attack code further, we can observe the exploit's bytecode: the function's localcount value is 2, while getlocal/setlocal in the catch block manipulate the data at positions 448 and 498.

Observing the stack data during the setlocal operation in the debugger, ecx holds the pointer to the class5 object and 068fc1a0 is the pointer to class7.

After swapping the two object pointers, the attacker checks whether exploitation succeeded by comparing the values of the objects' members.
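The defect described in the three paragraphs above (bytecode in a catch handler that the verifier never checks, and getlocal/setlocal operands far beyond the method's localcount of 2) can be screened for statically. The following Python script is an added example, not code from the original report or from 360: it parses a single AVM2 method_body_info record using the layout from the AVM2 Overview (method, max_stack, local_count, scope depths, code, exception table), then flags every getlocal/setlocal whose register index is at or above local_count and marks whether it sits at or past a catch target. The method body bytes are constructed here to reproduce the shape the article describes (a try region ending in li8, a handler touching registers 448 and 498); they are not taken from the real exploit. The opcode table is an assumption covering only the opcodes the sample uses, so any other opcode aborts the scan.

```python
"""Static heuristic for the verifier-gap pattern described in the article:
getlocal/setlocal operands >= local_count inside a catch handler.
Added example; sample bytes are constructed, not from the real exploit."""

# Operand layout for the subset of AVM2 opcodes used by the sample.
# "u30" = variable-length uint, "u8" = one byte, "s24" = 3-byte signed.
# Assumption: only these opcodes appear; a production scanner needs the
# full instruction table, so anything else raises instead of guessing.
OPCODES = {
    0x02: ("nop", ()),
    0x03: ("throw", ()),
    0x10: ("jump", ("s24",)),
    0x24: ("pushbyte", ("u8",)),
    0x29: ("pop", ()),
    0x2D: ("pushint", ("u30",)),
    0x30: ("pushscope", ()),
    0x35: ("li8", ()),
    0x47: ("returnvoid", ()),
    0x62: ("getlocal", ("u30",)),
    0x63: ("setlocal", ("u30",)),
}
for n in range(4):  # getlocal_0..3 / setlocal_0..3 carry no operand
    OPCODES[0xD0 + n] = ("getlocal_%d" % n, ())
    OPCODES[0xD4 + n] = ("setlocal_%d" % n, ())


def read_u30(buf, pos):
    """Decode an AVM2 u30/u32: 7 bits per byte, MSB set means more bytes."""
    value, shift = 0, 0
    for _ in range(5):
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
    return value & 0xFFFFFFFF, pos


def parse_method_body(buf):
    """Parse one method_body_info record; traits are counted but not parsed."""
    body, pos = {}, 0
    for field in ("method", "max_stack", "local_count", "init_scope_depth",
                  "max_scope_depth", "code_length"):
        body[field], pos = read_u30(buf, pos)
    body["code"] = bytes(buf[pos:pos + body["code_length"]])
    pos += body["code_length"]
    count, pos = read_u30(buf, pos)
    body["exceptions"] = []
    for _ in range(count):
        exc = {}
        for field in ("from", "to", "target", "exc_type", "var_name"):
            exc[field], pos = read_u30(buf, pos)
        body["exceptions"].append(exc)
    return body


def scan_method_body(body):
    """Return (offset, mnemonic, register, in_handler) for each getlocal/setlocal
    whose register is >= local_count. in_handler is True when the instruction
    lies at or past a catch target, i.e. code reached only via the exception table."""
    code, local_count = body["code"], body["local_count"]
    targets = [e["target"] for e in body["exceptions"]]
    findings, pos = [], 0
    while pos < len(code):
        at, op = pos, code[pos]
        pos += 1
        if op not in OPCODES:
            raise ValueError("opcode 0x%02x at offset %d not in table" % (op, at))
        name, operands = OPCODES[op]
        values = []
        for kind in operands:
            if kind == "u30":
                v, pos = read_u30(code, pos)
            elif kind == "u8":
                v, pos = code[pos], pos + 1
            else:  # s24 branch offset
                v = int.from_bytes(code[pos:pos + 3], "little", signed=True)
                pos += 3
            values.append(v)
        if name in ("getlocal", "setlocal") and values[0] >= local_count:
            findings.append((at, name, values[0], any(at >= t for t in targets)))
    return findings


# Constructed method body with local_count = 2. The try region (offsets 2-6)
# does pushint/li8, whose out-of-range read raises; the catch handler at
# offset 7 touches registers 448 and 498, far beyond local_count.
SAMPLE_METHOD_BODY = bytes([
    0x00, 0x02, 0x02, 0x01, 0x02, 0x0E,        # method, max_stack, local_count=2, scopes, code_length=14
    0xD0, 0x30,                                # getlocal_0; pushscope
    0x2D, 0x01, 0x35, 0x29, 0x47,              # pushint 1; li8; pop; returnvoid
    0x62, 0xC0, 0x03, 0x63, 0xF2, 0x03, 0x47,  # getlocal 448; setlocal 498; returnvoid
    0x01, 0x02, 0x07, 0x07, 0x00, 0x00,        # exception_count=1: from=2 to=7 target=7
    0x00,                                      # trait_count = 0
])

if __name__ == "__main__":
    for off, name, reg, in_handler in scan_method_body(parse_method_body(SAMPLE_METHOD_BODY)):
        print("offset %2d: %s r%d%s" % (off, name, reg, " (catch handler)" if in_handler else ""))
```

Running the script on the constructed body reports the two handler instructions at offsets 7 and 10; a real verifier would reject such register indices in reachable code, which is exactly why an unverified catch block is the interesting place to look.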

Analysis of attack correlation information

The C&C of the attack is people.doha**.com, which resolves to **.145.128.57. The domain's whois information shows it was registered on 2018-02-18, indicating that the attacker began preparing the attack in February this year.

Visiting people.doha**.com directly forcibly redirects to https://people.**.com/***/, the home page of a Qatar Airways employee.

people.**.com is a job search website in the Middle East; the attackers only added "doha" (Doha), a clear attempt to disguise the domain for phishing, so we conjecture that the attacker is targeting Doha, Qatar.

From the analysis we can see that this attack uses a zero-day vulnerability regardless of cost. The attacker devised an elaborate cloud-hosted attack plan, spent at least three months preparing the attack, and tailored the phishing content in detail to the target: a typical APT attack. Relevant organisations and ordinary users should raise their security awareness, update Flash promptly, and use 360 Security Guard to defend against possible exploitation.

After reading the above, do you have a better understanding of the early-warning analysis of the Flash zero-day vulnerability CVE-2018-5002 attack? If you want to learn more, please follow the industry information channel. Thank you for your support.
