2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article analyzes an attack sample that exploits the WinRAR vulnerability CVE-2018-20250. It is shared here as a reference, in the hope that readers come away with a better understanding of the relevant details.
I. Background
We recently intercepted an attack sample that exploits the newly disclosed WinRAR vulnerability (CVE-2018-20250). The file is named "Meeting summary.rar". The malicious archive is actually in ACE format and contains an Office Word document called "Meeting summary", which lures the victim into extracting the archive directly.
After opening it with WinRAR, the contents of the archive are as shown in the figure.
Navigating into the directory in WinRAR shows the details of startups.exe, as in the following figure.
The vulnerability is triggered when the victim extracts the archive directly with WinRAR: the embedded malicious program (startups.exe) is written into the Startup folder of the user's Windows system, so it runs automatically the next time the system reboots.
II. startups.exe program analysis
File name: startups.exe
MD5: 7706640ac741740d1e5521ed671e8904
SHA1: 59773b72caefa9f882a8602a19d9210fa9ad1f65
When startups.exe executes, it first deletes files left over from previous runs: it searches the temporary directory for files whose names end with .accouna-delete-me and deletes them.
It then obtains the full path of the executable through GetModuleFileName.
Next it takes the name of the directory in which the exe is located.
It sets the environment variable OCRA_EXECUTABLE.
It opens the exe file and maps it into memory.
It then checks whether the file ends with the four-byte magic value 0x41B6BA4E.
Opening startups.exe in WinHex confirms that it does end with those four bytes.
Next it reads the location of the operation table: the four bytes starting eight bytes before the end of the file. From the image above, this location is 0x00009600, i.e. the value is taken from offset 0x00009600 of the exe file; in startups.exe the value stored there is 0x00000004.
It then performs the operation corresponding to opcode 0x00000004, which decompresses the following data with the LZMA algorithm.
After decompression by function 004032c0, the extracted memory data is as shown below.
It reads the opcodes in the decompressed data: the first four bytes in the figure above, 0x00000001, mean "create directory", and the directory created is src. The next opcode is 0x00000002, "create file", and the file name that follows it in the figure is src\ruby.rb.
In this way all directories and files contained in the extracted data are created at the appropriate locations under the system temporary directory.
Finally a process is created via opcode 0x00000006. The process started is rubyw.exe (the Ruby interpreter) in the bin directory, with the argument src\ruby.rb.
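The trailer check and opcode walk described above can be reproduced as a static triage script that lists what the stub would do without running it. This is an added example, not code from the article or from the OCRA project: the magic value, the offset-at-end-8 rule and the opcode numbers 1, 2, 4 and 6 follow the analysis above, while the operand layout (NUL-terminated strings, u32 lengths, opcode 0 as terminator) and the constructed sample are assumptions for illustration.

```python
import lzma
import struct

MAGIC = 0x41B6BA4E  # trailing signature from the analysis; operand layouts below are assumed
OP_CREATE_DIR, OP_CREATE_FILE, OP_DECOMPRESS_LZMA, OP_CREATE_PROCESS = 1, 2, 4, 6

def _cstr(buf, pos):  # NUL-terminated string at pos -> (text, next_pos)
    end = buf.index(b"\0", pos)
    return buf[pos:end].decode("latin-1"), end + 1

def walk_ops(data):
    """Walk an opcode stream statically and list what the stub would do."""
    actions, pos = [], 0
    while pos < len(data):
        op, = struct.unpack_from("<I", data, pos); pos += 4
        if op == 0:                        # end of table
            break
        if op == OP_CREATE_DIR:            # directory name
            name, pos = _cstr(data, pos); actions.append(("mkdir", name))
        elif op == OP_CREATE_FILE:         # name, u32 length, payload bytes
            name, pos = _cstr(data, pos)
            size, = struct.unpack_from("<I", data, pos); pos += 4 + size
            actions.append(("write", f"{name} ({size} bytes)"))
        elif op == OP_CREATE_PROCESS:      # executable, then argument string
            exe, pos = _cstr(data, pos); args, pos = _cstr(data, pos)
            actions.append(("exec", f"{exe} {args}"))
        elif op == OP_DECOMPRESS_LZMA:     # u32 length, LZMA blob of more opcodes
            size, = struct.unpack_from("<I", data, pos); pos += 4
            actions += walk_ops(lzma.decompress(data[pos:pos + size])); pos += size
        else:
            raise ValueError(f"unknown opcode {op:#x} at {pos - 4:#x}")
    return actions

def triage(exe_bytes):
    """Verify the trailer, find the opcode table via the u32 at end-8, walk it."""
    sig, = struct.unpack_from("<I", exe_bytes, len(exe_bytes) - 4)
    if sig != MAGIC:
        return None                        # not packed by this kind of stub
    table_off, = struct.unpack_from("<I", exe_bytes, len(exe_bytes) - 8)
    return walk_ops(exe_bytes[table_off:len(exe_bytes) - 8])

def build_sample():
    """Constructed stand-in for startups.exe: fake PE body + LZMA opcode table + trailer."""
    ops = struct.pack("<I", OP_CREATE_DIR) + b"src\0"
    ops += struct.pack("<I", OP_CREATE_FILE) + b"src\\ruby.rb\0" + struct.pack("<I", 3) + b"abc"
    ops += struct.pack("<I", OP_CREATE_PROCESS) + b"bin\\rubyw.exe\0src\\ruby.rb\0"
    packed = lzma.compress(ops + struct.pack("<I", 0))
    body = b"MZ" + b"\0" * 100             # placeholder for the real PE image
    table = struct.pack("<II", OP_DECOMPRESS_LZMA, len(packed)) + packed + struct.pack("<I", 0)
    return body + table + struct.pack("<II", len(body), MAGIC)
```

Running triage(build_sample()) yields the mkdir/write/exec sequence the article recovers from the real sample, which is the kind of listing worth pulling into a report before any dynamic analysis.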
The IDA disassembly is as follows:
The contents of ruby.rb are as follows:
The code above uses HTTPS to fetch the content of https://66.42.33.59:443/#WEZf, then copies it into memory with RtlMoveMemory and starts it in a new thread with CreateThread.
Unfortunately, the URL is currently unreachable, so the follow-on malicious payload could not be analyzed.
In addition, a web search shows that the OCRA string seen repeatedly during the analysis belongs to an open source project: OCRA (One-Click Ruby Application Builder) is a gem that packages a .rb file into an executable, and the resulting EXE runs without a Ruby environment. It works by bundling everything the Ruby program needs to run (the interpreter, gems and so on) into the executable.
The common parameters are as follows:
--windows: do not display a console (rubyw.exe)
--console: display a console (default, ruby.exe)
--dll dllname: include the specified DLL from Ruby's bin directory
--no-lzma: disable LZMA compression when packaging
--quiet: do not show packaging progress
--help: view the ocra help
--no-autoload: do not include items autoloaded by the script
--icon: replace the default Ruby icon with a custom .ico
So startups.exe is in fact an EXE produced by OCRA.
III. Concluding remarks
1. The WinRAR vulnerability (CVE-2018-20250) is exploited for delivery.
2. OCRA is used to convert Ruby (.rb) code into an EXE program.
3. The follow-on malicious code is also written in Ruby.
Attacks that use the WinRAR vulnerability (CVE-2018-20250) to spread malware can be expected to become more common. Using an open source framework (OCRA in this case) to load malicious code may also become a trend.
Users should be wary of archives with the .rar suffix. Users who have not yet applied the WinRAR patch are advised to update to the new version of WinRAR immediately, or to delete the UNACEV2.DLL file so that WinRAR no longer supports the ACE format. It is also advisable to change how WinRAR is used: do not right-click and extract an archive without inspecting it; instead double-click to open it, review the contents of the archive, and only then extract.
This concludes the case analysis of the WinRAR CVE-2018-20250 attack sample; hopefully the material above is of some help. If you found the article useful, please share it with others.