2025-01-16 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 05/31 Report
This article explains in detail an example analysis of the discovery of a suspected CVE-2020-0968 remote code execution exploit in the wild. The content is of high quality, so the editor shares it as a reference; I hope you will have a better understanding of the relevant knowledge after reading it.
1. Event background
In early September 2020, the Shadow Hunting Laboratory of the An Heng Information Threat Intelligence Center captured an rtf sample from Belarus named "relevant information about the defendant".
The document is disguised as a criminal case registration card: it shows information related to the judiciary of the Supreme Court, and it is written in Russian. The template it is based on can be downloaded from an education website in Russia.
It is clear that the attackers timed this cyber attack to take advantage of the large-scale public activities and the mass arrests that followed the Belarusian presidential election.
The attacker used CVE-2020-0968, a parsing vulnerability in the JScript engine that had never been publicly exploited before and that Microsoft had marked as not exploited. The use of a 1-day whose exploitation was unknown shows that this attacker has considerable technical capability or financial resources (buying vulnerabilities). Because the Trojan it delivers has a distinctive function named "Domino", we named this campaign Operation Domino.
2. Attack overview
The document exploits CVE-2020-0968, for which no exploit code had been made public, to load a remote malicious Trojan. The tradecraft is professional: the downloaded Trojan carries a valid digital signature, and in addition to the usual Trojan capabilities it also repairs the exploit document by removing the exploit content from it. At a glance, this is the work of a professional team.
3. Detailed analysis of the weaponry
The sample's rtf document, with an embedded URL Moniker, is the carrier; it remotely loads the web page file located at http://94.156.174[.]7/up/a1a.htm.
This is the first time a remotely loaded embedded web page has been observed exploiting a jscript vulnerability in the wild.
The Shadow Hunting Lab analyzed the vulnerability and found that it is a use-after-free (UAF) in the jscript.dll module of the IE browser. When jscript handles the addition of two objects (type = 0x81), CScriptRuntime::Run calls VAR::GetValue twice in a row to fetch the corresponding values, but the developer did not add the variant variables saved on the stack to the GC tracking list. If an object implements a custom toString method, VAR::GetValue further calls NameTbl::InvokeInternal, which invokes that custom toString. In the callback triggered by the second VAR::GetValue, the relevant variant variable can be released manually; when the callback returns, CScriptRuntime::Run uses the freed variant variable again, which is the UAF.
Patch analysis confirms that the vulnerability postdates the Double Star vulnerability (CVE-2020-0674) and was fixed by the April 2020 patch.
It is worth noting that in April 2020 Microsoft did fix an IE vulnerability rated "Critical" and labeled it "Exploited: Yes" at its initial release, but then changed the label to "Exploited: No", which sparked discussion among security researchers at the time.
Combining the fix date with the above information, we reasonably infer that the vulnerability used in this attack is CVE-2020-0968, the JScript remote code execution vulnerability. The exploit follows the same approach as the earlier JScript UAF exploits: first the vulnerability leaks the address of a RegExp object; then the RegExp object is used to forge an overlong BSTR; this BSTR array provides an out-of-bounds read; on that basis a fake RegExpObj object is forged; and finally the regular-expression engine is used to obtain arbitrary address read/write, leading to shellcode execution.
After the shellcode executes successfully, it downloads the payload from the remote address http://94.156.174[.]7/up/a1a.dll, decrypts it and executes it. The decryption is a simple XOR with the key "weHnh". The decrypted dll contains an export function named "Domino", which we judge to be its main function.
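The XOR decryption described above is easy to reproduce on a captured copy of the payload, which is useful for confirming that a network capture really contains the second stage. The following is an added analyst helper, not code from the report or from the malware; the key "weHnh" and the export name "Domino" come from the analysis above, while the sample payload is a constructed MZ/PE skeleton that stands in for a1a.dll.

```python
import struct

def xor_decrypt(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR is symmetric: the same call encrypts and decrypts.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_pe(data: bytes) -> bool:
    # A PE image starts with "MZ" and the e_lfanew field at offset 0x3c
    # points at the "PE\0\0" signature.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def has_export_hint(data: bytes, name: bytes = b"Domino") -> bool:
    # Cheap triage check for the export name string. A full parse of the
    # export directory would confirm it, but the plain NUL-terminated string
    # is enough to decide whether the decryption key was right.
    return (name + b"\x00") in data

def triage_payload(encrypted: bytes, key: bytes = b"weHnh") -> dict:
    """Decrypt a downloaded blob with the report's key and sanity-check it."""
    plain = xor_decrypt(encrypted, key)
    return {
        "is_pe": looks_like_pe(plain),
        "has_domino_export": has_export_hint(plain),
        "decrypted": plain,
    }

def build_fake_payload() -> bytes:
    # Constructed stand-in for the real a1a.dll: a minimal, non-executable
    # MZ/PE skeleton with the export name string, XOR-encrypted with "weHnh".
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", stub, 0x3C, 0x40)       # e_lfanew -> 0x40
    stub += b"PE\x00\x00" + b"\x00" * 20           # PE signature + padding
    stub += b"Domino\x00DllMain\x00"               # export name strings
    return xor_decrypt(bytes(stub), b"weHnh")

if __name__ == "__main__":
    result = triage_payload(build_fake_payload())
    print("PE image:", result["is_pe"], "| Domino export:", result["has_domino_export"])
```

With the right key the decrypted buffer passes both checks; with any other key the MZ/PE check fails, which is a quick way to tell a re-keyed variant from the sample described here.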
The dll sample locates its own rtf/doc document, finds the `{\object\objemb...}` content, which is the embedded URL Moniker data, and deletes it.
After deleting the URL Moniker, the dll reopens the document; the original document has thus been turned into a clean one.
The dll then executes an embedded EXE program.
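The carrier described in section 3 (an rtf with an embedded URL Moniker) and the clean-up the dll performs (removing the `{\object\objemb...}` group) can both be reproduced from the defender's side: scan an rtf for `\objdata` blobs that carry a serialised URL Moniker, report the remote URL, and optionally strip the object group the same way the malware does. The following is an added example, not code from the report; it relies on the URL Moniker CLSID {00000303-0000-0000-C000-000000000046}, and the rtf it scans is a constructed sample with a placeholder URL, not the real document.

```python
import re

# URL Moniker CLSID {00000303-0000-0000-C000-000000000046}, serialised with
# the little-endian field order used inside OLE streams.
URL_MONIKER_CLSID = bytes.fromhex("0303000000000000c000000000000046")

# Hex payload of an \objdata control word (whitespace and line breaks allowed).
OBJDATA_RE = re.compile(r"\\objdata\s*((?:[0-9a-fA-F]|\s)+)")
# A UTF-16LE http(s) URL made of printable ASCII characters.
URL_UTF16_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x20-\x7e]\x00)+"
)

def extract_objdata_blobs(rtf_text: str) -> list:
    """Decode every \\objdata hex blob in the rtf into raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf_text):
        hexdigits = re.sub(r"\s+", "", m.group(1))
        if len(hexdigits) % 2:          # tolerate a truncated final nibble
            hexdigits = hexdigits[:-1]
        blobs.append(bytes.fromhex(hexdigits))
    return blobs

def find_url_moniker_urls(rtf_text: str) -> list:
    """Return the remote URLs of all URL Moniker objects embedded in the rtf."""
    urls = []
    for blob in extract_objdata_blobs(rtf_text):
        pos = blob.find(URL_MONIKER_CLSID)
        while pos != -1:
            m = URL_UTF16_RE.search(blob, pos + len(URL_MONIKER_CLSID))
            if m:
                urls.append(m.group(0).decode("utf-16-le"))
            pos = blob.find(URL_MONIKER_CLSID, pos + 1)
    return urls

def remove_object_groups(rtf_text: str) -> str:
    """Drop every {\\object ...} group (balanced braces, escapes respected),
    the same edit the Domino dll makes to leave a clean document behind."""
    out, i = [], 0
    while i < len(rtf_text):
        if rtf_text.startswith("{\\object", i):
            depth, j = 0, i
            while j < len(rtf_text):
                c = rtf_text[j]
                if c == "\\":           # skip control-word start / escaped brace
                    j += 2
                    continue
                if c == "{":
                    depth += 1
                elif c == "}":
                    depth -= 1
                    if depth == 0:
                        j += 1
                        break
                j += 1
            i = j
        else:
            out.append(rtf_text[i])
            i += 1
    return "".join(out)

def build_sample_rtf(url: str) -> str:
    # Constructed sample, not the real document: an OLE1 objdata blob that
    # carries a serialised URL Moniker (CLSID + length + UTF-16LE URL).
    url_bytes = (url + "\0").encode("utf-16-le")
    moniker = URL_MONIKER_CLSID + len(url_bytes).to_bytes(4, "little") + url_bytes
    objdata = b"\x01\x05\x00\x00\x02\x00\x00\x00" + moniker
    return ("{\\rtf1\\ansi {\\object\\objemb{\\*\\objdata " + objdata.hex() + "}}\n"
            "{Some decoy text in Russian}}")

if __name__ == "__main__":
    sample = build_sample_rtf("http://example.invalid/up/a1a.htm")  # placeholder URL
    print("remote objects:", find_url_moniker_urls(sample))
    print("after clean-up:", find_url_moniker_urls(remove_object_groups(sample)))
```

For triage, the presence of any URL Moniker in an rtf is the signal worth alerting on; the extracted URL is what you would block or hunt for in proxy logs, and the cleaned copy is what the dll leaves on disk, so a document that arrives with no object group may still have been the carrier.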
The EXE backdoor uses a printer icon to disguise itself as the Microsoft Windows Fax and Scan program. It carries a valid digital certificate whose signer is "Sizg Solutions GmbH". The EXE is packed with VMProtect (VMP) and its import table is encrypted.
When the backdoor starts, it creates a window with the title "8Wsa1xVPfvJcrgRY" and the class name "frAQBc".
It then enters a message loop. Most of the malicious functionality is implemented in the window procedure WindowProc. When the window receives the WM_CREATE creation message, the backdoor sends itself custom messages to trigger the other key malicious routines.
The functions of most of the message codes are summarized in the following table:
After obtaining API addresses dynamically, it collects operating system, hardware, user and other information through WMI queries.
A large number of different keys are used to XOR-decrypt the strings for HTTP communication, including the HTTP header information used to construct the POST request packet.
The communication data is encrypted with AES. Three sets of keys are built into the backdoor, and different functional modules use different keys to process their data.
Because the backdoor is protected by VMP and heavily obfuscated internally, analysis is significantly hindered. The main functions identified so far include:
● Encrypted upload of the collected user information
● Capturing screenshots of the user's desktop, and updating itself
4. Attribution conjecture
This attack uses a JScript vulnerability that had not been seen in public before. In terms of exploitation technique, only DarkHotel has been known to field this kind of original new JScript exploit. However, in analyzing the subsequent payloads we did not find any obvious DarkHotel characteristics. Given that this vulnerability was used as a 1-day, it cannot be ruled out that other groups obtained it from relevant sources and exploited it.
Cyber covert warfare plays a key role in political and military contests; from intelligence collection to attacks on cyberspace infrastructure, it can have unexpected effects on the operation of political and military intelligence systems.
It is like the dll function "Domino" used in this incident: once the first piece is pushed, the chain reaction of falling dominoes leads to a series of guided changes. To stretch the analogy a little: in the 1950s, the domino theory first put forward by US President Dwight Eisenhower was a very important theory for the situation in Southeast Asia at the time. As soon as one Southeast Asian country showed a political tendency, other countries in the region would, like dominoes, tip in the same direction one after another. The analogy is also very timely for the current situation.
This is the first time a suspected exploit of CVE-2020-0968 has been found in the wild, which indicates that the attacking organization has a certain level of capability. Given the distinctive "Domino" function, we named this campaign Operation Domino.
Microsoft no longer provides support for Windows 7, so patches are not pushed to it by default. Windows 7 users who need the patch must download it manually from the Microsoft website and install it.
This concludes the example analysis of the discovery of a suspected CVE-2020-0968 remote code execution exploit in the wild. I hope the above content is helpful to you and that you have learned something from it. If you think the article is good, please share it so that more people can see it.