Friday, October 11, 2024

New CHAINSHOT Malware Attack Carried Adobe Flash 0-day Exploit with Weaponized Microsoft Excel Documents

The newly discovered CHAINSHOT malware attack uses an Adobe Flash 0-day vulnerability, delivered by several weaponized documents together with an encrypted malware payload.

Researchers successfully cracked the 512-bit RSA key and decrypted the payload. The attack proceeds in several stages, each of which depends on the output of the stage before it.

The attackers use a new toolkit that acts as a downloader to drop the Adobe Flash exploit CVE-2018-5002.


A malicious Microsoft Excel document contains a tiny Shockwave Flash ActiveX object whose “Movie” property holds a URL from which the Flash application is downloaded.

Further analysis revealed that the Flash application is an obfuscated downloader that creates a random 512-bit RSA key pair in the memory of the process.

The private key remains in memory, while the public key is sent to the attacker's server, where it is used to encrypt the AES key (the key that encrypts the payload).

The encrypted payload is then sent back to the downloader, which uses the in-memory private key to decrypt the 128-bit AES key and, with it, the payload.

Since the attacker uses a 512-bit RSA key pair, which is known to be insecure, the researchers were able to recover the private key from the hardcoded exponent and the public key.

Gaining the Encrypted Shellcode Payload

The 128-bit AES key was decrypted using the private key, which was computed with a small public tool, and the shellcode payload was then obtained.
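The key exchange described above (an RSA pair generated by the downloader, an AES key encrypted by the server) and the analysts' recovery of the private key from the public key and exponent, modelled at toy size. This is an added example, not code from the article or from the Palo Alto report: it assumes a public exponent of 65537 and textbook RSA over 32-bit blocks, and the 30-bit primes, helper names and the Pollard-rho factoring step are constructed for the demo (a real 512-bit modulus calls for a number-field-sieve tool and hours of compute, not this).

```python
import math
import secrets

E = 65537  # public exponent; an assumption, the article only says it is hardcoded
# Constructed toy primes (about 30 bits each); the real sample used a 512-bit modulus.
P, Q = 1000000007, 998244353

def downloader_keygen(p=P, q=Q):
    """Key pair the downloader builds in memory; only (n, E) is sent to the server."""
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))

def split_blocks(key, block_bits=32):
    """128-bit key -> four 32-bit integers, each below the toy modulus."""
    mask = (1 << block_bits) - 1
    return [(key >> (block_bits * i)) & mask for i in range(3, -1, -1)]

def server_wrap_key(pub, aes_key):
    """Attacker server: textbook-RSA-wrap the AES key block by block."""
    n, e = pub
    return [pow(m, e, n) for m in split_blocks(aes_key)]

def pollard_rho(n):
    """Return a non-trivial factor of n (Floyd cycle finding, f(x) = x^2 + c)."""
    for c in range(1, 64):
        x = y = 2
        g = 1
        while g == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            g = math.gcd(abs(x - y), n)
        if g != n:
            return g
    raise ValueError("no factor found")

def analyst_recover_aes_key(pub, wrapped):
    """Analyst: factor the n seen on the wire, rebuild d, unwrap the AES key."""
    n, e = pub
    p = pollard_rho(n)
    d = pow(e, -1, (p - 1) * (n // p - 1))
    key = 0
    for c in wrapped:
        key = (key << 32) | pow(c, d, n)
    return key

def demo():
    """Run the exchange end to end; returns (server's key, analyst's recovered key)."""
    pub, _d = downloader_keygen()      # _d stays in the downloader's memory, never sent
    aes_key = secrets.randbits(128)    # chosen on the attacker server
    return aes_key, analyst_recover_aes_key(pub, server_wrap_key(pub, aes_key))
```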


Once the 128-bit AES key is decrypted, the actual payload can be decrypted as well; the decrypted shellcode payload is additionally compressed with zlib.

Further analysis revealed that the attacker uses the exploit together with a complex shellcode payload that carries two PE payloads of its own.

Finally, the researchers set up an environment to analyze the different stages and the malware's working functions.

According to the Palo Alto researchers, after the exploit successfully gains RWE permissions, execution is passed to the shellcode payload. The shellcode loads an embedded DLL internally named FirstStageDropper.dll, which they call CHAINSHOT.

“FirstStageDropper.dll is responsible for injecting SecondStageDropper.dll into another process to execute it. While the shellcode payload only contains code to search for and bypass EMET, FirstStageDropper.dll also contains code for Kaspersky and Bitdefender.”

The final payload is responsible for fingerprinting the system and sending details about the user and the processes running on the machine.

Indicators of Compromise

Adobe Flash Downloader: 189f707cecff924bc2324e91653d68829ea55069bc4590f497e3a34fa15e155c

Adobe Flash Exploit (CVE-2018-5002): 3e8cc2b30ece9adc96b0a9f626aefa4a88017b2f6b916146a3bbd0f99ce1e497


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
