Friday, June 14, 2024

New CHAINSHOT Malware Attack Carried Adobe Flash 0-day Exploit with Weaponized Microsoft Excel Documents

The newly discovered CHAINSHOT malware attack uses an Adobe Flash zero-day vulnerability delivered through several weaponized documents together with an encrypted malware payload.

Researchers successfully cracked the 512-bit RSA key and decrypted the payload. The attack runs in several stages, each of which takes the output of the previous stage as its input.

The attackers used a new toolkit that acts as a downloader to deliver the Adobe Flash exploit for CVE-2018-5002.

A malicious Microsoft Excel document contains a tiny Shockwave Flash ActiveX object whose “Movie” property holds a URL from which the Flash application is downloaded.

Further analysis revealed that the Flash application is an obfuscated downloader that creates a random 512-bit RSA key pair in the memory of its process.

The private key stays in memory, while the public key is sent to the attacker's server, which uses it to encrypt the AES key (the key that encrypts the payload).

The encrypted payload is then sent back to the downloader, which uses the in-memory private key to decrypt the 128-bit AES key and, with it, the payload.

Because the attackers used a 512-bit RSA key pair, a size known to be insecure, the researchers were able to recover the private key from the hardcoded exponent and the public key.

Obtaining the Encrypted Shellcode Payload

The 128-bit AES key was decrypted using the private key, which was computed with a small public tool, to obtain the shellcode payload.

Once the 128-bit AES key has been decrypted, the actual payload can be decrypted as well; the decrypted shellcode payload is additionally compressed with zlib.
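The key-recovery step described above, as an added, scaled-down example that is not code from the article or from the researchers: the downloader's modulus is built from two 30-bit primes so that Pollard's rho can factor it in-process (a real 512-bit modulus is factored with a dedicated tool), textbook RSA stands in for whatever padding the downloader actually used, and the exponent 65537 and the 7-byte session key are constructed values. The AES and zlib stages that follow key recovery are left out.

```python
import math
import random

E = 65537  # public exponent assumed hardcoded in the downloader (constructed for this model)

def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of the composite n (Pollard's rho with Floyd cycle finding)."""
    if n % 2 == 0:
        return 2
    rng = random.Random(0)  # fixed seed keeps the run deterministic
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:  # d == n means this polynomial failed; retry with another c
            return d

def recover_private_exponent(n: int, e: int) -> int:
    """Analyst side: factor the modulus seen on the wire and derive d from the known exponent e."""
    p = pollard_rho(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse (Python 3.8+)

def wrap_session_key(key: bytes, n: int, e: int) -> int:
    """Attacker-server side: encrypt the symmetric key with the downloader's public key."""
    m = int.from_bytes(key, "big")
    if m >= n:
        raise ValueError("key does not fit in the modulus for textbook RSA")
    return pow(m, e, n)

def unwrap_session_key(wrapped: int, n: int, d: int, key_len: int) -> bytes:
    """Decrypt the wrapped key with the recovered private exponent."""
    return pow(wrapped, d, n).to_bytes(key_len, "big")

def demo() -> bytes:
    # Scaled-down model: two 30-bit primes give a 60-bit modulus that rho factors in well under a second.
    # The real downloader used a 512-bit modulus; only the key size differs, not the recovery steps.
    p, q = 1000000007, 998244353
    n = p * q
    session_key = bytes.fromhex("c0ffee1337beef")  # constructed 56-bit stand-in for the AES key
    wrapped = wrap_session_key(session_key, n, E)   # what the server's reply would carry
    d = recover_private_exponent(n, E)              # derived without ever seeing the in-memory private key
    return unwrap_session_key(wrapped, n, d, len(session_key))
```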

Further analysis of the exploit and of the rather complex shellcode payload revealed that the shellcode carries two embedded PE payloads of its own.

Finally, the researchers set up an environment to analyze the different stages and how the malware works.

According to the Palo Alto researchers, after the exploit successfully gains RWE permissions, execution is passed to the shellcode payload. The shellcode loads an embedded DLL internally named FirstStageDropper.dll, which they call CHAINSHOT.

“FirstStageDropper.dll is responsible for injecting SecondStageDropper.dll into another process to execute it. While the shellcode payload only contains code to search for and bypass EMET, FirstStageDropper.dll also contains code for Kaspersky and Bitdefender.”

The final payload is responsible for fingerprinting the system and sending details about the user and the processes running on the machine.

Indicators of Compromise

Adobe Flash Downloader

Adobe Flash Exploit (CVE-2018-5002)

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.