How to hide exploit packs in flash objects


Terry Ganzi (Thread author)
Feb 7, 2014
Had to translate this so you can be informed.


A prerequisite for the success of any malware attack is that the attack goes unnoticed, by both the victim's system and the victim's protection software. The main role in carrying out a hidden attack is played by exploits for security holes in software, through which malicious code can be loaded onto the victim's computer undetected. The exploits are usually delivered in exploit packs, which combine a plugin detector (it determines which software, in which versions, is installed on the user's computer) with several exploits, one of which is sent to the user once a suitable vulnerability has been found.

We recently came across a new method of hiding an attack that uses exploits: the cybercriminals packaged the exploit pack inside a Flash file.



Packed Flash object (exploit pack)

Here's how it looks without obfuscation:



Flash object (Exploit Pack) without obfuscation

The packaging is intended to protect the malicious object from discovery. Most of the common deobfuscators cannot open such a Flash object automatically; SWF Decompiler, for example, hangs and displays an error message.





Result of applying a common deobfuscator to a Flash object containing the Neutrino exploit pack

In this case, the Flash object is written into the page in the user's browser with the parameter allowscriptaccess="always". This gives it the ability to modify the page even when the object itself is loaded from a different domain. On the one hand, giving a Flash object permission to modify the page is not necessarily safe, since ordinary use of Flash objects does not require such a capability, and it could arouse suspicion. At the same time it is a completely legitimate option, and a lot of Flash content is loaded in exactly this way. With this option, the malicious Flash object simply writes the exploits from its binary data into the page.

In this way, no malicious content appears anywhere: neither in the traffic nor in the page that is passed to the browser. Everything is hidden in a neat package, and the exploits become visible only when the page is processed in the browser.

The embedded binary objects are RC4 encrypted, and some are also deflate compressed using the standard algorithm.



Encrypted binary objects within the Flash object

This is how one of the objects looks after it has been decrypted:



Code for decrypting the exploits and writing them into the page

The remaining objects are opened in the same way.

Here is a list of the binary objects contained in the Flash pack:

  • An exploit for the vulnerability CVE-2013-2551 in Internet Explorer.
    Exploit for the vulnerability CVE-2013-2551
  • A malicious DLL (discussed later) that is also included in other versions of the Neutrino exploit pack.
  • Two exploits for the vulnerability CVE-2014-6332 in the VBS routine in IE:
    Exploits for CVE-2014-6332
  • An exploit for the vulnerability CVE-2014-0569 in Adobe Flash
    Exploit for the vulnerability CVE-2014-0569
  • An exploit for the vulnerability CVE-2014-0515 in Adobe Flash
    Exploit for the vulnerability CVE-2014-0515
In this exploit pack there is no plugin detector for the Adobe Flash exploits; instead, the version of Adobe Flash is determined using ActionScript. The versions of Adobe Flash that are suitable for an attack with the exploits are written directly into the code of the Flash pack:



In recent modifications of the Flash pack, among other changes, another exploit for the Adobe Flash vulnerability CVE-2015-0536 was added.


Image placed on the page

A special function retrieves this image from the landing page, decodes the Base64 and RC4 layers, and obtains the configuration file.



Function to obtain the configuration file

The configuration file contains the keys and the IDs of the exploits discussed above that can be loaded onto the user's system. The configuration file gives the cybercriminals flexibility: without changing the exploit pack itself, they can set operating parameters that are optimal for a certain period of time. For example, an individual exploit can be given priority, or the key for decrypting the objects in the package can be stored separately.



The decoded image containing the configuration file

In subsequent modifications of the Flash pack, the configuration file is no longer implemented as a separate image; instead it is included in the exploit pack itself.


Main part of the code of shell32.dll



Launched Skriptp.js

This script is the loader for the actual malicious target file.


Geography of attacks by the Neutrino Flash pack (March 2015)

Conclusion

The relatively new technique of distributing exploits using a Flash pack has proven quite useful for cybercriminals. The standard features of Flash allow them to place an exploit pack inside a Flash object and hide it with an obfuscator. And Flash's ability to pass a parameter that grants page access allows it to write the exploits into a page in the user's browser. As a result, the components of the exploit pack are present neither in the traffic nor in the loaded page.

Although the malware authors are constantly updating the exploit pack and modifying the malicious Flash code to avoid detection, Kaspersky Lab responds to these threats in a timely manner. In addition to the standard protection methods, our products use the special component "Automatic Exploit Prevention" (AEP), which detects this threat using behavioral analysis.

Kaspersky Lab detects this Flash pack as HEUR:Exploit.Script.Blocker and HEUR:Exploit.SWF.Generic.
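The two decoding layers the article describes (RC4, sometimes on top of standard deflate, for the embedded objects; Base64 plus RC4 for the image-borne configuration) are what an analyst has to peel back when triaging such a sample. The following is an added example, not code from the original post or from Kaspersky; the key, the sample payloads and the helper names are constructed assumptions, since a real sample's key comes from its configuration file.

```python
# Added analyst-side helper (not from the original post): reverses the layers the
# article describes for a Flash pack's embedded objects and its configuration.
# Key and sample data are CONSTRUCTED; a real key is taken from the sample's config.
import base64
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unpack_object(key: bytes, blob: bytes) -> bytes:
    """Decrypt one embedded object; inflate it if a deflate layer is present."""
    plain = rc4(key, blob)
    try:
        # raw deflate stream (no zlib header), as a standard deflate routine emits
        return zlib.decompress(plain, -zlib.MAX_WBITS)
    except zlib.error:
        return plain  # object was only encrypted, not compressed


def decode_config(key: bytes, image_payload: bytes) -> bytes:
    """Configuration carried in the page image: Base64, then RC4."""
    return rc4(key, base64.b64decode(image_payload))


def build_object(key: bytes, payload: bytes, compress: bool) -> bytes:
    """Constructed test vector so the example runs offline (deflate, then RC4)."""
    if compress:
        c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
        payload = c.compress(payload) + c.flush()
    return rc4(key, payload)


def build_config(key: bytes, config: bytes) -> bytes:
    """Constructed test vector for the image-borne configuration (RC4, then Base64)."""
    return base64.b64encode(rc4(key, config))
```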

 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top