Hackers use Microsoft Excel Documents to carry out CHAINSHOT Malware Attack


A new malware strain named CHAINSHOT was recently used in attacks exploiting the Adobe Flash zero-day vulnerability CVE-2018-5002. The malware was delivered through a Microsoft Excel file containing a tiny Shockwave Flash ActiveX object whose “Movie” property holds a URL from which the Flash application is downloaded.

Researchers were able to crack the 512-bit RSA key and decrypt the payload. They found that the Flash application is an obfuscated downloader which creates a random 512-bit RSA key pair in the memory of the process. The private key stays in memory, while the public key is sent to the attacker’s server, where it is used to encrypt the AES key that encrypts the payload. The encrypted payload is then sent back to the downloader, which uses the private key still in memory to decrypt the 128-bit AES key and, with it, the payload.
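The exchange described above, modelled end to end as an added example (this is not Unit 42's code or the malware's): the downloader makes a fresh RSA key pair in memory, the server wraps the session key under the public modulus, the client unwraps it with the private key, and an analyst holding only the modulus and the captured ciphertext factors the modulus and recovers the same key. Textbook RSA without padding is assumed because the write-up describes none; the modulus is deliberately tiny (two 36-bit primes, a 64-bit stand-in for the AES key) so the factoring step finishes in well under a second, whereas the real 512-bit modulus took the researchers dedicated effort. The session key value and prime sizes are constructed for the example.

```python
"""Toy model of the CHAINSHOT key-wrapping scheme and of why a short RSA modulus
gives the wrapped session key no lasting protection. Added example; textbook RSA,
no padding, tiny constructed parameters."""
import math

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
HARDCODED_E = 0x10001                     # the exponent named in the write-up
SESSION_KEY = 0x0F1E2D3C4B5A6978          # constructed 64-bit stand-in for the AES key


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; deterministic for every n below 3.3e24 with MR_BASES."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(start: int) -> int:
    """Smallest prime >= start (odd search from start)."""
    n = start | 1
    while not is_probable_prime(n):
        n += 2
    return n


def toy_keypair(bits: int = 36):
    """Deterministic stand-in for the in-memory key generation: (n, e, d, p, q)."""
    p = next_prime(1 << (bits - 1))
    q = next_prime((1 << (bits - 1)) + (1 << (bits - 3)))
    while math.gcd(HARDCODED_E, (p - 1) * (q - 1)) != 1:   # keep e invertible mod phi
        q = next_prime(q + 2)
    n = p * q
    d = pow(HARDCODED_E, -1, (p - 1) * (q - 1))
    return n, HARDCODED_E, d, p, q


def wrap_session_key(key: int, n: int, e: int) -> int:
    """Server side: encrypt the session key under the modulus the client sent."""
    if key >= n:
        raise ValueError("session key must be smaller than the modulus")
    return pow(key, e, n)


def unwrap_session_key(wrapped: int, n: int, d: int) -> int:
    """Client side: the private key that never left memory recovers the session key."""
    return pow(wrapped, d, n)


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of composite n (Floyd cycle detection)."""
    if n % 2 == 0:
        return 2
    for c in range(1, 50):                # try a new polynomial if a cycle only yields n
        x = y = 2
        g = 1
        while g == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            g = math.gcd(abs(x - y), n)
        if g != n:
            return g
    raise ArithmeticError("no factor found")


def recover_session_key(n: int, e: int, wrapped: int):
    """Analyst side: factor n, rebuild d, unwrap the key seen in captured traffic."""
    p = pollard_rho(n)
    q = n // p
    d = pow(e, -1, (p - 1) * (q - 1))
    return pow(wrapped, d, n), (min(p, q), max(p, q))


if __name__ == "__main__":
    n, e, d, p, q = toy_keypair()
    wrapped = wrap_session_key(SESSION_KEY, n, e)
    print(f"modulus bits: {n.bit_length()}, wrapped key: {wrapped:#x}")
    key, factors = recover_session_key(n, e, wrapped)
    print(f"recovered {key:#x} via factors {factors}")
```

The design point this makes concrete is that the scheme's secrecy rests entirely on the modulus being hard to factor: the client's "never leaves memory" private key is no stronger than n itself, so an analyst with a traffic capture and enough factoring effort gets the same AES key the client does.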

-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJAffMF1bzGWeVJfkgr0LUHxEgI3u6FJfJLJxLcSin1xE4eCMiJpkUh
u8ZxNs7RGs5VubwsHHyWYwqlFYlrL3NB/QIDAQABAkBog3SxE1AJItIkn2D0dHR4
dUofLBCDF5czWlxAkqcleG6im1BptrNWdJyC5102H/bMA9rhgQEDHx42hfyQiyTh
AiEA+mWGmrUOSLL3TXGrPCJcrTsR3m5XHzPrh9vPinSNpPUCIQCAxI/z9Jf10ufN
PLE2JeDnGRULDPn9oCAqwsU0DWxD6QIhAPdiyRseWI9w6a5E6IXP+TpZSu00nLTC
Sih+/kxvnOXlAiBZMc7VGVQ5f0H5tFS8QTisW39sDC0ONeCSPiADkliwIQIhAMDu
3Dkj2yt7zz04/H7KUV9WH+rdrhUmoGhA5UL2PzfP
-----END RSA PRIVATE KEY-----

Researchers at Palo Alto Networks’ Unit 42 were the ones who cracked the encryption, and they published their findings together with the method they used.

While the private key remains only in memory, the public key’s modulus n is sent to the attacker’s server. On the server side, the modulus is used together with the hardcoded exponent e 0x10001 to encrypt the 128-bit AES key which was used previously to encrypt the exploit and shellcode payload.

– Palo Alto Networks
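An analyst who receives a key like the one printed above would first check that it actually matches the description: a 512-bit-class modulus, the hardcoded public exponent 0x10001, and internally consistent CRT components. The following parser is an added example, not Unit 42's code; it embeds the published key exactly as printed (only the PEM dashes restored) and uses nothing beyond the Python standard library, reading the PKCS#1 RSAPrivateKey structure with a minimal DER reader.

```python
"""Parse the RSA private key recovered from the CHAINSHOT downloader and check it
against the write-up. Added example; standard library only."""
import base64
import math

# The key exactly as published in the write-up (PEM armour dashes restored).
CHAINSHOT_PRIVATE_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJAffMF1bzGWeVJfkgr0LUHxEgI3u6FJfJLJxLcSin1xE4eCMiJpkUh
u8ZxNs7RGs5VubwsHHyWYwqlFYlrL3NB/QIDAQABAkBog3SxE1AJItIkn2D0dHR4
dUofLBCDF5czWlxAkqcleG6im1BptrNWdJyC5102H/bMA9rhgQEDHx42hfyQiyTh
AiEA+mWGmrUOSLL3TXGrPCJcrTsR3m5XHzPrh9vPinSNpPUCIQCAxI/z9Jf10ufN
PLE2JeDnGRULDPn9oCAqwsU0DWxD6QIhAPdiyRseWI9w6a5E6IXP+TpZSu00nLTC
Sih+/kxvnOXlAiBZMc7VGVQ5f0H5tFS8QTisW39sDC0ONeCSPiADkliwIQIhAMDu
3Dkj2yt7zz04/H7KUV9WH+rdrhUmoGhA5UL2PzfP
-----END RSA PRIVATE KEY-----"""

# PKCS#1: RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dp, dq, qInv }
RSA_PRIVATE_KEY_FIELDS = ("version", "n", "e", "d", "p", "q", "dp", "dq", "qinv")


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END armour lines and base64-decode the body."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_private_key(pem: str) -> dict:
    """Return the nine RSAPrivateKey integers keyed by name."""
    der = pem_to_der(pem)
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE")
    fields, pos = {}, 0
    for name in RSA_PRIVATE_KEY_FIELDS:
        tag, value, pos = read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError(f"expected an INTEGER for {name}")
        fields[name] = int.from_bytes(value, "big")   # every field is positive here
    return fields


def check_against_writeup(key: dict) -> dict:
    """Facts an analyst would confirm before trusting the key for decryption."""
    p, q = key["p"], key["q"]
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # Carmichael lambda(n)
    return {
        "modulus_bits": key["n"].bit_length(),
        "exponent_is_0x10001": key["e"] == 0x10001,
        "n_equals_p_times_q": key["n"] == p * q,
        "d_inverts_e": (key["d"] * key["e"]) % lam == 1,
    }


if __name__ == "__main__":
    key = parse_rsa_private_key(CHAINSHOT_PRIVATE_KEY_PEM)
    for name, value in check_against_writeup(key).items():
        print(f"{name}: {value}")
```

The modulus decodes to 64 bytes whose leading byte is 0x7D, so `bit_length()` reports 511 rather than 512; that is normal for a generator that does not force the top bit and the key is still a 512-bit-class key, which is exactly why factoring it was within reach.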

Once the researchers had decrypted the 128-bit AES key, they were able to decrypt the payload as well. According to the researchers, once the exploit gains RWE (read/write/execute) permissions, execution is passed to the shellcode payload, which then loads an embedded DLL internally named FirstStageDropper.dll.

After the exploit successfully gains RWE permissions, execution is passed to the shellcode payload. The shellcode loads an embedded DLL internally named FirstStageDropper.dll, which we call CHAINSHOT, into memory and runs it by calling its export function “__xjwz97”. The DLL contains two resources: the first is an x64 DLL internally named SecondStageDropper.dll and the second is an x64 kernel-mode shellcode.

– Palo Alto Networks

The researchers also shared the Indicators of Compromise (SHA-256 hashes); both are listed below.

Indicators of Compromise (SHA-256)

Adobe Flash Downloader

189f707cecff924bc2324e91653d68829ea55069bc4590f497e3a34fa15e155c

Adobe Flash Exploit (CVE-2018-5002)

3e8cc2b30ece9adc96b0a9f626aefa4a88017b2f6b916146a3bbd0f99ce1e497

Source: Palo Alto Networks; Via: GB Hackers, Bleeping Computer
