New malware named CHAINSHOT was recently delivered through an Adobe Flash zero-day vulnerability (CVE-2018-5002). The delivery vehicle was a Microsoft Excel file containing a tiny Shockwave Flash ActiveX object whose “Movie” property held a URL from which the Flash application was downloaded.
Researchers were able to crack the 512-bit RSA key and decrypt the payload. The Flash application turned out to be an obfuscated downloader that generates a random 512-bit RSA key pair in the memory of its process. The private key never leaves memory; only the public key is sent to the attacker's server, where it is used to encrypt the 128-bit AES key that in turn encrypts the payload. The server returns the encrypted AES key together with the encrypted payload, and the downloader uses its in-memory private key to recover the AES key and then decrypt the payload. Because a 512-bit RSA modulus is small enough to be factored with publicly available tooling, the researchers could recover the private key and perform the same decryption themselves.
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Researchers at Palo Alto Networks' Unit 42 cracked the encryption and published both their findings and the method they used.
While the private key remains only in memory, the public key's modulus n is sent to the attacker's server. On the server side, the modulus is used together with the hardcoded exponent e 0x10001 to encrypt the 128-bit AES key which was used previously to encrypt the exploit and shellcode payload.
– Palo Alto Networks
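The key-wrapping scheme described above, together with the path an analyst takes to undo it, as an added example written for this page in Go; it is neither Unit 42's code nor the malware's. Assumptions not stated in the article: unpadded (textbook) RSA for wrapping the AES key, AES-128 in CTR mode for the payload, and an analyst who obtains one prime factor of n from an external factoring tool, which the example simulates by reusing the prime from key generation rather than factoring a 512-bit modulus inline. The function names (generateKeyPair, privateExponent, wrapAESKey, unwrapAESKey, aesCTR, exchange) and the sample payload are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"math/big"
)

// rsaKeyPair is the downloader's in-memory key. Only N ever leaves the process.
type rsaKeyPair struct{ N, E, D, P *big.Int }

// generateKeyPair mimics the downloader: a fresh RSA key pair built in process
// memory with the hardcoded public exponent e = 0x10001.
func generateKeyPair(bits int) (*rsaKeyPair, error) {
	p, err := rand.Prime(rand.Reader, bits/2)
	if err != nil {
		return nil, err
	}
	q, err := rand.Prime(rand.Reader, bits/2)
	if err != nil {
		return nil, err
	}
	n, e := new(big.Int).Mul(p, q), big.NewInt(0x10001)
	d, err := privateExponent(n, e, p)
	if err != nil {
		return nil, err
	}
	return &rsaKeyPair{N: n, E: e, D: d, P: p}, nil
}

// privateExponent is the analyst's step once n has been factored: from one
// prime factor p derive q = n/p, phi = (p-1)(q-1) and d = e^-1 mod phi.
func privateExponent(n, e, p *big.Int) (*big.Int, error) {
	if p.Sign() <= 0 || p.Cmp(n) >= 0 || new(big.Int).Mod(n, p).Sign() != 0 {
		return nil, errors.New("p is not a proper factor of n")
	}
	one := big.NewInt(1)
	q := new(big.Int).Div(n, p)
	phi := new(big.Int).Mul(new(big.Int).Sub(p, one), new(big.Int).Sub(q, one))
	d := new(big.Int).ModInverse(e, phi)
	if d == nil {
		return nil, errors.New("e has no inverse modulo phi(n)")
	}
	return d, nil
}

// wrapAESKey is the server side: the 128-bit AES key raised to e mod n.
// Unpadded (textbook) RSA is an assumption; the page does not state padding.
func wrapAESKey(n, e *big.Int, aesKey []byte) ([]byte, error) {
	m := new(big.Int).SetBytes(aesKey)
	if m.Cmp(n) >= 0 {
		return nil, errors.New("key does not fit below the modulus")
	}
	return new(big.Int).Exp(m, e, n).Bytes(), nil
}

// unwrapAESKey undoes wrapAESKey with d, whether d came from the downloader's
// memory or from factoring n. FillBytes restores any leading zero bytes.
func unwrapAESKey(n, d *big.Int, wrapped []byte) ([]byte, error) {
	m := new(big.Int).Exp(new(big.Int).SetBytes(wrapped), d, n)
	if m.BitLen() > 128 {
		return nil, errors.New("unwrapped value wider than 128 bits (wrong d?)")
	}
	return m.FillBytes(make([]byte, 16)), nil
}

// aesCTR applies AES-128-CTR; the same call encrypts and decrypts. CTR mode is
// an assumption (the page names no mode). A bad key length is a bug here, so panic.
func aesCTR(key, iv, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// exchange runs server, downloader and analyst over one constructed payload and
// returns what each of the latter two recovers. The analyst's factoring run is
// simulated by handing over the prime p from key generation.
func exchange(bits int, payload []byte) (downloaderPT, analystPT []byte, err error) {
	kp, err := generateKeyPair(bits) // downloader: only kp.N goes on the wire
	if err != nil {
		return nil, nil, err
	}
	buf := make([]byte, 32) // server: random AES-128 key followed by a random IV
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, iv := buf[:16], buf[16:]
	wrapped, err := wrapAESKey(kp.N, kp.E, key) // server uses only n and e
	if err != nil {
		return nil, nil, err
	}
	body := aesCTR(key, iv, payload)
	dA, err := privateExponent(kp.N, kp.E, kp.P) // analyst: d rebuilt from a factor
	if err != nil {
		return nil, nil, err
	}
	// Both parties run the same unwrap-then-decrypt; only the source of d differs.
	var pts [2][]byte
	for i, d := range []*big.Int{kp.D, dA} {
		k, err := unwrapAESKey(kp.N, d, wrapped)
		if err != nil {
			return nil, nil, err
		}
		pts[i] = aesCTR(k, iv, body)
	}
	return pts[0], pts[1], nil
}
```

exchange(512, payload) returns the plaintext recovered by the downloader (d straight from memory) and by the analyst (d rebuilt from a factor of n); both equal the input when the factor is genuine. What this example cannot show is the cost of the factoring step itself: for a 512-bit modulus that is a dedicated factoring run with tooling built for the purpose, after which privateExponent is the only piece of arithmetic left.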
Once the researchers had decrypted the 128-bit AES key, they could decrypt the payload as well. According to the researchers, once the exploit gains RWE (read, write, execute) permissions, execution passes to the shellcode payload, which loads an embedded DLL internally named FirstStageDropper.dll.
After the exploit successfully gains RWE permissions, execution is passed to the shellcode payload. The shellcode loads an embedded DLL internally named FirstStageDropper.dll, which we call CHAINSHOT, into memory and runs it by calling its export function “__xjwz97”. The DLL contains two resources: the first is an x64 DLL internally named SecondStageDropper.dll and the second is an x64 kernel-mode shellcode.
– Palo Alto Networks
The researchers also shared Indicators of Compromise for both the Flash downloader and the Flash exploit; they are listed below.
Indicators of Compromise
Adobe Flash Downloader
Adobe Flash Exploit (CVE-2018-5002)