Hackers use Microsoft Excel Documents to carry out CHAINSHOT Malware Attack

Reading time icon 3 min. read

Readers help support MSPoweruser. When you make a purchase using links on our site, we may earn an affiliate commission. Tooltip Icon

Read the affiliate disclosure page to find out how can you help MSPoweruser effortlessly and without spending any money. Read more

A new malware named CHAINSHOT was recently used to target Adobe Flash zero-day vulnerability (CVE-2018-5002). The malware was transferred using a Microsoft Excel file containing a tiny Shockwave Flash ActiveX object and the property called “Movie” containing a URL  to download the flash application.

Researchers have been able to crack the 512-bit RSA key and decrypted the payload. Moreover, researchers found that the Flash application was an obfuscated downloader which creates a random 512-bit RSA key pair in memory of the process. The Private key then remains in the memory and the public key is sent to the attacker server to encrypt the AES key (used to encrypt the payload). Later Encrypted payload sent to the downloader and existing private key to decrypt the 128-bit AES key and payload.


Researchers at the Palo Alto Networks Unit 42 were the ones who cracked the encryption and shared their findings as well as how they cracked it.

While the private key remains only in memory, the public keys’ modulus n is sent to the attacker’s server. On the server side, the modulus is used together with the hardcoded exponent e 0x10001 to encrypt the 128-bit AES key which was used previously to encrypt the exploit and shellcode payload.

– Palo Alto Networks

Once the researchers decrypted the 128-bit AES key, they were able to decrypt the payload as well. According to the researchers, once the payload gains RWE permissions, the execution is passed to the shellcode payload which then loads an embedded DLL internally named FirstStageDropper.dll.

After the exploit successfully gains RWE permissions, execution is passed to the shellcode payload. The shellcode loads an embedded DLL internally named FirstStageDropper.dll, which we call CHAINSHOT, into memory and runs it by calling its export function “__xjwz97”. The DLL contains two resources, the first is x64 DLL internally named SecondStageDropper.dll and the second is a x64 kernelmode shellcode.

– Palo Alto Networks

The researchers also shared the Indicators of Compromise. You can take a look at both of them below.

Indicators of Compromise

Adobe Flash Downloader


Adobe Flash Exploit (CVE-2018-5002)


Source: Palo Alto Networks; Via: GB Hackers, Bleeping Computer

More about the topics: Adobe Flash Player, microsoft, Microsoft Excel, zero-day vulnerability