[Note: to prevent the spread of malicious samples, some details in this article have been replaced with {BLOCKED}.]
Recently we captured a number of attacks exploiting an Adobe Flash vulnerability (CVE-2014-0502). The attacker implanted malicious code into a Chinese technical blog, "www.java{BLOCKED}.com". The page with the implanted malicious code is shown below:
The SWF file referenced by this page triggers the vulnerability. After successful exploitation, a segment of shellcode embedded in logo.gif is executed.
The main job of this shellcode is to download and execute another executable, d.exe (MD5: E3AF2857178B7AB5A86269{BLOCKED}).
For details of the exploit itself, see:
Http://research.zscaler.com/2014/02/probing-into-flash-zero-day-exploit-cve.html
After the trojan program runs, it first decrypts the configuration-file download link in memory. The decryption routine, as decompiled, is as follows:
for ( i = 0; i < a3; *(_BYTE *)v4 = v5 )   // loop increment stores the decrypted byte; a3 = length
{
    v4 = i + a2;                                // a2 = output buffer, so v4 = &out[i]
    v5 = i + *(_BYTE *)(a1 - a2 + i + a2) - 2;  // a1 = encrypted buffer; (a1 - a2 + i + a2) == a1 + i, so out[i] = in[i] + i - 2
    ++i;
}
The decrypted URL is http://www.{BLOCKED}.ru/new/3d/mp4/flash.php. The trojan then calls GetVersion to obtain the operating system version; if the version is newer than NT 5.*, "?Id=2" is appended to this URL.
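The same transform as an added Python example (this is not the trojan's code; the URL and the encrypted buffer below are constructed placeholders): the decompiled loop reduces to out[i] = (in[i] + i - 2) mod 256, and the example also mirrors the GetVersion check that appends the "?Id=2" marker.

```python
# Added example: Python port of the decompiled URL-decryption loop.
# In that loop the source index (a1 - a2 + i + a2) simplifies to a1 + i,
# so with a1 = encrypted buffer, a2 = output buffer, a3 = length it is just
#   out[i] = (in[i] + i - 2) mod 256

def decrypt_url(blob: bytes) -> bytes:
    """Recover the plaintext download link from the encrypted buffer."""
    return bytes((b + i - 2) & 0xFF for i, b in enumerate(blob))


def encrypt_url(plain: bytes) -> bytes:
    """Inverse transform (byte - index + 2). The trojan only ships the
    decryption half; this is used here to build test input."""
    return bytes((b - i + 2) & 0xFF for i, b in enumerate(plain))


def add_os_marker(url: bytes, major_version: int) -> bytes:
    """Mirror the GetVersion check described above: on systems newer than
    NT 5.x the trojan appends "?Id=2" (spelled as quoted in the write-up)."""
    return url + b"?Id=2" if major_version > 5 else url


# Constructed sample: a placeholder host in the same shape as the recovered
# URL (the real host is withheld as {BLOCKED}), encrypted with the inverse.
SAMPLE_PLAIN = b"http://www.example.invalid/new/3d/mp4/flash.php"
SAMPLE_ENCRYPTED = encrypt_url(SAMPLE_PLAIN)

if __name__ == "__main__":
    url = decrypt_url(SAMPLE_ENCRYPTED)
    print(url.decode())                   # NT 5.x: URL used as-is
    print(add_os_marker(url, 6).decode()) # Vista and later: "?Id=2" appended
```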
The trojan then fetches the configuration file through InternetOpenUrlA and InternetReadFile; the User-Agent in the HTTP request is disguised as "Mozilla/4.0 (compatib )".
The flash.php page hides a commented-out piece of HTML and a commented-out script.
The tag contains the encrypted shellcode. If the page is viewed in a browser, the JavaScript sayhello function is called, which uses document.write to overwrite the page content with "Page Not Found!"
The trojan parses the HTML page and locates the configuration-file content using the data-size marker (0x2bf2) in the header. It then decrypts the shellcode in the following steps:
1. Base64 decode:
The configuration file is base64-encoded, and the encoding table is generated dynamically in memory.
2. XOR with a specified string:
After decryption, the configuration file is written to C:\Documents and Settings\[user name]\Application Data\mydesktop.ini (or C:\Users\[user name]\AppData\Roaming\mydesktop.ini).
If an error occurs during decryption, the trojan pops up a disguised MessageBox and terminates. The MessageBox calls are:
MessageBoxA(0, "file system information", "information", 0);
MessageBoxA(0, "file system", "info", 0);
MessageBoxA(0, "task over", "info", 0);
Once the shellcode is decrypted, the trojan calls VirtualAlloc to allocate memory with the PAGE_EXECUTE_READWRITE attribute, copies the shellcode into it, and then calls the shellcode address to execute it.
The shellcode is itself encrypted with a repeating XOR against a specified string; the XOR key is as follows:
The decrypted code implements the trojan's main functionality. Depending on the operating system version, the shellcode behaves differently:
1. OS version = NT5
The trojan copies itself to the C:\Windows directory as cusse.exe and modifies the registry to add an auto-start entry. It then creates an iexplore.exe process with a hidden window and communicates with the C&C server hk.{BLOCKED}.epac.to over HTTPS.
2. OS version > NT5
The shellcode is not injected into another process. The trojan copies itself directly to C:\Users\[user name]\AppData\Roaming\d.exe and adds an auto-start entry; it likewise communicates with the C&C server hk.{BLOCKED}.epac.to over HTTPS.
On NT 5.* systems, the trojan retrieves the path of its copied executable and outputs "sheldon here:":
By deploying the malicious code on a designated compromised (zombie) server and then fetching updated code from it over HTTP, the attackers not only make it easy to swap out C&C servers and attack code, but also make it harder to trace who is behind the attack.