I made an attempt to deobfuscate and analyze a malicious Adobe Flash SWF file from the Malware Traffic Analysis blog about the Angler Exploit Kit. I ran through the steps I mentioned to export it from the PCAP and turn the SWF file into ActionScript code.
I ended up with this ugly obfuscated mess of ActionScript code. Below is just a sampling, but here is the full obfuscated ActionScript code.
var _local1:* = new ((this.1[IlllI.11IIlI1lIl](IlllI.I11lI1IlI1) as Class))();
var _local2:* = new this.ll1IlI1II1lI()[IlllI.1lIlI1lI];
var _local3:int = _local2[IlllI.1lIIlI1lI1];
var _local4:int = _local2[IlllI.Ill1lI1];
var _local5:uint;
var _local6:uint = (10 - (5 * 2));
var _local7:int;
while (_local7 < _local3) {
    _local8 = 0;
    while (_local8 < _local4) {
        _local9 = _local2[IlllI.11lIlI](_local7, _local8);
        if ((((_local7 == 0)) && ((_local8 == 0)))){
            _local5 = (_local9 & 0xFFFFFF);
        }
I thought I'd take a stab at de-obfuscating this code, and I was, I thought, decently successful in unraveling the first layer of obfuscation. I pasted the partially deobfuscated code here and thought I'd review some of it below. I deobfuscated it by renaming variables and functions, removing unnecessary variable declarations and string concatenations, removing unnecessary nested function calls, etc.
public class Document extends MovieClip {
    public function Document(){
        super();
        if (this["stage"]){
            this.functionStartExploit();
        } else {
            this["addEventListener"]("addedToStage", this.functionStartExploit);
        };
    }
Per the above code, when the SWF loads in the user's browser it does the standard start for a Flash file. The Document class constructor checks whether stage is already set (meaning the object is already on the display list); if it isn't, it adds an addedToStage listener that fires as soon as the SWF is attached to the stage (the main display area of the SWF). Either way, once the stage is available the attacker's functionStartExploit runs. The this["stage"] and this["addEventListener"] bracket syntax is a leftover of the obfuscation: in the original, property and method names were looked up through string constants rather than written as plain identifiers.
public function functionStartExploit():void{
    this["removeEventListener"]("addedToStage", this.functionStartExploit);
    var _localEmbeddedSWF:* = new flash.display.Loader();
    _localEmbeddedSWF["loadBytes"](this.functionEmbeddedSWFFromBitmap());
    this["addChild"](_localEmbeddedSWF);
}
First the attacker removes the stage listener, since the stage is loaded by now. Then the attacker creates a flash.display.Loader as a placeholder for a nested SWF file (yes, there is essentially a SWF within a SWF). Loader.loadBytes takes a ByteArray and loads it exactly as if it were a SWF fetched from the network, so the inner file never has to exist on disk or in its own HTTP response. So there are two layers of obfuscation here. The first is what you saw in the raw output: renamed variables, pointless string concatenations, and arithmetic that just evaluates to a constant (like (10 - (5 * 2)) for 0). The second is that the actual exploit isn't in the SWF I'm analyzing at all, but in a nested SWF that is reconstructed from the pixel data of an embedded bitmap, as you'll see below. Once those bytes are handed to the Loader, the Loader is added as a child of this SWF so that the inner SWF lands on the display list and its own code runs.
private function functionEmbeddedSWFFromBitmap(){
    var _localMaliciousByteArray:* = new flash.utils.ByteArray();
    // BitmapAsset is the embedded image that carries the inner SWF
    var _localBitmap:* = new BitmapAsset()["bitmapData"];
    ...
    // outer loop over x (width), inner loop over y (height): column by column
    while (_localCounter2 < _localBitmap["width"]) {
        while (_localCounterNested < _localBitmap["height"]) {
            // getPixel returns the pixel as 0xRRGGBB
            _localPixel = _localBitmap["getPixel"](_localCounter2, _localCounterNested);
            ...
            // write the three colour channels as bytes, low byte first: B, G, R
            _localMaliciousByteArray["writeByte"]((_localPixel & 0xFF));
            _localMaliciousByteArray["writeByte"](((_localPixel >> 8) & 0xFF));
            _localMaliciousByteArray["writeByte"](((_localPixel >> 16) & 0xFF));
            ...
            _localCounterNested++;
        };
        ...
        _localCounter2++;
    };
    ...
    // rewind so that loadBytes reads from the start of the reconstructed SWF
    _localMaliciousByteArray["position"] = 0;
    return (_localMaliciousByteArray);
}
Finally, above is the routine that rebuilds the embedded SWF from the bitmap. It walks every pixel of the BitmapAsset column by column (the outer loop is over the width, the inner loop over the height) and for each pixel writes the three colour channels out as bytes from low to high: getPixel returns 0xRRGGBB, so the blue byte is written first, then green, then red. In the elided parts (the ... above) there is some additional altering of the bytes before they are returned, and in the original obfuscated code the very first pixel at (0, 0) is also read off into a separate variable before the loop carries on. Once the array is complete, its position is reset to 0 so that loadBytes reads it from the beginning, and it is returned and loaded into that nested Loader.
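To pull the inner SWF out yourself you have to reproduce that pixel walk exactly, including the column-major order. The Python below is an added example written for this post, not code from the original post or from the Angler sample: it encodes a constructed, minimal uncompressed SWF into a bitmap the same way the decoder expects (the bitmap is a plain nested list of 0xRRGGBB ints rather than a real PNG, and the height is an arbitrary choice), decodes it back with a mirror of functionEmbeddedSWFFromBitmap, carves the result using the SWF header's length field, and shows that walking the bitmap row by row instead of column by column gives the wrong bytes.

```python
import struct
import zlib

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib, LZMA

# Constructed sample: the smallest plausible uncompressed SWF (15 bytes).
# 3-byte signature, 1-byte version, uint32 LE total length, then an empty
# RECT (nbits=0), frame rate 24.0 as 8.8 fixed, 1 frame, and an End tag.
SAMPLE_SWF = (
    b"FWS" + bytes([10])
    + struct.pack("<I", 15)
    + b"\x00"
    + struct.pack("<HH", 0x1800, 1)
    + b"\x00\x00"
)


def pixel_to_bytes(px):
    """Same split the malware does: 0xRRGGBB -> B, G, R (low byte first)."""
    px &= 0xFFFFFF
    return bytes([px & 0xFF, (px >> 8) & 0xFF, (px >> 16) & 0xFF])


def pixels_from_bytes(data, height):
    """Inverse of the decoder: pack bytes into pixels, filling columns top to
    bottom, so that the column-major walk below reads them back in order.
    Returns bitmap[y][x] as a nested list of 0xRRGGBB ints."""
    padded = data + b"\x00" * (-len(data) % 3)
    pixels = []
    for i in range(0, len(padded), 3):
        b, g, r = padded[i], padded[i + 1], padded[i + 2]
        pixels.append((r << 16) | (g << 8) | b)
    pixels += [0] * (-len(pixels) % height)  # pad to whole columns
    width = len(pixels) // height
    bitmap = [[0] * width for _ in range(height)]
    for idx, val in enumerate(pixels):
        x, y = divmod(idx, height)
        bitmap[y][x] = val
    return bitmap


def swf_from_bitmap(bitmap):
    """Mirror of functionEmbeddedSWFFromBitmap: x is the outer loop, y the
    inner loop, three bytes per pixel."""
    height = len(bitmap)
    width = len(bitmap[0]) if height else 0
    out = bytearray()
    for x in range(width):
        for y in range(height):
            out += pixel_to_bytes(bitmap[y][x])
    return bytes(out)


def walk_rows(bitmap):
    """The tempting but wrong order (row by row); kept to show the difference."""
    out = bytearray()
    for row in bitmap:
        for px in row:
            out += pixel_to_bytes(px)
    return bytes(out)


def swf_length(buf):
    """Total file length from the header, or None if this is not a SWF."""
    if len(buf) < 8 or buf[:3] not in SWF_MAGICS:
        return None
    return struct.unpack_from("<I", buf, 4)[0]


def carve_swf(buf):
    """Return the SWF at the start of buf, inflated if it is zlib-compressed
    (CWS), truncated to its declared length. ZWS (LZMA) is left to the caller."""
    length = swf_length(buf)
    if length is None:
        return None
    if buf[:3] == b"CWS":
        buf = b"FWS" + buf[3:8] + zlib.decompress(buf[8:])
    if length > len(buf):
        return None  # truncated or padded junk after the image
    return buf[:length]


if __name__ == "__main__":
    bm = pixels_from_bytes(SAMPLE_SWF, height=4)
    raw = swf_from_bitmap(bm)
    print("carved:", carve_swf(raw))
    print("row walk matches:", walk_rows(bm)[:15] == SAMPLE_SWF)
```

With a real sample you would replace pixels_from_bytes with a PNG decoder (the embedded BitmapAsset) and feed its getPixel-style values into swf_from_bitmap; the carved output can then be decompiled separately from the outer file.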
I found it interesting to see this nested obfuscation technique in action. It definitely makes analysis harder as a security researcher, because the exploit you're looking for doesn't actually exist in the SWF that was spotted on the wire: a decompiler or a signature run against this outer file only ever sees a bitmap and some Loader glue. To get at the real payload you have to reproduce the pixel walk yourself (or hook Loader.loadBytes at runtime), dump the resulting ByteArray, check it for an FWS/CWS/ZWS header, and decompile that inner SWF separately.
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.