Thursday, June 2, 2016

Partial Deobfuscation of an Angler EK SWF

I made an attempt to deobfuscate and analyze a malicious Adobe Flash SWF file from a Malware Traffic Analysis blog post about the Angler Exploit Kit. I ran through the steps I mentioned previously to export the file from the PCAP and turn the SWF into ActionScript code.

I ended up with this ugly, obfuscated mess of ActionScript code. Below is just a sampling, but the full obfuscated ActionScript code is posted here.

var _local1:* = new ((this.1[IlllI.11IIlI1lIl](IlllI.I11lI1IlI1) as Class))();
var _local2:* = new this.ll1IlI1II1lI()[IlllI.1lIlI1lI];
var _local3:int = _local2[IlllI.1lIIlI1lI1];
var _local4:int = _local2[IlllI.Ill1lI1];
var _local5:uint;
var _local6:uint = (10 - (5 * 2));
var _local7:int;
while (_local7 < _local3) {
  _local8 = 0;
  while (_local8 < _local4) {
   _local9 = _local2[IlllI.11lIlI](_local7, _local8);
   if ((((_local7 == 0)) && ((_local8 == 0)))){
     _local5 = (_local9 & 0xFFFFFF);

I thought I'd take a stab at de-obfuscating this code, and I think I was decently successful at unraveling the first layer of obfuscation. I pasted the partially deobfuscated code here and review some of it below. I deobfuscated it by renaming variables and functions, removing unnecessary variable declarations and string concatenations, removing unnecessary nested function calls, etc.

public class Document extends MovieClip {
   public function Document(){
    if (this["stage"]){
    } else {
      this["addEventListener"]("addedToStage", this.functionStartExploit);

Per the above code, when the SWF file loads in the user's browser, it performs the standard startup for a Flash file: it checks whether the stage (the main display area of the SWF) is available, and if not, it adds a listener that fires as soon as the SWF has been added to the stage. Once that happens, the attacker's code starts the exploit.

public function functionStartExploit():void{
   this["removeEventListener"]("addedToStage", this.functionStartExploit);
   var _localEmbeddedSWF:* = new flash.display.Loader();

First the attacker removes the stage listener, since the stage is already loaded at this point. Then the attacker creates a placeholder (a Loader) for a nested SWF file (yes, there is essentially a SWF within a SWF). The initial layer of obfuscation involved all the renaming of variables, unnecessary string concatenations, etc. But there is a second layer of obfuscation: an embedded SWF file is loaded from inside this one. So the actual exploit does not occur in the SWF that I'm analyzing, but in a nested one that appears to have been hidden in a Bitmap asset, as you'll see below. Once that embedded SWF is loaded, it is added as a child of this SWF so that it runs as well.

private function functionEmbeddedSWFFromBitmap(){
   var _localMaliciousByteArray:* = new flash.utils.ByteArray();
   var _localBitmap:* = new BitmapAsset()["bitmapData"];
   while (_localCounter2 < _localBitmap["width"]) {
     while (_localCounterNested < _localBitmap["height"]) {
       _localPixel = _localBitmap["getPixel"](_localCounter2, _localCounterNested);
       _localMaliciousByteArray["writeByte"]((_localPixel & 0xFF));
       _localMaliciousByteArray["writeByte"](((_localPixel >> 8) & 0xFF));
       _localMaliciousByteArray["writeByte"](((_localPixel >> 16) & 0xFF));
   _localMaliciousByteArray["position"] = 0;
   return (_localMaliciousByteArray);

Finally, as shown above, when the embedded SWF is pulled out of the Bitmap asset there is some additional manipulation of the bytes: the code walks every pixel of the image, splits each pixel's color value into three separate bytes, and writes them into a ByteArray, which is then rewound to position 0 and handed back to be loaded into that nested Loader.
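To make the extraction step concrete for analysts, here is an added example (my own code, not from the original sample) that reproduces the pixel-to-bytes unpacking from functionEmbeddedSWFFromBitmap on a constructed pixel grid and checks whether the recovered bytes start with a SWF header. It assumes the same traversal order (column by column, then row by row) and byte order (low byte first) as the deobfuscated loop; the pack_bytes_into_pixels helper exists only to build the test fixture.

```python
# Added example: recover a payload hidden in bitmap pixel data the way the
# deobfuscated Angler loader does, then check whether it looks like a SWF.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib and LZMA SWF headers


def unpack_pixels(pixels, width, height):
    """pixels[x][y] is a 0xRRGGBB int as BitmapData.getPixel would return.
    Emits bytes in the same order as the ActionScript loop: outer loop over
    width, inner loop over height, low byte of each pixel first."""
    out = bytearray()
    for x in range(width):
        for y in range(height):
            p = pixels[x][y]
            out.append(p & 0xFF)          # blue channel (low byte)
            out.append((p >> 8) & 0xFF)   # green channel
            out.append((p >> 16) & 0xFF)  # red channel
    return bytes(out)


def swf_header(data):
    """Return (signature, version, declared_length) if data starts like a SWF,
    otherwise None. The length field is a little-endian uint32 at offset 4."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    return data[:3].decode(), data[3], int.from_bytes(data[4:8], "little")


def pack_bytes_into_pixels(payload, width, height):
    """Test fixture only (constructed): spread payload over a pixel grid in the
    layout the extraction loop expects, zero-padding the unused capacity."""
    padded = payload + b"\x00" * (width * height * 3 - len(payload))
    pixels = [[0] * height for _ in range(width)]
    i = 0
    for x in range(width):
        for y in range(height):
            b, g, r = padded[i], padded[i + 1], padded[i + 2]
            pixels[x][y] = (r << 16) | (g << 8) | b
            i += 3
    return pixels


# Constructed sample: a fake 20-byte SWF consisting of a header and zero filler.
SAMPLE_PAYLOAD = b"FWS" + bytes([10]) + (20).to_bytes(4, "little") + b"\x00" * 12
SAMPLE_PIXELS = pack_bytes_into_pixels(SAMPLE_PAYLOAD, 4, 2)  # 4 * 2 * 3 = 24 bytes


def demo():
    """Run the extraction on the constructed carrier and identify the header."""
    return swf_header(unpack_pixels(SAMPLE_PIXELS, 4, 2))  # ('FWS', 10, 20)


if __name__ == "__main__":
    print(demo())
```

On a real carrier image you would fill the pixel grid from the decoded bitmap instead of pack_bytes_into_pixels and then hand the recovered bytes to your usual SWF tooling.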

I found it interesting to see this nested obfuscation technique in action. It definitely makes analysis harder for a security researcher, because the exploit you're looking for isn't even present in the SWF file that was spotted in the traffic.


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
