Security researchers recently worked out the exploit chain of a piece of malware. The malware has been named CHAINSHOT after the chain of stages it runs on a targeted system. It exploits an Adobe Flash zero-day vulnerability, CVE-2018-5002. The malware is delivered through a Microsoft Excel file that contains a Shockwave Flash ActiveX object whose Movie property holds a URL from which the Flash application is downloaded.
CHAINSHOT uses 512-bit RSA to protect its payload, and researchers were able to decrypt it with little difficulty. The Flash application generates a 512-bit RSA key pair in the memory of the infected system. The private key stays in memory, while the public key is sent to the remote server, which uses it to encrypt the AES key that in turn encrypts the payload. The encrypted payload is then sent back to the downloader, and the private key is used to decrypt the 128-bit AES key and, with it, the payload.
Once the researchers had recovered the 128-bit AES key, they could decrypt the payload. The payload obtains RWE (read, write, execute) permissions on its memory, after which execution passes to the shellcode payload. The shellcode then loads an embedded DLL named FirstStageDropper.dll, which is what is commonly referred to as CHAINSHOT. The DLL is loaded into memory and executed by calling its export function ‘_xjwz97’. It carries two components: an x64 DLL named SecondStageDropper.dll and an x64 kernel-mode shellcode.
The initial samples of the attack appear to have originated in the Middle East, and the malware has been observed targeting individuals and organizations in that region. It uses a Microsoft Office document to download a remote Adobe Flash SWF file; the document fetches all SWF content from remote servers rather than embedding it in the document itself.
The use of asymmetric cryptography such as RSA helps the malware defeat replay-based network security tools and evade scrutiny by security applications. After the initial stage completes, the second stage is executed using the same encryption method to run shellcode that gives the attackers control of the targeted system. In its final stage CHAINSHOT may open backdoor channels on the system that allow additional modules to be installed; these can be used to carry out specific attacks. The malware continuously monitors the system, and the collected data can be sent to remote servers, where attackers routinely use it to design specific attacks against the host system's network.
Researchers were able to understand how CHAINSHOT operates because the 512-bit RSA key it uses is easy to crack; it has been pointed out that a modulus of that size can be factored using cloud computing. The malware has also been linked to other attacks that used the same resources, so much of the infrastructure related to the domains correlated with its servers has been identified. This should help shed light on similar attacks exploiting the zero-day vulnerability and help provide users with an appropriate solution.
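The key-wrapping exchange described in the second paragraph, and the reason a 512-bit modulus undermines it, as an added worked example in Python. This is not code from the malware, from the researchers who analysed it, or from any vendor; every function name is hypothetical. To keep it runnable offline in under a second it makes several labelled substitutions: 32-bit primes instead of the real 256-bit ones, Pollard's rho in place of the cloud-scale number-field-sieve factoring the researchers referred to, a SHA-256 counter-mode keystream standing in for AES-128 (the standard library has no AES), and the 128-bit session key wrapped as unpadded textbook-RSA chunks so it fits the toy modulus. The shape of the exchange is what matters: the downloader generates the key pair, only the public half leaves the host, the server wraps the symmetric key under it, and anyone who can factor the public modulus from captured traffic can do everything the downloader can.

```python
"""Toy model of the CHAINSHOT key-wrapping exchange and of why a short RSA
modulus lets an analyst recover the payload.  Added example; assumptions marked."""
import hashlib
import math
import random
import secrets

PRIME_BITS = 32   # toy; the real sample used 512-bit RSA (two ~256-bit primes)
CHUNK = 4         # bytes of session key per textbook-RSA block (toy, unpadded)


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # fix size, force odd
        if is_probable_prime(cand):
            return cand


def downloader_keygen(e: int = 65537):
    """Downloader side: key pair generated in memory; only (n, e) leaves the host."""
    while True:
        p, q = random_prime(PRIME_BITS), random_prime(PRIME_BITS)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), pow(e, -1, phi)   # public (n, e), private exponent d


def stream_xor(key: bytes, data: bytes) -> bytes:
    """SHA-256 counter-mode keystream; stand-in for the AES-128 used by the sample."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def server_wrap_and_encrypt(pub, payload: bytes):
    """Server side: choose a 128-bit session key, wrap it under the downloader's
    public key in 4-byte chunks (toy, so each chunk is below n), encrypt payload."""
    n, e = pub
    session_key = secrets.token_bytes(16)
    wrapped = [pow(int.from_bytes(session_key[i:i + CHUNK], "big"), e, n)
               for i in range(0, 16, CHUNK)]
    return wrapped, stream_xor(session_key, payload)


def unwrap(wrapped, n: int, d: int) -> bytes:
    """Recover the session key from the wrapped chunks with private exponent d."""
    return b"".join(pow(c, d, n).to_bytes(CHUNK, "big") for c in wrapped)


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of composite n (Floyd cycle-finding variant).
    Feasible here only because n is toy-sized; 512 bits needs a sieve run."""
    if n % 2 == 0:
        return 2
    while True:
        c = random.randrange(1, n)
        x = y = random.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d


def analyst_recover(pub, wrapped, ciphertext: bytes) -> bytes:
    """Analyst with only captured traffic: factor n, derive d, unwrap, decrypt."""
    n, e = pub
    p = pollard_rho(n)
    q = n // p
    d = pow(e, -1, (p - 1) * (q - 1))
    return stream_xor(unwrap(wrapped, n, d), ciphertext)


if __name__ == "__main__":
    pub, priv = downloader_keygen()
    wrapped, ct = server_wrap_and_encrypt(pub, b"constructed stand-in for stage two")
    print("downloader decrypts:", stream_xor(unwrap(wrapped, pub[0], priv), ct))
    print("analyst via factoring:", analyst_recover(pub, wrapped, ct))
```

The analyst path never touches the private key the downloader holds in memory: factoring the public modulus from the captured exchange reproduces it. That is the property the researchers exploited, and it is why a 512-bit RSA modulus offers no meaningful protection against an adversary willing to rent factoring capacity.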