Security researchers have managed to crack the encryption used in a piece of malware to discover the framework of its attack mechanism.
Dubbed Chainshot by researchers at Palo Alto Networks, the malware gave up its secrets after the researchers cracked the 512-bit RSA keys and decrypted the exploit and malware payloads. The malware got its name from how the attack uses several stages, with each stage requiring input from the previous one to work.
It was discovered after researchers followed the discovery of a new Adobe Flash 0-day and found several documents using the same exploit that were used in targeted attacks.
"Armed with these initial weaponised documents, we uncovered additional attacker network infrastructure, were able to crack the 512-bit RSA keys and decrypt the exploit and malware payloads," said researchers.
Researchers studied network traffic between the hacker’s command and control (C2) servers. Here they found the 512-bit RSA key. They said that the Flash application found with the malware is an obfuscated downloader which creates a random 512-bit RSA key pair in the memory of the process.
"While the private key remains only in memory, the public key’s modulus n is sent to the attacker’s server," said researchers. "On the server side, the modulus is used together with the hardcoded exponent e 0x10001 to encrypt the 128-bit AES key which was used previously to encrypt the exploit and shellcode payload."
Researchers then used a public project called Factoring as a Service, which itself relies on Amazon EC2’s compute capacity and can factorise large integers in a matter of hours.
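The key-recovery chain described above, as an added example that is not code from the Palo Alto Networks report: the victim-side downloader hands only the modulus n to the server, the server wraps the 128-bit AES key under (n, e=0x10001), and an analyst who has captured n and the wrapped key can factor n, derive the private exponent and unwrap the key. Factoring as a Service is replaced here by Pollard's rho on a constructed 63-bit modulus so it runs in well under a second; the primes and the 56-bit key stand-in are assumed values.

```python
import math
import random

E = 0x10001  # the hardcoded public exponent quoted in the article


def pollard_rho(n: int) -> int:
    """Return a nontrivial factor of composite n (Pollard's rho, Floyd cycle)."""
    if n % 2 == 0:
        return 2
    while True:
        c = random.randrange(1, n)
        x = y = random.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:          # a degenerate cycle hit n itself; retry with new c
            return d


def recover_private_exponent(n: int, e: int) -> int:
    """Factor n and compute d = e^-1 mod (p-1)(q-1), as for any textbook RSA key."""
    p = pollard_rho(n)
    q = n // p
    assert p * q == n and 1 < p < n
    return pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python >= 3.8)


def rsa_wrap(m: int, n: int, e: int) -> int:
    """Server side: wrap the AES key (as an integer) with the victim's public key."""
    return pow(m, e, n)


def recover_aes_key(n: int, e: int, c: int) -> int:
    """Analyst side: with only n, e and the wrapped key captured from traffic."""
    return pow(c, recover_private_exponent(n, e), n)


# Constructed demo values: two small primes stand in for the two 256-bit primes
# of a real 512-bit modulus, and a 56-bit value stands in for the AES key.
P_DEMO = 2147483647          # 2^31 - 1
Q_DEMO = 4294967311          # 2^32 + 15
N_DEMO = P_DEMO * Q_DEMO     # what the downloader sends to the C2 server
KEY_STANDIN = 0xC0FFEEDEADBEEF
C_DEMO = rsa_wrap(KEY_STANDIN, N_DEMO, E)   # what the server sends back

if __name__ == "__main__":
    print(hex(recover_aes_key(N_DEMO, E, C_DEMO)))
```

A real 512-bit modulus is far beyond Pollard's rho, which is why the researchers needed a number-field-sieve service; the point is that once n is factored, the rest of the recovery is routine.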
Once the payloads were decoded, the researchers found that analysis was tricky because each stage of the malware depends on the previous one. To enable analysis, they reproduced the server-side infrastructure so they could conduct dynamic analysis and get a better understanding of how the exploit and payload work together.
However, they did find that the malware contains code for circumventing Kaspersky and Bitdefender security software.
"It also collects and sends encrypted user system and process information data together with a unique hardcoded ID to the attacker’s server," they said.
A second-stage dropper acts as a downloader for the malware’s final payload. It also collects various information from the victim system, encrypts it and sends it to the attacker’s server. The second-stage dropper contains a couple of strings that differ between samples; researchers said this possibly indicates they are changed for every victim.
The malware sends the encrypted user information to the attacker’s server and attempts to download a final-stage implant. The researchers said that another interesting aspect of the exploit code is that it sends status messages when something goes wrong at every stage of the exploitation.
Researchers said the malware was developed with the help of an unknown framework and makes extensive use of custom error handling.
"Because the attacker made another mistake in using the same SSL certificate for similar attacks, we were able to uncover additional infrastructure indicating a larger campaign," said researchers.