This is the analysis report of a malicious Word document used in a Phishing campaign targeting financial organizations and cryptocurrency exchanges. This dropper file is exploiting a vulnerability in Adobe Flash in order to download & execute the second stage malware. Components and general outline is shown in image below.

SECURITY ANALYSIS OF THE MOST POPULAR CRYPTOCURRENCY EXCHANGES.DOCX

This is the initial document which is delivered over a Phishing E-mail. Its main task is to drop the 2nd stage payload. It contains a second document file with the name of “activeX1.bin”. Contents are shown in the screenshot below.

ACTIVEX1.BIN

This file is the type of “Word Processing Document”. We discovered that there is a Flash object embedded in this document. We have successfully extracted and analysed the aforementioned SWF file as seen below.

FLASH EXPLOIT CVE-2018-4878

This file exploits an use-after free vulnerability in Adobe Flash (CVE-2018-4878 *) in order to gain arbitrary code execution. If successful it connects to domain “falcancoin.io” to download the 2nd stage payload, and executes it. Basic code obfuscation techniques are present and the shellcode is contained under the “binaryData” section. We have managed to extract and analyse the shellcode as seen below.

Initial procedure of this shellcode is to search through the memory for a constant value (hexadecimal: AABBCCDD). We believe that this constant value is a seperator for different sections of the shellcode.

While this being similar to an exploitation technique calledEgg Huntingwe consider it to be a characteristic of this shellcode. So below we have created a YARA signature to detect this payload.

$find_signature = {8B 4D 04 31 C0 81 3C 08 ?? ?? ?? ?? 74 0A 40 3D 00 01 00 00 72 EF 5D C3}

PACKAGE32.ZIP

This is the second stage payload dropped by the aforementioned shellcode. It’s identified that this is indeed the BankShot implant of the threat actor group dubbed as HiddenCobra or Lazarus. Common anti analysis measures are present. This implant also carry abilities like persistency and command execution, and communicating via a custom protocol built on HTTP. Screenshots regarding to some of our findings are below.

You can read the full analysis report written by McAfee on this implant here: https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/

INDICATORS OF COMPROMISE

This is the analysis report of a malicious Word document used in a Phishing campaign targeting financial organizations and cryptocurrency exchanges. This dropper file is exploiting a vulnerability in Adobe Flash in order to download & execute the second stage malware. Components and general outline is shown in image below.

SECURITY ANALYSIS OF THE MOST POPULAR CRYPTOCURRENCY EXCHANGES.DOCX

This is the initial document which is delivered over a Phishing E-mail. Its main task is to drop the 2nd stage payload. It contains a second document file with the name of “activeX1.bin”. Contents are shown in the screenshot below.

ACTIVEX1.BIN

This file is the type of “Word Processing Document”. We discovered that there is a Flash object embedded in this document. We have successfully extracted and analysed the aforementioned SWF file as seen below.

FLASH EXPLOIT CVE-2018-4878

This file exploits an use-after free vulnerability in Adobe Flash (CVE-2018-4878 *) in order to gain arbitrary code execution. If successful it connects to domain “falcancoin.io” to download the 2nd stage payload, and executes it. Basic code obfuscation techniques are present and the shellcode is contained under the “binaryData” section. We have managed to extract and analyse the shellcode as seen below.

Initial procedure of this shellcode is to search through the memory for a constant value (hexadecimal: AABBCCDD). We believe that this constant value is a seperator for different sections of the shellcode.

While this being similar to an exploitation technique calledEgg Huntingwe consider it to be a characteristic of this shellcode. So below we have created a YARA signature to detect this payload.

$find_signature = {8B 4D 04 31 C0 81 3C 08 ?? ?? ?? ?? 74 0A 40 3D 00 01 00 00 72 EF 5D C3}

PACKAGE32.ZIP

This is the second stage payload dropped by the aforementioned shellcode. It’s identified that this is indeed the BankShot implant of the threat actor group dubbed as HiddenCobra or Lazarus. Common anti analysis measures are present. This implant also carry abilities like persistency and command execution, and communicating via a custom protocol built on HTTP. Screenshots regarding to some of our findings are below.

You can read the full analysis report written by McAfee on this implant here: https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/

INDICATORS OF COMPROMISE