© All rights reserved.
Cyber Struggle Cyber Struggle
  • Home
  • Company
    • About Us
    • CS Manifesto
    • Open Letter for Ranger Grads
    • Careers
    • Press and Media
    • Contact Us
    • GDPR Notification
  • Products
    • Simulation Core
  • Courses
    • Ranger Certification
      • Ranger Certification
      • Ranger Grad Feedbacks
    • Aegis Certification (New)
      • Aegis Certification
      • Aegis Grad Feedbacks
    • Contemporary Certifications
      • Cyber Struggle Tactical Pistol Operator
  • For Corporates
  • Resources
    • Articles
    • Threat Reports
    • Tools
    • Announcements
  • Community
    • Community Programs
      • Ribbon Program
    • Delta Group
0
Cyber Struggle

Bankshot Dropper Analysis

By cyberstruggle inArticles, Delta Group

Summary

This is the analysis report of a malicious Word document used in a Phishing campaign targeting financial organizations and cryptocurrency exchanges. This dropper file is exploiting a vulnerability in Adobe Flash in order to download & execute the second stage malware. The components and general outline is shown in the image below.

SECURITY ANALYSIS OF THE MOST POPULAR CRYPTOCURRENCY EXCHANGES.DOCX

This is the initial document which is delivered over a Phishing E-mail. Its main task is to drop the 2nd stage payload. It contains a second document file with the name of “activeX1.bin”. Contents are shown in the screenshot below.

Contents of File

 

Content of Docx File

ACTIVEX1.BIN

This file is the type of “Word Processing Document”. We discovered that there is a Flash object embedded in this document. We have successfully extracted and analysed the aforementioned SWF file as seen below.

Flash Object Found

FLASH EXPLOIT CVE-2018-4878

This file exploits an use-after-free vulnerability in Adobe Flash (CVE-2018-4878 *) in order to gain arbitrary code execution. If successful it connects to domain “falcancoin.io” to download the 2nd stage payload, and executes it. Basic code obfuscation techniques are present and the shellcode is contained under the “binaryData” section. We have managed to extract and analyze the shellcode as seen below.

Shellcode Contained in binaryData Section

Shellcode Strings

 

The initial procedure of this shellcode is to search through the memory for a constant value (hexadecimal: AABBCCDD). We believe that this constant value is a separator for different sections of the shellcode.

Searching Procedure

 

While this being similar to an exploitation technique calledEgg Huntingwe consider it to be a characteristic of this shellcode. So below we have created a YARA signature to detect this payload.

$find_signature = {8B 4D 04 31 C0 81 3C 08 ?? ?? ?? ?? 74 0A 40 3D 00 01 00 00 72 EF 5D C3}

Section A of Shellcode

 

Section B of Shellcode

 

PACKAGE32.ZIP

This is the second stage payload dropped by the aforementioned shellcode. It’s identified that this is indeed the BankShot implant of the threat actor group dubbed as HiddenCobra or Lazarus. Common anti-analysis measures are present. This implant also carry abilities like persistence and command execution, and communicating via a custom protocol built on HTTP. Screenshots regarding some of our findings are below.

Filenames C2 domains and Windows Commands

Common anti-analysis trick leveraging timing attack

Initial communication with C2

Implant querying host’s User-Agent string in order to use it in communications, therefore, its traffic will look less suspicious

 

You can read the full analysis report written by McAfee on this implant here: https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/

INDICATORS OF COMPROMISE

Type Signature Description
Domain falcancoin.io Host of Hidden Cobre
Domain 530hr.com C2 Domain
Domain 028xmz.com Backup C2
Domain 168wangpi.com Backup C2
MD5 b99e5cf00d084aadb938b8db721c026a activeX1.bin
MD5 9e819a142e1287a9fd72b317b575ad17 CVE-2018-4878.swf
MD5 0e3e891d5235a7880bd4c7bb04430185 Exploit Payload
MD5 12c786c490366727cf7279fc141921d8 package32.zip
MD5 1b3ebec6ce48241c6715e19713a95f1b Security analysis of the most popular cryptocurrency exchanges.docx
YARA $find_signature = {8B 4D 04 31 C0 81 3C 08 ?? ?? ?? ?? 74 0A 40 3D 00 01 00 00 72 EF 5D C3} Signature searching routine of exploit payload
application securitycybersecuritycyberstrugglenodejsnodejs securitySecure development
  • APT37 New Year Attack
    Previous PostAPT37 New Year Attack
  • Next PostAnalysis of APT37 New Year Attack
    APT37 New Year Attack

Related Posts

Ratelimit Bypass Tool: Whitepass
Announcements Articles Delta Group

Ratelimit Bypass Tool: Whitepass

Credential Dumping Tool: Chalumeau
Announcements Articles Delta Group

Credential Dumping Tool: Chalumeau

Microsoft ATA Evasion (Over PTH, Golden Ticket)
Articles Delta Group

Microsoft ATA Evasion (Over PTH, Golden Ticket)

Microsoft SMBv3 Remote Code Execution Vulnerability Overview CVE-2020-0796
Articles Delta Group

Microsoft SMBv3 Remote Code Execution Vulnerability Overview CVE-2020-0796

Leave a Reply (Cancel reply)

Your email address will not be published. Required fields are marked *

*
*

twenty + eighteen =

image
F.A.Q
Support Forum
Video Tutorials

Search panel can contain any widgets and shortcodes.

Call us: 0 800 255 22 55
Copy