- New FALLCHILL-like implant 2018-07-05
- Exploit: CVE-2017-8291
- PostScript method:
  - 4-byte XOR encoded PostScript
  - shellcode inside PostScript
  - Shellcode parses embedded BMP looking for magic string: "F0und3g9"
  - Shellcode uses Windows Crypto APIs to decrypt x86 and x64 implants using AES-CBC mode with hardcoded 16-byte key/iv
- IOCs (filename|MD5 and filename|SHA-256):
  - ㈜삼강엠앤티 망 분리 관련 요청사항.hwp|a5a71b23e75795fd76153fdf02e7e2ed
  - ㈜삼강엠앤티 망 분리 관련 요청사항.hwp|6f1bddb3aa221635adfd8b1c465da64ab436648e3c14e44ccd118e96af50e5d7
  - BIN0002.ps|42e01850b1b50eab1e8470bd263e01f4
  - BIN0002.ps|843c751aeebf0890ecefddea6ab99e0a29bc9396ad8fb2c1be3eec1511fa0619
  - BIN0001.bmp|719025d32c71e11b62db27b0035d66ef
  - BIN0001.bmp|277b4360da713ad6a74f6f213c3ea5daa4b150824bbc290e5ed3cb1427512805
- Decrypted implants:
  - x86.bin|d08986b22d2371419dfcdf4abdb821b5
  - x86.bin|d060123c21869b765b22b712a8ca47266a33464095411e2b7bdf7e327d23ed07
  - x64.bin|3d0355ff78dcc979b3f83a679b6ba794
  - x64.bin|c294520c1f64c77776dad6599da29bf9e825f41c647979f11e09205ff67ca117
- C2s:
  - http://sdajunghwa.com/admin/data/admin_data.asp
  - http://www.patentmall.net/goods/goods.asp
  - http://www.orentcar.com/rental/sub06.asp
  - http://www.pyeonta.com/board/news/board.asp
  - http://doosungsys.com/file_bd/upload_file/file_board.asp
- Payload extraction script:
  - https://pastebin.com/435bVwUw
- VirusTotal:
  - HWP: https://www.virustotal.com/#/file/6f1bddb3aa221635adfd8b1c465da64ab436648e3c14e44ccd118e96af50e5d7/detection
  - Implants:
    - https://www.virustotal.com/#/file/d060123c21869b765b22b712a8ca47266a33464095411e2b7bdf7e327d23ed07/detection
    - https://www.virustotal.com/#/file/c294520c1f64c77776dad6599da29bf9e825f41c647979f11e09205ff67ca117/detection
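The XOR and BMP-carving steps of the PostScript method listed above, as an added Python triage example (not the page's own extraction script): it assumes the decoded PostScript begins with the standard "%!PS" header (4 bytes of known plaintext) and runs on constructed sample data; the AES-CBC decryption step is omitted because the key/IV are not on the page.

```python
from typing import Optional

# Value from the page: the marker the shellcode searches for inside the BMP.
MAGIC = b"F0und3g9"
# Assumption (not stated on the page): decoded PostScript starts with the
# standard "%!PS" header, which gives us 4 bytes of known plaintext.
PS_PREFIX = b"%!PS"

def xor4(data: bytes, key: bytes) -> bytes:
    """Apply a repeating 4-byte XOR key; decode and encode are the same op."""
    if len(key) != 4:
        raise ValueError("key must be exactly 4 bytes")
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))

def recover_xor_key(encoded: bytes, known_prefix: bytes = PS_PREFIX) -> bytes:
    """Known-plaintext recovery: key[i] = ciphertext[i] ^ plaintext[i], i < 4."""
    if len(encoded) < 4 or len(known_prefix) < 4:
        raise ValueError("need at least 4 bytes of ciphertext and known plaintext")
    return bytes(encoded[i] ^ known_prefix[i] for i in range(4))

def looks_like_postscript(decoded: bytes) -> bool:
    """Sanity check so a wrong prefix assumption is not silently accepted."""
    return decoded.startswith(PS_PREFIX) and all(
        32 <= b < 127 or b in b"\r\n\t" for b in decoded[:256])

def encrypted_blob_offset(bmp: bytes) -> Optional[int]:
    """Offset just past MAGIC in a BMP, or None. Carving only: AES key/IV unknown."""
    if bmp[:2] != b"BM":
        return None
    idx = bmp.find(MAGIC)
    return None if idx < 0 else idx + len(MAGIC)

def triage(ps_blob: bytes, bmp_blob: bytes) -> dict:
    """Strip the XOR layer and locate the ciphertext the shellcode would decrypt."""
    key = recover_xor_key(ps_blob)
    decoded = xor4(ps_blob, key)
    return {
        "xor_key": key.hex(),
        "postscript_ok": looks_like_postscript(decoded),
        "blob_offset": encrypted_blob_offset(bmp_blob),
    }

# Constructed sample data (not the real samples) so the script runs offline.
SAMPLE_PS = b"%!PS-Adobe-3.0\n/x 1 def\n"
SAMPLE_KEY = bytes.fromhex("deadbeef")
SAMPLE_ENCODED_PS = xor4(SAMPLE_PS, SAMPLE_KEY)
SAMPLE_BMP = b"BM" + b"\x00" * 12 + MAGIC + b"\x41" * 16
```

On a real HWP, feed `triage()` the extracted BIN0002.ps and BIN0001.bmp streams; a `postscript_ok` of False means the header assumption did not hold and the key must be recovered another way.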