New FALLCHILL-like implant 2018-07-5

1. New FALLCHILL-like implant 2018-07-5
2.  
3. Exploit: CVE-2017-8291
4. PostScript method:
5. -4-byte XOR encoded PostScript
6. -shellcode inside PostScript
7. -Shellcode parses embedded BMP looking for magic string: "F0und3g9"
8. -Shellcode uses Windows Crypto APIs to decrypt x86 and x64 implants using AES-CBC mode with hardcoded 16-byte key/iv
9.  
10. IOCs
11. ㈜삼강엠앤티 망 분리 관련 요청사항.hwp|a5a71b23e75795fd76153fdf02e7e2ed
12. ㈜삼강엠앤티 망 분리 관련 요청사항.hwp|6f1bddb3aa221635adfd8b1c465da64ab436648e3c14e44ccd118e96af50e5d7
13. BIN0002.ps|42e01850b1b50eab1e8470bd263e01f4
14. BIN0002.ps|843c751aeebf0890ecefddea6ab99e0a29bc9396ad8fb2c1be3eec1511fa0619
15. BIN0001.bmp|719025d32c71e11b62db27b0035d66ef
16. BIN0001.bmp|277b4360da713ad6a74f6f213c3ea5daa4b150824bbc290e5ed3cb1427512805
17. Decrypted Implants:
18. x86.bin|d08986b22d2371419dfcdf4abdb821b5
19. x86.bin|d060123c21869b765b22b712a8ca47266a33464095411e2b7bdf7e327d23ed07
20. x64.bin|3d0355ff78dcc979b3f83a679b6ba794
21. x64.bin|c294520c1f64c77776dad6599da29bf9e825f41c647979f11e09205ff67ca117
22.  
23. C2s:
24. http://sdajunghwa.com/admin/data/admin_data.asp
25. http://www.patentmall.net/goods/goods.asp
26. http://www.orentcar.com/rental/sub06.asp
27. http://www.pyeonta.com/board/news/board.asp
28. http://doosungsys.com/file_bd/upload_file/file_board.asp
29.  
30.  
31. Payload extraction script:
32. https://pastebin.com/435bVwUw
33.  
34. VirusTotal
35. HWP: https://www.virustotal.com/#/file/6f1bddb3aa221635adfd8b1c465da64ab436648e3c14e44ccd118e96af50e5d7/detection
36. Implants:
37. https://www.virustotal.com/#/file/d060123c21869b765b22b712a8ca47266a33464095411e2b7bdf7e327d23ed07/detection
38. https://www.virustotal.com/#/file/c294520c1f64c77776dad6599da29bf9e825f41c647979f11e09205ff67ca117/detection