darienhuss

New FALLCHILL-like implant 2018-07-5

Jul 5th, 2018

Exploit: CVE-2017-8291
PostScript method:
- 4-byte XOR encoded PostScript
- shellcode inside PostScript
- Shellcode parses embedded BMP looking for magic string: "F0und3g9"
- Shellcode uses Windows Crypto APIs to decrypt x86 and x64 implants using AES-CBC mode with hardcoded 16-byte key/iv
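An added analyst-side example of the two unpacking layers described above; it is not the payload extraction script the note links to. The magic string comes from the note; the XOR key, the sample bytes, the "%!PS" known-plaintext assumption and the assumption that the ciphertext directly follows the marker are constructed here for illustration, and the AES key/iv are placeholders (the real ones live in the shellcode).

```python
from typing import Optional

MAGIC = b"F0und3g9"  # marker string quoted in the note


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Undo a repeating-key XOR; the note reports a 4-byte key over the PostScript."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(data: bytes, known_prefix: bytes = b"%!PS", key_len: int = 4) -> bytes:
    """Known-plaintext recovery of a repeating XOR key (assumes a '%!PS' header)."""
    if len(data) < key_len or len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of data and known plaintext")
    return bytes(data[i] ^ known_prefix[i] for i in range(key_len))


def find_marker(bmp: bytes, magic: bytes = MAGIC) -> Optional[int]:
    """Offset just past the magic string inside the BMP, or None if it is absent."""
    idx = bmp.find(magic)
    return None if idx < 0 else idx + len(magic)


def carve_after_marker(bmp: bytes, magic: bytes = MAGIC) -> bytes:
    """Bytes following the marker (assumed here to be the AES-CBC ciphertext)."""
    off = find_marker(bmp, magic)
    if off is None:
        raise ValueError("magic string not found in BMP")
    return bmp[off:]


def aes_cbc_decrypt(blob: bytes, key: bytes, iv: bytes) -> bytes:
    """AES-CBC with a 16-byte key/iv; the real values are hardcoded in the shellcode."""
    from Crypto.Cipher import AES  # pycryptodome; imported lazily so the rest runs without it
    if len(key) != 16 or len(iv) != 16:
        raise ValueError("note reports a 16-byte key and iv")
    usable = len(blob) - (len(blob) % 16)  # drop any trailing partial block
    return AES.new(key, AES.MODE_CBC, iv).decrypt(blob[:usable])


def demo() -> dict:
    """Constructed sample (not bytes from the real document): encode, then recover."""
    ps_plain = b"%!PS-Adobe-3.0\n/shellcode <deadbeef> def\n"
    xor_key = b"\x13\x37\xab\xcd"  # placeholder, not the real key
    ps_enc = xor_decode(ps_plain, xor_key)  # XOR is symmetric
    bmp = b"BM" + b"\x00" * 52 + MAGIC + b"\x01" * 32  # fake header, marker, "ciphertext"
    key = recover_xor_key(ps_enc)
    return {"key": key, "ps": xor_decode(ps_enc, key), "payload": carve_after_marker(bmp)}
```

The carved bytes would then go to aes_cbc_decrypt with the key/iv pulled from the shellcode, and the result should parse as a PE for the x86 or x64 implant.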

IOCs

C2s:
http://sdajunghwa.com/admin/data/admin_data.asp
http://www.patentmall.net/goods/goods.asp
http://www.orentcar.com/rental/sub06.asp
http://www.pyeonta.com/board/news/board.asp
http://doosungsys.com/file_bd/upload_file/file_board.asp

Payload extraction script:
https://pastebin.com/435bVwUw

VirusTotal
HWP: https://www.virustotal.com/#/file/6f1bddb3aa221635adfd8b1c465da64ab436648e3c14e44ccd118e96af50e5d7/detection
Implants:
https://www.virustotal.com/#/file/d060123c21869b765b22b712a8ca47266a33464095411e2b7bdf7e327d23ed07/detection
https://www.virustotal.com/#/file/c294520c1f64c77776dad6599da29bf9e825f41c647979f11e09205ff67ca117/detection