A malicious Excel document is sent with a small Shockwave Flash Active X object. The object downloads an obfuscated downloader flash application. It utilizes URLs in the object to download a payload encrypted with 512-bit RSA key. Thankfully, researchers at Paloalto were able to crack the encryption in a matter of hours. The 512-bit key length is insecure and able to be broken with some effort. Rather than throwing a personal supercomputer at the issue, researchers can use cloud computing to discover the decrypted AES key.
Kaspersky and BitDefender Bypasses
As a result, more information is known about the exploit, which Palo Alto Network’s Dominik Reichel and Esmid Idrizovic describe below: “After the exploit successfully gains RWE permissions, execution is passed to the shellcode payload. The shellcode loads an embedded DLL internally named FirstStageDropper.dll, which we call CHAINSHOT, into memory and runs it by calling its export function ‘__xjwz97’. The DLL contains two resources, the first is x64 DLL internally named SecondStageDropper.dll and the second is a x64 kernelmode shellcode.” The two additional DLL resources contain code to bypass Window’s EMET toolkit, as well as Kapersky and Bitdefender. Despite their discovery, the team was unable to figure out the final payload of CHAINSHOT, though they did discover the three domains it comes from. The malware appears to be targeting users in the Middle East, specifically Qatar. It collects information about the victim before sending it back to the attacker, encrypted. It’s also been seen in a series of targeted malware campaigns. However, by searching for domains with the same SSL certificate, Palo Alto was able to find ‘large number’ of domains, indicating a wider attack. BitDefender says that its users have been safe from CHAINSHOT since July, while Kapersky is looking into the issue. For all the technical details, you can read Palo Alto Network’s blog post.