On December 13th 2019, @nao_sec discovered a new Exploit kit targeting users in Japan and it was given the name, Bottle Exploit Kit.
@nao_sec described in their blog the details of the Exploit Kit including the two vulnerabilities (CVE-2018-8174 and CVE-2018-15982) which were exploited in this attack.
In this article, I will go into the details of the multiple stages of unpacking the payload used in Bottle Exploit Kit.
tl;dr: Multiple stages of packing are used in the payload. The XOR decryption routine used is common for all the payloads related to Bottle Exploit Kit and can be used to discover more instances.
MD5 hash of the sample discussed: ee98ef74c496447847f1876741596271
The WinMain() subroutine creates a new Thread as shown below:
The newly created Thread creates another Thread in turn as shown below:
The first stage of unpacking is performed by Thread 2 (function start address: 0x40105b). The figure highlights the important stages of unpacking:
The main stages of unpacking of the first stage are:
1. VirtualAlloc() to allocate memory to decrypt stage 1.
2. RtlMoveMemory() to copy 0x1ed8 bytes of encrypted data from 0x412db8 to memory allocated in step 1.
3. XOR decryption routine at address: 0x401000 is invoked. The XOR decryption key is 0x3c bytes in length and is passed as an argument to the XOR decryption routine.
4. VirtualAlloc() is called again to decompress the XOR decrypted output of step 3.
5. Decompression is performed using RtlDecompressBuffer()
6. A new Thread with function start address set to decompressed code in step 5 is started.
The XOR decryption routine mentioned in step 3 above is as shown below:
The next decrypted stage looks as shown below:
Another layer of XOR decryption is done by stage 2 which gives us the following decrypted data:
In the next stage of execution, it performs the System Language Check using the API, GetUserDefaultUILanguage() as shown below:
The system language code is compared with 0x411 which corresponds to Japanese System Language. The payload will execute completely only if the system language code is: 0x411.
Here is the list of decrypted strings:
0000000028DF 0000000028DF 0 shlwapi.dll
0000000028EB 0000000028EB 0 User32.dll
0000000028F6 0000000028F6 0 Advapi32.dll
000000002903 000000002903 0 ntdll.dll
00000000290D 00000000290D 0 Ws2_32.dll
000000002918 000000002918 0 Wininet.dll
000000002924 000000002924 0 Urlmon.dll
00000000292F 00000000292F 0 bcdfghklmnpqrstvwxzaeiouyT
000000002A56 000000002A56 0 DataDirectory %s
000000002A77 000000002A77 0 POST %s HTTP/1.1
000000002A89 000000002A89 0 Host: %s
000000002A93 000000002A93 0 Connection: close
000000002AA6 000000002AA6 0 Accept: */*
000000002AB3 000000002AB3 0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
000000002AE4 000000002AE4 0 Accept-Encoding: identity
000000002AFF 000000002AFF 0 Content-Type: application/x-www-form-urlencoded
000000002B30 000000002B30 0 Content-Length: %d
000000002B4C 000000002B4C 0 WSAStartup
000000002B57 000000002B57 0 socket
000000002B5E 000000002B5E 0 setsockopt
000000002B69 000000002B69 0 connect
000000002B7B 000000002B7B 0 closesocket
000000002952 000000002952 0 AppData\LocalLow
000000002974 000000002974 0 \Data\Tor
000000002988 000000002988 0 \Data\Tor\geoip
0000000029A8 0000000029A8 0 \Data\Tor\geoip6
0000000029CA 0000000029CA 0 \Tor\taskhost.exe
0000000029EE 0000000029EE 0 \Tor\tor.exe
000000002A08 000000002A08 0 \torrc
000000002A16 000000002A16 0 1.zip
000000002A22 000000002A22 0 1.exe
000000002A2E 000000002A2E 0 -o -qq "%s" -d "%s"
000000002A66 000000002A66 0 s-f "%s"
000000002B86 000000002B86 0 t.jpg
000000002B9B 000000002B9B 0 ALLUSERSPROFILE
000000002BBB 000000002BBB 0 rundll32.exe
@nao_sec described in their blog the details of the Exploit Kit including the two vulnerabilities (CVE-2018-8174 and CVE-2018-15982) which were exploited in this attack.
In this article, I will go into the details of the multiple stages of unpacking the payload used in Bottle Exploit Kit.
tl;dr: Multiple stages of packing are used in the payload. The XOR decryption routine used is common for all the payloads related to Bottle Exploit Kit and can be used to discover more instances.
MD5 hash of the sample discussed: ee98ef74c496447847f1876741596271
The WinMain() subroutine creates a new Thread as shown below:
The newly created Thread creates another Thread in turn as shown below:
The first stage of unpacking is performed by Thread 2 (function start address: 0x40105b). The figure highlights the important stages of unpacking:
The main stages of unpacking of the first stage are:
1. VirtualAlloc() to allocate memory to decrypt stage 1.
2. RtlMoveMemory() to copy 0x1ed8 bytes of encrypted data from 0x412db8 to memory allocated in step 1.
3. XOR decryption routine at address: 0x401000 is invoked. The XOR decryption key is 0x3c bytes in length and is passed as an argument to the XOR decryption routine.
4. VirtualAlloc() is called again to decompress the XOR decrypted output of step 3.
5. Decompression is performed using RtlDecompressBuffer()
6. A new Thread with function start address set to decompressed code in step 5 is started.
The XOR decryption routine mentioned in step 3 above is as shown below:
The next decrypted stage looks as shown below:
Another layer of XOR decryption is done by stage 2 which gives us the following decrypted data:
In the next stage of execution, it performs the System Language Check using the API, GetUserDefaultUILanguage() as shown below:
The system language code is compared with 0x411 which corresponds to Japanese System Language. The payload will execute completely only if the system language code is: 0x411.
Here is the list of decrypted strings:
0000000028DF 0000000028DF 0 shlwapi.dll
0000000028EB 0000000028EB 0 User32.dll
0000000028F6 0000000028F6 0 Advapi32.dll
000000002903 000000002903 0 ntdll.dll
00000000290D 00000000290D 0 Ws2_32.dll
000000002918 000000002918 0 Wininet.dll
000000002924 000000002924 0 Urlmon.dll
00000000292F 00000000292F 0 bcdfghklmnpqrstvwxzaeiouyT
000000002A56 000000002A56 0 DataDirectory %s
000000002A77 000000002A77 0 POST %s HTTP/1.1
000000002A89 000000002A89 0 Host: %s
000000002A93 000000002A93 0 Connection: close
000000002AA6 000000002AA6 0 Accept: */*
000000002AB3 000000002AB3 0 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
000000002AE4 000000002AE4 0 Accept-Encoding: identity
000000002AFF 000000002AFF 0 Content-Type: application/x-www-form-urlencoded
000000002B30 000000002B30 0 Content-Length: %d
000000002B4C 000000002B4C 0 WSAStartup
000000002B57 000000002B57 0 socket
000000002B5E 000000002B5E 0 setsockopt
000000002B69 000000002B69 0 connect
000000002B7B 000000002B7B 0 closesocket
000000002952 000000002952 0 AppData\LocalLow
000000002974 000000002974 0 \Data\Tor
000000002988 000000002988 0 \Data\Tor\geoip
0000000029A8 0000000029A8 0 \Data\Tor\geoip6
0000000029CA 0000000029CA 0 \Tor\taskhost.exe
0000000029EE 0000000029EE 0 \Tor\tor.exe
000000002A08 000000002A08 0 \torrc
000000002A16 000000002A16 0 1.zip
000000002A22 000000002A22 0 1.exe
000000002A2E 000000002A2E 0 -o -qq "%s" -d "%s"
000000002A66 000000002A66 0 s-f "%s"
000000002B86 000000002B86 0 t.jpg
000000002B9B 000000002B9B 0 ALLUSERSPROFILE
000000002BBB 000000002BBB 0 rundll32.exe
From the Decrypted Strings above, we can see that it will make a Network Request to download TOR browser.
The XOR decryption routine used in the payload is the same among all the samples (DLL and EXE files) related to Bottle Exploit Kit instances.
Here are more MD5 hashes of payloads used in Bottle Exploit Kit:
5c9522927945f7fde17724360e9fec64
d408c3f58c3407e5d37ec524db03deb9
d6ae17d1d8ba79de1f936092297e44f9
d1bdc7c37f66702bf72d41a9276777dc
894794945683db1e708d2e9304821b19
6c71ca4978095b24a10487a84215d5bd
ee98ef74c496447847f1876741596271
e65322b4add2e5183616ce283e99614f
c67c6f2f212ffe7d99c7238c959c95e6
972d77bd40b0acfa9c0ffaf12b7cbba4
8fdd5e90c33b4feb83b74b3922c09c6d
e753d7a35a9144dd820d4d6e9be970ee
The XOR decryption routine used in the payload is the same among all the samples (DLL and EXE files) related to Bottle Exploit Kit instances.
Here are more MD5 hashes of payloads used in Bottle Exploit Kit:
5c9522927945f7fde17724360e9fec64
d408c3f58c3407e5d37ec524db03deb9
d6ae17d1d8ba79de1f936092297e44f9
d1bdc7c37f66702bf72d41a9276777dc
894794945683db1e708d2e9304821b19
6c71ca4978095b24a10487a84215d5bd
ee98ef74c496447847f1876741596271
e65322b4add2e5183616ce283e99614f
c67c6f2f212ffe7d99c7238c959c95e6
972d77bd40b0acfa9c0ffaf12b7cbba4
8fdd5e90c33b4feb83b74b3922c09c6d
e753d7a35a9144dd820d4d6e9be970ee
The only change is the XOR decryption key.
c0d3inj3cT
No comments:
Post a Comment