Back in October 2016, Unit 42 published an initial analysis of a Flash exploitation framework used by the Sofacy threat group, referred to as DealersChoice. The attack consisted of Microsoft Word delivery documents containing Adobe Flash objects capable of loading additional malicious Flash objects, either embedded in the file or provided directly by a command and control (C2) server. Sofacy continued to use DealersChoice throughout the fall of 2016, which we also documented in our December 2016 publication discussing Sofacy's larger campaign.
On March 12 and March 14, we observed the Sofacy group carrying out an attack on a European government agency involving an updated variant of DealersChoice. The updated DealersChoice documents used a similar process to obtain a malicious Flash object from a C2 server, but the inner mechanics of the Flash object differed significantly from the original samples we analyzed.
One of the differences was a particularly clever evasion technique that, to our knowledge, has never been observed in use before. In previous iterations of DealersChoice samples, the Flash object would load immediately and begin its malicious tasks. In the March attacks, the Flash object is only loaded if the user scrolls through the entire content of the delivery document and views the specific page on which the Flash object is embedded. In addition, DealersChoice requires multiple interactions with an active C2 server to successfully exploit an end system.
The overall process required for a successful exploitation is:
- The user must open the Microsoft Word email attachment
- The user must scroll to page three of the document, which runs the DealersChoice Flash object
- The Flash object must contact an active C2 server to download an additional Flash object containing exploit code
- The initial Flash object must contact the same C2 server to download a secondary payload
- The victim host must have a vulnerable version of Flash installed
The attack involving this updated variant of DealersChoice targeted a European government agency. It relied on a spear-phishing email with a subject of "Defence & Security 2018 Conference Agenda" carrying an attachment named "Defence & Security 2018 Conference Agenda.docx". The attached document contains a conference agenda that the Sofacy group appears to have copied directly from the website for the "Underwater Defence & Security 2018 Conference".
Opening the attached "Defence & Security 2018 Conference Agenda.docx" file does not immediately run malicious code to exploit the system. Instead, the user must scroll to the third page of the document, which loads a Flash object containing ActionScript that attempts to exploit the user's system and install a malicious payload. The Flash object embedded within this delivery document is a variant of the exploit tool we call DealersChoice. This suggests that the Sofacy group is confident the targeted individuals would be interested enough in the content to read through it.
We analyzed the document to determine why the malicious Flash object only ran when the user scrolled to the third page. According to the document.xml file, the DealersChoice loader SWF is placed after the "covert-shores-small.png" image file within the delivery document. This image is on the third page of the document, so the user would have to scroll down to the third page for the SWF file to run. The user may also fail to notice the Flash object on the page, as Word displays it as a tiny black box in the document, as seen in Figure 1. This is an interesting anti-sandbox technique, as it requires human interaction before the document exhibits any malicious activity.
Figure 1: Flash object appearing as a small black box in the delivery document
This DealersChoice Flash object follows a process similar to that of previous variants; however, it appears that the Sofacy actors made slight changes to its internal code. Additionally, it seems that the actors used ActionScript from an open source video player called "f4player", which is freely available on GitHub with the following description:
f4Player is an open source flash (AS3) video player and library project. It's so small that it is just 10kb (with skin file) and totally free under GPL license.
The Sofacy developer modified the f4player's ActionScript to include additional code to load an embedded Flash object. The additions include code to decrypt the embedded Flash object and an event handler that calls a newly added function ("skinEvent2"), which plays the decrypted object, as seen in the code snippet below:
var skinEvent2:Function = function(param1:Event):void
{
    skin2 = param1.currentTarget.content;
    var mov:Loader = new Loader();
    // Mov is the embedded, XOR-obfuscated Flash object compiled into the SWF
    var b:ByteArray = new this.Mov();
    var k:uint = 82;
    var i:uint = 4;            // the first four bytes are left untouched
    while(i < b.length)
    {
        b[i] = b[i] ^ k;       // single-byte XOR with key 82
        i++;
    }
    // ... (snippet truncated; the decoded bytes are then played via the Loader)
The above code allows DealersChoice to load a second SWF object, specifically loading it with an argument containing the C2 URL "hxxp://ndpmedia24[.]com/0pq6m4f.m3u8".
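As an added analysis aid (not code from the post or from the DealersChoice sample), the following Python mirrors the skinEvent2 XOR loop and shows how the untouched 4-byte prefix lets an analyst validate a decoding and even recover an unknown single-byte key from the SWF header layout; the sample blob and the header-consistency checks are constructed assumptions, not values from the document.

```python
import struct

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def xor_from_offset(blob, key, start=4):
    """Mirror of the skinEvent2 loop: leave the first `start` bytes untouched and
    XOR every following byte with a single-byte key (82 in the sample)."""
    out = bytearray(blob)
    for i in range(start, len(out)):
        out[i] ^= key
    return bytes(out)


def swf_header_is_consistent(candidate):
    """Sanity check a decoded buffer against the SWF header layout (assumed here):
    3-byte signature, 1-byte version, then a little-endian uint32 file length.
    For uncompressed FWS the length equals the buffer size; for CWS the body
    after byte 8 is a zlib stream, whose first byte is 0x78."""
    if len(candidate) < 9 or candidate[:3] not in SWF_SIGNATURES:
        return False
    declared_len = struct.unpack("<I", candidate[4:8])[0]
    if candidate[:3] == b"FWS":
        return declared_len == len(candidate)
    if candidate[:3] == b"CWS":
        return candidate[8] == 0x78 and declared_len >= len(candidate)
    return True  # ZWS (LZMA): no cheap check beyond the signature


def recover_xor_key(blob):
    """Try all 256 single-byte keys and keep those yielding a consistent SWF
    header; the cleartext 4-byte prefix is what makes this check cheap."""
    return [k for k in range(256) if swf_header_is_consistent(xor_from_offset(blob, k))]


def build_sample_embedded_swf(key=82):
    """Constructed sample (not from the malware): a tiny FWS file obfuscated the
    way skinEvent2 expects, i.e. XOR-ed from byte 4 onward. Returns (obfuscated, plain)."""
    body = bytes(range(32))                      # placeholder tag data
    total = 8 + len(body)
    plain = b"FWS" + bytes([8]) + struct.pack("<I", total) + body
    return xor_from_offset(plain, key), plain
```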
The embedded SWF extracts the domain from the C2 URL passed to it and uses it to craft a URL for the server's 'crossdomain.xml' file, in order to obtain permission to load additional Flash objects from the C2 domain. The ActionScript relies on event listeners to call specific functions when the "Event.COMPLETE" event is triggered after successful HTTP requests are issued to the C2 server. The event handlers call functions whose names ('onload1', 'onload2', and so on) include an incrementing number that represents the order in which the functions are called.
With these event handlers created, the ActionScript begins by gathering system information from the flash.system.Capabilities.serverString property (as in the original DealersChoice.B samples) and issues an HTTP GET with the system information as a parameter to the C2 URL that was passed as an argument to the embedded SWF when it was initially loaded. When this HTTP request completes, the event listener calls the 'onload1' function.
The 'onload1' function parses the response data from the request to the C2 URL using regular expressions. Based on the following code snippet, the regular expressions look for a hexadecimal string after "/" and before "/sec", as well as any string between "/hls/" and "/tracks":
var data:String = e.target.data;
// p1: hexadecimal token between "/" and "/sec" (later used as the decryption key)
var p1:RegExp = /\/([0-9a-f]+)\/sec/gim;
r1 = p1.exec(data);
var r2:Array = p1.exec(data);   // with the g flag, a second exec() resumes after the first match
// p2: anything between "/hls/" and "/tracks" (the URLs fetched next)
var p2:RegExp = /\/hls\/(.+)\/tracks/gim;
var r3:Array = p2.exec(data);
r4 = p2.exec(data);
The regular expressions suggest that the C2 server responds with content meant to resemble HTTP Live Streaming (HLS) traffic, a protocol that uses HTTP to deliver audio and video data for streaming. The use of HLS coincides with the use of ActionScript code from the f4player to make the traffic appear legitimate. The variables storing the results of the regular expression matches are used within the ActionScript for further interaction with the C2 server. The following is a list of these variables and their purpose:
| Variable | Purpose |
|---|---|
| r1 | Used as the decryption key for the downloaded SWF file. This will be a 16-byte hexadecimal string. |
| r2 | Not used. |
| r3 | Used as the URL in the HTTP request in the onload1 function, specifically the URL from which to obtain the malicious SWF file that exploits the system. |
| r4 | Used as the URL in the HTTP request in the onload2 function, specifically the URL from which to obtain the payload to run after successful exploitation of the system. |
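Added example (not from the original post): a Python emulation of the onload1 parsing, assuming ECMAScript semantics in which exec() on a global-flag RegExp resumes at lastIndex, so successive calls return successive matches; the HLS-style response body is constructed here and is not captured traffic.

```python
import re

# Constructed HLS-style body shaped the way the post says the C2 responds (not a real capture).
SAMPLE_C2_RESPONSE = (
    "#EXTM3U\n"
    "#EXT-X-VERSION:3\n"
    "/hls/0pq6m4f/tracks-v1/mono.m3u8\n"
    "/3a7f9c1d2b4e6f80a1b2c3d4e5f60718/sec/segment0.ts\n"
    "/hls/0pq6m4f/tracks-v2/mono.m3u8\n"
)

# The same two patterns DealersChoice compiles in onload1 (flags g, i, m).
P1 = re.compile(r"/([0-9a-f]+)/sec", re.IGNORECASE | re.MULTILINE)
P2 = re.compile(r"/hls/(.+)/tracks", re.IGNORECASE | re.MULTILINE)


def exec_sequence(pattern, data, count):
    """Emulate repeated RegExp.exec() with the g flag: each call resumes at
    lastIndex, so the n-th call yields the n-th match (full match, group 1),
    or None once the matches are exhausted."""
    matches = [(m.group(0), m.group(1)) for m in pattern.finditer(data)]
    return [matches[i] if i < len(matches) else None for i in range(count)]


def parse_fake_hls(data):
    """Return the r1..r4 values the script ends up with for a given response body.
    Note that r4 (the payload URL) is the *second* /hls/.../tracks match, so the
    C2 must place two such paths on separate lines for the chain to complete."""
    r1, r2 = exec_sequence(P1, data, 2)
    r3, r4 = exec_sequence(P2, data, 2)
    return {"r1": r1, "r2": r2, "r3": r3, "r4": r4}


def looks_like_dealerschoice_c2(data):
    """Detection heuristic for proxy or sandbox logs: an HLS-looking playlist that
    carries a hex token before '/sec' and at least two /hls/.../tracks paths."""
    parsed = parse_fake_hls(data)
    return all(parsed[k] is not None for k in ("r1", "r3", "r4"))
```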
The 'onload1' function then sends an HTTP GET request to the C2 domain using the value stored in the 'r3' variable as the URL. When this HTTP request completes, the event listener calls the 'onload2' function.
The 'onload2' function decrypts the response received from the HTTP request issued in the 'onload1' function. It does so by calling a sub-function to decrypt the content, using the value stored in the 'r1' variable as the key. The decryption sub-function skips the first 4 bytes, suggesting that the first four bytes of the downloaded content are in cleartext (likely the "FWS" or "CWS" header, so the file appears legitimate).
After decrypting the content, the 'onload2' function issues another HTTP GET request with the system information as a parameter, this time to the C2 using the URL from the 'r4' variable. When this request completes, the event listener calls the 'onload3' function.
The 'onload3' function takes the response to the HTTP request issued in 'onload2' and treats it as the payload. The ActionScript reads each byte of the C2 response, takes its hexadecimal value, and builds a text array of four-byte hexadecimal values with "0x" prepended and "," appended to each, using the following code:
sh = sh + ("0x" + hex.substr(i + 6,2) + hex.substr(i + 4,2) + hex.substr(i + 2,2) + hex.substr(i,2) + ",");   // byte-swap each 4-byte group into a little-endian "0x........," literal
This hexadecimal string is most likely shellcode that contains and decrypts the final portable executable (PE) payload. The string of comma-separated hexadecimal values is passed as a parameter when loading the SWF file downloaded in 'onload2'. This function creates an event listener for when the SWF file is successfully loaded, which calls the 'onload5' function.
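Added example (not from the original post): the onload3 byte-swap written out in Python together with its inverse, so that a comma-separated dword string recovered from memory or a proxy log can be turned back into the original bytes; the sample input is constructed.

```python
def encode_like_onload3(payload: bytes) -> str:
    """Reproduce the onload3 loop: hex-encode the response, then walk it in
    8-character (4-byte) steps, emitting each group byte-swapped as a
    "0x........," literal. substr() past the end of the string yields "", so a
    short final group simply produces a shorter literal, as in ActionScript."""
    hx = payload.hex()
    sh = ""
    for i in range(0, len(hx), 8):
        sh += "0x" + hx[i + 6:i + 8] + hx[i + 4:i + 6] + hx[i + 2:i + 4] + hx[i:i + 2] + ","
    return sh


def decode_onload3_string(sh: str) -> bytes:
    """Inverse transform for analysts: undo the per-group byte swap. Reversing
    each group also handles a short trailing group correctly."""
    out = bytearray()
    for tok in filter(None, sh.split(",")):
        group = bytes.fromhex(tok[2:] if tok.lower().startswith("0x") else tok)
        out += group[::-1]   # reverse the 4 (or fewer) bytes back to wire order
    return bytes(out)
```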
The 'onload5' function is responsible for adding the newly loaded SWF object as a child of the currently running object.
This loads the SWF file, effectively running the malicious code on the system. During our analysis, we were unable to coerce the C2 into providing a malicious SWF or payload. As mentioned in our previous blogs on DealersChoice, the payload of choice for previous variants was SofacyCarberp (Seduploader), but we have no evidence to suggest this tool was used in this attack. We are actively researching and will update this blog in the event we discover the malicious Flash object and payload delivered in this attack.
Linkage to Prior campaign
The delivery document used in this attack was last modified by a user named 'Nick Daemoji', which provides a linkage to previous Sofacy-related delivery documents. The previous documents that used this user name were macro-laden delivery documents that installed SofacyCarberp/Seduploader payloads, as discussed in Talos' blog. This overlap also points to a similar social engineering theme between the two campaigns, as both used content from upcoming military and defence conferences as a lure.
The Sofacy threat group continues to use its DealersChoice framework to exploit Flash vulnerabilities in its attack campaigns. In the most recent variant, Sofacy modified the internals of the malicious scripts but continues to follow the same process used by previous variants, obtaining a malicious Flash object and payload directly from the C2 server. Unlike previous samples, this DealersChoice used a DOCX delivery document that required the user to scroll through the document to trigger the malicious Flash object. The required user interaction turned out to be an interesting anti-sandbox technique that we had not seen this group use in the past.
Indicators of Compromise
0cd9ac328d858d8d83c9eb73bfdc59a958873b3d71b24c888d7408d9512a41d7 (Defence & Security 2018 Conference Agenda.docx)