Another week and another CobInt downloader campaign, but instead of their usual kits used to deliver the downloader, this time we have an embedded Flash file.

Signature: FWS
Version: 36
FileLength: 12457
Width(twips): 16000
Height(twips): 12000
FrameRate: 30
FrameCount: 1


Tags:
FileAttributes
MetaData
ScriptLimits
SetBackgroundColor
ProductInfo
FrameLabel
BinaryData
BinaryData
DoABC
SymbolClass
ShowFrame
End
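The header dump and tag list above come from the author's parser. As an added example (not py_flash_parser's code and not part of the original post), the following Python reproduces those fields from a constructed FWS file: it decodes the bit-packed RECT (the width and height in twips), the 8.8 fixed-point frame rate and frame count, walks the RECORDHEADER tag list (short and long form), and pulls the BinaryData payload out the way the shellcode was dumped to 1.bin. The sample file, its background colour and its 100-byte payload are constructed here and stand for nothing real.

```python
"""Minimal SWF header / tag walker (added example, not py_flash_parser)."""
import struct
import zlib

# Tag codes from the SWF file format specification (only the ones listed on this page).
TAG_NAMES = {
    0: "End", 1: "ShowFrame", 9: "SetBackgroundColor", 41: "ProductInfo",
    43: "FrameLabel", 65: "ScriptLimits", 69: "FileAttributes",
    76: "SymbolClass", 77: "MetaData", 82: "DoABC", 87: "BinaryData",
}


def encode_rect(xmin, xmax, ymin, ymax):
    """Pack a SWF RECT: 5-bit Nbits, then four signed Nbits-wide fields, byte padded."""
    nbits = 1
    while any(not -(1 << (nbits - 1)) <= v < (1 << (nbits - 1))
              for v in (xmin, xmax, ymin, ymax)):
        nbits += 1
    bits = format(nbits, "05b")
    for v in (xmin, xmax, ymin, ymax):
        bits += format(v & ((1 << nbits) - 1), f"0{nbits}b")
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def decode_rect(data):
    """Return ((xmin, xmax, ymin, ymax), bytes_consumed) for the RECT at the start of data."""
    nbits = data[0] >> 3
    nbytes = (5 + 4 * nbits + 7) // 8
    bits = format(int.from_bytes(data[:nbytes], "big"), f"0{nbytes * 8}b")
    values, pos = [], 5
    for _ in range(4):
        raw = int(bits[pos:pos + nbits], 2)
        if raw & (1 << (nbits - 1)):      # sign-extend the field
            raw -= 1 << nbits
        values.append(raw)
        pos += nbits
    return tuple(values), nbytes


def parse_swf(data):
    """Parse the fixed header and walk the tag list; returns a dict shaped like the dump above."""
    sig = bytes(data[:3])
    if sig not in (b"FWS", b"CWS"):
        raise ValueError("not an uncompressed or zlib-compressed SWF")
    version = data[3]
    file_length = struct.unpack_from("<I", data, 4)[0]
    body = data[8:]
    if sig == b"CWS":
        body = zlib.decompress(body)
    (xmin, xmax, ymin, ymax), off = decode_rect(body)
    frame_rate_raw, frame_count = struct.unpack_from("<HH", body, off)
    off += 4
    tags = []
    while off + 2 <= len(body):
        rec = struct.unpack_from("<H", body, off)[0]
        off += 2
        code, length = rec >> 6, rec & 0x3F
        if length == 0x3F:                 # long form: explicit UI32 length follows
            length = struct.unpack_from("<I", body, off)[0]
            off += 4
        tags.append((TAG_NAMES.get(code, f"Unknown({code})"), body[off:off + length]))
        off += length
        if code == 0:                      # End tag
            break
    return {
        "Signature": sig.decode(), "Version": version, "FileLength": file_length,
        "Width(twips)": xmax - xmin, "Height(twips)": ymax - ymin,
        "FrameRate": frame_rate_raw / 256, "FrameCount": frame_count, "Tags": tags,
    }


def build_sample_swf(payload):
    """Constructed sample: FWS v36, 16000x12000 twips, 30 fps, one BinaryData tag with `payload`."""
    def tag(code, data=b""):
        if len(data) < 0x3F:
            return struct.pack("<H", (code << 6) | len(data)) + data
        return struct.pack("<HI", (code << 6) | 0x3F, len(data)) + data
    body = (encode_rect(0, 16000, 0, 12000) + struct.pack("<HH", 30 << 8, 1)
            + tag(9, b"\xff\xff\xff")                       # SetBackgroundColor
            + tag(87, struct.pack("<HI", 1, 0) + payload)    # BinaryData: tag id, reserved, data
            + tag(1) + tag(0))                               # ShowFrame, End
    return b"FWS" + bytes([36]) + struct.pack("<I", 8 + len(body)) + body


def dump_binary_data(swf):
    """Return the raw bytes of every BinaryData tag, i.e. what the analysis dumped to 1.bin."""
    return [data[6:] for name, data in parse_swf(swf)["Tags"] if name == "BinaryData"]


if __name__ == "__main__":
    sample = build_sample_swf(b"\x90" * 100)
    info = parse_swf(sample)
    for key, value in info.items():
        print(key, [n for n, _ in value] if key == "Tags" else value)
```

The BinaryData tag body starts with a UI16 character id and a UI32 reserved field, which is why dump_binary_data skips six bytes before the embedded blob; a real file will carry more tags (FileAttributes, DoABC, SymbolClass and so on), and the walker prints them by name or as Unknown(code).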

Decompiling the action script shows that it is pretty much the exact same as was dumped on github by prsecurity[5]. So let’s check out the code it will execute residing as BinaryData.

Executed Code

In the strings you can see the cmd.exe call that will eventually be executed, and the size of the code itself is pretty small. The first thing it does is call a function which will resolve all of its needed functions.

Start of shellcode

After resolving its needed functions it will set up some memory. Below I've labeled the functions that will be resolved as they are loaded into an array that will be passed around to the rest of the code.

Functions being resolved

After resolving its functions, a block of code is responsible for finding an egg value of “DEADCODEABCDEFFF” by taking the address in the instruction pointer[2,3,4] and walking forward from that address to look for the egg value.

Finding data after egg

The egg value isn't too far away either; it's actually right after the function, and right after the egg is the cmd execution string.

Execution string with egg

This string will be passed to a call to CreateProcessA, which will then unpack the jpg and detonate it.

Call to CreateProcess

Detection possibilities

The cmd.exe string is one obvious possibility. However, if you use too much of it you could end up missing detections from different or obfuscated commands in the future. I pulled down another POC swf from github to compare with while writing detections[6].

Looking for the push instructions in the shellcode inside of a flash file could be good.

rule sc
{
strings:
$loadlibrarya = {68 72 60 77 74}
$getprocaddress = {68 6f e0 53 e5}
$createprocessa = {68 9f b5 90 f3}
$rtlcapturecontext = {68 53 0c 44 26}
$memset = {68 73 e9 5a 6b}
$memcpy = {68 33 ec 82 4b}
$memcmp = {68 73 eb 3a 4b}
condition:
all of them
}

Testing against my data shows that it matches both flash files I have along with the binary data I dumped out previously.

YARA results:

sc ./1.bin
sc ./CVE-2018-15982_PoC.swf
sc ./embedded.swf
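The egg walk described earlier and the push-instruction rule above are easy to reproduce statically over a dumped BinaryData blob. The following Python is an added example, not the author's tooling or the shellcode itself: it scans forward from a chosen offset for the DEADCODEABCDEFFF egg, returns the NUL-terminated command string that sits right after it, and checks for the same seven push immediates the YARA rule keys on. The sample blob, its command text and the NOP padding are constructed here; the byte patterns are copied from the rule.

```python
"""Static triage of a dumped shellcode blob (added example, not from the original post)."""

EGG = b"DEADCODEABCDEFFF"

# The push imm32 byte patterns from rule `sc` above, keyed by the API the author labelled them with.
PUSH_PATTERNS = {
    "LoadLibraryA":      bytes.fromhex("68 72 60 77 74"),
    "GetProcAddress":    bytes.fromhex("68 6f e0 53 e5"),
    "CreateProcessA":    bytes.fromhex("68 9f b5 90 f3"),
    "RtlCaptureContext": bytes.fromhex("68 53 0c 44 26"),
    "memset":            bytes.fromhex("68 73 e9 5a 6b"),
    "memcpy":            bytes.fromhex("68 33 ec 82 4b"),
    "memcmp":            bytes.fromhex("68 73 eb 3a 4b"),
}


def find_egg(blob, start=0):
    """Walk forward from `start` (statically: the offset of the resolver function) to the egg."""
    return blob.find(EGG, start)


def command_after_egg(blob, start=0):
    """Return the NUL-terminated string immediately following the egg, or None if no egg."""
    off = find_egg(blob, start)
    if off < 0:
        return None
    begin = off + len(EGG)
    end = blob.find(b"\x00", begin)
    if end < 0:
        end = len(blob)
    return blob[begin:end].decode("latin-1")


def push_hits(blob):
    """Which of the rule's push immediates are present in the blob."""
    return {name: pattern in blob for name, pattern in PUSH_PATTERNS.items()}


def matches_rule_sc(blob):
    """Same condition as the YARA rule: all seven patterns must be present."""
    return all(push_hits(blob).values())


def build_sample_blob():
    """Constructed blob: a fake resolver stub (the seven pushes, then ret), the egg, the command."""
    stub = b"".join(PUSH_PATTERNS.values()) + b"\xc3"
    command = b"cmd.exe /c echo constructed-sample-command\x00"   # stands in for the real string
    return stub + EGG + command + b"\x90" * 16


if __name__ == "__main__":
    sample = build_sample_blob()
    print("rule sc:", matches_rule_sc(sample))
    print("egg at:", find_egg(sample))
    print("command:", command_after_egg(sample))
```

The limitation the text points out applies equally here: drop or re-encode one push (the test below blanks the memcmp one) and the all-of-them condition no longer fires, while the egg-and-string extraction still works as long as the egg marker is unchanged, so the two checks are worth running independently.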

Since the ActionScript code appears to remain static with the code pushed to github, we can probably attack it by looking for those bytecodes as well. I used my python flash parser[1] to dump the DoABC block from one and figured I would start by blindly pasting a couple of large chunks just to quickly test how similar they are.

rule test
{
strings:
$a1 = {cb8ac9f204c598cd9103c188d98a04d092cd9103d6d2c9a307f4ca8da307d68ac99a05d392bdf20480800200030000e0ffffffef4100000000e0ffef417b0004766f69640475696e7406436c617373300c666c6173682e6576656e7473054576656e7406537472696e6703696e74044d61696e0d666c6173682e646973706c6179065370726974650456617235045661723607426f6f6c65616e0456617237045661723804566172390556617231300556617231310556617231320556617231330556617231340b5f5f4153335f5f2e76656306566563746f7206436c6173733505566172313506436c6173733305566172313606436c61737334055661723139055661723230055661723233055661723235055661723236055661723332055661723432055661723338055661723430055661723433055661723531055661723536055661723736055661723137064f626a656374086d5f436c6173733106436c61737331055661723339055661723232076d782e636f72650a49466c657841737365740e42797465417272617941737365740b666c6173682e7574696c7309427974654172726179166d782e636f72653a427974654172726179417373657406436c6173733606436c6173733705566172393805566172393908746f537472696e67066f666673657406436c61737332065661723939370656617239393806566172393933065661723939340656617239393506566172393936045661723105436c6173730456617232045661723304566172340556617231382a687474703a2f2f7777772e61646f62652e636f6d2f323030362f666c65782f6d782f696e7465726e616c0756455253494f4e0b342e362e302e32333230310b6d785f696e7465726e616c21687474703a2f2f61646f62652e636f6d2f4153332f323030362f6275696c74696e14666c6173682e646973706c61793a53707269746524666c6173682e646973706c61793a446973706c61794f626a656374436f6e7461696e65721f666c6173682e646973706c61793a496e7465726163746976654f626a6563741b666c6173682e646973706c61793a446973706c61794f626a6563741c666c6173682e6576656e74733a4576656e7444697370617463686572057374616765106164644576656e744c697374656e65720e41444445445f544f5f535441474509666c6173682e6e65740f4c6f63616c436f6e6e656374696f6e014107636f6e6e656374054572726f7201650c666c6173682e73797374656d0c4361706162696c69746965730a69734465627567676572066c656e6774680776657273696f6e012c0573706c69740541727261790120087061727365496e740463616c6c056170706
c7908706f736974696f6e0f72656164556e7369676e6564496e7404707573681372656d6f76654576656e744c697374656e657206456e6469616e0d4c4954544c455f454e4449414e06656e6469616e22636f6d2e61646f62652e747673646b2e6d65646961636f72652e6d65746164617461084d65746164617461097365744f626a656374066b65795365740a63686172436f646541740f4576656e74446973706174636865720d446973706c61794f626a65637411496e7465726163746976654f626a65637416446973706c61794f626a656374436f6e7461696e657202307801602216011605160a180916170500181d1819163116341836183718381804183d181b182e084a05001701084e1a091a4f1a501a511a521a531657165d1670050005001a1b0601090d060113141504161718191a1b050c060113141504161718191a1b0101071f0120141510217507010207010307010407020607010707010807010907030b07010c07010d07010e07010f0701100701110701120701130701140701150701160705180701191d14011507011a07011b1d14011807011c07011d1d14011b07061e07061f07062007062107062207062307062407062507012607062707062807062907062a07062b07012c07012d07012e07012f070130070932070933070a3509320107013707013807013907013a07013b07013c07013d07013e07013f07014007014107014207014307014407014507014607014707014807014907124b07094d091802070154070155070156071c5807015a07015b07015c1b03071d5e07015f0701601d14010207016107156307016409630307016607156707156807016907016a07156b1d14013a07016c070a6d07016e07016f1d14010507153b071e71070172070173071574070275070376070377070378}
$a3 = {74d51010000009d06617d15d184a18006151d19174d5d1d0660e15e8ffff240074d5103d000009d06613d16651662e2418ab962a120c000029d06613d16651662e2d09af12170000d0d16811d0d06613d16651662f680fd026680a100c0000d19174d5d1d0660e15bbffffd0660a1101000047d06613d066116651d06613d066116651662e93612f240074d51021000009d06617d16651662c663d2f01130c0000d0d16812d027680a100c0000d19174d5d1d0660e15d7ffffd0660a1201000047d06613d066116651d0660f612fd0d06613d066116651662e93461e0174d6d0d246200174d724007463046052665312120000d02d0a2d0b2404d3462104746304101d0000d02d0c2d0d2404d3462104746318d02d0a2d0b24046218462104746304d02d0e2d0f240a6204462204746305646c01664466542408a0258020a0746306604960025301620642018055630724007463086052665312090000241c746308100500002418746308d06617d0661266516207613cd0d06613d066116651662e936208a0461e01742a63092404a0746309d06617d0661266516046613cd06613d066116651662e9374630a240074630b240074630c60526656852a630d2c6246570180582a630e240066512c654659018058630f5d5a620f24016651465a01752a6310241e0f1c000060526653120a000025c40174630c1006000025b80174630c1018000060526653120a000025bc0174630c1006000025b00174630cd0d0d0d0620a2408a0461e012414a0461e012404a0461e01620ca0461e0174630bd0620b461e01746311d0620a241ca0461e01746312d0620a2420a0461e01746313240074d51022000009d062092408a0d12404a2a0d06211258001a1d12404a2a0461e014f1f02d19174d5d125800215d6ffffd062092408a0258001a0241ca062054f1f02d0620b62092408a0258001a04f1f02d0620a241ca062094f1f02d0620a2420a0620766542404a24f1f025d5824414a5801805863146046665b2062144f5c0220805863152080556316560080586315646c0166442400615d2400746317240074631710160000096215646c016644465e004f5f0162172404a07463176217646c016644665415ddffff604960025301646215410180556316240074d51013000009620725f403d1a06216d166516151d19174d5d16216665415e4ffffd062092408a0258001a0241ca0620925f4032404a2a04f1f02d0620b62092408a0258001a04f1f026046665b20204f5c02d0620a241ca062124f1f02d0620a2420a062134f1f02d0620b62114f1f024700000f0625090ac50ed03020800363042080036305208003630624007463246049603a5301d0660e42018060d5646c016646802
bd6240074d71015000009d1d35d3a4a3a006151d1d36651d2613bd39174d7d3d0660e15e3ffff5d5824044a580180586307646c0166456654258020a07463086049600253016208420180556309240074630a60526653120c0000241c2402a274630a1008000024182402a274630a240074d710c0000009d06613d36651662e2418ab962a120c000029d06613d36651662e2d09af129a00005d03d06613d36651662e93d06613d36651662f4a03028003630424007463241010000009d1622466516209613b6224917463246224d0660e15e7ffff5d03d06613d36651662e93d06613d36651662f4a03028003630524007463241010000009d1622466516207613b6224917463246224d0660e15e7ffff5d03d06613d36651662e93d06613d36651662f4a030280036306d026680a100c0000d39174d7d3d0660e1538ffffd0660a1101000047d124006154208060d5d04f1d00240074d71010000009d0661ad35d1b4a1b006151d39174d7d3d0660e15e8ffff}
condition:
all of them
}

The results were pretty surprising, so the flash file used by CobaltGroup is basically just the POC file, perhaps with a new command.

YARA results:

test ./CVE-2018-15982_PoC.swf
test ./embedded.swf

Tools used

JPEXS Flash decompiler
IDA Pro
Radare2
py_flash_parser[1]
YARA

IOCs

Rar file:
1232402bef625dc8328ece768e9943667389aed97207cf24f5215fe88b5f88ec
Doc:
9c6fbe25429d177fcac4cb53f85dacc58d84a618e3bddd1181cd0e604cb522ce
ActiveX1.bin object:
cc146e473f27064b059e425bdc095ea257445decfecafbe973d4626b104defaa
Embedded Flash file exploit:
1f2d731ba8c86b277d234a8bf95c31aa943f28f0d456be4a6a60f18625c46f79
32bit shellcode from BinaryData:
0aca0a8da932b34c3357909eb38712f21607e83f7912766330d9b695681cd353

References:

  1. https://github.com/sysopfb/py_flash_parser
  2. https://github.com/tpn/winsdk-10/blob/master/Include/10.0.14393.0/km/ntddk.h
  3. https://www.winehq.org/pipermail/wine-cvs/2011-February/074839.html
  4. https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/nf-ntifs-rtlcapturecontext
  5. https://github.com/prsecurity/CVE-2018-15982
  6. https://github.com/Dreametion/CVE-2018-15982_PoC