We observed a bug in the persistence module for this payload, which resulted in an incorrect path getting added to the registry entry created by the malware. The DLL’s code is responsible for decrypting and running the Zegost Backdoor payload from the fafentuqiang.png file in the same memory space of the benign executable. This technique is also known as DLL Hijacking which ensures that the fake display driver DLL gets loaded by abusing the Windows DLL load order. The data.dll that gets loaded in this case, will be a fake VirtualBox display driver DLL file present in the same directory and it will patch the entry point of the main executable ( DATA.exe) file with a jump instruction to run the DLL’s code instead. The legitimate binary contains the data.dll in the import table, ensuring that the DLL will be loaded before it runs. The Zegost installer is responsible for dropping the above three files and running the legitimate Ping_Master_Pro utility DATA.exe. The downloaded installer was svhost.exe, which has following file structure:įigure 5: APT RAT like Zegost installer archive The Zegost payload was being delivered as part of an installer archive, which is similar in structure to the APT RAT PlugX and HttpBrowser as detailed here. Payload Type #1 - APT RAT like Zegost Installer Upon successful exploitation, the embedded shellcode will trigger the download and execution of the Zegost executable from a predetermined location.įigure 3: Hacking Team's Adobe Flash Exploitįigure 4: Embedded shellcode to download & install Zegostĭuring the course of our monitoring we observed the attackers switch the malware payload multiple times. The Flash exploit payload (CVE-2015-5119) involved here is from the Hacking Team's leaked archive with updated shellcode. Attackers are abusing the Chinese URL shortening service t.cn to redirect victims to the attack server and also Baidu's URL shortening service dwz.cn to deliver the Adobe Flash exploit payload as seen below: The site is still infected but the exploit server appears to be down at the time of writing this blog. The majority of users were led to the original compromised site following a Baidu search.įigure 1: Compromised Chinese real estate & shopping site The injected script will cause a series of redirects leading to Hacking Team's exploit payload as seen in Figure 1. The infection cycle starts with a legitimate Chinese real estate and shopping site which appears to have been compromised by the attackers and contains an injected script. These attacks do not appear to be targeted, but the payload involved in the infection cycle has some resemblance to recent APT payloads from HttpBrowser & the PlugX RAT family. In past two months, we've spotted multiple instances of Zegost Backdoor Trojan installation attempts leveraging Hacking Team's Adobe Flash exploit (CVE-2015-5119) payload. Zscaler ThreatLabZ has been closely monitoring the usage of Hacking Team's leaked exploits in the wild since July, 2015 and recently uncovered the Emissary Panda APT attack leveraging these exploits.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |