astrorest.blogg.se

1. #Eazydraw trojan malware update
2. #Eazydraw trojan malware upgrade
3. #Eazydraw trojan malware software
4. #Eazydraw trojan malware download
5. #Eazydraw trojan malware windows

When the loader runs, the backdoor DLL is decrypted and loaded for running. The DLL version of the backdoor is encrypted and saved in the data section of a loader program. At first, it was simply an executable, but that was changed to a DLL version in 2018.

#Eazydraw trojan malware software

Interestingly, we found this backdoor malware always uses a Chinese-native software name to lure a victim to execute it. In this campaign, it tries to connect to the following C2 address: 122.112.24578.

This backdoor malware reads its C2 IP address from a constant RVA address.

#Eazydraw trojan malware download

It can also download files and create a reverse shell for further attacks. This malware contains stealthy functionalities designed to collect system information and send information to its C2 server.

It then saves its installation path from the registry “Software\Microsoft\Windows\CurrentVersion\Run” file to the file “/Destro”. It triggers the Microsoft Equation Editor, runs regsvr32.exe to connect to 154.222.14049, and then downloads the next stage - a malicious script named 123.sct. The extracted “.doc” file is really an “.rtf” file. RTF (cve-2017-11882) exploit downloads backdoor When conf.exe is executed, both the backdoor payload in conf.exe and the Sality infector shellcode will be executed at the same time.Ģ. Interestingly, we also found that conf.exe is infected by Sality, an infamous file infector malware. However, this seems like a mistake or a test, because conf.exe is extracted correctly only when the username is “test”. The file uses the WinRAR exploit to extract conf.exe to the Startup folder so it can be executed at system booting. We can observe that this “.rar” file is really an “.ace” file, and that it has a corresponding unpacking path located in the blue square of figure 4. WinRAR (cve-2018-20250) exploit extracts backdoor There are two routes for this backdoor malware to infect the system.ġ. This exploit extracts another exploit for the vulnerable RTF file (cve-2017-11882). Malware Analysis Dual Exploits UsedĪn attack begins with an exploit targeted at a vulnerable WinRAR file (cve-2018-20250). However, we didn’t observe attacks with this script during our research.įor more details, here is the report.

#Eazydraw trojan malware update

We also found an analysis report mentioning a fake update campaign related to this URL. This injected script is then able to execute arbitrary JS script delivered from the URL. It then dynamically downloads a script from hxxps://click. If found, it would mean the actor wants fresh access to victim1. Second, it checks for the existence of “_utma”, a cookie used to distinguish users and sessions in Google Analytics.

#Eazydraw trojan malware windows

If we normalize and deobfuscate the JavaScript script, as seen in Figure 3, we find that this script first checks cookie data to ensure that access is coming from a Windows system. We will also refer to it as victim1 in the remaining parts of this article.

To protect the news site, we will obscure any related identifying information. The originally hacked Chinese news site mentioned above is located in the US, where it is used to distribute Chinese news to Chinese-speaking individuals living overseas. We will then analyze the functionalities and C2 connection of the malware, and describe its development. In this article, we will first analyze how this malware is delivered.

#Eazydraw trojan malware upgrade

We first discovered this backdoor malware campaign in 2017, and over the years it has continued to upgrade its functionalities. Based on our analysis, the campaign also appears to be experimental because it uses so many different techniques and tools to target this end user community. This attack uses a watering hole attack strategy to target Chinese-speaking users by delivering malware through a hacked Chinese news site. FortiGuard Labs uncovered a new campaign targeted at Chinese-speakers using malware that bypasses normal authentication by exploiting known WinRAR file (cve-2018-20250) and RTF file (cve-2017-11882) vulnerabilities.