Security researchers exploited a threat actor’s poor choice of encryption and discovered a new piece of malware along with network infrastructure that links to various targeted attacks.
The new piece of malware, which received the name Chainshot, is used in the early stages of an attack to activate a downloader for the final payload in a malicious chain reaction.
Researchers from Palo Alto Networks Unit 42 found Chainshot after following the trail of an Adobe Flash zero-day exploit (CVE-2018-5002) used in a series of targeted malware campaigns.
Cracking the encryption
By studying network captures of traffic exchanged with the attacker’s command and control (C2) servers, Unit 42 malware analysts noticed that the malware payload was encrypted with a 512-bit RSA key. The RSA (Rivest–Shamir–Adleman) cryptosystem uses an asymmetric key algorithm, where a public key is used to encrypt data and a private one is required to decrypt it.
Cracking a 512-bit key has been possible since 1999, when factoring the modulus required 300 computers working for a period of seven months. Today, all you need is money to rent cloud computing power and a few hours of waiting time.
In a technical report today, the researchers explain how they were able to crack the private key that decrypted Chainshot.
“While the private key remains only in memory, the public keys’ modulus n is sent to the attacker’s server. On the server side, the modulus is used together with the hardcoded exponent e 0x10001 to encrypt the 128-bit AES key which was used previously to encrypt the exploit and shellcode payload,” they write.
Using Factoring as a Service (FaaS), the researchers were able to calculate the decryption key and access the Chainshot malware.
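Why factoring the modulus is enough, shown as an added example that is not code from the Unit 42 report or from the malware: once n is split into p and q, the private exponent follows from the exponent e 0x10001 and the wrapped AES key can be recovered. The two primes, the sample key, the function names and the use of unpadded RSA are assumptions made for illustration.

```python
from math import gcd

E = 0x10001  # public exponent quoted in the report

# Constructed toy factors (two Mersenne primes), NOT the campaign's key.
# Their product is about 196 bits, just large enough to wrap a 128-bit key.
P = 2**89 - 1
Q = 2**107 - 1


def is_factorable_size(n, min_bits=2048):
    """Flag a captured modulus that is shorter than a chosen minimum size."""
    return n.bit_length() < min_bits


def private_exponent(p, q, e=E):
    """Derive the private exponent d from the factors of n = p * q."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # Carmichael lambda(n)
    if gcd(e, lam) != 1:
        raise ValueError("e has no inverse for these factors")
    return pow(e, -1, lam)  # modular inverse, Python 3.8+


def recover_session_key(ciphertext, p, q, key_len=16, e=E):
    """Unwrap a key that was encrypted as c = m^e mod n (no padding assumed)."""
    n = p * q
    if not 0 <= ciphertext < n:
        raise ValueError("ciphertext does not belong to this modulus")
    m = pow(ciphertext, private_exponent(p, q, e), n)
    if m.bit_length() > key_len * 8:
        raise ValueError("plaintext is longer than the expected key")
    return m.to_bytes(key_len, "big")  # fixed width keeps leading zero bytes


if __name__ == "__main__":
    n = P * Q
    # Constructed 128-bit AES key, wrapped the way the server side would.
    sample_key = bytes.fromhex("00112233445566778899aabbccddeeff")
    wrapped = pow(int.from_bytes(sample_key, "big"), E, n)
    print("modulus bits:", n.bit_length(), "weak:", is_factorable_size(n))
    print("recovered key:", recover_session_key(wrapped, P, Q).hex())
```

The only secret in the scheme is the factorization of n, so the modulus length alone decides how long the wrapped key stays confidential.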
Chainshot is multipurpose
Apart from being part of a chain reaction that makes it difficult to analyze components individually, Chainshot contains code designed to search for and bypass Kaspersky and Bitdefender antivirus solutions for both x86 and x64 platforms.
Palo Alto told BleepingComputer that the attack occurred in May, and that they couldn’t verify at the time of the analysis that the bypass code worked against Kaspersky and Bitdefender defenses. Bitdefender confirmed to us that their users have been protected against Chainshot since July. Kaspersky’s Artem Baranov said that he would test the exploit with the Automatic Exploit Prevention component.
Chainshot’s task is to push another piece of malware onto the compromised machine, which drops the final payload. The dropper is also responsible for fingerprinting the system, sending details about the user and the processes running on the machine. Because the adversary made the mistake of using insecure encryption and recycling an SSL certificate in other attacks, security researchers were able to correlate the campaign with other incidents and paint a clearer picture of the entire operation.