Monday, November 7, 2016

QuickSand += structhash

We are pleased to announce version 2 of's structural hashing algorithm "structhash" which can be used to fingerprint the structure of an office document or RTF.

Typical weaponization of malware document's use a skeleton exploit doc as part of the exploit builder process. Usually this skeleton exploit document is specific to to the kit or group behind an attack campaign. The structural hash we've developed takes into account the different streams and any XOR or ROL encoding to build a campaign specific fingerprint. You can then search for the structhash to find additional samples likely related to your campaign.

Early 0 day usage usually follows this model with one group's zero day being outed and other groups replacing the original payload with their own - so the structhash can help find additional samples of a zero day for further analysis.

Despite changes in payloads the underlying core of a malicious document doesn't change that much, the structhash can allow you to track exploits from the same author or exploit kit and reduce your workload attributing samples to campaigns automatically.

Recent APT 28 / Sofacy group / Fancy Bear attacks used the CVE-2016-4117 exploit, looking at a known sample from Palo Alto's Unit 42 report on the "Dealer's Choice" campaign:

DealersChoice.B: SHA256:af9c1b97e03c0e89c5b09d6a7bd0ba7eb58a0e35908f5675f7889c0a8273ec81 structhash is gV9m3kqVr5qe7FY

We can then search for QuickSand structhash gV9m3kqVr5qe7FY:

We then find the second sample sha256: cc68ed96ef3a67b156565acbea2db8ed911b2b31132032f3ef37413f8e2772c5 which also has the structhash of gV9m3kqVr5qe7FY.

As you can see, the structhash can be a powerful tool to group maldocs by campaign. When you are viewing report, click the "root" stream to find the structhash and search for more samples from our sample set here.

No comments:

Post a Comment