Thursday, May 11, 2017

EPS obfuscation for MS Office exploits

We took a deeper look at a recent FireEye blog post on 2 new EPS exploits used as zero-days by the APT 28 / Turla group. Both exploits have since been patched. One of the samples used an interesting EPS-based obfuscation technique to avoid detection: a 4-byte XOR implemented with native PostScript operators obfuscates the exploit code, which is then decoded in memory at run time, defeating static analysis.

CVE-2017-0262 Sample

QuickSand.io Report

The obfuscation

The PostScript code starts with an XOR loop keyed with 0xC45D6491, built only from built-in PostScript functionality, which decodes the rest of the block in memory when the EPS is processed.


Using our Cryptam multi tool, we'll decode the EPS block manually:

$ php cryptam_multi.php eps.test -xor c45d6491
using XOR key c45d6491


$ ./quicksand.out eps.test.out
 -0> root {7}
  md5:237e6dcbc6af50ef5f5211818522c463
  sha1:228c21dff49376c0946fe2bbe21448bbdbfcf13a
  sha256:385655e10c8a7718bb50e969979cf4f08a2380f67827ce01d05874c49b3a5c13
  head:7b202f48656c7665
  size:347320
  yara:exploits:exploit_cve_2017_0262
  yara:executable:executable_win
  structhash:nO
  qsversion:01.06.004
  qstime:2017:05:11 14:08:48
  score:20
  is_malware:2
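The decode step above in code, as an added example that is not Cryptam or QuickSand code: a repeating 4-byte XOR decoder equivalent to `cryptam_multi.php -xor c45d6491`, a plausibility check on the result, and key recovery from a known-plaintext crib (the report's head value 7b202f48656c7665 is ASCII "{ /Helve"). The EPS text is constructed, and the key byte order (c4 5d 64 91, applied from offset 0) is an assumption.

```python
"""Added example (not Cryptam/QuickSand code): repeating 4-byte XOR decode,
PostScript plausibility check, and key recovery from a known crib.
Sample text is constructed; key byte order c4 5d 64 91 from offset 0 is assumed."""

KEY_HEX = "c45d6491"           # key used by the sample's PostScript xor loop
# Constructed plaintext; starts with "{ /Helve" like the report's head value.
PLAINTEXT = (b"{ /Helvetica findfont 12 scalefont setfont\n"
             b"/payload 16 string def\n} exec\n")

def xor_decode(data: bytes, key_hex: str) -> bytes:
    """XOR data with a repeating key given as a hex string (symmetric op)."""
    key = bytes.fromhex(key_hex)
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_postscript(buf: bytes) -> bool:
    """Plausibility check for a decoded block: mostly printable ASCII plus at
    least two common PostScript tokens. A heuristic, not a detection rule."""
    printable = sum(32 <= c < 127 or c in (9, 10, 13) for c in buf)
    if not buf or printable < 0.9 * len(buf):
        return False
    return sum(tok in buf for tok in (b"/", b"def", b"exec", b"string")) >= 2

def recover_key(data: bytes, crib: bytes, offset: int = 0, keylen: int = 4) -> str:
    """Recover a repeating key from known plaintext at `offset`. The crib must
    cover every key position and decode consistently, else raise."""
    key = [None] * keylen
    for i, p in enumerate(crib):
        pos = offset + i
        k = data[pos] ^ p
        if key[pos % keylen] not in (None, k):
            raise ValueError("crib inconsistent with a %d-byte key" % keylen)
        key[pos % keylen] = k
    if None in key:
        raise ValueError("crib too short to cover the key")
    return bytes(key).hex()

ENCODED = xor_decode(PLAINTEXT, KEY_HEX)   # constructed obfuscated block

if __name__ == "__main__":
    k = recover_key(ENCODED, b"{ /Helve")
    dec = xor_decode(ENCODED, k)
    print("recovered key:", k, "plausible PostScript:", looks_like_postscript(dec))
```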


Deobfuscated PostScript

We've added a new PostScript XOR obfuscation Yara signature, warning_EPS_xor_exec, to our QuickSand_Lite project on our GitHub.

Indicators

CVE-2017-0262 Sample [Report]
Filename Confirmation_letter.docx.bin
Size 251036 bytes
MD5 2abe3cc4bff46455a945d56c27e9fb45
SHA1 0bd354d1eea9e4864f4c17e6c22bfdb81d88ddee
SHA256 6785e29698444243677300db6a0c519909ae9e620d575e76d9be4862b33ed490


CVE-2017-0261 Sample [Report] (obfuscated)
Filename Trump's_Attack_on_Syria_English.docx
Size 268950 bytes
MD5 f8e92d8b5488ea76c40601c8f1a08790
SHA1 d5235d136cfcadbef431eea7253d80bde414db9d
SHA256 91acb0d56771af0196e34ac95194b3d0bf3200bc5f6208caf3a91286958876f9
