Another new exploit pack has been found in the wild. This pack uses two interesting methods to obfuscate its contents. Both methods aren’t brand new but interesting nonetheless. Let’s have a closer look…
Here’s the infection chain:
The first two URLs are redirectors to the main landing page, which is "qrsop326821". When I first looked at this HTML page I thought the file had been corrupted in Wireshark, but it actually wasn't.
And this is what the deobfuscated code looks like:
Here’s what the transformation looks like since it’s rather difficult to describe.
As you can see from the landing page, there are two sets of exploits: Java and PDF. The PDF contains the LibTiff exploit (CVE-2010-0188) and shellcode that downloads and executes the final payload file. The Java applet appears to use two exploits and, if successful, downloads a "JPEG" file that doesn't have the correct magic number.
Opening the file with a hex editor shows that every other byte is a garbage character and that this is really an executable.
I updated a program I wrote earlier to extract every other byte and dump it to a file.
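The de-interleaving step, as an added example that is not the author's own program: the post says every other byte of the fake JPEG is junk, but not whether the junk sits at even or odd offsets, so this script tries both parities and keeps the one that yields an MZ stub with a valid "PE\0\0" signature at e_lfanew. The sample input is constructed here (a minimal PE header skeleton with pseudo-random junk bytes inserted), not the real download from the pack.

```python
"""Recover a PE that has been hidden by interleaving a junk byte beside every real byte."""
import struct
import sys

JPEG_MAGIC = b"\xff\xd8\xff"  # SOI marker a real JPEG starts with


def has_jpeg_magic(data: bytes) -> bool:
    """True if the blob starts with the JPEG SOI marker (FF D8 FF)."""
    return data.startswith(JPEG_MAGIC)


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ stub and a 'PE\\0\\0' signature where e_lfanew (offset 0x3C) points."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def deinterleave(data: bytes, offset: int) -> bytes:
    """Keep every second byte, starting at `offset` (0 or 1)."""
    return data[offset::2]


def recover_exe(data: bytes):
    """Try both byte parities; return (offset, exe_bytes) for the one that is a PE, else None."""
    for offset in (0, 1):
        candidate = deinterleave(data, offset)
        if looks_like_pe(candidate):
            return offset, candidate
    return None


# --- constructed demo input (assumption: not the real sample from the post) ---

def build_fake_pe() -> bytes:
    """Minimal MZ + PE header skeleton, just enough for looks_like_pe() to accept it."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> immediately after the DOS header
    # 'PE\0\0', Machine = 0x014C (i386), remaining COFF header fields left zero
    return bytes(dos) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18


def interleave_with_junk(exe: bytes, junk_first: bool = True) -> bytes:
    """Insert one deterministic pseudo-random junk byte beside each real byte (simulates the disguise)."""
    out = bytearray()
    for i, b in enumerate(exe):
        junk = (i * 37 + 11) & 0xFF
        out += bytes([junk, b]) if junk_first else bytes([b, junk])
    return bytes(out)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python deinterleave.py downloaded.jpg recovered.exe
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        result = recover_exe(blob)
        if result is None:
            sys.exit("no PE found at either byte offset")
        offset, exe = result
        with open(sys.argv[2], "wb") as f:
            f.write(exe)
        print(f"real bytes start at offset {offset}; wrote {len(exe)} bytes")
    else:
        sample = interleave_with_junk(build_fake_pe())
        print("JPEG magic present:", has_jpeg_magic(sample))
        print("real bytes start at offset:", recover_exe(sample)[0])
```

Checking for the PE signature at e_lfanew rather than only for "MZ" avoids a false hit when a junk byte pair happens to spell "MZ"; on a real capture you would then hand the output to a PE parser to confirm the section table is sane before running it in a sandbox.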
These are the results I got:
File: rke80886.jar (CVE-2012-4681, CVE-2012-1723)
VT: 1 / 43
File: lib1.pdf (CVE-2010-0188)
VT: 4 / 44
File: EXE Payload
VT: 27 / 44
This pack hasn’t been identified yet so if anyone knows its name, please drop me a note.