We are working with Adobe and have jointly decided not to share more technical information on the vulnerabilities at this time. Instead, let's start with the shellcode. To bypass ASLR and DEP, the shellcode takes the form of a ROP chain. It creates a new DLL file on disk and executes it by calling LoadLibraryA(). Here is the sequence of the ROP shellcode:
Once the malicious library is loaded, it enters a long sleep so that the thread does not crash, since the whole stack of that thread has already been manipulated to build the ROP chain.
Eventually the malicious library loads the payload. The payload involved in this exploit ultimately installs what appears to be a first-stage downloader in the form of a DLL posing as a “language bar addin,” using the registry key “HKCU\Software\Microsoft\CTF\LangBarAddIn” to persist across reboots. It further attempts to legitimize this disguise in its file properties.
As a precautionary measure, it checks the process it is loaded into against a list of processes that would normally load a language bar, and refrains from certain behaviors if there is no match, likely to disrupt analysis.
It employs other anti-analysis tricks as well. It makes use of a TLS callback in order to start a thread before the entry point is reached, and it fills its Export Table with over 200 fake entries that are named after Windows Property System functions but point to invalid memory locations. The latter is particularly effective at muddying up sandbox analysis reports that enumerate the exports of a DLL and attempt to call each of them.
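As an added example (not code from the original post or from the analyzed sample), a pure-Python triage check for the decoy-export pattern described above: it walks the PE export table and flags every named export whose RVA does not fall inside any section. The PE image is constructed inline for the demonstration; its layout, the export names and the decoy RVA are assumptions, not values from the real file.

```python
import struct

def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]

def dangling_exports(image):
    """Names of exports whose RVA lies outside every section (decoy-table heuristic)."""
    pe = _u32(image, 0x3C)
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size, opt = _u16(image, pe + 6), _u16(image, pe + 20), pe + 24
    dirs = opt + (96 if _u16(image, opt) == 0x10B else 112)  # PE32 vs PE32+ data directories
    exp_rva = _u32(image, dirs)                                # directory 0 = export table
    secs = []
    for i in range(nsec):                                      # (VirtualAddress, size, PointerToRawData)
        vsize, va, rsize, raw = struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8)
        secs.append((va, max(vsize, rsize), raw))
    def to_off(rva):                                           # RVA -> file offset, None if unmapped
        for va, size, raw in secs:
            if va <= rva < va + size:
                return raw + rva - va
        return None
    ed = to_off(exp_rva)
    nnames, funcs, names, ords = struct.unpack_from("<IIII", image, ed + 24)
    suspicious = []
    for i in range(nnames):
        name_off = to_off(_u32(image, to_off(names) + 4 * i))
        name = image[name_off:image.index(b"\0", name_off)].decode()
        ordinal = _u16(image, to_off(ords) + 2 * i)
        if to_off(_u32(image, to_off(funcs) + 4 * ordinal)) is None:
            suspicious.append(name)
    return suspicious

def build_sample():
    """Constructed PE32, not a real sample: one section at RVA 0x1000 whose export
    table has a genuine export and a decoy named after a Property System API."""
    va, raw, size = 0x1000, 0x200, 0x200
    funcs, names, ords, strs = va + 40, va + 48, va + 56, va + 60
    strings = b"RealExport\0PSGetPropertyDescription\0sample.dll\0"
    export = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, strs + 36, 1, 2, 2, funcs, names, ords)
    export += struct.pack("<II", va + 0x100, 0x7FFF0000)  # function RVAs: inside section, outside image
    export += struct.pack("<II", strs, strs + 11)         # name RVAs
    export += struct.pack("<HH", 0, 1) + strings           # name ordinals, then string table
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<III", 16, va, len(export)) + bytes(120)
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", size, va, size, raw, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + opt + sec).ljust(raw, b"\0") + export.ljust(size, b"\0")

if __name__ == "__main__":
    print(dangling_exports(build_sample()))  # ['PSGetPropertyDescription']
```

The heuristic only catches RVAs that map to no section at all; a decoy that points at garbage inside a mapped section, or a forwarder string, passes it and needs a disassembly-level check.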
We have identified a set of registry values under “HKCU\Software\Microsoft\Multimedia\Other” that are used for certain functionality in the malware. One value, “UI”, is a boolean that, when set to 1, triggers the malware to uninstall itself. Another value, “SD”, holds a date formatted as “YYYYMMDD” that is used for a long-term sleep feature.
The compile times for the various payloads dropped are very recent as seen in Table 1.
Table 1: Compile times of the dropped and downloaded payloads

| File | Compile time |
|---|---|
| D.T (dropped) | 01/24/2013 14:13:52 |
| L2P.T (dropped) | 02/04/2013 14:36:29 |
| langbar32.dll (dropped) | 02/04/2013 14:36:06 |
| lbarext32.dll (downloaded) | 02/04/2013 16:02:01 |
| lbarhlp32.dll (downloaded) | 02/04/2013 16:02:22 |
After the initial beacon with a GET request that we shared yesterday, it also makes various POST requests. In response to the POSTs we observed additional payloads being downloaded. The two of note are lbarext32.dll and lbarhlp32.dll, which it downloads and loads. It also creates a data file called “kmt32.pod”. It is unclear so far what the contents of this file are.
A Peculiar Image Base Address
The author chose "666C" as the preferred Image Base, likely in reference to the verse from the Book of Revelation in the Bible from which the popular heavy metal band “Iron Maiden” drew inspiration for their album and song "The Number of the Beast." Hence the name of this blog post. We also named this malware "Trojan.666" based on this discovery.
We will continue our analysis and will provide updates as we discover more.
This blog is written by FireEye researchers James Bennett, Yichong Lin, and Thoufique Haq.