“Chainshot Malware” Discovered, Encrypted with 512-bit RSA Key

The multi-stage chain that delivers Chainshot includes code to bypass antivirus products.

Security researchers exploited a threat actor's poor choice of encryption key size and discovered a new piece of malware, along with network infrastructure that links it to various targeted attacks.

The new piece of malware, which received the name Chainshot, is used in the early stages of an attack to activate a downloader for the final payload in a malicious chain reaction.

Researchers from Palo Alto Networks Unit 42 found Chainshot after following the trail of an Adobe Flash zero-day exploit (CVE-2018-5002) used in a series of targeted malware campaigns.

Cracking the encryption of Chainshot

By studying network captures of the traffic exchanged with the attacker's command and control (C2) servers, Unit 42 malware analysts noticed that the payload was encrypted with AES and that the AES key itself was protected with a 512-bit RSA key.

The RSA (Rivest–Shamir–Adleman) cryptosystem is an asymmetric algorithm: a public key is used to encrypt data and the matching private key is required to decrypt it. Its security rests on the difficulty of factoring the public modulus n into its two prime factors; anyone who recovers those factors can compute the private key.

Cracking a 512-bit key has been possible since 1999, when factoring such a modulus took about 300 computers working for seven months. Today, all it takes is a few hours of rented cloud computing power, at a cost of well under a hundred dollars.

In a technical report published today, the researchers explain how they recovered the private key and used it to decrypt Chainshot.

“While the private key remains only in memory, the public key's modulus n is sent to the attacker's server. On the server side, the modulus is used together with the hardcoded exponent e 0x10001 to encrypt the 128-bit AES key which was used previously to encrypt the exploit and shellcode payload,” they write.

Using Factoring as a Service (FaaS), the researchers factored the 512-bit modulus, calculated the private decryption key and gained access to the Chainshot malware.
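The following script is an added example and is not code from the article or from Unit 42. It re-creates, at toy scale, the key-wrapping scheme the researchers describe: the implant keeps the RSA private key in memory and sends only the modulus n, the server encrypts the symmetric key under (n, e = 0x10001), and the payload travels under that symmetric key. An observer who captured n, the wrapped key and the ciphertext factors n, rebuilds d, unwraps the key and decrypts the payload. Everything below the two named assumptions is the general attack; the assumptions are that n is 64 bits (so Pollard's rho replaces the number field sieve that a real 512-bit modulus requires), that the wrapped key is 56 bits so it fits below the toy n, that RSA is used textbook-style without padding, and that a SHA-256 keystream stands in for AES-128 so only the standard library is needed. The sample payload is constructed, not real.

```python
"""Added example (not from the article or Unit 42): a 512-bit RSA modulus is a
fatal choice for wrapping a symmetric key.

Assumptions: n is 64 bits (Pollard's rho instead of NFS), the wrapped key is
56 bits so it fits below n, textbook RSA with no padding, and a SHA-256
keystream stands in for AES-128 so only the standard library is needed.
"""
import hashlib
import math
import random

E = 0x10001  # the hardcoded public exponent named in the Unit 42 quote


def is_prime(n):
    """Deterministic Miller-Rabin for n < 3.3e24 (plenty for 64-bit toys)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def gen_weak_rsa(bits, rng):
    """Implant side: toy RSA keypair with a 'bits'-bit modulus. Returns (n, d)."""
    half = bits // 2
    while True:
        p = next_prime(rng.getrandbits(half) | (1 << (half - 1)) | 1)
        q = next_prime(rng.getrandbits(half) | (1 << (half - 1)) | 1)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return p * q, pow(E, -1, phi)


def wrap_key(key_int, n):
    """Server side: textbook RSA encryption of the symmetric key under (n, E)."""
    assert key_int < n, "toy key must be smaller than the toy modulus"
    return pow(key_int, E, n)


def stream_xor(key_int, data):
    """Stand-in for AES-128-CTR: XOR with SHA-256(key || block index).
    NOT AES; it only keeps the example dependency-free. Encrypts and decrypts."""
    key = key_int.to_bytes(16, "big")
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def pollard_rho(n, rng):
    """Return one nontrivial factor of composite n using n alone (Floyd cycle)."""
    if n % 2 == 0:
        return 2
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d


def recover_private_key(n):
    """Analyst side: everything here is derived from the public modulus alone."""
    p = pollard_rho(n, random.Random(0))
    q = n // p
    return pow(E, -1, (p - 1) * (q - 1))


def demo(seed=2018):
    rng = random.Random(seed)
    n, d_in_memory = gen_weak_rsa(64, rng)        # d never leaves the implant
    sym_key = rng.getrandbits(56)                  # stands in for the 128-bit AES key
    payload = b"constructed sample: exploit + shellcode stage"  # constructed, not real
    enc_payload = stream_xor(sym_key, payload)     # sent by the server
    wrapped = wrap_key(sym_key, n)                 # also sent, visible in the pcap
    # Observer: n, wrapped and enc_payload were captured; d_in_memory was not.
    d = recover_private_key(n)
    recovered = pow(wrapped, d, n)
    return {
        "key_recovered": recovered == sym_key,
        "d_matches": d == d_in_memory,
        "payload": stream_xor(recovered, enc_payload),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows that the observer's reconstructed d equals the one that never left the implant's memory and that the decrypted payload matches. The same steps apply to the real 512-bit case; only the factoring engine changes, from Pollard's rho to a number field sieve run on rented compute.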

The private key of Chainshot Malware

Chainshot is multipurpose

Apart from being one link in a chain whose stages are difficult to analyze individually, Chainshot contains code to search for and bypass Kaspersky and Bitdefender antivirus solutions on both x86 and x64 platforms.

Its task is to push another piece of malware onto the compromised machine, which in turn drops the final payload. Chainshot is also responsible for fingerprinting the system, sending details about the user and the processes running on the machine.

Because the adversary made the mistake of using insecure encryption and reused an SSL certificate in other attacks, security researchers were able to correlate the campaign with other incidents and paint a clearer picture of the entire operation.
Credit: BleepingComputer
