Chain reaction of Chainshot malware can bypass antivirus!
Security researchers exploited a threat actor’s poor choice for encryption and discovered a new piece of malware along with network infrastructure that links to various targeted attacks.
The new piece of malware, which received the name Chainshot, is used in the early stages of an attack to activate a downloader for the final payload in a malicious chain reaction.
Researchers from Palo Alto Networks Unit 42 found Chainshot after following the trails of an Adobe Flash zero-day exploit (CVE-2018-5002) used in a series of targeted malware campaigns.
Cracking the encryption of Chainshot
By studying network captures of traffic exchanged with the attacker’s command and control (C2) servers, Unit 42 malware analysts noticed that the malware payload was encrypted with a 512-bit RSA key.
The RSA (Rivest–Shamir–Adleman) cryptosystem uses an asymmetric key algorithm, where a public key is used to encrypt data and a private one is required to decrypt it.
Cracking a 512-bit key has been possible since 1999, when factoring the modulus required 300 computers working for seven months. Today, all you need is money to rent cloud computing power and a few hours of waiting time.
In a technical report today, the researchers explain how they were able to crack the private key that decrypted Chainshot.
“While the private key remains only in memory, the public keys’ modulus n is sent to the attacker’s server. On the server side, the modulus is used together with the hardcoded exponent e 0x10001 to encrypt the 128-bit AES key which was used previously to encrypt the exploit and shellcode payload,” they write.
Using Factoring as a Service (FaaS), the researchers were able to calculate the decryption key and access the Chainshot malware.
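The recovery the researchers describe comes down to one fact about RSA: anyone who can factor the public modulus n can rebuild the private exponent d and decrypt whatever was encrypted under (n, e). The following is an added educational example, not code from Unit 42 or from the malware, using a toy modulus built from two constructed 30-bit primes so that the factoring step finishes instantly on a laptop with Pollard's rho. A real 512-bit modulus has two 256-bit primes and needs the number field sieve and the rented compute the article mentions; only the size differs, not the principle. The public exponent matches the hard-coded 0x10001 from the quote, and the "session key" is a constructed placeholder standing in for the 128-bit AES key.

```python
import random
from math import gcd

# Public exponent hard-coded by the threat actor according to the article.
E = 0x10001

# Constructed toy primes (assumption: real world uses ~256-bit primes for a 512-bit n).
DEMO_P = 1000000007
DEMO_Q = 998244353
DEMO_N = DEMO_P * DEMO_Q

# Constructed placeholder for the symmetric key that RSA protects (must be < n).
TOY_SESSION_KEY = int.from_bytes(b"toykey!", "big")


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a: int, m: int) -> int:
    """Modular inverse of a mod m; raises if a and m are not coprime."""
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m


def rsa_encrypt_key(session_key: int, n: int) -> int:
    """Server side in the article: encrypt the symmetric key under the public key (n, E)."""
    if session_key >= n:
        raise ValueError("key must be smaller than the modulus")
    return pow(session_key, E, n)


def pollard_rho(n: int, rng: random.Random) -> int:
    """Return a non-trivial factor of composite n (Floyd-cycle Pollard's rho).

    Runtime scales with the square root of the smallest prime factor, which is
    why it works for 30-bit primes here and not for the 256-bit primes of a
    512-bit modulus.
    """
    if n % 2 == 0:
        return 2
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:          # d == n means this c failed; retry with another one
            return d


def factor_modulus(n: int):
    """Split n into its two prime factors p and q."""
    p = pollard_rho(n, random.Random(1))   # fixed seed for reproducibility
    return p, n // p


def recover_private_exponent(n: int) -> int:
    """The analyst's step: factor n, compute phi(n), derive d from the known E."""
    p, q = factor_modulus(n)
    phi = (p - 1) * (q - 1)
    return modinv(E, phi)


def rsa_decrypt_key(ciphertext: int, n: int, d: int) -> int:
    """Decrypt an RSA-wrapped key with the recovered private exponent."""
    return pow(ciphertext, d, n)


def recover_session_key(ciphertext: int, n: int) -> int:
    """End-to-end: from public modulus and wrapped key to the plaintext key."""
    return rsa_decrypt_key(ciphertext, n, recover_private_exponent(n))


if __name__ == "__main__":
    wrapped = rsa_encrypt_key(TOY_SESSION_KEY, DEMO_N)
    print("p, q =", factor_modulus(DEMO_N))
    recovered = recover_session_key(wrapped, DEMO_N)
    print("recovered key matches:", recovered == TOY_SESSION_KEY)
```

The toy deliberately keeps every step in plain integers so the dependency chain is visible: the wrapped key is useless without d, d needs phi(n), and phi(n) needs p and q. Choosing a modulus small enough to factor, as the attacker did with 512 bits, is what makes the last step affordable; at 2048 bits and above the same code path stops at factoring.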
Chainshot is multipurpose
Apart from being part of a chain reaction that makes it difficult to analyze components individually, Chainshot contains code to search for and bypass Kaspersky and Bitdefender antivirus solutions for both x86 and x64 platforms.