Monday, August 29, 2016

Neutrino Exploit Kit - SWF Analysis

Neutrino Exploit Kit is not a new member of the cyber space arena. The kit has been around for a while and has improved quite a lot over the months. This post is a short walkthrough of the obfuscation methods employed by the kit.
A typical Neutrino Exploit Kit SWF looks like the one below:



Neutrino uses the RC4 algorithm to encrypt the inner SWF. The key and the encrypted SWF itself are embedded as binaryData in the outer SWF (as seen in the above image). To decrypt the SWF, you first need to find the binaryData that holds the key and the binaryData blob(s) that hold the encrypted SWF. This can be done by reading the ActionScript; the snippet below shows that the encrypted SWF spans a couple of binaryData blobs, which are concatenated before being handed to the RC4 routine, so the order in which they are appended matters.



The decryption loop can be ported to a Python script for repeated use. Pointing the script at the extracted binaryData files (the key and the encrypted SWF chunks) outputs the decrypted SWF file.

def decrypt(key, data):
    # Straight port of the decompiled ActionScript routine. It is plain RC4:
    # a key-scheduling pass over a 256-byte state, then a keystream XOR.
    S = bytearray(range(256))
    out = bytearray()

    # Key-scheduling (KSA): permute S under the key, cycling the key bytes as needed
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 255
        S[i], S[j] = S[j], S[i]

    # Keystream generation (PRGA): XOR each ciphertext byte with S[(S[i] + S[j]) & 255]
    i = 0
    j = 0
    for n in range(len(data)):
        i = (i + 1) & 255
        j = (j + S[i]) & 255
        S[i], S[j] = S[j], S[i]
        out.append(data[n] ^ S[(S[i] + S[j]) & 255])

    return out

def main():
    # binaryData files extracted from the outer SWF; the names are specific to this sample
    with open("C:\\Temp\\binaryData\\2_c.fcvtaaslrv.bin", "rb") as f:
        key = bytearray(f.read())            # the RC4 key
    with open("C:\\Temp\\binaryData\\5_c.rkrzaajqnespsnx.bin", "rb") as f:
        data = bytearray(f.read())           # first ciphertext chunk
    with open("C:\\Temp\\binaryData\\4_c.zkqctptzgek.bin", "rb") as f:
        data += f.read()                     # second chunk, appended in the order the ActionScript concatenates them

    swf = decrypt(key, data)

    with open("C:\\Temp\\binaryData\\decrypted.swf", "wb") as f:
        f.write(swf)

if __name__ == '__main__':
    main()


Loading the decrypted file into a decompiler reveals the true nature of the SWF.



The inner SWF also has a bunch of binaryData blobs embedded. These are RC4 encrypted as well, and they can be decrypted with a pre-defined key specified in the inner SWF's ActionScript block (a hard-coded key this time, unlike the outer layer where the key was stored as a separate binaryData).



RC4-decrypting each of the embedded binaryData blobs with the highlighted key reveals multiple other exploits. One such encrypted SWF inside the inner SWF is shown below.



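Both stages above reduce to the same two operations: RC4 with a key that lives somewhere in the file, and a check that the result really is a SWF. The script below is an added example, not code from the original post or from the kit itself, that automates what the post does by hand. For the outer layer it tries every extracted binaryData blob as the key and every ordering of the remaining blobs as the ciphertext, accepting a candidate only when the decrypted bytes carry a consistent SWF header (FWS/CWS/ZWS signature plus the little-endian uncompressed length at offset 4, with CWS bodies inflated to confirm). For the inner layer it decrypts every blob with the one hard-coded key and tags which results are SWFs. The blob names and the sample payload are constructed for the demo; pass a directory of extracted binaryData files to run it against a real sample.

```python
import itertools
import os
import struct
import sys
import zlib

def rc4(key, data):
    """Plain RC4 (KSA then PRGA), the primitive the Neutrino ActionScript implements."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def looks_like_swf(data):
    """Validate the SWF container header, not just its three magic bytes.
    Bytes 0-2: signature (FWS plain, CWS zlib, ZWS LZMA); byte 3: version;
    bytes 4-7: little-endian length of the uncompressed file.  FWS must match the
    blob size exactly, CWS must inflate to the declared size.  Output from a
    wrong key or a wrong chunk order is noise and fails these checks."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS", b"ZWS"):
        return False
    declared = struct.unpack("<I", data[4:8])[0]
    if data[:3] == b"FWS":
        return declared == len(data)
    if data[:3] == b"CWS":
        try:
            return len(zlib.decompress(data[8:])) + 8 == declared
        except zlib.error:
            return False
    return True  # ZWS accepted on the signature alone; no LZMA check here

def recover_outer_swf(blobs):
    """Outer stage: find the key blob and the ciphertext chunk order without
    reading the ActionScript.  Each blob is tried as the key against every
    ordering of the rest, (n-1)! trials per key, cheap for the handful of blobs
    a sample carries.  Returns (key_name, chunk_order, swf_bytes) or None."""
    for key_name, key in blobs.items():
        rest = [n for n in blobs if n != key_name]
        for order in itertools.permutations(rest):
            pt = rc4(key, b"".join(blobs[n] for n in order))
            if looks_like_swf(pt):
                return key_name, list(order), pt
    return None

def decrypt_inner_blobs(blobs, key):
    """Inner stage: the single key hard-coded in the inner SWF's ActionScript
    decrypts every embedded blob; tag each result as 'swf' or 'other'."""
    results = {}
    for name, ct in blobs.items():
        pt = rc4(key, ct)
        results[name] = ("swf" if looks_like_swf(pt) else "other", pt)
    return results

def build_fake_swf(body, compress=False):
    """Constructed stand-in for a payload: a valid FWS or CWS header over `body`."""
    header = bytes([8]) + struct.pack("<I", 8 + len(body))
    if compress:
        return b"CWS" + header + zlib.compress(body)
    return b"FWS" + header + body

def make_demo_blobs():
    """Constructed sample, not from a real Neutrino file: one key blob plus the
    ciphertext split over two blobs, stored out of order as in the outer SWF."""
    key = bytes(range(0x10, 0x20))
    ct = rc4(key, build_fake_swf(bytes(range(40))))
    half = len(ct) // 2
    return {"4_chunkB.bin": ct[half:], "2_key.bin": key, "5_chunkA.bin": ct[:half]}

if __name__ == "__main__":
    # Pass a directory of extracted binaryData files to run on a real sample;
    # with no argument the constructed demo blobs are used.
    if len(sys.argv) > 1:
        blobs = {}
        for name in sorted(os.listdir(sys.argv[1])):
            with open(os.path.join(sys.argv[1], name), "rb") as f:
                blobs[name] = f.read()
    else:
        blobs = make_demo_blobs()
    hit = recover_outer_swf(blobs)
    if hit is None:
        sys.exit("no key/chunk-order combination produced a consistent SWF header")
    key_name, order, swf = hit
    print("key blob: %s | chunks: %s | %d-byte SWF" % (key_name, " + ".join(order), len(swf)))
```

The header check is what makes the brute force safe: RC4 output under a wrong key is indistinguishable from random, so a bare `FWS` magic match is already a one-in-sixteen-million event, and requiring the declared length to agree with the blob size (or with the inflated CWS body) rules out the rest. The trial count grows factorially with the number of blobs, which is irrelevant for the two or three chunks seen here but worth remembering if a later variant splits the payload more finely.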