Neutrino Exploit Kit is not new a member in the cyber space arena. The kit is now around for a while and has improved quite a lot over the months. This blog is a small walk through about the obfuscation methods employed by the kit.
A typical Neutrino Exploit Kit's SWF looks like below,
Neutrino uses RC4 algorithm for encrypting the inner SWF. The key and the encrypted SWF itself is embedded as binaryData in the outer SWF (as seen in the above image). To decrypt the SWF, you first need to find the binaryData that has the key and another binaryData(s) which holds the encrypted SWF. This can be achieved by looking at the actionscript, below snippet from actionscript reveals that the encrypted SWF spans across couple of binaryData files.
The decryption loop can be ported to a python script for repeated use. Pointing the script to the extracted binaryData files that has the key and the encrypted SWF's (binaryData files) will output the decrypted SWF file.
A typical Neutrino Exploit Kit's SWF looks like below,
Neutrino uses RC4 algorithm for encrypting the inner SWF. The key and the encrypted SWF itself is embedded as binaryData in the outer SWF (as seen in the above image). To decrypt the SWF, you first need to find the binaryData that has the key and another binaryData(s) which holds the encrypted SWF. This can be achieved by looking at the actionscript, below snippet from actionscript reveals that the encrypted SWF spans across couple of binaryData files.
def decrypt(param1, param2):
temp_ba1 = bytearray()
temp_ba2 = bytearray()
temp_1 = 0
while(temp_1 < 256):
temp_ba1.append(temp_1)
temp_1 += 1
temp_1 = 0
temp_2 = 0
while(temp_1 < 256):
temp_2 = temp_2 + temp_ba1[temp_1] + param1[temp_1 % len(param1)] & 255
temp_3 = temp_ba1[temp_1]
temp_ba1[temp_1] = temp_ba1[temp_2]
temp_ba1[temp_2] = temp_3
temp_1 += 1
temp_1 = 0
temp_2 = 0
temp_4 = 0
while(temp_4 < len(param2)):
temp_1 = temp_1 + 1 & 255
temp_2 = temp_2 + temp_ba1[temp_1] & 255
temp_3 = temp_ba1[temp_1]
temp_ba1[temp_1] = temp_ba1[temp_2]
temp_ba1[temp_2] = temp_3
temp_ba2.append(param2[temp_4] ^ temp_ba1[temp_ba1[temp_1] + temp_ba1[temp_2] & 255])
temp_4 += 1
return temp_ba2
def main():
param1 = bytearray(open("C:\\Temp\\binaryData\\2_c.fcvtaaslrv.bin", "rb").read())
param2 = bytearray(open("C:\\Temp\\binaryData\\5_c.rkrzaajqnespsnx.bin", "rb").read())
param3 = bytearray(open("C:\\Temp\\binaryData\\4_c.zkqctptzgek.bin", "rb").read())
for byte in param3:
param2.append(byte)
data = decrypt(param1, param2)
f = open("C:\\Temp\\binaryData\\decrypted.swf", "wb")
f.write(data)
f.close()
if __name__ == '__main__':
main()
When loading the decoded file into decompiler, it reveals the true nature of the SWF.
RC4 decrypting each of the embedded binaryData with the above highlighted key file reveals multiple other exploits. One such encrypted SWF inside inner SWF below.
No comments:
Post a Comment