Analyzing Shellcode of GrandSoft's CVE-2018-8174
First
CVE-2018-8174 exploit code was published on 2018-05-21.
GrandSoft Exploit Kit used to rely on CVE-2016-0189. Now it uses CVE-2018-8174. The exploit is almost the same as the PoC, except that some obfuscation has been added. The shellcode, however, is unique. Previously the VBScript (CVE-2016-0189) code generated the cryptographic keys and decoded the payload; that work has now been moved into the shellcode.
The previous flow is as follows:
Random Number Generation -> Generate Key Using Random Number ->
Add the Key to the End of URL -> Download Encrypted Malware ->
Decode by the Key
The new flow is as follows:
Random Key Generation -> Add the Key to the End of URL ->
Download Encrypted Malware -> Decode by the Key
* all performed in shellcode
Traffic
First, let's look at the recent GrandSoft traffic. A link to the saz file is given in Kafeine's blog: https://malware.dontneedcoffee.com/2018/05/CVE-2018-8174.html
Opening this saz file shows the following.
The traffic flow is the same as before: it consists of a landing page, the exploit and the malware. CVE-2018-8174 is used as the exploit, which downloads and executes the malware. The malware payload is encrypted, so the shellcode decrypts it using numerical values taken from the URL.
CVE-2018-8174
For a technical explanation of CVE-2018-8174, please refer to other articles, for example https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/
The code actually used in GrandSoft looks like this.
Dead code is included, but it is basically the same as the PoC. What differs is the GetShellcode part: GrandSoft's GetShellcode function has been renamed to c111111, and it looks like this.
Shellcode
The shellcode calls APIs by hash, but the hash differs from the well-known one.
The shellcode's hash algorithm is ror14AddHash32.
Pseudocode is as follows:
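A re-implementation of that hash, added here as an example and not taken from the post or from the shellcode, assuming the rotate-right-then-add-per-byte semantics that the FLARE-style name ror14AddHash32 implies. It builds a lookup table from a constructed candidate list (not names recovered from the shellcode) so that hash constants pulled from a disassembly can be resolved to API names; the rotation count is a parameter, since the widely seen Metasploit-style variant rotates by 13.

```python
# Added example (not from the original post): resolver for the
# ror14AddHash32 API hash the post attributes to GrandSoft's shellcode.

def ror32(value, count):
    """Rotate a 32-bit value right by `count` bits."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror_add_hash32(name, rotation=14):
    """For each byte of `name`: rotate the running value right by
    `rotation` bits, then add the byte (32-bit wrap-around).
    rotation=14 is the ror14AddHash32 variant named in the post;
    rotation=13 is the common Metasploit-style ror13AddHash32."""
    value = 0
    for byte in name.encode("ascii"):
        value = (ror32(value, rotation) + byte) & 0xFFFFFFFF
    return value


def build_hash_table(api_names, rotation=14):
    """Map hash -> API name so constants found in a disassembly can be resolved."""
    return {ror_add_hash32(n, rotation): n for n in api_names}


def resolve(hash_value, table):
    """Return the API name for `hash_value`, or None if it is not in the table."""
    return table.get(hash_value & 0xFFFFFFFF)


# Constructed candidate list; in practice, feed it the export names of the
# DLLs the shellcode is expected to touch (kernel32, urlmon, ...).
SAMPLE_APIS = ["LoadLibraryA", "GetTickCount", "VirtualAlloc",
               "URLDownloadToFileA", "WinExec", "ExitProcess"]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_APIS)
    for h, n in sorted(table.items()):
        print(f"0x{h:08x}  {n}")
```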
The shellcode uses the GetTickCount function to generate keys.
The decoding algorithm is unchanged from the VBScript version.
Pseudocode is as follows:
Conclusion
GrandSoft now has CVE-2018-8174, which may make it a bit more powerful. The shellcode is somewhat distinctive. Enjoy analyzing the shellcode!