Research

Sykipot exploits an Adobe Flash Zero-Day

Yesterday, Adobe published an advisory about a critical vulnerability in their Flash Player that is already being actively exploited. The CVE number assigned to this bug is CVE-2010-3654. A fix is currently being prepared by Adobe. The exploit we are seeing right now has a payload which, while not being very sophisticated, holds several surprises.

When executed, the bot checks for command line options. The ‘-installkys’ option installs the bot onto the victim machine. Interestingly enough, if you use the ‘-removekys’ parameter the malware gets entirely removed from the system – a built in unistall. The malware then calls itself without any parameters and the malicious code is run. The screenshot below shows the code for parsing the command line parameters.

The binary drops a DLL, the actual malware, to the hard drive and scans the list of running processes for outlook.exe, iexplore.exe, and firefox.exe. If a matching process is found, the dropped DLL gets injected and executed as a new thread.

The injected code will send an HTTP request to news.mysundayparty.com every 5 minutes and download an encrypted configuration file. The DNS entry seems to be somewhat fluxy: it has a TTL of 1800 seconds, and the IP address it resolves to changes every now and then. A decrypted config file contains a list of commands to gather information about the infected host. This information is encrypted and sent back to the server. Here is a decoded config file:

Searching the web for strings from this file reveals an interesting connection with a piece of malware that was spreading at the beginning of this year. Similar to the current bot, this earlier virus exploits a zero-day vulnerability, collects information about the infected machine and sends it back to its master. A still earlier version is reported to exploit another Flash zero-day.

A nice thing is that each configuration download request contains all the necessary information to track down infected hosts in a network. Below is what the HTTP GET request for the config file looks like. The path contains one parameter assembled from the Windows host name and its IP address with the prefix ‘-nsunday‘ and is quite unique. Also note the Referer field, which is always set to http://www.yahoo.com/, and the characteristic Accept header. Constructing a reliable IDS signature should not be too hard.

Kaspersky detects both the installer and the DLL as Backdoor.Win32.Sykipot.an. The exploit is heuristically detected as Exploit.Script.Generic.

Sykipot exploits an Adobe Flash Zero-Day

Your email address will not be published.

 

Reports

Kimsuky’s GoldDragon cluster and its C2 operations

Kimsuky (also known as Thallium, Black Banshee and Velvet Chollima) is a prolific and active threat actor primarily targeting Korea-related entities. In early 2022, we observed this group was attacking the media and a think-tank in South Korea.

Andariel deploys DTrack and Maui ransomware

Earlier, the CISA published an alert related to a Stairwell report, “Maui Ransomware.” Our data should openly help solidify the attribution of the Maui ransomware incident to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly.

Subscribe to our weekly e-mails

The hottest research right in your inbox