The Equation Strikes Back – DIFAT overflow

As promised in our last tech blog, we are disclosing additional unique variants of the exploit for this Microsoft Equation vulnerability, which circumvent many of the security solutions and vendors attempting to protect your valuable data from infection, including leading sandbox and anti-malware providers.

In this article we will show how another bug, in OLE32.dll, which incorrectly handles an integer overflow, is used to bypass security solutions and fool parsers.


According to the format specification, the OLE (compound file) header contains a table called the DIFAT, which is an array of 32-bit numbers. Each sector has an ID, which can be any 32-bit unsigned number under 0xFFFFFFA; the DIFAT holds the sector IDs plus a few special values. To reach sector N in the table, its file offset is computed with the following formula: sector_size * (sector ID + 1), where sector ID is DIFAT[N].

The relevant parts of the official spec are presented below [Pages 15-20]:

[Screenshots of the specification pages describing the DIFAT and sector offsets, not reproduced here]

It turns out that when a large sector ID is present, the formula above leads to an integer overflow that ultimately yields a relatively small offset.

The following screenshots show the code snippets that perform the overflowing calculation.

[Disassembly screenshots of the offset calculation in OLE32.dll, not reproduced here]

The sector size is 512, and the first sector ID is 0xFF000000. Let's apply the formula above (as in the official specification): (0xFF000000 + 1) * 512 = 2190433321472, or 0x1FE00000200 in hex.

It is easy to see that the result does not fit in 32 bits (an integer overflow), so when the code above performs the calculation, only the lowest 32 bits of the product survive. In other words, the calculated offset is 0x200 = 512, as can be seen in the following debug screenshot.

[Debugger screenshot showing the computed offset 0x200, not reproduced here]

This result makes sense, because it points just after the header, which is the natural place for the first sector.

This behavior is not documented by Microsoft, but it can confuse high-level parsers that do not replicate the overflow: their calculation points to an impossible offset, which in the best case makes them ignore the sector that contains the exploit and in the worst case makes them crash.
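The two offset calculations side by side, as an added example that is not part of the original post: a minimal Python reader of the compound file header (field layout per the CFB spec; the sample file is constructed inline) computes each DIFAT entry's offset both as the spec states it and with 32-bit truncation, and flags entries where only the truncated offset lands inside the file, which is the signature of the trick described above.

```python
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT = 0xFFFFFFFF
MAXREGSECT = 0xFFFFFFFA  # highest regular sector ID; larger values are special markers

def parse_header(data):
    """Return (sector_size, regular DIFAT entries) from a compound file header."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a compound file")
    sector_shift = struct.unpack_from("<H", data, 30)[0]   # sector size = 2**shift
    difat = struct.unpack_from("<109I", data, 76)           # 109 DIFAT entries in the header
    return 1 << sector_shift, [s for s in difat if s <= MAXREGSECT]

def sector_offset_spec(sector_id, sector_size):
    # The formula as the spec states it, evaluated without any truncation.
    return (sector_id + 1) * sector_size

def sector_offset_ole32(sector_id, sector_size):
    # Same formula, but the product is kept as a 32-bit unsigned value,
    # which is what the truncating multiplication in the screenshots produces.
    return ((sector_id + 1) * sector_size) & 0xFFFFFFFF

def check_difat(data):
    """Compare both offset calculations for every regular DIFAT entry."""
    sector_size, difat = parse_header(data)
    findings = []
    for n, sid in enumerate(difat):
        spec = sector_offset_spec(sid, sector_size)
        real = sector_offset_ole32(sid, sector_size)
        findings.append({"index": n, "sector_id": sid,
                         "spec_offset": spec, "ole32_offset": real,
                         "overflow": spec != real,
                         "spec_offset_in_file": spec < len(data),
                         "ole32_offset_in_file": real < len(data)})
    return findings

def build_sample(first_sector_id):
    # Constructed sample: a 512-byte header followed by one empty 512-byte sector.
    header = bytearray(512)
    header[:8] = CFB_MAGIC
    struct.pack_into("<H", header, 30, 9)  # sector shift 9 -> 512-byte sectors
    struct.pack_into("<109I", header, 76, first_sector_id, *([FREESECT] * 108))
    return bytes(header) + b"\x00" * 512

if __name__ == "__main__":
    for finding in check_difat(build_sample(0xFF000000)):
        print(finding)
```

An entry with overflow set, whose truncated offset is inside the file while the spec offset is not, is exactly the case a parser should either reproduce (to reach the same sector OLE32 reads) or report as suspicious.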

In this case the dropped malware is a new variant of Java Jacksbot. The trojan is a remote access backdoor that can only run, and infect you, if Java is installed. JACKSBOT is capable of taking complete control of the compromised system.

The malware code reveals that it is capable of visiting URLs, creating files and/or folders, running shell commands, and executing and terminating programs. It can also steal information by logging keystrokes and mouse events.

General Capabilities:

  • collect keystrokes
  • steal cached passwords and grab data from web forms
  • take screenshots
  • take pictures and record video from the webcam
  • record sound from the microphone
  • transfer files
  • collect general system and user information
  • steal keys for cryptocurrency wallets
  • manage SMS (for Android)
  • steal VPN certificates

IOCs:


Conclusion

In both samples, our analysis tools were not affected by these tricks, since they are based on finding forms of code within the data, regardless of the wrapping objects.

[SoleGATE screenshot: SoleGATE detects machine code (x86) in the file]

SoleGATE's malware detection is a signature-less, patented solution that detects these types of malware without the need to sandbox or run any behavioral inspection, and is therefore immune to sandbox evasion techniques.
