![]() Its relatively simple landing page contains a request for an SWF file and what appears to be a base64 encoded GIF file. The Neutrino EK sample analysed in this section was captured in Dec 2014. The SWF files analysis below demonstrates how ActionScript combined with base64 encoding, RC4 encryption and image files can be used to hide the data. SWF file obfuscation applications further enhance data hiding capabilities and also drastically impede reverse engineering efforts making SWF files even more attractive to malware authors. ![]() For example, Neutrino EK(aka Job314, aka Alter EK) uses Adobe Flash Player files to store exploits code, execution control logic(environment checks, exploit code selection, etc.), decryption keys for its various components and the configuration file. You could also tweak an applet, perhaps replacing a background image or the soundtrack. At a minimum you might use the program to grab images, videos or music from an SWF. Some exploit kit authors already using SWF files to be all-in-one ' solution'. JPEXS Free Flash Decompiler is an open source tool for decompiling Flash SWF files, extracting, editing or replacing their contents. ![]() ActionScript scripting language that drives SWF files execution is quite versatile and when combined with other SWF features, like, binary data containers or images embedding creates a strong application environment capable of executing relatively complex tasks. It's fair to say that the exploit kit world is spinning around Adobe Flash files lately. In the case of Neutrino EK our goal will be extraction and decryption of its configuration file and in the malvertising case we'll be after the initial payload URL + exploit shellcode. AS3 support for logical AND/OR compound operator. JPEXS Decompiler - Flash Decompiler FlashPlayer - SWF to HTML Extension swf2exe - SWF to EXE Converter. I'll be using 2 recent Neutrino EK and 1 FlashPack malvertising samples to demonstrate it. ![]() This blog post shows how malware authors use Adobe Flash files to hide their creations' ' sensitive' data. ![]()
0 Comments
Leave a Reply. |