This blog post shows how malware authors use Adobe Flash files to hide their creations' 'sensitive' data. I'll be using 2 recent Neutrino EK and 1 FlashPack malvertising samples to demonstrate it.

It's fair to say that the exploit kit world is spinning around Adobe Flash files lately. ActionScript, the scripting language that drives SWF file execution, is quite versatile, and when combined with other SWF features, like binary data containers or image embedding, it creates a strong application environment capable of executing relatively complex tasks. Some exploit kit authors are already using SWF files as an all-in-one 'solution'. For example, Neutrino EK (aka Job314, aka Alter EK) uses Adobe Flash Player files to store exploit code, execution control logic (environment checks, exploit code selection, etc.), decryption keys for its various components and the configuration file. SWF file obfuscation applications further enhance data hiding capabilities and also drastically impede reverse engineering efforts, making SWF files even more attractive to malware authors.

In the case of Neutrino EK our goal will be extraction and decryption of its configuration file, and in the malvertising case we'll be after the initial payload URL + exploit shellcode.

The Neutrino EK sample analysed in this section was captured in Dec 2014. Its relatively simple landing page contains a request for an SWF file and what appears to be a base64 encoded GIF file. The SWF file analysis below demonstrates how ActionScript combined with base64 encoding, RC4 encryption and image files can be used to hide the data.
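As an added analyst-side example (not code from the original post or from the kit itself), the block below shows the unpacking steps the combination just described implies: base64-decode a blob, confirm it carries a GIF header, and RC4-decrypt what follows. The blob layout (fixed 13-byte GIF header, then ciphertext), the key and the sample configuration are all constructed assumptions for the demonstration, not values taken from a real Neutrino EK capture.

```python
import base64

GIF_MAGICS = (b"GIF87a", b"GIF89a")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_sample(config: bytes, key: bytes) -> str:
    """Constructed test input only: minimal GIF89a header + logical screen
    descriptor (13 bytes), followed by RC4(config), all base64-encoded the way a
    landing page would embed it. This mirrors the assumed layout, not a real kit."""
    gif_header = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"
    return base64.b64encode(gif_header + rc4(key, config)).decode()


def extract_hidden_config(b64_blob: str, key: bytes, header_len: int = 13) -> dict:
    """Analyst side: decode the blob, check that it starts like a GIF, then
    RC4-decrypt the bytes after the (assumed) fixed-length header.
    Returns an empty config when the magic does not match, so callers can tell
    'not a GIF wrapper' apart from 'decrypted to garbage'."""
    raw = base64.b64decode(b64_blob)
    is_gif = raw[:6] in GIF_MAGICS
    payload = rc4(key, raw[header_len:]) if is_gif else b""
    return {"is_gif": is_gif, "total_len": len(raw), "config": payload}


if __name__ == "__main__":
    blob = build_sample(b'{"id":"sample-config"}', b"k3y")  # constructed
    print(extract_hidden_config(blob, b"k3y"))
```

In practice the key and the offset come from the SWF's ActionScript, so treat `header_len` and `key` as parameters recovered during decompilation rather than fixed constants.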