Fortinet Inc.

10/05/2022 | Press release | Distributed by Public on 10/06/2022 21:59

Excel Document Delivers Multiple Malware by Exploiting CVE-2017-11882 – Part II

FortiGuard Labs recently captured an Excel document with an embedded malicious file in the wild. The embedded file, which has a randomized file name, exploits a particular vulnerability, CVE-2017-11882, to execute malicious code that downloads and runs malware on a victim's device.

Part I of my analysis explained how this crafted Excel document exploits CVE-2017-11882 and what it does once the vulnerability is triggered. A website involved in the campaign (hxxp[:]//lutanedukasi[.]co[.]id/wp-includes/{file name}) was found storing and delivering numerous samples from several malware families, such as Formbook and Redline. In part I, I dissected a recent Formbook sample from that website, covering, among other things, how that Formbook variant was downloaded and deployed on a victim's device and which C2 servers it contains.

Redline (also known as Redline Stealer) is a commercial malware family designed to collect sensitive information from infected devices, such as saved credentials, autocomplete data, credit card information, and more.

Affected platforms: Microsoft Windows
Impacted parties: Windows Users
Impact: Collect Sensitive Information from Victim's Device.
Severity level: Critical

I start part II of my analysis by examining a Redline sample collected from that same website. In this report, you will learn how the Redline payload is extracted from the sample, how it maintains persistence on the infected device, what sorts of sensitive information are stolen from the victim's device, and how that stolen information is submitted to its C2 server.

Redline Loader

The Redline sample I selected is "hxxp[:]//lutanedukasi[.]co[.]id/wp-includes/almac.exe", which is a Redline loader. It is obfuscated by a .NET obfuscator called SmartAssembly 6.9.0.114. When I analyzed this sample in a .NET debugger, I found that it uses a comprehensive set of obfuscation features, such as obfuscated names (class names, function names, variable names, and more), control flow obfuscation, string encoding, and declarative obfuscation.

Figure 1.1 shows the sample in a debugger, with the names obfuscated by SmartAssembly and the entry point (the main() function) visible.
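As an added static-triage example (not code from the original post or from FortiGuard Labs), the Python helper below checks whether a file is a .NET PE image and reads the version that SmartAssembly itself stamps into every assembly it processes via its PoweredByAttribute marker string; the sample buffer is constructed for the demonstration and contains no bytes from almac.exe.

```python
import re
import struct

# SmartAssembly marks every assembly it processes with a
# SmartAssembly.Attributes.PoweredByAttribute whose string argument is
# "Powered by SmartAssembly <version>", stored as UTF-8 in the #Blob heap.
SA_MARKER = re.compile(rb"Powered by SmartAssembly (\d+(?:\.\d+){1,3})")
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def is_dotnet_pe(data: bytes) -> bool:
    """True when data is a PE image whose CLR runtime header directory is populated."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt_hdr = e_lfanew + 24  # optional header follows the 20-byte COFF header
    if opt_hdr + 2 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    dir_table = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 vs PE32+ layout
    if dir_table is None:
        return False
    entry = opt_hdr + dir_table + CLR_DIRECTORY_INDEX * 8
    if entry + 8 > len(data):
        return False
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0


def smartassembly_version(data: bytes):
    """Version string from the PoweredByAttribute marker, or None if absent."""
    m = SA_MARKER.search(data)
    return m.group(1).decode("ascii") if m else None


def triage(data: bytes) -> dict:
    """Static triage: is it a .NET PE, and which SmartAssembly version (if any) built it?"""
    return {"dotnet_pe": is_dotnet_pe(data), "smartassembly": smartassembly_version(data)}


def constructed_sample() -> bytes:
    """Constructed stand-in for the loader: a minimal PE32 skeleton with a CLR
    directory entry followed by the SmartAssembly marker. Not real malware bytes."""
    opt_hdr = 0x80 + 24
    img = bytearray(opt_hdr + 96 + 16 * 8)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, opt_hdr, 0x10B)
    struct.pack_into("<II", img, opt_hdr + 96 + CLR_DIRECTORY_INDEX * 8, 0x2008, 72)
    return bytes(img) + b"\x00" * 16 + b"Powered by SmartAssembly 6.9.0.114\x00"
```

Run `triage(open(path, "rb").read())` on a quarantined file to get the same two facts the author read from the debugger, without loading the sample.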