
Blisk destruction virus

Snake is a .NET keylogger and credential stealer first spotted in late November 2020. Since then, we’ve seen campaigns spreading this malware almost daily. Snake’s name was derived from strings found in its log files and string obfuscation code. Using the malware’s builder, a threat actor can select and configure desired features, then generate new payloads. For this reason, the capabilities of samples found in the wild can vary. This article describes Snake’s capabilities, its infection chain and code similarities with four other commodity keyloggers.

Figure 1 – Publicly reported Snake keylogger detections over time.

Infection Chain

Campaigns delivering Snake in 2021 used malicious spam to distribute the malware, either in RTF or archive attachments. The first type of downloader we’ve seen used to deploy Snake is RTF documents containing the well-known Microsoft Office Equation Editor exploit (CVE-2017-11882). The documents are given .DOC file extensions and attached to emails themed as legitimate business communications. If the recipient runs a vulnerable version of Microsoft Office, the exploit downloads an executable from a remote server and executes it. This file is a packed version of Snake keylogger.

Figure 2 – A malicious RTF email attachment exploiting CVE-2017-11882 isolated by HP Wolf Security.

With the second method, attackers send spam with archive file attachments containing packed Snake executables. When the recipient opens the archive file, it contains a packed copy of Snake, requiring the user to double-click the executable to run it. We found Snake being distributed in IMG, ZIP, TAR, Z, GZ, ISO, CAB, 7z and RAR attachments.

Figure 3 – A malicious IMG email attachment delivering Snake Keylogger isolated by HP Wolf Security.

To reduce the chances of detection by endpoint security tools, the Snake samples we analysed were packed. Shortly after execution, the malware unpacks itself by following the process in Figure 4.

Figure 4 – Snake’s unpacking and execution process.

First, the malware decrypts and loads an encrypted file in the resources section of the .NET file using DES, a common block cipher.

Figure 5 – Call to decryption method with.

The key used to decrypt the file is the first 8 bytes of the SHA256 hash of a string in the source code. Since the string is UTF-16 encoded, you need to choose the correct encoding when calculating the hash to decrypt the file. Figure 5 shows the key (a string of Unicode characters) being passed as the second argument to the PerSec function. Since DES is a block cipher, a mode of operation needs to be specified so that the decryption method knows how to process multiple blocks of ciphertext. Snake’s packer uses electronic codebook (ECB) as its mode, meaning no initialisation vector is required and therefore only the ciphertext and the key are needed. The decrypted file is a dynamic link library (DLL) called CaptIt.dll, which is loaded. This file contains two encrypted files as resources, which are unpacked and executed at runtime. The first is the Snake keylogger payload, and the other is an executable file that is used to run and hide the malware’s presence. Before decrypting these files, CaptIt.dll copies the packed executable to the user’s start-up folder (C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup) so that it runs whenever the device is restarted.

Figure 7 – DLL decryption and string decryption calls.

This time, AES in ECB mode is used to decrypt another DLL file in CapIt.dll. Again, a SHA256 hash of a string is used as the key. In addition to decrypting the DLL, the function decrypts a string that corresponds to the method name of the DLL that has just been unpacked. This method, which is started in a new thread, expects two arguments: a file path and payload name (Figure 9). The second encrypted resource in CapIt.dll is decrypted in the same way as CaptIt.dll, using DES in ECB mode with a key passed to the method as an argument.

Figure 10 – Call to DES decryption method with resource and key as argument.

The Snake payload is hidden inside a legitimate process using RunPE, a well-known process hollowing technique. First, the file path passed as the first argument is used to start a new process in suspended mode. This is followed by calls to the Windows APIs GetThreadContext, ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread. These replace the context of the newly created process with the malware and then launch it. We found a C# implementation of this function on GitHub. At this point, the Snake payload is unpacked and starts running the modules configured by the attacker.
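The unpacking steps described above (SHA256 of a UTF-16 string, first 8 bytes as the DES key, ECB mode, no IV) are what an analyst re-implements to extract the embedded resources from a sample. The Go program below is an added example, not code from the article or from HP Wolf Security: it derives the key material as described, decrypts a resource with DES-ECB or AES-ECB, and checks the result for an "MZ" header. It assumes the key string is encoded as .NET's Encoding.Unicode produces it (UTF-16LE, no byte order mark), that the AES key is the full 32-byte digest (the article only says a SHA256 hash is used), and that the resources carry .NET's default PKCS#7 padding. The key string and the encrypted resource are constructed inside the program; nothing here is taken from a real sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"unicode/utf16"
)

// utf16LE encodes s as .NET's Encoding.Unicode does: UTF-16, little-endian, no BOM.
func utf16LE(s string) []byte {
	units := utf16.Encode([]rune(s))
	out := make([]byte, 2*len(units))
	for i, u := range units {
		binary.LittleEndian.PutUint16(out[2*i:], u)
	}
	return out
}

// KeyFromString derives the key material as the article describes: SHA256 over the
// key string. encoding ("utf16le" or "utf8") selects how the string becomes bytes first.
func KeyFromString(keyStr, encoding string) ([]byte, error) {
	var raw []byte
	switch encoding {
	case "utf16le":
		raw = utf16LE(keyStr)
	case "utf8":
		raw = []byte(keyStr)
	default:
		return nil, fmt.Errorf("unknown encoding %q", encoding)
	}
	sum := sha256.Sum256(raw)
	return sum[:], nil
}

// newBlock picks the cipher: DES takes the first 8 digest bytes (as the article states);
// AES is given the full 32-byte digest (assumption; the article only says SHA256).
func newBlock(key []byte, algo string) (cipher.Block, error) {
	switch algo {
	case "des":
		return des.NewCipher(key[:8])
	case "aes":
		return aes.NewCipher(key)
	}
	return nil, fmt.Errorf("unknown algorithm %q", algo)
}

// decryptECB decrypts block by block with no IV, which is all ECB needs, then strips
// PKCS#7 padding when the tail looks like padding (.NET's default; an assumption here).
func decryptECB(block cipher.Block, ct []byte) ([]byte, error) {
	bs := block.BlockSize()
	if len(ct) == 0 || len(ct)%bs != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ct), bs)
	}
	pt := make([]byte, len(ct))
	for off := 0; off < len(ct); off += bs {
		block.Decrypt(pt[off:off+bs], ct[off:off+bs])
	}
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= bs &&
		bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		pt = pt[:len(pt)-pad]
	}
	return pt, nil
}

// UnpackResource is the analyst's decryption step: derive the key from the string found
// in the sample's source and decrypt the embedded resource. algo is "des" or "aes".
func UnpackResource(ct []byte, keyStr, encoding, algo string) ([]byte, error) {
	key, err := KeyFromString(keyStr, encoding)
	if err != nil {
		return nil, err
	}
	block, err := newBlock(key, algo)
	if err != nil {
		return nil, err
	}
	return decryptECB(block, ct)
}

// LooksLikePE is the sanity check applied to the output: a .NET DLL or EXE starts with "MZ".
func LooksLikePE(b []byte) bool {
	return len(b) >= 2 && b[0] == 'M' && b[1] == 'Z'
}

// ConstructedResource builds a fake encrypted resource (a stand-in for the packed
// CaptIt.dll) so the decryption path can be exercised offline. It exists only for this example.
func ConstructedResource(keyStr, algo string) []byte {
	key, _ := KeyFromString(keyStr, "utf16le")
	block, _ := newBlock(key, algo)
	bs := block.BlockSize()
	pt := []byte("MZ\x90\x00 constructed stand-in for a packed CaptIt.dll")
	pad := bs - len(pt)%bs
	pt = append(pt, bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	for off := 0; off < len(pt); off += bs {
		block.Encrypt(ct[off:off+bs], pt[off:off+bs])
	}
	return ct
}

func main() {
	const keyStr = "example-key-string" // constructed; a real sample's key string comes from its source
	ct := ConstructedResource(keyStr, "des")
	for _, enc := range []string{"utf16le", "utf8"} {
		pt, err := UnpackResource(ct, keyStr, enc, "des")
		fmt.Printf("encoding=%-7s err=%v looksLikePE=%v\n", enc, err, err == nil && LooksLikePE(pt))
	}
}
```

Running `main` decrypts the constructed resource once with the UTF-16LE-derived key and once with a UTF-8-derived key; only the first yields an "MZ" header, which is the encoding pitfall the article points out. The "MZ" check is worth keeping in any unpacker: with ECB and a wrong key, decryption still "succeeds" and returns garbage, so the header test (or a parse of the PE headers) is the only signal that the key and encoding were right.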

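The RunPE call sequence the article lists (a process created suspended, then GetThreadContext, ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread against that process) is the observable a defender can alert on in an API trace from a sandbox or EDR. The Go program below is an added example, not code from the article or from HP Wolf Security: it runs a small state machine over a constructed trace and reports each caller/target pair that completes the sequence starting from a CREATE_SUSPENDED creation. The line format, PIDs and the sample trace are made up for this example. GetThreadContext and ZwUnmapViewOfSection are treated as optional steps, an assumption made so that hollowing variants that skip the unmap are still caught, while a debugger-style suspend, inspect and resume that never writes into the child does not alert.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const createSuspended = 0x4 // CREATE_SUSPENDED process creation flag

type step struct {
	api      string
	optional bool
}

// hollowSteps is the RunPE sequence from the article, in call order. The optional
// flags are an assumption: the dangerous core is suspend, write, set context, resume.
var hollowSteps = []step{
	{"CreateProcess", false}, {"GetThreadContext", true}, {"ZwUnmapViewOfSection", true},
	{"VirtualAllocEx", false}, {"WriteProcessMemory", false},
	{"SetThreadContext", false}, {"ResumeThread", false},
}

// Event is one parsed API-trace record.
type Event struct {
	Caller, API, Target string
	Flags               uint64
}

// ParseTrace reads the constructed line format
// "caller=<pid> api=<name> target=<pid> [flags=0x..]"; unknown keys are ignored.
func ParseTrace(trace string) []Event {
	var evs []Event
	for _, line := range strings.Split(strings.TrimSpace(trace), "\n") {
		var ev Event
		for _, kv := range strings.Fields(line) {
			k, v, ok := strings.Cut(kv, "=")
			if !ok {
				continue
			}
			switch k {
			case "caller":
				ev.Caller = v
			case "api":
				ev.API = v
			case "target":
				ev.Target = v
			case "flags":
				ev.Flags, _ = strconv.ParseUint(strings.TrimPrefix(v, "0x"), 16, 64)
			}
		}
		if ev.API != "" {
			evs = append(evs, ev)
		}
	}
	return evs
}

// advance returns the new position in hollowSteps after seeing api at position pos.
// Unrelated calls leave the position unchanged; optional steps may be skipped over.
func advance(pos int, api string) int {
	for i := pos; i < len(hollowSteps); i++ {
		if hollowSteps[i].api == api {
			return i + 1
		}
		if !hollowSteps[i].optional {
			break
		}
	}
	return pos
}

// DetectHollowing tracks progress per (caller, target) pair and returns the pairs that
// complete the sequence. Only a CREATE_SUSPENDED creation starts tracking a pair.
func DetectHollowing(evs []Event) []string {
	progress := map[string]int{}
	var hits []string
	for _, ev := range evs {
		key := ev.Caller + "->" + ev.Target
		pos := progress[key]
		if pos == 0 {
			if ev.API == "CreateProcess" && ev.Flags&createSuspended != 0 {
				progress[key] = 1
			}
			continue
		}
		pos = advance(pos, ev.API)
		if pos == len(hollowSteps) {
			hits = append(hits, key)
			pos = 0 // reset so a repeat against the same child is reported again
		}
		progress[key] = pos
	}
	return hits
}

// SampleTrace is constructed for this example: a hollowing sequence (with a repeated
// WriteProcessMemory), a debugger-like suspend/inspect/resume that writes nothing,
// and a non-suspended child that is written to.
const SampleTrace = `
caller=4212 api=CreateProcess target=5100 flags=0x4
caller=4212 api=GetThreadContext target=5100
caller=4212 api=ZwUnmapViewOfSection target=5100
caller=4212 api=VirtualAllocEx target=5100
caller=4212 api=WriteProcessMemory target=5100
caller=4212 api=WriteProcessMemory target=5100
caller=4212 api=SetThreadContext target=5100
caller=4212 api=ResumeThread target=5100
caller=777 api=CreateProcess target=778 flags=0x4
caller=777 api=GetThreadContext target=778
caller=777 api=SetThreadContext target=778
caller=777 api=ResumeThread target=778
caller=900 api=CreateProcess target=901 flags=0x0
caller=900 api=WriteProcessMemory target=901
caller=900 api=ResumeThread target=901
`

func main() {
	for _, hit := range DetectHollowing(ParseTrace(SampleTrace)) {
		fmt.Println("possible process hollowing:", hit)
	}
}
```

Keying the state on the caller/target pair rather than on the caller alone matters in practice: a single parent can legitimately create several suspended children (installers and debuggers do), and the signal is that one child receives the write, context change and resume from the same parent. Ignoring unrelated calls between steps keeps the rule robust to the extra WriteProcessMemory calls a loader makes for each section.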