Chainshot: Researchers discover new piece of malware after cracking 512-bit RSA key

• Chainshot's exploitation process begins by downloading and executing a remote Shockwave Flash (SWF) file.
• The malware can deliver the final payload on compromised systems and send the infected system’s processor details to the attacker’s command and control (C2) server.

A new malware called CHAINSHOT has been discovered by security experts. Researchers at Palo Alto Networks stumbled upon the malware while investigating the use of an Adobe Flash zero-day exploit (CVE-2018-5002) in a series of targeted malware campaigns.

CHAINSHOT is used in early stages of a chain reaction attack to deliver malicious payloads. Palo Alto Networks researchers happened to discover the malware after cracking its 512-bit RSA encryption key and unpacking its malicious content.

“Armed with these initial weaponized documents, we uncovered additional attacker network infrastructure, were able to crack the 512-bit RSA keys, and decrypt the exploit and malware payloads. We have dubbed the malware ‘CHAINSHOT’ because it is a targeted attack with several stages and every stage depends on the input of the previous one,” Palo Alto researchers said in a blog.

Modus Operandi

The exploitation process begins by downloading and executing a remote Shockwave Flash (SWF) file, which comes attached in a malicious Microsoft Excel document. This SWF file contains both RSA and AES cryptosystems that helps the malware evade detection.

“The Flash application is an obfuscated downloader which creates a random 512-bit RSA key pair in memory of the process. While the private key remains only in memory, the public keys’ modulus n is sent to the attacker’s server. On the server side, the modulus is used together with the hardcoded exponent e 0x10001 to encrypt the 128-bit AES key which was used previously to encrypt the exploit and shellcode payload,” explained the researchers.

CHAINSHOT’S features

Besides its ability to bypass malware detection processes, CHAINSHOT has various other functionalities including delivering the final payload to compromised systems and sending systems’ processor details to the attacker-controlled C2 server.

The researchers said that they were able to get a clear picture of the entire attack campaign because cybercriminals made the mistake of using insecure 512-bit RSA encryption. Since the attackers used the same SSL certificate for executing similar attacks, this made it easier for the researchers to uncover additional attacks on various network infrastructures. Researchers also found that the cybercriminals behind CHAINSHOT created a new toolkit to target victims in the Middle East, indicating that the attackers may likely expand their campaign in the near future.