rokrat

CVE-2018-4878 and the ROKRAT Payload

February 5, 2019, 5:17 PM

We started our Summer Studio on Cyber Security by presenting our own research on a recently exploited vulnerability: its avenues of attack, its impact and its remediation.

Adobe Flash Exploit CVE-2018-4878

CVE-2018-4878 was disclosed publicly at the start of February 2018 and patched by Adobe on the 6th of February 2018; at the time Flash Player was still bundled with the major browsers and widely installed.
The vulnerability sits in the Flash Primetime SDK, in the code that handles the listener objects attached to a media player.

The media player held a pointer to a listener object. When that listener was freed, the player's copy of the pointer was not cleared, so it was left dangling: it still held the address of the freed chunk rather than NULL. Once the heap handed the same chunk out again to a new allocation, dereferencing the stale pointer read from and wrote to the new object's memory. This is the use-after-free pattern catalogued as CWE-416.

An attacker who controls the contents of the new allocation (for example by heap spraying objects of the same size into the freed chunk) therefore controls what the stale pointer dereferences. If the field the media player reads is a function pointer or object reference, it can be pointed at attacker-chosen memory containing shellcode, giving remote code execution when the victim opens the malicious content.
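The following C program is an added model of the dangling-pointer mechanism described above. It is not Flash's code and does not come from the Talos or NCC Group writeups. It assumes a toy single-slot allocator that behaves like a heap free list (the next allocation of a fitting size reuses the chunk just freed), and the names Listener, Player, attacker_handler, run_vulnerable and run_fixed are hypothetical. The vulnerable path leaves the owner's pointer dangling and is hijacked by the spray; the fixed path clears the pointer on release and refuses to dispatch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy single-slot allocator (hypothetical): stands in for a real heap's
 * free-list reuse. The chunk comes from malloc once so that accesses
 * through different struct types stay well-defined C. */
#define SLOT_SIZE 64
static unsigned char *slot = NULL;
static int slot_in_use = 0;

static void *slot_alloc(size_t n)
{
    if (slot_in_use || n > SLOT_SIZE)
        return NULL;
    if (slot == NULL)
        slot = malloc(SLOT_SIZE);
    slot_in_use = 1;
    memset(slot, 0, SLOT_SIZE);
    return slot;
}

static void slot_free(void *p)
{
    if (p == slot)
        slot_in_use = 0;     /* contents are not scrubbed, like a real free() */
}

typedef struct Listener Listener;
struct Listener {
    void (*on_event)(Listener *);   /* first field: the pointer an attacker wants */
    int id;
};

typedef struct { Listener *listener; } Player;   /* media player owning a raw pointer */

static int legit_calls = 0, hijacked_calls = 0;
static void legit_handler(Listener *l)    { (void)l; legit_calls++; }
static void attacker_handler(Listener *l) { (void)l; hijacked_calls++; } /* models shellcode */

static void add_listener(Player *p, void (*fn)(Listener *))
{
    p->listener = slot_alloc(sizeof(Listener));
    p->listener->on_event = fn;
    p->listener->id = 1;
}

/* Vulnerable: the listener is freed but p->listener keeps the old address. */
static void remove_listener_vuln(Player *p)  { slot_free(p->listener); }

/* Fixed: the owner clears its pointer when it releases the object. */
static void remove_listener_fixed(Player *p) { slot_free(p->listener); p->listener = NULL; }

/* Returns 0 if an event was dispatched, -1 if there is no listener. */
static int dispatch(Player *p)
{
    if (p->listener == NULL)
        return -1;
    p->listener->on_event(p->listener);
    return 0;
}

/* Heap spray: reclaim a same-sized chunk and fill its first bytes with a
 * chosen address. memcpy models attacker-controlled bytes landing there. */
static void spray(void)
{
    unsigned char *chunk = slot_alloc(sizeof(Listener));
    void (*target)(Listener *) = attacker_handler;
    if (chunk)
        memcpy(chunk, &target, sizeof target);
}

static void reset_scenario(void) { slot_in_use = 0; legit_calls = hijacked_calls = 0; }

/* Returns how many times the attacker's handler ran (1 means hijacked). */
int run_vulnerable(void)
{
    Player p = {0};
    reset_scenario();
    add_listener(&p, legit_handler);
    dispatch(&p);                 /* normal use: legit_handler runs */
    remove_listener_vuln(&p);     /* freed, stale pointer still stored */
    spray();                      /* attacker reclaims the chunk */
    dispatch(&p);                 /* stale pointer -> attacker's address called */
    return hijacked_calls;
}

/* Returns dispatch()'s result after the fix: -1, no stale call is possible. */
int run_fixed(void)
{
    Player p = {0};
    reset_scenario();
    add_listener(&p, legit_handler);
    dispatch(&p);
    remove_listener_fixed(&p);
    spray();
    return dispatch(&p);
}

int main(void)
{
    printf("vulnerable: attacker handler ran %d time(s)\n", run_vulnerable());
    printf("fixed: dispatch returned %d\n", run_fixed());
    return 0;
}
```

The real bug is the same shape at a larger scale: the dangling pointer is only exploitable because the attacker can predict which allocation lands on the freed chunk, which is why heap spraying of same-sized objects precedes the trigger. Clearing the owner's pointer is the minimal fix; reference counting the listener so it cannot be freed while still referenced is the more robust one.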

In the Group 123 campaign Talos analysed, the Flash exploit was embedded in a malicious Microsoft Office document; earlier ROKRAT deliveries used an Encapsulated PostScript (EPS) object inside a Hangul (HWP) word processor document. In both cases the first-stage shellcode connects to an attacker-controlled internet source and downloads the ROKRAT payload,
disguised as a .jpg file.

The ROKRAT Payload

ROKRAT was an HTTP-based payload that gathered information about the victim: keystrokes (via a keylogger), running processes, machine information and
BIOS information.
It also polled the attacker's social media for commands, receiving its orders by checking the last message on a Twitter timeline.

An order could be one of: execute a command, move a file, remove a file, kill a process, or download and execute a file.

Yandex, a Russian internet platform, was also used by the attackers as a source of files for the payload to download and execute, and as the destination for
uploading any stolen documents.

Mediafire, a file hosting platform, was used in the same way as Yandex.

ROKRAT's impact was significant because its command and control ran entirely over HTTP to well-known, legitimate services. A typical RAT talks to its operator over a custom protocol or a dedicated command-and-control server, which a corporate firewall or proxy can
identify and block outright. The three platforms ROKRAT used (Twitter, Yandex and Mediafire) are seldom blocked by corporate policy, as companies
may have a justifiable business case for reaching them, so the traffic blends in with ordinary browsing and can only be picked out by inspecting its content or its pattern (for example, a host repeatedly fetching the same timeline).

Forensic Analysis

ROKRAT actively attempted to hide from analysis: if it detected a running process from a flagged list, it ran a fake subroutine instead of its real behaviour.

The flagged processes are listed below:

[Image: ROKRAT's list of flagged process names]

If ROKRAT detected any of these processes running, it generated decoy HTTP traffic by sending HTTP GET requests to two sources:

- https://www[.]amazon[.]com/Men-War-PC/dp/B001QZGVEC/EsoftTeam/watchcom.jpg
- http://www[.]hulu[.]com/watch/559035/episode3.mp4

The Amazon URL would return an image from the product page of a PC game called Men of War, whilst the Hulu URL would attempt to stream an episode of an anime called Golden Time.

It is thought that the purpose of this fake subroutine was to defeat surface-level analysis: a sandbox or the network logging on the host machine would record only innocuous requests to Amazon and Hulu, and never see the real command-and-control traffic.

Sources

https://blog.talosintelligence.com/2018/02/group-123-goes-wild.html
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/rokrat-analysis/
https://blog.talosintelligence.com/2017/04/introducing-rokrat.html
http://cwe.mitre.org/data/definitions/416.html
https://nvd.nist.gov/vuln/detail/CVE-2018-4878