FortiGuard Labs recently captured an Excel document with an embedded malicious file in the wild. The embedded file with a randomized file name exploits a particular vulnerability, CVE-2017-11882, to execute malicious code to deliver and execute malware on a victim's device. Part I of my analysis explained how this crafted Excel document exploits CVE-2017-11882 and what it does when exploiting that vulnerability. An involved website (hxxp//lutanedukasicoid/wp-includes/

\AppData\Roaming\packtracer.exe'" /f

It executes "schtasks.exe" with parameters to create a new task item with a task named "Nafdfnasia", which is triggered by the Task Scheduler every minute to execute a file called "packtracer.exe". Figure 2.1 is the screenshot of this added Redline task.

Some may wonder what this "packtracer.exe" file is. After executing the above command-line command, it performed a DOS "copy" command to duplicate the Redline loader itself, which was saved as the "%AppData%/packtracer.exe" file, a hardcoded constant string in the Redline loader. Once that is done, the Redline loader that extracts and runs the Redline payload will be executed by the Windows Task Scheduler every minute.

I dumped the Redline payload file from memory for deeper analysis. It is a .Net framework-based program without any obfuscation. By going through its code, I determined that the communication between Redline and its C2 server was built based on the WCF (Windows Communication Foundation) service. It builds a channel between the client and server, with the data being transferred on that channel sealed inside the XML-SOAP (Simple Object Access Protocol) protocol by the class ChannelFactory. The following is a code segment that creates such a channel (the generic type argument and the binding parameter were lost in extraction; `binding` stands for the WCF Binding object passed as the first argument).

```csharp
// Creates a typed WCF channel factory for the IRemoteEndpoint contract,
// pointed at the C2 address (with a trailing "/").
ChannelFactory<IRemoteEndpoint> channelFactory =
    new ChannelFactory<IRemoteEndpoint>(binding, new EndpointAddress(address + "/"));
```

The IRemoteEndpoint used to create a channel factory object is an interface implemented in the C2 server program.
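The persistence mechanism above leaves a durable artifact: a scheduled task whose trigger repeats every minute and whose action runs an executable copied under the user's profile. The following added example (not code from the original analysis) shows how a defender can triage exported Task Scheduler definitions, the XML that `schtasks /Query /TN <name> /XML` produces, for that combination. The two task definitions are constructed for the demo, reusing the page's task name "Nafdfnasia" and the `%AppData%\Roaming\packtracer.exe` path; the schema namespace is the real one Windows uses for task XML.

```python
"""Triage Windows Task Scheduler XML for Redline-style persistence:
a short repetition interval plus an action in a user-writable directory.

Added example; the task XML below is constructed, not captured."""
import re
import xml.etree.ElementTree as ET

# Namespace used by exported task definitions (schtasks /Query /XML).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample mirroring the indicators on the page.
SUSPICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Nafdfnasia</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2022-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\victim\\AppData\\Roaming\\packtracer.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign sample: daily trigger, binary under Program Files.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Vendor\\Updater</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2022-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec>
  </Actions>
</Task>"""

# ISO 8601 durations as written in task XML, e.g. PT1M, PT1H30M, P1D.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Path fragments that an unprivileged user can write to (env-var and expanded forms).
_USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "\\appdata\\",
                  "\\temp\\", "\\downloads\\", "\\programdata\\")


def iso_duration_seconds(value):
    """Convert a task-XML duration such as 'PT1M' to seconds."""
    m = _DURATION.match(value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def runs_from_user_writable_path(command):
    """True if the action's executable lives in a user-writable location."""
    lowered = command.strip().strip('"').lower()
    return any(marker in lowered for marker in _USER_WRITABLE)


def assess_task(xml_text, max_interval_seconds=300):
    """Return the task name, individual findings and an overall verdict.

    The verdict requires both signals (fast repetition AND a user-writable
    action path) so that legitimate high-frequency tasks installed under
    Program Files are not flagged on frequency alone."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=NS)
    findings = []
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text or "")
        if secs <= max_interval_seconds:
            findings.append(f"repeats every {secs}s")
    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", NS):
        if runs_from_user_writable_path(cmd.text or ""):
            findings.append(f"runs from user-writable path: {cmd.text}")
    fast = any(f.startswith("repeats") for f in findings)
    writable = any(f.startswith("runs from") for f in findings)
    return {"task": name, "suspicious": fast and writable, "findings": findings}


if __name__ == "__main__":
    for sample in (SUSPICIOUS_TASK_XML, BENIGN_TASK_XML):
        print(assess_task(sample))
```

On a live host the same function can be fed the output of `schtasks /Query /TN <name> /XML` for every registered task; the interval threshold is a tunable, and the verdict is a triage hint to pair with the task's creation time and the hash of the referenced executable rather than a standalone detection.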