The NSIS unpacking scripts don’t seem to contain any maliciousness, so it seems likely that this stage was present just to package the resulting infector and the encrypted DLL (and probably to cause even more confusion than ultimately necessary).īoth samples, once decompressed, yielded an encrypted DLL and an infector. One binary was wrapped in a C++ protector (MD5: D4A38E03010E1DA7DE7D1B942FF222BA), while the other appeared in a Visual Basic 6 wrapper (MD5: B999D1AD460BD367275A798B5F334F37).īoth executables derived from this infection came as NSIS (Nullsoft Scriptable Install Systems) packed binaries. What made this case particularly interesting were the different runtime packers that protect Miuref against being analysed. That malicious library was identified as Miuref, a rather popular clickjack trojan. Both samples were dropped as NSIS-packed binaries containing an infector and an encrypted file which, once unpacked, resulted in a malicious DLL. Within a day, we had determined that two binaries of the same malware family were being spread via the Fiesta Exploit Kit (EK), in both cases using the same exploit for the CVE-2013-2551 vulnerability. Basing our assumption on the structure and the final payload of the infection, let’s assume there was not. I thought it was a nice coincidence that I had been assigned to that analysis, and wondered if there was any further motivation for the attack beyond just infecting anyone. A while ago, our lab spotted an infection coming from the website of a popular men’s lifestyle magazine.
0 Comments
Leave a Reply. |