It has been a long time since my last post; I have been really busy these days. But I hope this nice post will compensate for the days I didn't post anything. So this post has a back story, but again, I cannot go into detail and cannot name any particular application or company. So I won't be disclosing any information regarding the case, but I will do my best to explain the situation.
Since it has been a long time since I wrote something, I decided to find something to write about. I was planning to write about one of my findings while I was doing some penetration testing for a customer. I found an interesting vulnerability in a ColdFusion web site of the client; it took me quite some time to successfully gain full control of the server by leveraging the bug. This portal had been in use for a long time and a lot of people had tested it and checked it for vulnerabilities, but it seems that all of them missed my finding.
Recently, while surfing Reddit, I came across this beautiful subreddit which is dedicated to NK. While reading about the "mind blowing" miracles of the Supreme Leader, I clicked on several links; one link led to another, and during my visits to several NK web sites, I came across the Korean Central News Agency of the DPRK. Just by taking a look at the very top of the HTML source code of the homepage, I saw this code:
As you might have heard, Microsoft recently patched some vulnerabilities: the vulnerabilities related to Sandworm, CVE-2014-4114 (PowerPoint exploit), and font parsing (CVE-2014-4148). But in this article, I'm more interested in talking about CVE-2014-4113, which is a local kernel vulnerability whose successful exploitation would give you SYSTEM access.
In this article, I'll show you my malware analysis environment and setup. I have to say that all software and configurations written about in this article are totally my personal preference; this is my configuration and I like it, but please don't hesitate to share your ideas. So I'll start from the very beginning: OS installation.
Analysis of the FinFisher shell extension, which is basically a keylogger DLL; the driverw.sys file, which they use for MBR modifications (in case \\.\PhysicalDrive0 wasn't accessible from user mode); and mssounddx.sys, which is in direct communication with the MBR code and is used to create threads and inject code into user-mode processes.
In the previous post, I fully analyzed the dropper part of the FinFisher malware. In this post, I'll share with you details of the FinFisher malware's main component, which I got from the dropper. This part is just as interesting as the dropper part and does have several techniques and tricks, but as far as I know, again, most of them were already known and used in other malware, but I might be wrong. So stay tuned for another very detailed step-by-step analysis.
As you may have heard, a FinFisher malware sample recently leaked online. As I got a little free time today, I decided to take a look at it. The sample I'm going to analyze in this article is finfisher1.exe.bin: