
EPS obfuscation for MS Office exploits

We took a deeper look at a recent FireEye blog post on 2 new EPS exploits used as zero-days by the APT 28 / Turla group. Both exploits have been patched. One of the samples used an interesting EPS-based obfuscation technique to avoid detection: by applying a 4-byte XOR with native PostScript commands, the exploit code can sit on disk obfuscated and be decoded in memory at run time, defeating static analysis.

CVE-2017-0262 Sample Report

The obfuscation

The PostScript code starts with a XOR loop using the key 0xC45D6491, built from nothing but standard PostScript operators.

Using our Cryptam multi tool, we'll decode the EPS block manually:
$ php cryptam_multi.php eps.test -xor c45d6491
using XOR key c45d6491

$ ./quicksand.out eps.test.out
-0> root {7}
   md5:237e6dcbc6af50ef5f5211818522c463
   sha1:228c21dff49376c0946fe2bbe21448bbdbfcf13a
   sha256:385655e10c8a7718bb50e969979cf4f08a2380f67827ce01d05874c49b3a5c13
   head:7b202f48656c7665
   size:347320
   yara:exploits:exploit_cve_2017_0262
   yara:executable…
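The decode step Cryptam performs above is a plain repeating 4-byte XOR, which is also why a known-plaintext check recovers the key without running the PostScript at all. The following is an added example written for this post, not code from the original article or from Cryptam/QuickSand: it XORs a constructed PostScript block with the key from the post, shows that the plain text no longer appears in the obfuscated bytes (the static-signature problem), and recovers the key from a short crib. Reading the hex key c45d6491 as the byte order C4 5D 64 91 applied left to right is an assumption; the sample block and crib are constructed for illustration.

```python
"""Added example (not from the original post or from Cryptam/QuickSand):
repeating 4-byte XOR as used to hide PostScript code in an EPS, the
symmetric decode step, and known-plaintext recovery of the key."""
from typing import Optional

# Key quoted in the post as hex "c45d6491". Applying it as the byte
# sequence C4 5D 64 91, left to right, is an assumption made here.
KEY = bytes.fromhex("c45d6491")

# Constructed stand-in for the PostScript block the EPS decodes at run time.
SAMPLE_BLOCK = b"/decoded-block { (constructed placeholder) print } def\n"
CRIB = b"/decoded-block"   # text an analyst expects to see once decoded


def xor4(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the repeating 4-byte key.
    One function serves both directions: encode and decode are identical."""
    if len(key) != 4:
        raise ValueError("expected a 4-byte key")
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def obfuscated_sample() -> bytes:
    """SAMPLE_BLOCK as it would be stored inside the EPS after the XOR."""
    return xor4(SAMPLE_BLOCK, KEY)


def crib_visible(blob: bytes, crib: bytes) -> bool:
    """Static-signature view: does the plain text occur in these bytes?"""
    return crib in blob


def recover_key(blob: bytes, crib: bytes, key_len: int = 4) -> Optional[bytes]:
    """Known-plaintext recovery for a repeating XOR: slide the crib over the
    blob, derive the key byte for each position, and return the first key
    that is consistent with every crib byte. The crib must be at least
    key_len bytes long so every key slot gets filled."""
    if len(crib) < key_len:
        raise ValueError("crib must cover the whole key")
    for off in range(len(blob) - len(crib) + 1):
        key = [None] * key_len
        consistent = True
        for j, c in enumerate(crib):
            slot = (off + j) % key_len      # key byte used at this absolute position
            k = blob[off + j] ^ c
            if key[slot] is None:
                key[slot] = k
            elif key[slot] != k:
                consistent = False
                break
        if consistent and None not in key:
            return bytes(key)
    return None


if __name__ == "__main__":
    blob = obfuscated_sample()
    print("crib visible in obfuscated bytes:", crib_visible(blob, CRIB))
    key = recover_key(blob, CRIB)
    print("recovered key:", key.hex() if key else None)
    if key:
        print(xor4(blob, key).decode("ascii"), end="")
```

Because two of the key bytes (0xC4 and 0x91) have the high bit set, any 4-byte window of XORed ASCII contains non-ASCII bytes, so string-based signatures for the decoded PostScript cannot match the stored form; a detection has to either emulate the loop or, as here, look for the short XOR loop itself and strip the layer before matching.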