
Chainshot: Researchers discover new piece of malware after cracking 512-bit RSA key
September 7, 2018 | Malware and Vulnerabilities
- Chainshot's exploitation process begins by downloading and executing a remote Shockwave Flash (SWF) file.
- The malware can deliver the final payload on compromised systems and send the infected system’s processor details to the attacker’s command and control (C2) server.
A new piece of malware called CHAINSHOT has been identified. Researchers at Palo Alto Networks came across it while investigating the use of an Adobe Flash zero-day exploit (CVE-2018-5002) in a series of targeted attack campaigns.
CHAINSHOT is the early-stage downloader in a multi-stage attack chain and is used to deliver the later malicious payloads. The Palo Alto Networks researchers were only able to recover and analyse those payloads after factoring the 512-bit RSA modulus the downloader uses to protect its session key, which let them decrypt the packed exploit and malware stages.
“Armed with these initial weaponized documents, we uncovered additional attacker network infrastructure, were able to crack the 512-bit RSA keys, and decrypt the exploit and malware payloads. We have dubbed the malware ‘CHAINSHOT’ because it is a targeted attack with several stages and every stage depends on the input of the previous one,” Palo Alto researchers said in a blog.
Modus Operandi
The exploitation process begins with a malicious Microsoft Excel document that embeds a small Flash object; that object downloads and executes a remote Shockwave Flash (SWF) file. The SWF file is an obfuscated downloader that combines RSA and AES so that the exploit and payload are delivered under a per-victim encryption key, which keeps the stages out of reach of static and network-based detection until they are already running in memory.
“The Flash application is an obfuscated downloader which creates a random 512-bit RSA key pair in memory of the process. While the private key remains only in memory, the public key’s modulus n is sent to the attacker’s server. On the server side, the modulus is used together with the hardcoded exponent e 0x10001 to encrypt the 128-bit AES key which was used previously to encrypt the exploit and shellcode payload,” explained the researchers.
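To make the key exchange concrete, below is an added, scaled-down Python re-creation of the scheme the researchers describe, followed by the step that undid it: factoring the victim's modulus n from a capture, rebuilding the private exponent, unwrapping the session key and decrypting the payload. This is example code written for this page; it is not code from Palo Alto Networks, Cyware or the malware itself. Three things are deliberately stand-ins so the script runs offline in well under a second: the modulus is 64 bits (two 32-bit primes) so Pollard's rho factors it instantly, whereas a real 512-bit modulus needs a tool such as CADO-NFS and hours to days of CPU time; the wrapped session key is 48 bits rather than 128 so that it fits under the toy modulus; and the payload cipher is a SHA-256 counter keystream rather than AES-128, because the Python standard library has no AES. The hardcoded exponent 0x10001 and the "only n leaves the victim" structure are as quoted on the page; every function name and the payload bytes are constructed for the example.

```python
"""
Scaled-down re-creation of the CHAINSHOT payload-key exchange and of the
factoring attack that breaks it.  Added example, not the malware's or the
researchers' code.  Stand-ins (see comments): 64-bit modulus, 48-bit
session key, SHA-256 keystream instead of AES-128.
"""
from __future__ import annotations

import hashlib
import math
import secrets

E = 0x10001           # the hardcoded public exponent quoted in the analysis
TOY_PRIME_BITS = 32   # stand-in for the 256-bit primes of a 512-bit modulus
TOY_KEY_BYTES = 6     # stand-in for the 16-byte AES-128 key


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin; more than enough for 32-bit candidates."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random prime of exactly `bits` bits with gcd(p - 1, E) == 1."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand) and math.gcd(cand - 1, E) == 1:
            return cand


# --- victim side: the obfuscated Flash downloader ---------------------------
def downloader_keygen() -> tuple[int, int]:
    """Ephemeral RSA key pair built in process memory; only n is sent out."""
    p = random_prime(TOY_PRIME_BITS)
    q = random_prime(TOY_PRIME_BITS)
    while q == p:
        q = random_prime(TOY_PRIME_BITS)
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # private exponent never leaves memory
    return n, d


# --- attacker side: the C2 server ------------------------------------------
def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-128: SHA-256 counter keystream XOR (symmetric)."""
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def server_respond(n: int, session_key: bytes, payload: bytes) -> tuple[int, bytes]:
    """Wrap the session key under the victim's modulus with raw RSA, and
    return it together with the payload encrypted under that key."""
    m = int.from_bytes(session_key, "big")
    assert m < n, "raw RSA: the message must be smaller than the modulus"
    return pow(m, E, n), keystream_xor(session_key, payload)


def downloader_recover(n: int, d: int, wrapped: int, blob: bytes) -> bytes:
    """What the downloader does with the private key it kept in memory."""
    key = pow(wrapped, d, n).to_bytes(TOY_KEY_BYTES, "big")
    return keystream_xor(key, blob)


# --- analyst side: a pcap and a factorable modulus ---------------------------
def pollard_rho_brent(n: int) -> int:
    """Return a non-trivial factor of the composite n (Brent's variant)."""
    if n % 2 == 0:
        return 2
    while True:
        y, c, m = secrets.randbelow(n - 1) + 1, secrets.randbelow(n - 1) + 1, 128
        g = r = q = 1
        while g == 1:
            x = y
            for _ in range(r):
                y = (y * y + c) % n
            k = 0
            while k < r and g == 1:
                ys = y
                for _ in range(min(m, r - k)):
                    y = (y * y + c) % n
                    q = q * abs(x - y) % n
                g = math.gcd(q, n)
                k += m
            r *= 2
        if g == n:                      # batch overshot; step back one by one
            g = 1
            while g == 1:
                ys = (ys * ys + c) % n
                g = math.gcd(abs(x - ys), n)
        if g != n:
            return g


def analyst_decrypt(n: int, wrapped: int, blob: bytes) -> bytes:
    """Everything here is visible on the wire: n (client to C2), the wrapped
    key and the encrypted blob (C2 to client).  No access to the victim."""
    p = pollard_rho_brent(n)
    q = n // p
    d = pow(E, -1, (p - 1) * (q - 1))
    return downloader_recover(n, d, wrapped, blob)


def run_demo() -> tuple[bytes, bytes]:
    """Full exchange; returns (what the victim decrypted, what the analyst did)."""
    payload = b"<stage-2: constructed stand-in for the exploit + shellcode>"
    n, d = downloader_keygen()
    session_key = secrets.token_bytes(TOY_KEY_BYTES)
    wrapped, blob = server_respond(n, session_key, payload)
    return downloader_recover(n, d, wrapped, blob), analyst_decrypt(n, wrapped, blob)


if __name__ == "__main__":
    victim_view, analyst_view = run_demo()
    print(victim_view == analyst_view, analyst_view)
```

The structural lesson carries over unchanged to the real sizes: the ephemeral private key really does stay on the victim, but nothing about the protocol protects n itself, so its security is exactly the cost of factoring n. For a 512-bit modulus that cost is a few core-days with public number-field-sieve software, which is why the researchers could unwrap the AES key from captured traffic without ever touching an infected machine.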
CHAINSHOT’s features
Besides the per-victim encryption that hinders detection of its stages, CHAINSHOT delivers the final payload to the compromised host and reports the system’s processor details to the attacker-controlled C2 server.
The researchers said they were able to map the entire campaign because the attackers chose an insecure 512-bit RSA key size, which can be factored with freely available tools in hours to days; once the modulus is factored, the private key and therefore the AES key and every payload it protects are recoverable from captured traffic. The attackers also reused the same SSL certificate across their servers, so pivoting on that certificate exposed additional attack infrastructure and related attacks. The researchers further found that the group behind CHAINSHOT had built a new toolkit to target victims in the Middle East, which suggests the campaign may expand in the near future.