From BYOVD to 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams.pdf

Document ID: 615430 | PDF | 33 pages | 1.98 MB | Download credits: VIP only

#BHASIA @BlackHatEvents

From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams
Speakers: Luigino Camastra, Igor Morgenstern
Contributor: Jan Vojtesek

Agenda
- Introduction to prior research
- Attack chain analysis
  - Initial ISO image
  - Loaders
  - RAT
- 0-day and vulnerability analysis
- Rootkit analysis

Prior research

Attack chain analysis
- The attack is initiated by presenting a fabricated job offer
- Contacting via LinkedIn, WhatsApp, email or other platforms

Attack chain analysis: RollFling Loader
- Shellcode executed in memory
- Discovered a new loader we called RollFling and an NLS file
- Malicious DLL established as a service
- Kickstarts the execution chain
- Loading the next stage:
  - Obtaining the XOR key by calling the GetSystemFirmwareTable API
  - XOR decryption of the file with the .nls extension
  - The RollSling loader is encrypted in the NLS file
  - Loading the decrypted RollSling into memory

Attack chain analysis
- RollSling is a loader discussed in Microsoft research (Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability)
- Code similarities with the RollSling version discussed in the Microsoft research:
  - Gen Digital sample: e68ff1087c45a1711c3037dad427733ccb1211634d070b03cb3a3c7e836d210f
  - Microsoft sample: d9add2bfdfebfa235575687de356f0cefb3e4c55964c4cb8bfdcdc58294eeaca

Attack chain analysis: RollSling Loader
- Locate the binary blob
  - Holds various stages and configuration data
  - RollMid, 2x DLL binaries and the address of the C&C server
  - Located without a file extension
- Extracting the next stage from the binary blob
- Searching for the export function StartAction
- Loading and executing the next stage, RollMid (by calling the StartAction export function)

Attack chain analysis: RollMid Loader
- Loading network module binary, parsing add
