![]() ![]() ![]() Then, using WriteProcessMemory(), the malicious sample writes the first-stage shellcode into the memory of the newly created wabmig.exe system process using the memory address previously requested as a parameter. ![]() This confirms that the attacker has tampered with the main Navicat program and placed the malicious code in the logic of database connection.Įxtraction and Analysis of First-Stage ShellcodeĪfter locating the approximate position of the backdoor code, analysis shows that the malicious sample injects the code through thread hijacking (navicat.amdc6766net/3.log).ĭuring dynamic debugging, the network request function is intercepted and the network traffic package for DNS resolution of navicat.amdc6766net is captured, revealing that the network request function downloads navicat.amdc6766net/3.log as shown in the figure.ĭirectly accessing the remote address allows the shellcode file to be downloaded directly.ĭynamic debugging confirms that this code logic involves the malicious sample using VirtualAlloc() to request memory to save the first-stage shellcode content retrieved by an InternetReadFile() request for the /3.log link. Dynamic debugging confirms that database connection operations need to be performed to trigger the execution of the malicious code. There are many files in the sample installation directory, but based on the modification date of the files and the timestamp information of the signature (which is relatively close to the current time), it is initially speculated that the malicious code is in the main Navicat program.ĭuring the sample analysis, according to the clues obtained from the QiAnXin product device logs, the sample will be injected into the system process wabmig.exe. The attack process of the malicious sample is as follows:ġ、Attackers create a fake official website for operation and maintenance tools to induce victims to download the bundled Navicat installation package with a backdoor.Ģ、After the installation package is executed, the main Navicat program with the implanted remote control backdoor is released.ģ、When the victim uses Navicat to connect to the database, the malicious code is triggered.Ĥ、The Navicat process pulls the first-stage shellcode (3.log) from the first-stage C2 () and injects it into the system program wabmig.exe by thread hijacking.ĥ、The first-stage shellcode runs a DLL loader to reflectively load and run the CcRemote RAT shellcode (second-stage shellcode) and connect to the second-stage C2 server ().Ħ、Attackers issue control instructions through the second-stage C2 server.Ĭonfirmation of Malicious Code Logic Trigger Conditions We downloaded the Navicat Premium 16.exe installation package file from this site. Through the QiAnXin Tianqing Dawai data, we found a download source for the installation package: hxxps:///zh/navicat/. With the increasing use of software information in various industries in China, operation and maintenance tools are commonly used by operations personnel and network management users to improve work efficiency, making it an easy target for attackers. Attackers take advantage of the needs of this user group to build counterfeit official website points, induce users to download counterfeit operation and maintenance tools, and steal confidential information by remotely controlling victim hosts. The above-mentioned counterfeit operation and maintenance tools are commonly used software tools by domestic operations personnel and network management users. Therefore, we conducted a detailed analysis of the attack event as soon as possible. Based on the QiAnXin Tianqing Network data, the installation package of this malicious sample has already controlled the hosts. Subsequently, multiple counterfeit operation and maintenance tools, such as xshell, LNMP, and Baota Linux panel, were traced and identified based on the malicious sample certificate. Multiple download links for this sample were found through Tianqing Network Data, and the homepage of the download link was spoofed to imitate the official website of netsarang. Recently, QiAnXin Threat Intelligence Center and QiAnXin Network Security Department discovered a sample of a malicious installation package disguised as Navicat.exe through daily monitoring. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |