Spectre ghost
4/17/2023

Specter spread its Dropper samples through AVTECH IP Camera / NVR / DVR device vulnerabilities. The payload being used is as follows:

GET /cgi-bin/nobody/Search.cgi?action=cgi_query

Specter's infection process can be divided into 4 stages:
Stage 0: Preliminary stage, spread through vulnerabilities, implant Dropper on the device.
Stage 1: Release stage, Dropper releases Loader.
Stage 2: Loading stage, Loader loads Plugin.
Stage 3: Plugin executes the instructions issued by C2.

Stage 1: Release stage, Specter_Dropper analysis

ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, stripped

The main function of the Dropper is to detect the operating environment, decrypt the Loader, configure the Config, and finally release and start the Loader.

Decryption algorithm: XOR byte by byte with 0x79, then negate.

Along with the Loader, the runtime libraries libc.so.0 and ld-uClibc.so.1 are also decrypted. Currently these two libraries have no malicious functions, but we speculate that future versions will hijack some functions of these two libraries to hide the existence of Specter from the file, process and network perspectives.

Look for the write-position marker SpctCF in the Loader sample, then write the Config at the address following it.

Release the Loader to the file /tmp/runtimes/hw_ex_watchdog and run it; afterwards the Dropper deletes itself to clean up its traces.

Stage 2: Loading stage, Specter_Loader analysis

ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), stripped

The main function of the Loader is to decrypt the Config, obtain the C2 from it, establish encrypted communication with the C2, and execute the instructions issued by the C2. If there is no Plugin for processing the corresponding instruction, it requests the required Plugin from the C2.

The Config contains the C2, mutex name, nonce and other information. ChaCha20 encryption is used, with the key CsFg34HbrJsA圆hjBmxDd7A2Wj0Cz9s\x00 and 15 rounds.
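The two decryption routines described above (the Dropper's byte-wise decode, and the ChaCha20 variant with a non-standard 15-round count used for the Loader's Config) are the pieces an analyst needs to recover the embedded configuration offline. The following is an added example, not code from the original post or from the malware; it is a ChaCha implementation with a configurable round count plus a small config extractor keyed on the SpctCF marker. Assumptions, not facts from the post: "negate" means bitwise NOT; with an odd round count the column and diagonal rounds simply alternate, column first, and the loop stops after the 15th; the counter/nonce layout is the IETF one (32-bit counter, 96-bit nonce); the Config blob begins immediately after the marker and runs to the end of the image. The key and nonce used below are constructed placeholders, since the key string as printed on this page is garbled and 31 bytes long; substitute the real 32-byte key when working with a sample.

```python
"""Added example: Specter-style config recovery helpers (assumptions noted inline)."""
import struct


def dropper_decode(data: bytes) -> bytes:
    """Dropper stage decode: XOR every byte with 0x79, then bitwise NOT.

    The post says "XOR byte by byte 0x79, then negate"; treating "negate"
    as bitwise NOT is an assumption.  The combined operation is an
    involution, so the same function also re-encodes.
    """
    return bytes((~(b ^ 0x79)) & 0xFF for b in data)


def _rotl(v: int, n: int) -> int:
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    # Standard ChaCha quarter round, in place on the 16-word working state.
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha_block(key: bytes, nonce: bytes, counter: int, rounds: int = 20) -> bytes:
    """One 64-byte keystream block.  rounds=20 is RFC 8439 ChaCha20; the
    post reports 15 rounds for Specter.  Assumption: rounds alternate
    column/diagonal starting with a column round, so an odd count ends on
    a column round."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("need a 32-byte key and a 12-byte nonce")
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]   # "expand 32-byte k"
    state += list(struct.unpack("<8I", key))
    state += [counter & 0xFFFFFFFF] + list(struct.unpack("<3I", nonce))
    w = state[:]
    for r in range(rounds):
        if r % 2 == 0:   # column round
            _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
            _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        else:            # diagonal round
            _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
            _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & 0xFFFFFFFF for i in range(16)])


def chacha_xor(key: bytes, nonce: bytes, data: bytes, rounds: int = 20, counter: int = 0) -> bytes:
    """Stream-cipher XOR (encrypt and decrypt are the same operation)."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha_block(key, nonce, counter + off // 64, rounds)
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], ks))
    return bytes(out)


CONFIG_MARKER = b"SpctCF"   # write-position marker named in the post


def extract_config(loader_image: bytes, key: bytes, nonce: bytes, rounds: int = 15) -> bytes:
    """Locate the marker in a Loader image and decrypt what follows it.

    Assumption: the Config blob starts right after the marker and extends
    to the end of the image (a real sample may carry a length field)."""
    idx = loader_image.find(CONFIG_MARKER)
    if idx < 0:
        raise ValueError("SpctCF marker not found")
    blob = loader_image[idx + len(CONFIG_MARKER):]
    return chacha_xor(key, nonce, blob, rounds)


if __name__ == "__main__":
    # Constructed demo data: placeholder key/nonce, fake config, fake loader image.
    demo_key, demo_nonce = b"K" * 32, bytes(12)
    demo_config = b"c2=203.0.113.5:443;mutex=demo"
    demo_image = b"\x7fELF....padding...." + CONFIG_MARKER + chacha_xor(demo_key, demo_nonce, demo_config, rounds=15)
    print(extract_config(demo_image, demo_key, demo_nonce))
```

Checking the 20-round path against the RFC 8439 block test vector before trusting the 15-round path is the sensible order of work: if the standard rounds are right, the only remaining question for a sample is how its round loop is counted, which the assumption above fixes one way and disassembly confirms or refutes.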