Figure 1. Compressed malware

Figure 1 shows the malware in its compressed form, which allows it to evade detection. To decompress the content, we used a SWFCompression Python script.
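The decompression step above can be reproduced with a few lines of standard-library Python. The block below is an added example, not the SWFCompression script used in the original analysis: it reads the 8-byte SWF header, handles all three container signatures (FWS stored, CWS zlib, ZWS LZMA) and rewrites the file as plain FWS so that ActionScript and embedded data can be inspected. The ZWS layout (4-byte compressed length, 5-byte LZMA properties, raw LZMA1 stream) follows the SWF file format specification; the sample files it builds are constructed test data, not the malware from the post.

```python
"""Decompress CWS (zlib) and ZWS (LZMA) SWF files into plain FWS for analysis."""
import lzma
import struct
import zlib


def swf_info(data: bytes) -> dict:
    """Parse the 8-byte SWF header: signature, version, uncompressed length."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig = data[:3]
    if sig not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError("not a SWF signature: %r" % sig)
    version = data[3]
    total = struct.unpack_from("<I", data, 4)[0]  # includes the 8-byte header
    return {"signature": sig.decode(), "version": version, "uncompressed_len": total}


def decompress_swf(data: bytes) -> bytes:
    """Return the same SWF as an uncompressed FWS file.

    FWS: body stored as-is.
    CWS: body is a zlib stream (SWF 6 and later).
    ZWS: UI32 compressed length, 5-byte LZMA props, raw LZMA1 data (SWF 13 and later).
    """
    info = swf_info(data)
    header = b"FWS" + data[3:8]          # keep version and length, swap the signature
    body_len = info["uncompressed_len"] - 8
    sig = info["signature"]
    if sig == "FWS":
        body = data[8:]
    elif sig == "CWS":
        body = zlib.decompress(data[8:])
    else:  # ZWS: decode the LZMA properties byte into lc/lp/pb, dict size is LE32
        props = data[12]
        dict_size = struct.unpack_from("<I", data, 13)[0]
        lc = props % 9
        lp = (props // 9) % 5
        pb = (props // 9) // 5
        filters = [{"id": lzma.FILTER_LZMA1, "dict_size": dict_size,
                    "lc": lc, "lp": lp, "pb": pb}]
        # Raw decoder: works whether or not the stream carries an end-of-payload marker.
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_RAW, filters=filters)
        body = dec.decompress(data[17:])
    if len(body) < body_len:
        raise ValueError("truncated body: got %d of %d bytes" % (len(body), body_len))
    return header + body[:body_len]


# Constructed sample body (not a real SWF tag stream) used to exercise all three paths.
SAMPLE_BODY = b"RECT-FRAMERATE-TAGS-" * 16


def make_sample(sig: bytes, body: bytes = SAMPLE_BODY, version: int = 13) -> bytes:
    """Build a constructed test SWF with the requested compression (test data only)."""
    total = struct.pack("<I", 8 + len(body))
    if sig == b"FWS":
        return sig + bytes([version]) + total + body
    if sig == b"CWS":
        return sig + bytes([version]) + total + zlib.compress(body)
    dict_size = 1 << 16
    raw = lzma.compress(body, format=lzma.FORMAT_RAW,
                        filters=[{"id": lzma.FILTER_LZMA1, "dict_size": dict_size,
                                  "lc": 3, "lp": 0, "pb": 2}])
    props = (2 * 5 + 0) * 9 + 3  # = 0x5D, encodes pb=2, lp=0, lc=3
    return (sig + bytes([version]) + total + struct.pack("<I", len(raw))
            + bytes([props]) + struct.pack("<I", dict_size) + raw)


if __name__ == "__main__":
    for signature in (b"FWS", b"CWS", b"ZWS"):
        sample = make_sample(signature)
        plain = decompress_swf(sample)
        print(signature.decode(), len(sample), "->", len(plain), swf_info(plain))
```

Run it on a real file with `decompress_swf(open(path, "rb").read())`; the returned FWS bytes can then be searched for hex-encoded payloads or fed to a SWF disassembler.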
Figure 2. The shellcode has been extracted in ASCII form
Figure 3. ASCII shellcode

After converting it to hex code, we see a URL that it most likely accesses. Unfortunately, we cannot acquire the code it is supposed to download, as the URL was no longer accessible at the time of analysis.
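The conversion in Figures 2 and 3, from shellcode stored as a hex string in ActionScript to the bytes an analyst can read, is the kind of step worth automating. The following is an added triage helper, not a tool from the original post: it locates long hex runs inside a decompressed SWF, decodes them (tolerating `\x`, `0x` and separator noise), and lists the printable strings and URLs they contain so that a download location can be spotted without stepping through the code. The sample SWF fragment and its payload are constructed; the filler bytes are NOPs and INT3s, and the URL uses the reserved `.invalid` domain rather than any real indicator.

```python
"""Triage helper: find hex-encoded shellcode in an uncompressed SWF and decode it."""
import re

# ActionScript commonly stores shellcode as one long hex string; 128 digits = 64 bytes.
HEX_BLOB_RE = re.compile(rb"[0-9a-fA-F]{128,}")
URL_RE = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]+")


def decode_hex_shellcode(text) -> bytes:
    """Decode hex shellcode text; strips spaces, commas, 0x and \\x prefixes."""
    if isinstance(text, bytes):
        text = text.decode("ascii", "ignore")
    cleaned = re.sub(r"0x|\\x|[^0-9a-fA-F]", "", text)
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits: %d" % len(cleaned))
    return bytes.fromhex(cleaned)


def extract_strings(buf: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs of at least min_len bytes, like the `strings` utility."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(buf)]


def find_urls(buf: bytes) -> list:
    """URLs left in clear text inside the decoded payload."""
    return [m.group().decode("ascii") for m in URL_RE.finditer(buf)]


def find_hex_blobs(swf: bytes) -> list:
    """Candidate hex-string payloads embedded in an uncompressed (FWS) SWF."""
    return [m.group() for m in HEX_BLOB_RE.finditer(swf)]


def triage(swf: bytes) -> list:
    """For every hex blob: decoded size, printable strings and URLs found."""
    report = []
    for blob in find_hex_blobs(swf):
        try:
            code = decode_hex_shellcode(blob)
        except ValueError:
            continue  # odd-length run, probably not a payload
        report.append({"size": len(code),
                       "strings": extract_strings(code),
                       "urls": find_urls(code)})
    return report


# Constructed sample: 32 NOPs, "http://example.invalid/stage2\0", 4 INT3s (66 bytes).
SAMPLE_HEX = ("90" * 32
              + "687474703a2f2f6578616d706c652e696e76616c69642f73746167653200"
              + "cc" * 4)

# Constructed stand-in for a decompressed SWF carrying the string in ActionScript.
SAMPLE_SWF = (b"FWS\x0d\x00\x00\x00\x00"
              b'var sc:String = "' + SAMPLE_HEX.encode() + b'"; loadBytes(sc);')


if __name__ == "__main__":
    for entry in triage(SAMPLE_SWF):
        print(entry)
```

Pair it with a SWF decompressor: run the FWS output through `triage()` and the URL, if stored in clear text, appears in the report. Shellcode that builds its URL at run time or resolves APIs by hash will show few strings, which is itself a useful signal when deciding whether a debugger session is needed.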
Figure 4. Binary shellcode

Loading the code into a debugger produces the following outcome.
Figure 5. Code execution

As Figure 5 shows, this malware uses a different approach to execute its payload. Typically, malware is downloaded and executed, which means a physical copy of it is dropped onto the infected machine, and that file is what security solutions detect. This particular malware instead allocates memory with VirtualAlloc, copies the payload directly into it and executes it from there, acting like a backdoor. With no file dropped on disk, the malware's routines are harder to trace, and this is why it is able to evade most security solutions, even those that support ZWS compression.

We urge users to install security updates as soon as they are made available; these patches can mean the difference between protection and infection. The vulnerability used in this attack, for example, was patched by Adobe in December 2013. Trend Micro detects all threats related to this attack.