Vulnerability Focus: Cmstar Downloader - Related to Lurid and Enfal

Created On 09/26/18 13:44 PM - Last Modified 07/19/22 23:08 PM


Resolution



 

Every week brings new vulnerabilities, threats and malware. Palo Alto Networks' Unit 42 has been researching spear-phishing attacks that drop a custom downloader used in cyber espionage campaigns. This downloader, Cmstar, is related to the Lurid downloader, also known as 'Enfal'. Cmstar takes its name from the 'CM**' string that appears in the downloader's log messages.

 

The Cmstar tool has several interesting features, including a previously unseen method of building its import address table by hand, in which each API function name is stored as a sequence of character-to-offset mappings rather than in plaintext, and a hashing algorithm used to identify antivirus processes running on an infected system. Both features are noteworthy because they may make it possible to correlate future tools with the same group and/or malware authors.

 

For more detail, including a list of the files involved and their SHA256 hashes, read the full article on Unit 42's research page:

Cmstar Downloader: Lurid and Enfal’s New Cousin

 

Thanks for reading.

Joe Delio




    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cln2CAC&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail