Over the past few months, Minerva Labs’ research team has received multiple alerts of possibly malicious code unpacking from an executable named FlashHelperService.exe. We decided to investigate this binary in order to determine whether this is a false positive or actual malware.
It appears that the binary exhibits various malicious techniques. We therefore chose to publish our findings, in hopes of benefiting the community and helping others who are investigating the same case.
It's worth mentioning that this file is signed by “Zhong Cheng Network”, which is a distributor of Adobe’s software in China. There are already numerous complaints on Adobe’s site about the company and its fishy software.
Analysis of the Binary:
The binary contains an embedded DLL encrypted inside its data section, which is reflectively loaded and executed:
The in-memory DLL is internally named ServiceMemTask.dll and has numerous incriminating features:
- The capability to access the flash[.]cn website and download files.
- The ability to download encrypted DLL files from the same website, decrypt them, and reflectively load them.
- Clear text names of various analysis tools are present inside the decrypted binary (which we did not see being used):
- An ability to profile the OS and send it back to the server.
The memory payload contacts the hardcoded URL https://cloud.flash[.]cn/fw/cz/y0fhk8csvhigbzqy9zbv7vfzxdcllqf2.dcb and XOR decrypts data downloaded from there using the hardcoded key “932f71227bdc3b6e6acd7a268ab3fa1d”.
The output is an obfuscated JSON file that serves as a task from the server:
- ccafb352bb3 is the URL for the next payload.
- d072df43184 is the MD5 sum of the encrypted payload.
- e35e94f6803 is the 3DES key of the payload.
The DLL file is linked against curl, which it uses to download the file “tt.eae” into the module's main directory, “C:\Users\Username\AppData\LocalLow\AdobeFlash\FlashCfg”. The file is encrypted using 3DES, with an implementation similar to the one found here. After decryption and decompression (7zip), a PE file internally named "tt.dll" is revealed. This DLL is yet again reflectively loaded and executed.
In order to determine how common this service is, we downloaded the official Flash installation from flash.cn, which is signed by Adobe:
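The task-decoding stage described above (XOR decode of the downloaded blob, the three obfuscated JSON fields, and the MD5 check on the encrypted payload) can be reproduced as an analyst helper. The code below is an added example written for this post, not code recovered from ServiceMemTask.dll. It assumes the XOR key is applied as its ASCII text bytes, repeating (the write-up does not state whether the key is used as text or as hex-decoded bytes), and it stops before the 3DES/7zip stage, which needs non-standard-library code. The sample task and payload are constructed here; the URL and key in them are placeholders, not indicators from the analysis.

```python
import hashlib
import json
from itertools import cycle

# Hardcoded XOR key quoted in the write-up. Assumption: it is used as ASCII
# text bytes, repeating; the page does not confirm text vs. hex-decoded form.
XOR_KEY = b"932f71227bdc3b6e6acd7a268ab3fa1d"

# Obfuscated field names of the task JSON, as listed in the write-up.
FIELD_URL = "ccafb352bb3"       # URL of the next payload
FIELD_MD5 = "d072df43184"       # MD5 of the (still encrypted) payload
FIELD_3DES_KEY = "e35e94f6803"  # 3DES key for the payload


def xor_decrypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; because XOR is symmetric this also encodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def parse_task(blob: bytes) -> dict:
    """XOR-decode a downloaded task blob and map its obfuscated keys to readable names."""
    task = json.loads(xor_decrypt(blob).decode("utf-8"))
    missing = {FIELD_URL, FIELD_MD5, FIELD_3DES_KEY} - set(task)
    if missing:
        raise ValueError(f"task is missing fields: {sorted(missing)}")
    return {
        "payload_url": task[FIELD_URL],
        "payload_md5": task[FIELD_MD5].lower(),
        "payload_3des_key": task[FIELD_3DES_KEY],
    }


def payload_matches_task(encrypted_payload: bytes, task: dict) -> bool:
    """Check the downloaded, still-3DES-encrypted payload against the MD5 in the task.

    The MD5 in the task is an integrity check on the encrypted file, so it is
    computed before any 3DES decryption or 7zip decompression takes place.
    """
    return hashlib.md5(encrypted_payload).hexdigest() == task["payload_md5"]


# Constructed sample: a task JSON built here for demonstration and then
# XOR-encoded the same way the client would have to decode it.
SAMPLE_PAYLOAD = b"\x00\x01 constructed-encrypted-payload-bytes \xff"
SAMPLE_TASK_JSON = json.dumps({
    FIELD_URL: "https://example.invalid/fw/cz/PLACEHOLDER.eae",   # placeholder URL
    FIELD_MD5: hashlib.md5(SAMPLE_PAYLOAD).hexdigest(),
    FIELD_3DES_KEY: "PLACEHOLDER-3DES-KEY-24b",                   # placeholder key
}).encode("utf-8")
SAMPLE_TASK_BLOB = xor_decrypt(SAMPLE_TASK_JSON)  # encode with the same function

if __name__ == "__main__":
    decoded = parse_task(SAMPLE_TASK_BLOB)
    print(decoded)
    print("payload md5 matches task:", payload_matches_task(SAMPLE_PAYLOAD, decoded))
```

Point the helper at a blob captured from the task URL (instead of the constructed sample) to recover the next-stage URL and key; the MD5 check tells you whether the captured tt.eae is the file the task actually referenced.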
After installing flash using this binary, the exact service (sha256: 8cb8e8c9fafa230ecf2f9513117f7679409e6fd5a94de383a8bc49fb9cdd1ba4) was installed on our machine. Additionally, Cisco’s Talos Intelligence has listed FlashHelperService.exe as one of the most prevalent threats in the third week of January 2021.
After further reverse engineering, we managed to download and decrypt the popup-producing binary, internally named “nt.dll”, that is loaded into FlashHelperService. The binary opens the browser with an annoying popup at predetermined times.
An example popup:
The code uses the Windows API function ShellExecuteW to open Internet Explorer with a URL fetched from another encrypted JSON:
This flexible binary execution framework seems redundant for a service that claims to update Flash Player. This is highly concerning, especially considering how widespread this binary is.
After investigating its subsequent payload, we can determine that its final intent is adware-like. This functionality can be seen in the file “nt.dll”. This threat is especially concerning for two reasons:
- The general binary distribution framework described in the blog could be used by an attacker to load malicious code, effectively bypassing traditional AV disk signature checks.
- Most enterprises with a Chinese office have this service installed in their organizational network. If this framework is used with a malicious intent, an attacker can gain an initial foothold in many organizations.
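The behaviours documented in this post (the service binary's hash, the staging of tt.eae under LocalLow\AdobeFlash\FlashCfg, contact with cloud.flash.cn, and a browser spawned for the popup) map directly onto host telemetry a defender already collects. The code below is an added example of that mapping, not part of the original analysis: it runs a few rules over constructed event lines in a made-up `key="value"` format standing in for Sysmon or EDR events. The event format, field names and the rule names are assumptions; the indicator values come from the write-up.

```python
import re
from dataclasses import dataclass

# Indicators from the write-up. The sha256 is the service binary installed by
# the official flash.cn installer; matching it alone only confirms presence.
SERVICE_IMAGE = "flashhelperservice.exe"
SERVICE_SHA256 = "8cb8e8c9fafa230ecf2f9513117f7679409e6fd5a94de383a8bc49fb9cdd1ba4"
STAGING_DIR_RE = re.compile(r"\\appdata\\locallow\\adobeflash\\flashcfg\\", re.I)
PAYLOAD_FILE = "tt.eae"
TASK_HOST = "cloud.flash.cn"


@dataclass
class Finding:
    rule: str
    line: str


def parse_event(line: str) -> dict:
    """Parse key="value" pairs; a constructed format, not a real Sysmon/EDR schema."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def check_event(event: dict) -> list:
    """Return the rule names this single event triggers (empty if none)."""
    hits = []
    if basename(event.get("Image", "")) != SERVICE_IMAGE:
        return hits
    kind = event.get("EventType")
    if kind == "ProcessCreate":
        # Parent-side hash match: the known service binary started.
        if event.get("SHA256", "").lower() == SERVICE_SHA256:
            hits.append("known_service_binary")
        # The popup stage opens Internet Explorer via ShellExecuteW.
        if basename(event.get("ChildImage", "")) == "iexplore.exe":
            hits.append("browser_popup_spawned")
    elif kind == "FileCreate":
        target = event.get("TargetFilename", "")
        if STAGING_DIR_RE.search(target) and basename(target) == PAYLOAD_FILE:
            hits.append("encrypted_payload_staged")
    elif kind == "NetworkConnect":
        if event.get("DestinationHostname", "").lower() == TASK_HOST:
            hits.append("task_server_contact")
    return hits


def scan(lines) -> list:
    findings = []
    for line in lines:
        for rule in check_event(parse_event(line)):
            findings.append(Finding(rule, line))
    return findings


# Constructed sample telemetry, not captured events.
SAMPLE_EVENTS = [
    'EventType="ProcessCreate" Image="C:\\Program Files\\FlashHelperService.exe" '
    'SHA256="8cb8e8c9fafa230ecf2f9513117f7679409e6fd5a94de383a8bc49fb9cdd1ba4"',
    'EventType="NetworkConnect" Image="C:\\Program Files\\FlashHelperService.exe" '
    'DestinationHostname="cloud.flash.cn" DestinationPort="443"',
    'EventType="FileCreate" Image="C:\\Program Files\\FlashHelperService.exe" '
    'TargetFilename="C:\\Users\\alice\\AppData\\LocalLow\\AdobeFlash\\FlashCfg\\tt.eae"',
    'EventType="ProcessCreate" Image="C:\\Program Files\\FlashHelperService.exe" '
    'ChildImage="C:\\Program Files\\Internet Explorer\\iexplore.exe"',
    'EventType="FileCreate" Image="C:\\Windows\\explorer.exe" '
    'TargetFilename="C:\\Users\\alice\\Documents\\notes.txt"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:28} <- {f.line}")
```

The hash rule on its own only tells you the service is present, which the post shows is true on any machine that installed Flash from flash.cn; the file-staging and browser-spawn rules are the ones that indicate the update framework actually fetched and ran a payload, so alert on those and use the hash match as context.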
Minerva Labs prevents FlashHelperService with its Memory Injection module, before it can even load its payload.
https://cloud.flash[.]cn/fw/cz/y0fhk8csvhigbzqy9zbv7vfzxdcllqf2.dcb - (tt.eae task)