Threat Research & Response Blog
'Eleonore' is a malware package containing a collection of exploits that is planted on compromised web pages. When a compromised page is viewed from a vulnerable system, the exploit payload runs. An attacker purchases Eleonore from an underground website, gains access to Internet web servers and installs the exploit pack by modifying the web pages they serve to the public. The pack also contains functionality for tracking and managing the computers it compromises.
Image 1 - Remote attacker purchases the exploit pack, retrieves web pages from Internet servers and installs Eleonore
Eleonore is developed and released as version updates. This blog post focuses on the shellcode exploit from one of those releases, version 1.2. At a high level, the Eleonore shellcode locates kernel32.dll in the exploited process's address space. It then uses a compact hash-based lookup (comparing hashes of exported function names rather than storing the names themselves) to find the absolute addresses of key kernel32 APIs:
Image 2 - FindFuncHash routine
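The analyst-side counterpart of a FindFuncHash-style routine, as an added example that is not code from the post or from Eleonore: precompute name hashes for an export list so that hash constants found in shellcode can be mapped back to the API they resolve. The post does not state Eleonore's hash function, so the rotate-right-by-13 scheme and the export list below are assumptions chosen for illustration.

```python
# Added example (not from the MMPC post): resolving the kind of API-name
# hashes that a FindFuncHash-style routine compares against.
# ASSUMPTION: the post does not give Eleonore's hash algorithm; the ROR-13
# scheme (rotate the accumulator right by 13, add the next ASCII byte) is a
# widely documented one used here for illustration only.
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def api_name_hash(name: str, rotate: int = 13) -> int:
    """Fold each ASCII byte of an export name into a 32-bit accumulator."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, rotate) + byte) & MASK32
    return h


def build_hash_table(export_names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name for an export list (e.g. kernel32.dll's).
    This is the reverse of what the shellcode does, so that hash constants
    seen in disassembly can be labelled with the API they select."""
    table: Dict[int, str] = {}
    for name in export_names:
        h = api_name_hash(name)
        if h in table and table[h] != name:
            # A collision would make the shellcode's own lookup ambiguous.
            raise ValueError(f"hash collision: {table[h]} / {name}")
        table[h] = name
    return table


def resolve_hash(table: Dict[int, str], value: int) -> Optional[str]:
    """Return the export name for a hash constant, or None if unknown."""
    return table.get(value & MASK32)


# Constructed export list: the API families the post says the shellcode
# needs (library loading, address resolution, temp path, execution).
KERNEL32_EXPORTS = ["LoadLibraryA", "GetProcAddress", "GetTempPathA",
                    "WinExec", "ExitProcess", "CreateFileA"]

if __name__ == "__main__":
    table = build_hash_table(KERNEL32_EXPORTS)
    for h, name in sorted(table.items()):
        print(f"0x{h:08X} -> {name}")
```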
With access to these functions, the shellcode creates a file in the temporary files folder (%TEMP%) and calls URLDownloadToFile with a URL that is 0x67 bytes after the shellcode. The shellcode then executes that file.
The exact URL is dependent on bytes included in the exploit payload and is beyond the scope of this analysis. The exploit then decrypts bytes right after the shellcode for another URL and calls URLDownloadToFile for a second time, copying the file from a URL such as the following:
<website domain with Eleonore installation>/path/getexe.php
This URL was obtained by examining the entire exploit payload from an Eleonore installation; that data is not included in this article. The server-side "getexe.php" script responds with a file named "load.exe". The contents of this file are written to a secondary file, decrypted in memory, written back to the file and finally executed.
Image 3 - DecryptBytes routine
The shellcode ends here as "load.exe" begins, with the affected computer now compromised.
Eleonore v1.2 contained numerous exploits and attack code targeting several programs, including:
To protect against Eleonore and other threats, the MMPC recommends maintaining security updates across all products, not only those serviced by Microsoft Windows updates, and using security software with active scanning enabled.
-- Nik Livic & Patrick Nolan, MMPC