FireEye released FLASHMINGO, a new open source tool designed to automate the analysis of Adobe Flash files.
Adobe Flash is one of the most exploited software components of the last decade, and even though Adobe will deprecate it in 2020, many organizations that continue to use it for various reasons will remain exposed to threats.
The tool can be used as a stand-alone application or as a library, and it allows users to expand its functionality by developing custom Python plug-ins.
“As malware analysts on the FLARE team, we still see Flash exploits within malware samples. We must find a compromise between the need to analyse Flash samples and the correct amount of resources to be spent on a declining product,” reads the post published by FireEye. “To this end we developed FLASHMINGO, a framework to automate the analysis of SWF files. FLASHMINGO enables analysts to triage suspicious Flash samples and investigate them further with minimal effort.”
FLASHMINGO leverages the open source SWIFFAS library to parse Flash files (SWF). The tool uses a large object named SWFObject to store binary data and bytecode information about the SWF. The object contains a list of tags, information about methods, strings, constants and embedded binary data, and more.
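To make the parsing step concrete, here is a minimal SWF header and tag walker written for this article. It is not SWIFFAS and not FLASHMINGO code; it reads the signature (FWS uncompressed, CWS zlib-compressed), version, declared length, stage RECT, frame rate and frame count, then walks the tag list. The sample SWF bytes are constructed inline (the DoABC payload is a placeholder blob, not real bytecode), and the "findings" it emits are the checks an analyst wants first: does the declared length match the file, does any tag claim bytes past the end of the file, and which tags carry bytecode or embedded binary data.

```python
import struct
import zlib

# Tag codes from the SWF specification that matter for triage
TAG_NAMES = {0: "End", 12: "DoAction", 59: "DoInitAction", 69: "FileAttributes",
             82: "DoABC", 87: "DefineBinaryData"}
CODE_TAGS = {12, 59, 82}  # tags carrying ActionScript / ABC bytecode


class BitReader:
    """Reads big-endian bit fields, as the SWF RECT record requires."""
    def __init__(self, data, pos):
        self.data, self.pos, self.bit = data, pos, 0

    def read(self, n):
        value = 0
        for _ in range(n):
            value = (value << 1) | ((self.data[self.pos] >> (7 - self.bit)) & 1)
            self.bit += 1
            if self.bit == 8:
                self.bit, self.pos = 0, self.pos + 1
        return value

    def byte_align(self):
        if self.bit:
            self.bit, self.pos = 0, self.pos + 1
        return self.pos


def parse_swf(blob):
    """Parse the SWF header and tag list; return fields plus triage findings."""
    sig, version = blob[:3], blob[3]
    declared_len = struct.unpack_from("<I", blob, 4)[0]  # uncompressed total length
    if sig == b"FWS":
        body = blob[8:]
    elif sig == b"CWS":
        body = zlib.decompress(blob[8:])  # everything after the 8-byte header is zlib
    elif sig == b"ZWS":
        raise ValueError("ZWS (LZMA) samples are not handled in this example")
    else:
        raise ValueError("not a SWF: bad signature %r" % sig)
    actual_len = 8 + len(body)

    br = BitReader(body, 0)
    nbits = br.read(5)
    stage = tuple(br.read(nbits) for _ in range(4))  # xmin, xmax, ymin, ymax in twips
    pos = br.byte_align()
    frame_rate = struct.unpack_from("<H", body, pos)[0] / 256.0  # 8.8 fixed point
    frame_count = struct.unpack_from("<H", body, pos + 2)[0]
    pos += 4

    tags, findings = [], []
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        code, length = hdr >> 6, hdr & 0x3F
        pos += 2
        if length == 0x3F:  # long RECORDHEADER: explicit SI32 length follows
            length = struct.unpack_from("<i", body, pos)[0]
            pos += 4
        if length < 0 or pos + length > len(body):
            findings.append("tag %d claims %d bytes past end of file" % (code, length))
            break
        tags.append((code, length, body[pos:pos + length]))
        pos += length
        if code == 0:
            break  # End tag

    if declared_len != actual_len:
        findings.append("header declares %d bytes but file holds %d (appended or truncated data)"
                        % (declared_len, actual_len))
    for code, length, _ in tags:
        if code in CODE_TAGS:
            findings.append("%s tag (%d bytes): bytecode to decompile" % (TAG_NAMES[code], length))
        elif code == 87:
            findings.append("DefineBinaryData (%d bytes): embedded blob, possible second stage" % length)
    return dict(signature=sig, version=version, declared_len=declared_len, actual_len=actual_len,
                stage=stage, frame_rate=frame_rate, frame_count=frame_count, tags=tags,
                findings=findings)


def build_sample(compress):
    """Constructed sample: 550x400 stage, 24 fps, FileAttributes + DoABC + End tags."""
    rect = bytes.fromhex("7800055f00000fa000")          # Nbits=15; 0..11000 x 0..8000 twips
    body = rect + struct.pack("<HH", 24 << 8, 1)         # frame rate 24.0, one frame
    body += struct.pack("<HI", (69 << 6) | 4, 0x08)      # FileAttributes, ActionScript3 flag
    abc = b"\x00\x00\x00\x00" + b"frame1\x00" + b"\x10\x00\x2e\x00"  # flags, name, ABC version 46.16 only
    body += struct.pack("<H", (82 << 6) | len(abc)) + abc  # DoABC, placeholder payload
    body += b"\x00\x00"                                   # End tag
    total = 8 + len(body)
    if compress:
        return b"CWS" + bytes([10]) + struct.pack("<I", total) + zlib.compress(body)
    return b"FWS" + bytes([10]) + struct.pack("<I", total) + body


if __name__ == "__main__":
    for label, blob in [("clean", build_sample(True)),
                        ("appended", build_sample(False) + b"\x00" * 16),
                        ("truncated", build_sample(False)[:-10])]:
        r = parse_swf(blob)
        print(label, [TAG_NAMES.get(c, c) for c, _, _ in r["tags"]], r["findings"])
```

The length comparison is the cheapest tamper check available: exploit kits and packers that append a second stage after the End tag, or that truncate a sample to dodge a signature, leave the declared length out of step with the real one. Once the DoABC tags are located this way, the bytecode inside them is what a decompiler plug-in works on.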
“It is essentially a representation of the SWF file in an easily queryable format. FLASHMINGO is a collection of plug-ins that operate on the SWFObject and extract interesting information,” FireEye continues.
FLASHMINGO includes several useful plug-ins that carry out a wide range of common analyses, such as identifying suspicious method names, constants, and loops, and retrieving all embedded data. The tool also includes a decompiler plug-in that uses the FFDEC Flash Decompiler.
The experts explained that FLASHMINGO is very easy to extend: plug-ins are located in the plug-ins directory. At start-up, FLASHMINGO searches all plug-in directories for a manifest file and registers all the plug-ins that are marked as active.
“To add your own plug-in, copy the template directory, rename it, and edit its manifest and code. The template plug-in’s manifest is written in YAML,” the experts continue.
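The following example, written for this article rather than taken from FLASHMINGO, shows the plug-in model the post describes: a directory per plug-in, a manifest with an active flag, discovery at start-up, and plug-ins that query a parsed-SWF object. The `SWFObject` fields (methods, strings, constants, binary_data), the manifest keys (name, active, entry) and the file names are assumptions; the manifest is read with a tiny key: value parser instead of PyYAML so the script runs with the standard library only. The sample object and the suspicious-name and suspicious-constant plug-ins are constructed inline.

```python
import importlib.util
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class SWFObject:
    """Stand-in for FLASHMINGO's SWFObject: the parts a triage plug-in queries (assumed fields)."""
    methods: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    constants: list = field(default_factory=list)
    binary_data: dict = field(default_factory=dict)


# Constructed plug-in tree: directory name -> (manifest text, plugin.py source).
PLUGINS = {
    "suspicious_names": ("name: suspicious_names\nactive: true\nentry: run\n", '''
SUSPECT = ("exploit", "spray", "shellcode", "payload", "vtable", "rop")
def run(swf):
    """Flag method names typical of exploit kits."""
    return [m for m in swf.methods if any(s in m.lower() for s in SUSPECT)]
'''),
    "suspicious_constants": ("name: suspicious_constants\nactive: true\nentry: run\n", '''
# Filler values commonly used in heap sprays and fake-object construction.
KNOWN = {0x0C0C0C0C, 0x0D0D0D0D, 0x41414141}
def run(swf):
    return sorted({c for c in swf.constants if c in KNOWN})
'''),
    "legacy_noop": ("name: legacy_noop\nactive: false\nentry: run\n", '''
def run(swf):
    raise AssertionError("inactive plug-ins must never be invoked")
'''),
}


def load_manifest(path):
    """Parse the flat 'key: value' subset of YAML our manifests use."""
    manifest = {}
    with open(path) as fh:
        for line in fh:
            if ":" in line:
                key, value = line.split(":", 1)
                manifest[key.strip()] = value.strip()
    manifest["active"] = manifest.get("active", "false").lower() == "true"
    return manifest


def register_plugins(root):
    """Scan every directory under root for a manifest; load the ones marked active."""
    registry = []
    for name in sorted(os.listdir(root)):
        plugin_dir = os.path.join(root, name)
        manifest_path = os.path.join(plugin_dir, "manifest.yml")
        if not os.path.isfile(manifest_path):
            continue  # not a plug-in directory
        manifest = load_manifest(manifest_path)
        if not manifest["active"]:
            continue  # present on disk but switched off
        spec = importlib.util.spec_from_file_location(
            "plugin_" + manifest["name"], os.path.join(plugin_dir, "plugin.py"))
        module = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(module)
        registry.append((manifest["name"], getattr(module, manifest["entry"])))
    return registry


def write_plugin_tree(root):
    for name, (manifest, source) in PLUGINS.items():
        plugin_dir = os.path.join(root, name)
        os.makedirs(plugin_dir)
        with open(os.path.join(plugin_dir, "manifest.yml"), "w") as fh:
            fh.write(manifest)
        with open(os.path.join(plugin_dir, "plugin.py"), "w") as fh:
            fh.write(source)


def triage(swf):
    """Materialise the plug-in tree, register active plug-ins, run each over the SWFObject."""
    with tempfile.TemporaryDirectory(prefix="flashmingo_demo_") as root:
        write_plugin_tree(root)
        registry = register_plugins(root)
    return {name: run(swf) for name, run in registry}


# Constructed sample, as a parser would have filled it from a suspicious SWF.
SAMPLE = SWFObject(methods=["init", "Main/sprayHeap", "buildPayload", "onEnterFrame"],
                   strings=["ByteArray", "flash.utils"],
                   constants=[0x0C0C0C0C, 1, 0x41414141, 0x20])

if __name__ == "__main__":
    for name, hits in triage(SAMPLE).items():
        print(name, hits)
```

Keeping the active flag in the manifest rather than in code is what lets an analyst ship a plug-in that is disabled by default (slow, noisy, or specific to one campaign) and turn it on per run without touching Python.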
The FLASHMINGO tool is available for download on the FireEye public GitHub Repository.
“Even though Flash is set to reach its end of life at the end of 2020 and most of the development community has moved away from it a long time ago, we predict that we’ll see Flash being used as an infection vector for a while. Legacy technologies are juicy targets for attackers due to the lack of security updates.” concludes FireEye. “FLASHMINGO provides malware analysts a flexible framework to quickly deal with these pesky Flash samples without getting bogged down in the intricacies of the execution environment and file format.”