In June, infobandarpkr.com’s infobandarpkr.comas a Service team in Singapore uncovered a phishing campaignexploiting an Adobe Flash Player zero-day vulnerability(CVE-2015-3113). The attackers’ emails included link to compromisedwebsite servers that served either benign nội dung or a malicious AdobeFlash Player file that exploits CVE-2015-3113.

Bạn đang xem: Angler ek exploiting adobe flash cve


Hear what our experts have to lớn say.

Join us for a live sầu webinar Friday, June 26, 2015 8:00 am PDT/11:00 am EDT


Adobe has already released a patch for CVE-2015-3113 with an out-of-b& security bulletin (https://helpx.adobe.com/security/products/flash-player/apsb15-14.html). infobandarpkr.com recommends that Adobe Flash Player users update to the latest version as soon as possible.

infobandarpkr.com MVX detects this threat as a website infection, the IPS engine reports the attaông xã as CVE-2015-3113, & the SHOTPUT backdoor is reported as Backdoor.APT.CookieCutter.

APT3

The China-based threat group infobandarpkr.com tracks as APT3, aka UPS, is responsible for this exploit và the activity identified in our previous blog post, Operation Clandestine Fox. This group is one of the more sophisticated threat groups that infobandarpkr.com Threat Intelligence tracks, & they have a history of introducing new browser-based zero-day exploits (e.g., Internet Explorer, Firefox, và Adobe Flash Player). After successfully exploiting a target host, this group will quickly dump credentials, move laterally to lớn additional hosts, & install custom backdoors. APT3’s command and control (CnC) infrastructure is difficult khổng lồ traông chồng, as there is little overlap across campaigns.

Activity Overview

In the last several weeks, APT3 actors launched a large-scale phishing campaign against organizations in the following industries:

Aerospace & DefenseConstruction and EngineeringHigh TechTelecommunicationsTransportation

Upon clicking the URLs provided in the phishing emails, targets were redirected khổng lồ a compromised server hosting JavaScript profiling scripts. Once a target host was profiled, victims downloaded a malicious Adobe Flash Player SWF file và an FLV file, detailed below. This ultimately resulted in a custom backdoor known as SHOTPUT, detected by infobandarpkr.com as Backdoor.APT.CookieCutter, being delivered lớn the victim’s system.

The payload is obscured using xor encoding and appended lớn a valid GIF file.

*

Attaông xã Vector

The phishing emails used by APT3 during this chiến dịch were extremely generic in nature, almost appearing lớn be spam. An example gmail body:

Save between $200-450 by purchasing an Apple Certified Refurbished iMac through this link. Refurbished iMacs come with the same 1-year extendable warranty as new iMacs. Supplies are limited, but update frequently.

Don"t hesitate . . .>Go khổng lồ Sale

The string “>Go lớn Sale” was a links that used the following URL structure:

hxxp://..//.html

Exploit Details

The attachồng exploits an unpatched vulnerability in the way Adobe Flash Player parses Flash Video (FLV) files. The exploit uses comtháng vector corruption techniques khổng lồ bypass Address Space Layout Randomization (ASLR), và uses Return-Oriented Programming (ROP) to lớn bypass Data Execution Prevention (DEP). A neat trick lớn their ROP technique makes it simpler to exploit & will evade some ROPhường detection techniques.

Xem thêm: Đẽ Mặt Nghĩa Là Gì ? Nghĩa Của Từ Đê Mạt Trong Tiếng Việt Đẽ Mặt Là Gì

Shellcode is stored in the packed Adobe Flash Player exploit tệp tin alongside a key used for its decryption. The payload is xor encoded và hidden inside an image.

Exploit Packaging

The Adobe Flash Player exploit is packed with a simple RC4 packer. The RC4 key và ciphertext are BinaryData blobs that the packer uses khổng lồ decrypt the layer 2 Adobe Flash Player tệp tin. Once decrypted, layer 2 is executed with loader.loadBytes.

Vector Corruption

Layer 2 uses a classic Adobe Flash Player Vector corruption technique khổng lồ develop its heap corruption vulnerability lớn a full relative read/write available to ActionScript3. In this technique, the attacker sprays Adobe Flash Player Vectors lớn the heap, & triggers a write vulnerability khổng lồ change the form size of one of the vectors. The attacker can then perform subsequent reads & writes lớn memory outside the intended boundaries of the corrupted Vector object from AS3. For more details on this technique, see Flash in 2015.

Once the attacker has limited read/write access to lớn memory, they choose khổng lồ corrupt a second Vector lớn increase their access khổng lồ a range of 0x3fffffff bytes. This second Vector is used for the remainder of the exploit.

Return-Oriented Programming

The attackers use a ROP.. chain lớn điện thoại tư vấn kernel32!VirtualAlloc to lớn mark their shellcode as executable before jumping to lớn their shellcode.

Instead of writing their ROPhường chain to lớn the heap along with their shellcode and payload, they used a different technique. Usually, exploit developers will corrupt a built-in Adobe Flash Player object such as a Sound object. Instead, the attackers chose to lớn define their own class in AS3 with a function that takes a lot of arguments:

class CustomClass public function victimFunction(arg1:uint, arg2:uint, …, arg80:uint):uint

Then, the attackers can simply overwrite the function pointer with a gadget that adds khổng lồ the staông xã pointer and returns lớn pivot lớn ROP. They have sầu no need to identify the absolute address of the ROP. chain and preserve sầu it in a register for a typical xchg reg32, esp pivot. Additionally, storing the ROPhường chain on the staông xã will evade ROPhường. detection mechanisms designed around detecting when the staông xã pointer points outside of a thread’s staông chồng region.

this.customObj.victimFunction(6f73b68b, // ret; (ROPsled)…,6f73b68a, //pop eax1f140100,6fd36da1, //Hotline Kernel32!VirtualAlloc(0x1f140000, 0x10000, 0x1000, 0x40)1f140000, // Address00010000, // Size00001000, // Type00000040, // Protection = RWX6f73b68b*9 // ret (ROPsled)6fd36da7*2 // ret6f73aff0 pop ecx6fd36da76fd36da7 jmp …)this.customObj.victimFunction pointer modified to:00000000`6de533dc 5e pop rsi00000000`6de533dd 83c448 add esp,48h00000000`6de533e0 c3 ret

Lastly, the ROP chain has a ROPsled following the call khổng lồ VirtualAlloc. This could just be an artifact of development, or it could be designed to bypass detection mechanisms that kiểm tra for valid return addresses up lớn a limited depth at calls lớn VirtualAlloc.

Xem thêm: Giá Rumor Là Gì ? Giá Rumor Bất Động Sản Là Gì

Full Exploit Flow

1. Create a new Video object

2. Fetch the payload

3. Attach the đoạn phim to lớn a new NetStream

4. Spray the heap with Adobe Flash Player Vectors

a. Create a Vector containing 98688 Vectors containing 1022 uints

b. Set the first two dwords in each Vector lớn 0x41414141, 0x42424242

5. Create holes for the controlled FLV object

a. Free approximately every 3rd Vector in the spray

6. Spray custom class objects for future control transfer

a. Define a new class CustomClass

i. Define a function victimFunction with lots of arguments

b. Create a Vector of 0x100 Vectors of 1007 references to an CustomClass instance

7. Fetch & play the FLV exploit

a. The FLV tệp tin will allocate an attacker controlled object in one of the holes from step 5

b. The attacker controlled object will overwrite the length field of an adjacent vector

8. Re-fill holes from step 5 with Vectors as in step 4

9. Find the corrupted vector

a. Search through Vectors from step 4

b. Cheông chồng the length of each Vector lớn find one that is abnormally large

10. Corrupt a second Vector (Vector2)

a. Using the corrupted Vector from step 9 to lớn read/write relative sầu memory addresses

i. Search memory for an adjacent vector

ii. Overwrite the length field with 0x3fffffff

iii. Verify that a corrupted vector with length 0x3fffffff now exists in the spray

1. If not, unvì chưng corruption & attempt to corrupt the next vector

11. Decrypt shellcode và store it và the payload on the heap

12. Overwrite the CustomClass.victimFunction function pointer

a. Find the sprayed CustomClass object instance references from step 6

b. The new function is a khung of “pivot” that transfers control lớn the attacker

13. Build ROPhường chain on the staông chồng and call it

a. Find ROPhường gadgets in memory using Vector2

i. Including a Gọi to kernel32!VirtualAlloc

b. Gọi the corrupted CustomClass.victimFunction from step 6.a.i

i. Arguments to the function are the gadgets of the ROP chain

ii. They are conveniently pushed onlớn the stack

iii. Corrupted vtable from step 12 calls a pivot

1. The “pivot” just adds khổng lồ khổng lồ the stack pointer and returns because the ROPhường chain is on

the stack

14. ROPhường chain calls shellcode

a. Hotline kernel32!VirtualAlloc

b. jmp khổng lồ shellcode

15. Shellcode calls payload

a. Shellcode searches memory for the payload, which is stored inside an image

b. Shellcode decodes the payload by xoring each byte (that is not 0 or 0x17) with 0x17

Conclusion

Once APT3 has access to a target network, they work quickly and they are extremely proficient at enumerating & moving laterally lớn maintain their access. Additionally, this group uses zero-day exploits, continually updated custom backdoors, & throwaway CnC infrastructure, making it difficult to traông chồng them across campaigns.

Acknowledgements

Thank you to the following contributors lớn this blog!

· Joseph Obed, Ben Withnell, Kevin Zuk, Genwei Jiang, & Corbin Souffrant of infobandarpkr.com