In our last post, we warned of a new Windows local privilege escalation vulnerability being used in the wild. We noted that the Windows bug (CVE-2013-5065) was exploited in conjunction with a patched Adobe Reader bug (CVE-2013-3346) to evade the Reader sandbox. CVE-2013-3346 was exploited to execute the attacker’s code in the sandbox-restricted Reader process, where CVE-2013-5065 was exploited to execute more malicious code in the Windows kernel.
In this post, we aim to describe the in-the-wild malware sample, from initial setup to unrestricted code execution.
CVE-2013-3346: Adobe Reader ToolButton Use-After-Free
CVE-2013-3346 was privately reported to ZDI by Soroush Dalili, apparently in late 2012. We could fine no public description of the vulnerability. Our conclusion that the sample from the wild is exploiting CVE-2013-3346 is based upon the following premises:
- CVE-2013-3346 is a use-after-free condition with ToolButton objects.
- The Adobe Reader patch that addresses CVE-2013-3346 also stops the in-the-wild exploit.
CVE-2013-3346 Exploitation: Technical Analysis
- Make a parent ToolButton with a callback CB
- Within the callback CB, make a child ToolButton with a callback CB2
- Within the callback CB2, free the parent ToolButton
FireEye Labs has identified a new Windows local privilege escalation vulnerability in the wild. The vulnerability cannot be used for remote code execution but could allow a standard user account to execute code in the kernel. Currently, the exploit appears to only work in Windows XP.
This local privilege escalation vulnerability is used in-the-wild in conjunction with an Adobe Reader exploit that appears to target a patched vulnerability. The exploit targets Adobe Reader 9.5.4, 10.1.6, 11.0.02 and prior on Windows XP SP3. Those running the latest versions of Adobe Reader should not be affected by this exploit.
Post exploitation, the shellcode decodes a PE payload from the PDF, drops it in the temporary directory, and executes it.
The following actions will protect users from the in-the-wild PDF exploit:
1) Upgrade to the latest Adobe Reader
2) Upgrade to Microsoft Windows 7 or higher
This post was intended to serve as a warning to the generic public. We are collaborating with the Microsoft Security team on research activities. Microsoft assigned CVE-2013-5065 to this issue.
We will continue to update this blog as new information about this threat is found.
[Update]: Microsoft released security advisory 2914486 on this issue.
FireEye recently identified a malicious mobile application that installs a fake banking application capable of stealing user credentials. The top-level app acts as a bogus Google Play application, falsely assuring the user that it is benign.
FireEye Mobile Threat Prevention platform detects this application as Android.KorBanker. This blog post details both the top-level installer as well as the fake banking application embedded inside the top-level app.
The app targets the following banks, all of which are based in Korea.
- Hana Bank
- IBK One
- KB Kookmin Bank
- NH Bank
- Woori Bank
- Shinhan Bank
Once installed, the top-level application presents itself as a Google Play application. It also asks the user for permission to activate itself as a device administrator, which gives KorBanker ultimate control over the device and helps the app stay hidden from the app menu.
Vulnaggressive Characteristics in Mobile Apps and Libraries
FireEye mobile security researchers have discovered a rapidly-growing class of mobile threats represented by popular ad libraries affecting apps with billions of downloads. These ad libraries are aggressive at collecting sensitive data and able to perform dangerous operations such as downloading and running new code on demand. They are also plagued with various classes of vulnerabilities that enable attackers to turn their aggressive behaviors against users. We coined the term “vulnaggressive” to describe this class of vulnerable and aggressive characteristics. We have published some of our findings in our two recent blogs about these threats: “Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions” and “Update: Ad Vulna Continues”.
As we reported in our earlier blog “Update: Ad Vulna Continues”, we have observed that some vulnaggressive apps have been removed from Google Play, and some app developers have upgraded their apps to a more secure version either by removing the vulnaggressive libraries entirely or by upgrading the relevant libraries to a more secure version which address the security issues. However, many app developers are still not aware of these security issues and have not taken such needed steps. We need to make a community effort to help app developers and library vendors to be more aware of these security issues and address them in a timely fashion.
To aid this community effort, we present the data to illustrate the changes over time as vulnaggressive apps are upgraded to a more secure version or removed from Google Play after our notification. We summarize our observations below, although we do not have specific information about the reasons that caused these changes we are reporting. Continue reading
Last week, we blogged about a zero-day vulnerability (CVE-2013-3906) that was being used by at least two different threat groups. Although it was the same exploit, the two groups deployed it differently and dropped very different payloads. One group, known as Hangover, engages in targeted attacks, usually, against targets in Pakistan. The second group, known as Arx, used the exploit to spread the Citadel Trojan, and we have found that they are also using the Napolar (aka Solar) malware. 
Looking at the time of the first known use of the exploit, we noted that the Arx group appeared to have had access to this exploit prior to the Hangover group. Subsequent research by Kaspersky has found that this exploit was used in July 2013 to spread a cross-platform malware known as Janicab. Interestingly, the Janicab samples have exactly the same
ModifyDate as the Arx samples. However, the
ZipModifyDate is different. They also contain the same embedded TIFF file (aa6d23cd23b98be964c992a1b048df6f). Continue reading
Today, we released a new report from FireEye Labs entitled Supply Chain Analysis: From Quartermaster to Sunshop.
The report details how many seemingly unrelated cyber attacks may, in fact, be part of a broader offensive fueled by a shared development and logistics infrastructure — a finding that suggests some targets are facing a more organized menace than they realize. Our research points to centralized planning and development by one or more advanced persistent threat (APT) actors. Malware clearly remains a desired cyber weapon of choice. Streamlining development makes financial sense for attackers, so the findings may imply a bigger trend towards industrialization that achieves an economy of scale.
The report is available for download here: http://www.fireeye.com/resources/pdfs/fireeye-malware-supply-chain.pdf
Recently, we discovered a new IE zero-day exploit in the wild, which has been used in a strategic Web compromise. Specifically, the attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy. We have identified relationships between the infrastructure used in this attack and that used in Operation DeputyDog. Furthermore, the attackers loaded the payload used in this attack directly into memory without first writing to disk – a technique not typically used by advanced persistent threat (APT) actors. This technique will further complicate network defenders’ ability to triage compromised systems, using traditional forensics methods.
On November 8, 2013 our colleagues Xiaobo Chen and Dan Caselden posted about a new Internet Explorer 0-day exploit seen in the wild. This exploit was seen used in a strategic Web compromise. The exploit chain was limited to one website. There were no iframes or redirects to external sites to pull down the shellcode payload.
Through the FireEye Dynamic Threat Intelligence (DTI) cloud, we were able to retrieve the payload dropped in the attack. This payload has been identified as a variant of Trojan.APT.9002 (aka Hydraq/McRAT variant) and runs in memory only. It does not write itself to disk, leaving little to no artifacts that can be used to identify infected endpoints. Continue reading
FireEye Labs has identified a new IE zero-day exploit hosted on a breached website based in the U.S. It’s a brand new IE zero-day that compromises anyone visiting a malicious website; classic drive-by download attack. The exploit leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution.
The information leak uses a very interesting vulnerability to retrieve the timestamp from the PE headers of
msvcrt.dll. The timestamp is sent back to the attacker’s server to choose the exploit with an ROP chain specific to that version of
msvcrt.dll. This vulnerability affects Windows XP with IE 8 and Windows 7 with IE 9.
The memory access vulnerability is designed to work on Windows XP with IE 7 and 8, and on Windows 7. The exploit targets the English version of Internet Explorer, but we believe the exploit can be easily changed to leverage other languages. Based on our analysis, this vulnerability affects IE 7, 8, 9, and 10. This actual attack of this memory access vulnerability can be mitigated by EMET per Microsoft’s feedback.
This exploit has a large multi-stage shellcode payload. Upon successful exploitation, it will launch
CreateProcess), and inject and execute its second stage (with
CreateRemoteThread). The second stage isn’t written to a file as with most common shellcode, which usually downloads an executable and runs it from disk.
In summary, this post was intended to serve as a warning to the generic public. We are collaborating with the Microsoft Security team on research activities.
We will continue to update this blog as new information about this threat is found. FireEye would like to acknowledge and thank iSIGHT Partners for their assistance in this research.
[Update 11-12-2013]: Microsoft release a security bulletin and assigned CVE-2013-3918 to this issue.
A zero-day vulnerability was recently discovered that exploits a Microsoft graphics component using malicious Word documents as the initial infection vector. Microsoft has confirmed that this exploit has been used in “attacks observed are very limited and carefully carried out against selected computers, largely in the Middle East and South Asia.”
Our analysis has revealed a connection between these attacks and those previously documented in Operation Hangover, which adds India and Pakistan into the mix of targets. Information obtained from a command-and-control server (CnC) used in recent attacks leveraging this zero-day exploit revealed that the Hangover group, believed to operate from India, has compromised 78 computers, 47 percent of those in Pakistan.
However, we have found that another group also has access to this exploit and is using it to deliver the Citadel Trojan malware. This group, which we call the Arx group, may have had access to the exploit before the Hangover group did. Information obtained from CnCs operated by the Arx group revealed that 619 targets (4024 unique IP addresses) have been compromised. The majority of the targets are in India (63 percent) and Pakistan (19 percent).
Between Oct. 24–25 FireEye detected two spear-phishing attacks attributed to a threat actor we have previously dubbed admin@338. The newly discovered attacks targeted a number of organizations and were apparently focused on gathering data related to international trade, finance, and economic policy. These two attacks utilized different malware families and demonstrate an ability to quickly adapt techniques, tactics, and procedures (TTPs).
Investor Guide and Contact List Lure
On Friday Oct. 25, 2013, FireEye detected an attempted targeted campaign against the following:
- The Central Bank of a Western European government
- An International organization involved in trade, economic, and financial policy
- A U.S.-based think tank
- A high-ranking government official for a country in the Far East
This spear-phish email, shown in Figure 1, contained a malicious Word document attachment that exploited the CVE-2012-0158 vulnerability.
Figure 1: Spear-phish email used in a recent admin@338 attack
The malicious Word document had the following properties:
- File: Investor Relations Contacts.doc
- MD5: 875767086897e90fb47a021b45e161b2