Threat Research Blog

Lessons from Operation RussianDoll

As defensive security controls raise the bar to attack, attackers will employ increasingly sophisticated techniques to complete their mission. Understanding the mechanics and impact of these threats is essential to systematically discover and deflect the coming wave of advanced attacks.

Mandiant has developed a comprehensive whitepaper that provides a multi-faceted analysis of the exploit payload "Operation RussianDoll." This payload is an exploit for CVE-2015-1701 embedded within the un-obfuscated 64-bit RussianDoll payload (MD5: 54656d7ae9f6b89413d5b20704b43b10). The whitepaper references a freely available open-source proof of concept and provides malware triage analysts, reverse engineers, and exploit analysts with tools and background information to recognize and analyze future exploits. It also covers how red team analysts can apply these principles to carve out exploit functionality or augment exploits to produce tools that will enhance effectiveness of security operations.

The whitepaper walks the reader through the payload's actions to understand how to loosely identify what it does once it has gained kernel privilege. It then discusses how to obtain higher-resolution answers from reverse engineering by using WinDbg to confirm assumptions, manipulate control flow, and observe exploit behavior. Building on this and other published sources, a technically detailed exploit analysis is assembled by examining the relevant portions of win32k.sys. Finally, the paper discusses how to extract and augment this exploit to load encrypted, unsigned drivers into the Windows 7 x64 kernel address space.

We hope this analysis will support security professionals' understanding of the malware used by Advanced Persistent Threat (APT) actors and of tools and techniques that may be used to conduct enhanced analysis.

Download the "Lessons from Operation RussianDoll" whitepaper here.