The recent trio of Flash zero days has not only caused a lot of scrambling at Adobe—which yesterday released a patch for the last in that line of vulnerabilities—but also shone a light on a fairly unknown exploit kit, exposed the evolving danger of malvertising, and made clear the pains attackers take to keep their malware from being detected.
“It’s really odd seeing three zero days in Flash in such a short period of time,” said Karl Sigler, threat intelligence manager at Trustwave.
There is near consensus that the three zero days are connected, with researchers agreeing that the same group is behind the discovery of the flaws and the development of the exploits, two of which were folded into exploit kits in short order. While one of those exploit kits, Angler, is well established in the criminal underground, the other, known as Hanjuan, is a stripped-down kit that has managed to stay under the wire.
“One of the interesting things about it is that it’s very stripped down compared to Angler or Magnitude, both of which are pretty complex,” Sigler said. “Hanjuan is hyper-focused on specific exploits and browser types. That simplicity makes it harder to detect on the wire. With Angler or Blackhole, you would see a lot of communication on the wire, with Hanjuan, it’s basically yes or no. Either the browser is vulnerable or it will pass it by.”
Trustwave this week discovered an exploit for the third Flash Player zero day being delivered by Hanjuan, using exploitation techniques similar to those of a Flash zero day found in Angler last week by French researcher Kafeine, leading both parties to believe there is possibly a connection between the two.
“What’s changed with Hanjuan is that this is the first zero-day vulnerability tracked back to them,” Sigler said. “The fact they are using this zero day made them stick out like a sore thumb.”
Adobe on Monday said in its advisory that the Hanjuan exploit was being distributed in drive-by downloads and malvertising attacks with ad networks used by major websites redirecting visitors to click-fraud malware, and in some cases, ransomware.
Researchers at Invincea yesterday published a report on one such ransomware campaign, which it has dubbed FessLeak, that could also be part of this puzzle. The FessLeak campaign is being spread by Russian criminal gangs, Invincea CEO and founder Anup Ghosh said, who are using real-time ad bidding to choose the sites on which their malicious ads and Flash exploits appear.
They managed to land their ads on massively trafficked websites such as Huffington Post, DailyMotion, CBS Sports, Plenty of Fish, and dozens of others, using a relatively small number of compromised domains.
“It’s beautiful from an adversarial point of view; they don’t have to exploit websites anymore,” said Ghosh, whose company published a report last fall on Operation Death Click, an ad-bidding campaign used in targeted attacks against defense firms. “The same tools advertisers use to target people and demographics, adversaries are able to use to target specific companies. They would bid for their ads to appear specifically at certain companies. I can be selective about who and where I drop code on.”
With FessLeak, the attacks are file-less: the malicious code lives only in memory in order to elude signature-based defenses. In a traditional attack, an exploit targets an IE or Java vulnerability and drops a file on the compromised computer, which the exploit then typically executes. Antivirus can scan that file on disk, and if a signature matches, the attack is blocked.
“File-less means the exploit and malware stays resident in memory and runs from memory,” Ghosh explained. “It gives a pointer to the exploit that runs in memory. Eventually, it will use system programs to extract the malicious file and run it. The exploit runs in memory which means no file system scan will reveal it.”
There are many other evasion and obfuscation steps taken to keep researchers at bay. The attackers register domains for only a day, for example, and then burn them before security technology catches on. The domains are used for both click fraud and ransomware.
Ghosh said that a recent Windows patch has put an end to the file-less portion of the FessLeak campaign.
“Now Fessleak drops a temp file via Flash and makes calls to icacls.exe, the file that sets permissions on folders and files,” Ghosh wrote in the report. “At this time, there is no detection for the malicious binary, which likely rotates its hash value to avoid AV detection.”
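The change Ghosh describes gives defenders something concrete to look for: a permissions tool (icacls.exe) being launched from a browser or Flash plugin process rather than from an administrator's shell. The following is an added example, not code from the article or from Invincea's report. It runs a simple detection over a few constructed process-creation events shaped like Sysmon Event ID 1 records (pid, ppid, image, command line; all values are invented here). It walks each process's ancestry a few levels up, flags icacls.exe whenever a browser or Flash plugin host is among its ancestors, and raises the severity when the command line touches a user temp directory, since the report says the dropped file is a temp file. The browser and plugin process names are assumptions for the example.

```python
"""Flag icacls.exe launched beneath a browser or Flash plugin process.

Added example; the events below are constructed, not real telemetry.
"""
import ntpath

# Assumed process names for browsers and plugin hosts (Firefox runs NPAPI
# plugins such as Flash inside plugin-container.exe; IE hosts Flash in-process).
BROWSER_IMAGES = {
    "iexplore.exe", "firefox.exe", "chrome.exe", "plugin-container.exe",
}


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def is_browser_or_flash(image):
    """True for a browser, a plugin host, or a stand-alone Flash Player process."""
    name = basename(image)
    return name in BROWSER_IMAGES or name.startswith("flashplayer")


def browser_ancestor(event, by_pid, max_depth=4):
    """Return the nearest browser/Flash ancestor of event, or None."""
    current = event
    for _ in range(max_depth):
        parent = by_pid.get(current["ppid"])
        if parent is None:
            return None
        if is_browser_or_flash(parent["image"]):
            return parent
        current = parent
    return None


def touches_temp_dir(cmdline):
    """Heuristic: command line references a user temp directory."""
    lowered = cmdline.lower()
    return "\\temp\\" in lowered or "%temp%" in lowered


def detect_icacls_from_browser(events):
    """Return one alert per icacls.exe process with a browser/Flash ancestor."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        if basename(event["image"]) != "icacls.exe":
            continue
        ancestor = browser_ancestor(event, by_pid)
        if ancestor is None:
            continue  # icacls from cmd.exe/explorer.exe is normal admin activity
        alerts.append({
            "pid": event["pid"],
            "ancestor": basename(ancestor["image"]),
            "severity": "high" if touches_temp_dir(event["cmdline"]) else "medium",
            "cmdline": event["cmdline"],
        })
    return alerts


# Constructed sample events: one Firefox/plugin-container chain, one benign
# administrator use of icacls from cmd.exe, and one icacls launched from IE.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmdline": "firefox.exe"},
    {"pid": 210, "ppid": 200, "image": r"C:\Program Files\Mozilla Firefox\plugin-container.exe", "cmdline": "plugin-container.exe"},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls.exe "C:\Users\alice\AppData\Local\Temp\dropped.tmp" /grant alice:F'},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 410, "ppid": 400, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r"icacls.exe C:\Shares\reports /grant finance:R"},
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "cmdline": "iexplore.exe"},
    {"pid": 510, "ppid": 500, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r"icacls.exe C:\Users\alice\Documents /grant alice:F"},
]

if __name__ == "__main__":
    for alert in detect_icacls_from_browser(SAMPLE_EVENTS):
        print(alert["severity"], alert["pid"], alert["ancestor"], alert["cmdline"])
```

Run as-is it reports two alerts: the temp-file case under plugin-container.exe as high and the IE case as medium, while the cmd.exe case is ignored. Because the rule keys on process ancestry rather than a file hash, it is unaffected by the binary rotating its hash value, which is exactly the gap Ghosh points to.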