Background
On November 29, 2018, QiAnXin Threat Intelligence Center observed two APT attacks by exploiting one Flash 0day vulnerability which is embedded in Microsoft Office Word documents. The attacks are likely targeting Ukraine entity. This is the second time this year that we found APT attack equipped with 0-day vulnerability. The attacker sends the decoy Word document with Flash 0day vulnerability to target. Once the Word document is open, the vulnerability can execute one RAT by which attacker can gain access to compromised computer. We notified Adobe at the first time after confirming the vulnerability. Adobe gives acknowledgement to us in latest security notice released today.
The attack strategy is very clever: Flash file with 0day vulnerability is inserted into decoy Word document which is compressed into one RAR file with a JPG picture. When Flash 0day vulnerability is triggered, it will extract out RAT from that JPG picture. Such trick aims to avoid detection of most security software. This RAT has same digital signature as one RAT which is very likely written by Hacking Team, latter was found August 2018. We believe that the new RAT is an upgrade version of Hacking Team’s RAT.
This vulnerability and exploitation code could be reused by cybercriminals even other APT groups for large-scale attacks, we would suggest users to take necessary protection, like applying latest Adobe Flash patch.
Timeline
| Time | Activities |
| 2018-11-29 | QiAnXin Threat Intelligence Center found APT attack traces |
| 2018-11-30 | QiAnXin Threat Intelligence Center confirmed Flash 0day vulnerability, then reported the vulnerability to Adobe |
| 2018-12-03 | Adobe confirmed vulnerability |
| 2018-12-05 | QiAnXin Threat Intelligence Center publish analysis report |
Flash Vulnerability
| Name | Adobe Flash Player Remote Code Execution Vulnerability |
| Threat Types | Remote Code Execution |
| Threat Level | High |
| ID | CVE - 2018 -15982 |
| Attack Scenario | Attacker sends malicious Office files to users by web page download, E-mail, instant messaging and other channels, which may trigger the vulnerability to execute arbitrary instructions on the users’ system. |
| Affected Product Versions | Adobe Flash Player (31.0.0.153 and earlier) |
| Fixed Product Versions | Adobe Flash Player 32.0.0.101(latest version with fixes) |
| Fix and Update Address | https://get.adobe.com/flashplayer/ |
Malware
Malware samples indicate that this is an APT attack targeting Ukraine. The first sample was uploaded to VirusTotal on November 29, with few detection by anti-virus engines. 0day vulnerability was found in the sample.
The detection result of one Word document on VirusTotal is as follows:
Attack Phases
The overall attack phases is as follows:
Delivery RAR package and document
A RAR package, including one Word document and one JPG file, is delivered to victim.
Scan042.jpg image has JPG file header, at same time, it contains file content in RAR format. Since RAR program supports both file formats, the RAR content in JPG file can be treated as normal RAR package, and inside files can be extracted out.
The delivery document’s content written in Russian is a questionnaire. When opened, it will prompt whether to play built-in Falsh. Once the user allows Flash to play, 0day vulnerability will be triggered:
Flash 0day Vulnerability
The delivery document is embedded with a vulnerable Flash object in header:
The vulnerable Flash object is as follow:
ShellCode is found in the Flash object:
ShellCode
The ShellCode can get function’s dynamic address, then call RtlCaptureContext to get current stack information, and then search the 0xDEC0ADDE, 0xFFEFCDAB flag in the stack, which is the parameters needed by CreateProcess function, finally call CreateProcess function to create the process for executing post-exploitation command:
Get function’s dynamic address:
Search for parameters needed by CreateProcess function:
Call the CreateProcess function to execute post-exploitation command:
Post-exploitation Command
After vulnerability is exploited successfully, Shellcode executes following post-exploitation command:
CMD. Exe/c set path = % ProgramFiles (x86) % \ WinRAR.C: \ Program Files \ WinRAR.Exe e-o + -r-inul *. Rar scan042.jpg & rar.exe e-o + -r-inul scan042.jpg backup.exe & backup.exe
The final purpose of this command is to extract out backup.exe from scan042.jpg file
Flash 0day vulnerability analysis
Use After Free (UAF) Vulnerability
SWF file can be extracted out as following figure. Exploitation code is shown without extra protection or confusion, which is friendly to researchers
This vulnerability is very similar to CVE-2018-4878 used by Group123 APT Group. Unlike CVE-2018-4878 which is triggered by DRMManger in com.adobe.tvsdk, the new one is related to Metadata in com.adobe.tvsdk.
Three vectors are defined by SWF file in beginning. Those vectors aim to reference free memory for type confusion. Class5 is confused to Class3 in 32-bit OS. Var15 is for 32-bit OS, and Var16 for 64-bit respectively.
Var17 function is start point of exploitation. Routine spray is executed first, then an object named Metadata is declared. Metadata likes a map.
Metadata is one class in Flash SDK. Details are following,
(https://help.adobe.com/en_US/primetime/api/psdk/asdoc-dhls_2.3/com/adobe/tvsdk/mediacore/metadata/Metadata.html)
ByteArray object is stored to Metadata via setObject. Then, corresponding key is set.
Var19() is then called. This function causes a GC garbage collector call in Flash, which leads Meatdata to be released:
After that, keySet will return the corresponding Array by key value, then store Array to _local_6. The definition of the setObject function is as follows:
The KeySet function is defined as follows:
Array in Metadata is free. Var14 is used to reference memory.
Class5 is defined as follows:
Finally, _local_6 is traversed to find Class5 object. Class5 can determine OS version (32-bit or 64 bit). Exploitation has dedicated processes for different OS version.
After entering the function Var56, since one of the Class5 objects in the previous Var14 Vector has been released, the released Class5 object is preempted by assigning a value to the Var15 Vector traversal. Class3 object is used here:
Class3, as shown below, internally defines a Class1 that is ultimately occupied by Class1:
We can see that the Class1 object is defined as follows. At this point, because both Var14 and V15 have references to the original Class5 memory, and Var14 and V15 have references to Class5 and Class3 memory respectively, which leads to type confusion:
Both Var14 and Var15 contain the reference to original Class5 memory. However, that reference is Class5 in Var 14, and Class in Var15 respectively, which cause type confusion. (This approach is similar to CVE-2018-5002)
Because Class3, Class5 is carefully designed by the attacker, at this time only need to operate Var14, Var15 reference object can obtain arbitrary address reading and writing ability:
After arbitrary address is obtained for reading or writing, function addresses for later use are obtained. Then process is same as general Flash vulnerability exploitation:
RAT - backup.exe
This RAT is packed by VMProtect. Basic information is as follows:
| MD5 | 1CBC626ABBE10A4FAE6ABF0F405C35E2 |
| File name | Exe backup. |
| Digital signature | IKB SERVICE UK LTD |
| Packer info | VMProtect v3.00-3.1.2 2003-2018 VMProtect v3.00-3.1.2 2003-2018 VMProtect v3.00-3.1.2 2003-2018 |
Pretending as NVIDIA Graphics Card Program
The RAT pretents as NVIDIA's program, and has a normal digital signature, but the signature has been revoked:
NVIDIA Control Panel Application
Certificate information
RAT can also sent DirectX debugging information like normal NVIDIA program :
The interesting thing is that RAT author made a spelling mistake as ‘Producer’ word is spelled to ‘Producet’ :
DXGI WARNING: Live Producet at 0x%08x Refcount: 2. [STATE_CREATION WARNING #0: ]
Execution of RAT Function
The RAT will create a window class named "DXGESZ1Dispatcher" after running. The window procedure function corresponding to that window class is the main function of RAT. The main function is executed by distributing window messages:
When CreateWindowExW is called, WM_CREATE message is sent to window procedure function. When the window procedure function receives the WM_CREATE message, three threads are created to detect whether the program is running in the real environment.
When the detection passes, WM_USER+1 message is sent to the window procedure to control the running process of the program. When the window procedure function receives the message, it creates another thread to initialize the API functions in shlwapi.dll and ws_32.dll:
Then OutputDebugStringA is used to output a disguised Debug message: "DXGI WARNING: Live Producet at 0x%08x Refcount: 2. [STATE_CREATION WARNING #0:]". This message is the debugging message that normal programs may output when DirectX programming interface is used by that normal program.
In addition, it will determine whether the current process ID is 4, and if so, it will terminate the process. This technique is generally used to detect the virtual machine installed with anti-virus software:
Detect Antivirus Software
The RAT also determines whether specific antivirus software is installed on the current computer, such as BitDefender by detecting avckf.sys:
Besides that, it executes a WMI command "Select*from Win32_Service WhereName='WinDefend' AND StateLIKE 'Running '" to check if any Windows Defender is running:
Persistence
RAT can copy itself to %APPDATA%\ NVIDIAControlPanel\NVIDIAControlPanel.exe:
The persistence is achieved by setting scheduled job:
Command and Control
When the RAT receives WM_USER message, the RAT can create a thread to collect various information, including a list of running processes, CPU specification, user name, time zone, etc. Collected information is encrypted and then sent to C&C address: 188.241.58.68 by the HTTP protocol. RAT then waits for commands from attacker.
- Collect info of installed software from registry:
- Execute the command SELECT*FROM Win32_TimeZone to get the time zone:
- Get disk information:
- Connect to C&C address: 188.241.58.68:
Contribution
This RAT is very likely an upgrade of Hacking Team’s RAT which is leaked out in 2015. This RAT has new features like encrypting strings, and using window messages for control flow.
Connection to Hacking Team
Due to VMProtect encryption, we cannot get perfect IDA F5 pseudocode of backup.exe, but most of its functional code and logic are consistent with the source code leaked by Hacking Team before. The following is the comparison between the IDA F5 pseudocode and Hacking Team's leaked source code:
Detection for existence of sandbox
Initialization of WINHTTP API
Closing WINHTTP HANDLE
Sample Correlation
The RAT is correlated to two similar RATs which use same digital signature and have similar functionality. Those two RATs are from Hacking Team, and one of them was found on August this year.
One RAT is disguised as NVIDIA control panel program, C&C IP is 80.211.217.149; another RAT is disguised as Microsoft OneDrive program, C&C IP is 188.166.92.212.
Hacking Team’s RAT disguised as Microsoft OneDrive program
About Hacking Team
A summary of connections of this attack and Hacking Team:
-
The RAT dropped by vulnerable Word document is an upgraded version of Hacking Team’s RAT.
-
From previous leaked data of Hacking Team, they shows their strong skills on fuzzing and exploiting Flash 0day. In this attack, new Flash 0day is exploited in similar style.
-
Hacking Team has a long history of selling cyber espionage weapons to intelligence agencies or government agencies.
Conclusion
QiAnXin Threat Intelligence Center provide evidence that Hacking Team is likely the actor of this new attack. Since Hacking Team’s leak incident happened, their new activities and new malware were disclosed by security researchers several times, which indicates that Hacking Team is still active.
Protection Suggestions
Users are expected to avoid opening documents from unknown sources, and install the latest version of Adobe Flash Player, as well as scan system by using security software.
Reference
-
Vulnerability bulletin: https://helpx.adobe.com/security/products/flash-player/apsb18-42.html
-
Path of Flash Player: https://get.adobe.com/flashplayer/
-
QiAnXin Threat Intelligence Center found Flash 0day vulnerability highly connected to Hacking Team (only Chinese): https://ti.qianxin.com/blog/articles/cve-2018-5002-flash-0day-with-apt-campaign/
-
Leaked code of Hacking Team: https://github.com/hackedteam/scout-win
5.https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/
The IOC
| Word document |
| 9c65fa48d29e8a0eb1ad80b10b3d9603 |
| 92b1c50c3ddf8289e85cbb7f8eead077 |
| Author name in Word document |
| tvkisdsy |
| Кирдакова |
| 0day Flash file |
| 8A64017953D0840323318BC224BAB9C7 |
| Compilation time of 0day Flash file |
| Sep 15, 2014 |
| Hacking Team RAT |
| 1cbc626abbe10a4fae6abf0f405c35e2 |
| 7d92dd6e2bff590437dad2cfa221d976 |
| f49da7c983fe65ba301695188006d979 |
| C&C |
| 188.241.58.68:80 |
| 188.166.92.212:80 |
| 80.211.217.149:80 |
| Digital signature of Hacking Team |
| Name: IKB SERVICE UK LTD |
| Serial number: 57 5f c1 c6 bc 47 f3 cf ab 90 0c 6b c1 8a ef 6d |
| Thumbprint: d8 7a a2 1d ab 22 c2 f1 23 26 0b 1d 7a 31 89 3c 75 66 b0 89 |