
Killing a Zero-Day in the Egg: Adobe CVE-2016-1019

Proofpoint researchers discovered that the Magnitude exploit kit (EK) [1] was successfully exploiting Adobe Flash version 20.0.0.306. Because the Magnitude EK in question did not direct any exploits to Flash 21.0.0.182, we initially suspected that the exploit was for CVE-2016-1001 as in Angler [2], the combination exploit “CVE-2016-0998/CVE-2016-0984” [3], or CVE-2016-1010.

In the course of our investigation, we shared our findings with fellow researchers in the security community in order to accelerate identification of the exploit. A colleague at FireEye determined [4] that the exploited vulnerability was unknown. Adobe was promptly notified of the issue, and they verified that although a mitigation integrated in 21.0.0.182 appeared to cause the exploit to fail, it was a previously unreported vulnerability; Adobe assigned it CVE-2016-1019. An emergency patch for the vulnerability was released on April 7 [5].

Although this new exploit could potentially work on any version of Adobe Flash, including a fully patched instance of Flash, the threat actors implemented it in a manner that only targeted older versions of Flash. In other words, equipped with a weapon that could pierce even the latest armor, they only used it against old armor, and in doing so exposed to security researchers a previously unreported vulnerability. We refer to this type of faulty implementation as a “degraded” mode, and it is something that we have observed in the past with CVE-2014-8439 [6] [7] and CVE-2015-0310 [8] in Angler. While there will be a period of time when systems are not yet patched for CVE-2016-1019 and are thus vulnerable to new exploits, “degraded” implementations of potential zero-day exploits offer security researchers and vendors a valuable opportunity to identify and mitigate previously unknown vulnerabilities.

Let’s look at this ‘degraded’ implementation of CVE-2016-1019 in action:


Figure 1: 2016-04-02 Magnitude exploiting CVE-2016-1019 in “degraded” mode to spread Cerber ransomware


Figure 2: 2016-04-06 Magnitude exploiting CVE-2016-1019 in “degraded” mode on Windows 10 build 1511 (Feb 2016) with Flash 20.0.0.306

Payloads

In recent months, Magnitude seems to be used by only one actor, who was spreading Cryptowall crypt1001 until the middle of March 2016. The actor then switched to distributing Teslacrypt ID=39, and since the end of March has switched to distributing Cerber [9].

We also looked back at a Nuclear Pack Flash exploit change we spotted on March 31, 2016. Because we did not witness a new Flash version being exploited, we had not investigated it at the time, but the embedded exploit is the same as the one discovered in Magnitude (CVE-2016-1019), according to Anton Ivanov (Kaspersky) and researchers at ESET and FireEye.


Figure 3: 2016-03-31 Nuclear Pack not exploiting Flash 20.0.0.306 despite integrating CVE-2016-1019 code (that is, not dropping the expected Locky or Necurs from the actor behind this infection chain [10])

Figure 4: Intriguing CVE-2016-1001 string spotted by Denis O’Brien (Malwageddon) on 2016-04-05 in the Nuclear Pack exploit

Summarizing the main findings of this analysis:

  • Magnitude EK was found to be exploiting a previously unreported vulnerability in Adobe Flash, now assigned CVE-2016-1019.
  • Due to a faulty implementation of the exploit, it was not targeting the latest, fully patched versions of Adobe Flash in a way that could result in infection.
  • The exploit has been in the wild since at least March 31, 2016.
  • The exploit was observed spreading the Cerber and Locky ransomware, among others.
  • There is evidence that Nuclear Pack was also equipped with code to exploit CVE-2016-1019 but did not run it against fully patched systems.
  • Adobe has issued an emergency patch and advisory (APSA16-01) for this vulnerability.

If Adobe Flash Player is required in your environment, we advise an immediate installation of the update.

References

[1] – http://malware.dontneedcoffee.com/2013/10/Magnitude.html

[2] – http://malware.dontneedcoffee.com/2016/03/flash-up-to-2000306.html

[3] – https://googleprojectzero.blogspot.fr/2016/03/life-after-isolated-heap.html

[4] – https://www.fireeye.com/blog/threat-research/2016/04/cve-2016-1019_a_new.html

[5] – https://helpx.adobe.com/security/products/flash-player/apsa16-01.html

[6] – http://malware.dontneedcoffee.com/2014/10/cve-2014-0569.html

[7] – https://www.f-secure.com/weblog/archives/00002768.html

[8] – http://malware.dontneedcoffee.com/2015/01/cve-2014-9162-flash-1500242-and-below.html

[9] – https://blog.malwarebytes.org/intelligence/2016/03/cerber-ransomware-new-but-mature/

[10] – https://www.proofpoint.com/fr/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky

Indicators of Compromise (IOC’s)


Select ET Signatures that would fire on such traffic:

  • 2816837 || ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Mar 30 M3
  • 2816832 || ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Mar 30 M2
  • 2816800 || ETPRO CURRENT_EVENTS Magnitude EK Landing Mar 29 2016
  • 2816329 || ETPRO CURRENT_EVENTS Possible Magnitude EK Flash Exploit URI Struct Feb 19 2016
  • 2816339 || ETPRO CURRENT_EVENTS Magnitude EK Flash Payload Feb 19 2016
  • 7016687 || ET LUAJIT WEB_CLIENT Suspicious Adobe Flash file (Compressed)
  • 2012088 || ET SHELLCODE Possible Call with No Offset TCP Shellcode
  • 2000419 || ET POLICY PE EXE or DLL Windows file download
  • 2009897 || ET MALWARE Possible Windows executable sent when remote host claims to send html content
  • 2016538 || ET INFO Executable Retrieved With Minimal HTTP Headers – Potential Second Stage Download
  • 2021076 || ET INFO SUSPICIOUS Dotted Quad Host MZ Response
  • 2816505 || ETPRO TROJAN Cerber Ransomware UDP Scanning
  • 2816506 || ETPRO TROJAN Possible Cerber Ransomware IP Check
  • 2816763 || ETPRO TROJAN Ransomware/Cerber Checkin 2
  • 2816764 || ETPRO TROJAN Ransomware/Cerber Checkin Error ICMP Response
  • 2816772 || ETPRO TROJAN Ransomware/Cerber Onion Domain Lookup
  • 2814492 || ETPRO CURRENT_EVENTS Nuclear EK Landing Oct 20 2015 M1
  • 2814493 || ETPRO CURRENT_EVENTS Nuclear EK Landing Oct 20 2015 M2
  • 2814389 || ETPRO CURRENT_EVENTS possible Nuclear EK DHE traffic client to server
  • 2815818 || ETPRO CURRENT_EVENTS Possible Nuclear EK Flash URI Struct Jan 14 M2
  • 2815810 || ETPRO CURRENT_EVENTS Possible Nuclear EK Payload VarLen XOR (Nulls)
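Individually, these signatures fire on many unrelated sessions; what makes a Magnitude-to-Cerber infection stand out is the ordered sequence of stages on one victim host. The following is an added example (not code from the Proofpoint post or from Emerging Threats) that groups the SIDs listed above into redirector, landing, Flash exploit, payload and Cerber stages, parses Suricata fast.log alerts, and triages each internal host by how far down the chain it got. The stage grouping and the sample alert lines are constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# EK stage per SID, grouping the ET/ETPRO rule numbers listed above (grouping is mine, not ET's).
STAGE_BY_SID = {2816837: "redirector", 2816832: "redirector", 2816800: "landing", 2814492: "landing",
                2814493: "landing", 2816329: "flash_exploit", 2816339: "flash_exploit", 2815818: "flash_exploit",
                2000419: "payload", 2009897: "payload", 2016538: "payload", 2021076: "payload",
                2816505: "cerber", 2816506: "cerber", 2816763: "cerber", 2816772: "cerber"}
CHAIN = ("redirector", "landing", "flash_exploit", "payload", "cerber")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Suricata fast.log: "<ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {proto} src:port -> dst:port"
FASTLOG_RE = re.compile(r"\[\d+:(?P<sid>\d+):\d+\].*\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$")

def parse_fastlog(text):
    """Yield (sid, victim) per alert; the victim is the RFC1918 endpoint, so a server->client alert (MZ response) still attributes to the client."""
    for line in text.splitlines():
        m = FASTLOG_RE.search(line.strip())
        if m:
            src = ipaddress.ip_address(m["src"])
            yield int(m["sid"]), m["src"] if any(src in n for n in RFC1918) else m["dst"]

def infection_chains(text):
    """Per victim host, the EK stages observed, in chain order."""
    seen = defaultdict(set)
    for sid, host in parse_fastlog(text):
        if sid in STAGE_BY_SID:
            seen[host].add(STAGE_BY_SID[sid])
    return {h: [s for s in CHAIN if s in st] for h, st in seen.items()}

def triage(text):
    """infected: Flash exploit plus payload download, or any Cerber callback; exploit_attempt: chain stops at Flash; redirect_only otherwise."""
    out = {}
    for host, st in infection_chains(text).items():
        if "cerber" in st or {"flash_exploit", "payload"} <= set(st):
            out[host] = "infected"
        else:
            out[host] = "exploit_attempt" if "flash_exploit" in st else "redirect_only"
    return out

# Constructed sample alerts (not captured traffic): 10.1.2.3 completes the chain, 10.1.2.9 is only redirected.
SAMPLE_FASTLOG = """\
04/02/2016-10:15:01.000001  [**] [1:2816837:1] ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Mar 30 M3 [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.3:49152 -> 203.0.113.10:80
04/02/2016-10:15:02.000001  [**] [1:2816800:1] ETPRO CURRENT_EVENTS Magnitude EK Landing Mar 29 2016 [**] [Classification: Misc activity] [Priority: 1] {TCP} 10.1.2.3:49153 -> 203.0.113.20:80
04/02/2016-10:15:03.000001  [**] [1:2816339:1] ETPRO CURRENT_EVENTS Magnitude EK Flash Payload Feb 19 2016 [**] [Classification: Misc activity] [Priority: 1] {TCP} 10.1.2.3:49154 -> 203.0.113.20:80
04/02/2016-10:15:04.000001  [**] [1:2021076:1] ET INFO SUSPICIOUS Dotted Quad Host MZ Response [**] [Classification: Misc activity] [Priority: 2] {TCP} 203.0.113.20:80 -> 10.1.2.3:49154
04/02/2016-10:15:30.000001  [**] [1:2816505:1] ETPRO TROJAN Cerber Ransomware UDP Scanning [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.1.2.3:6892 -> 198.51.100.1:6892
04/02/2016-10:20:00.000001  [**] [1:2816832:1] ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Mar 30 M2 [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.2.9:50000 -> 203.0.113.10:80
"""
```

A host that reaches only `exploit_attempt` is the "degraded mode" case described above (a Flash build the exploit did not fire against, or a patched one), and is worth checking for version rather than dismissing.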

Source: https://www.proofpoint.com