We at SpiderLabs investigate many suspicious webpages on a daily basis. Occasionally we run into something that seems new and unfamiliar to us, which is generally when things become interesting.
A recent discovery of ours began just like that and ended with our identification of an Internet Explorer 8 vulnerability being actively exploited in the wild. Through collaboration with the Microsoft Security Response Center (MSRC) Team we confirmed that the new zero-day (CVE-2013-3897) has been in the wild for a month (the new CVE-2013-3897 and the previous zero-day CVE-2013-3893). The patch was just released today, and users need time to install it. So we can't reveal the full technical analysis of this vulnerability yet, but we can share some interesting details about the attack.
The attackers distributed the zero-day exploit via the following URL: hxxp://1.234.31.152/mii/guy2.html (currently offline). It turns out that this isn't the first time we have encountered this kind of URL. One month earlier a similar URL on the same class-C IP address: hxxp://1.234.31.142/mii/guy2.html (currently offline) served an older zero-day (CVE-2012-4792). We continued to track this IP class segment and a few days ago found a new live instance of this attack serving the new zero-day on a different IP address with the same URL path.
The zero-day campaign seems to have launched in the first half of September 2013 targeting Japanese and Korean users:
The attacker uses navigator.userLanguage to identify the end-user machine's language. If the user machine's language is neither Korean nor Japanese, the JavaScript redirects the page to google.com, thereby terminating the attack on that machine.
The attacker also checks the operating system and Internet Explorer versions as can be seen in the image below:
The code validates that the user's machine runs Windows XP with Internet Explorer 8. If it doesn't, the attack will once again terminate. From tests conducted in our lab, we determined that the exploit also works on Windows 7 with an adjustment to the shellcode: using valid ROP chains (a technique to bypass DEP by taking advantage of existing commands) for each Windows environment and overcoming ASLR which is part of the operating system.
The last check the attackers perform before invoking the exploit itself is making sure that the exploit will only execute once per machine to avoid detection. It does so by setting a cookie named "Cookie1=KK20130912;".
After performing the checks discussed above, the attack also uses ROP chains targeting Korean/Japanese browser language packs to further validate the targets of the attack, but this time implicitly:
The attack also uses the "DOMElement Property Spray," a technique also used in the last Internet Explorer zero-day (CVE-2013-3893) a couple of weeks ago. A Metasploit module has already been written for this specific vulnerability (CVE-2013-3893).
The code above creates a new Array and fills it with new elements (DIV elements in this case) and proceeds to change the title attribute of each element with many NOPs.
After successful exploitation the attacker uses an XORed shellcode. After XORing the shellcode with 0x94 we get the following payload:
This payload results in the downloading and execution of the following file:
As you may have guessed, this file is not a GIF at all but rather a Windows PE file. Upon execution the malware begins dropping a number of malicious files and drivers on the system.
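For analysts triaging a captured sample, the following added example (not code from the original post or from SpiderLabs) shows the decoding step and the GIF/PE mismatch described above. It goes slightly beyond the post by also trying all 256 one-byte keys when the key is not known; the blob, the URL and the function names are constructed for illustration.

```python
import re

XOR_KEY = 0x94  # single-byte key named in the post
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,200}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def extract_urls(decoded: bytes) -> list:
    """Return printable http(s) URLs found in an already-decoded buffer."""
    return [m.group().decode("ascii") for m in URL_RE.finditer(decoded)]


def recover_keys(blob: bytes) -> list:
    """Try all 256 one-byte keys and keep those whose output exposes a URL."""
    return [k for k in range(256) if extract_urls(xor_bytes(blob, k))]


def gif_is_really_pe(url: str, body: bytes) -> bool:
    """True when the URL path ends in .gif but the body starts with the PE 'MZ' magic."""
    claims_gif = url.lower().split("?")[0].endswith(".gif")
    return claims_gif and body[:2] == b"MZ"


# Constructed sample: filler bytes around a placeholder URL, encoded with 0x94.
# It stands in for a captured buffer; it is not the payload from the post.
_PLAIN = b"\x90\x90\xeb\x10" + b"http://payload.example.invalid/pic.gif\x00" + b"\xcc\xcc"
SAMPLE_BLOB = xor_bytes(_PLAIN, XOR_KEY)

if __name__ == "__main__":
    for key in recover_keys(SAMPLE_BLOB):
        for url in extract_urls(xor_bytes(SAMPLE_BLOB, key)):
            print(f"key=0x{key:02x} url={url}")
```

The same magic-byte comparison can be applied at a proxy or in a sandbox to flag any download whose extension and leading bytes disagree.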
For the sake of brevity, we have included a high-level analysis of each file. In short, the payload is quite messy, dropping at least ten drivers, executables and DLLs on the victim machine.
In short, this payload is responsible for a number of malicious activities. It attempts to disable any security products that may be running on the victim machine, redirects banking sites to a malicious IP address and tries to steal credentials for popular on-line games.
The various techniques used indicate that this payload is not meant for any targeted scenario but instead will simply try to target any Korean or Japanese users it stumbles upon.
Special thanks go to my SpiderLabs colleague Josh Grunzweig for his contribution to this blog post.