A Closer Look at the Exploit Kit in CVE-2015-0313 Attack

We now have information that helps identify the exploit kit used in the Adobe Flash zero-day attack we blogged about yesterday. Adobe states in its advisory that the vulnerability, CVE-2015-0313, affects current versions of Flash Player (Adobe has since removed version 11.x and earlier from the list of affected software).

At first we suspected the Angler Exploit Kit because of the characteristics of the URL. To test this we loaded the malicious SWF (detected as SWF_EXPLOIT.MJST) using Angler's HTML parameters and found that it runs.

Another clue pointing to Angler is that the obfuscation method is very similar.

Figure 1. Similar obfuscation methods between two recent zero-days.

However, as the independent researcher Kafeine pointed out to me, the attack is much more similar to the Hanjuan Exploit Kit. That exploit kit is aimed squarely at capturing US traffic from a specific domain through a specific ad platform. It is difficult to pin down the exact exploit kit used in this particular run, but based on the clues from the domain and IP address, the upper-level HTML, and the history of the exploit kit, I think the Hanjuan attribution is reasonable, and I appreciate his help.

Whichever kit is responsible, the threat is as potent as ever. An in-the-wild zero-day exploit added to a very effective malvertising scheme should make us think twice about how careful we really are when browsing. Malvertising is an old delivery method, but it remains notorious because websites have no choice but to load ads and trust whatever content third parties serve. Users, in turn, have no choice but to accept ads as part of their everyday browsing.

We say "no choice" loosely; in reality, IT administrators have more secure options available to them. Keeping software updated is a baseline best practice, but it does nothing against this attack right now, because no patch exists yet. Enterprise and home users should consider disabling Flash Player at least until the patch is released, which Adobe has said it will do within the week.
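As an added example (not part of the original post and not a Trend Micro or Adobe tool), here is one way an administrator could disable Flash Player in Internet Explorer, Chrome and Firefox on a Windows endpoint until the patch ships. It assumes an elevated PowerShell session, Adobe's Shockwave Flash ActiveX CLSID, the Chrome DisabledPlugins policy and Firefox plugin.state.flash preference as the vendors documented them at the time, and the default 32-bit Firefox install path; check the policy names against your current admin templates and adjust the paths before use.

```powershell
# Added example, not from the original post: emergency mitigation for
# CVE-2015-0313 on a Windows endpoint by disabling Flash Player in
# Internet Explorer, Chrome and Firefox until Adobe's patch is applied.
# Assumptions: elevated PowerShell; the CLSID is Adobe's Shockwave Flash
# ActiveX control; policy/pref names are as the vendors documented them
# at the time; Firefox is installed in the default 32-bit path.

$flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash ActiveX control

# 1. Internet Explorer: set the ActiveX kill bit (Compatibility Flags = 0x400).
#    The Wow6432Node key covers 32-bit IE on 64-bit Windows.
$ieRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ([Environment]::Is64BitOperatingSystem) {
    $ieRoots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}
foreach ($root in $ieRoots) {
    $key = Join-Path $root $flashClsid
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
}

# 2. Google Chrome bundles its own PPAPI Flash, so removing the system plugin
#    is not enough; use the managed DisabledPlugins policy, which Chrome reads
#    straight from the registry (no gpupdate needed).
$chromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome\DisabledPlugins'
New-Item -Path $chromePolicy -Force | Out-Null
Set-ItemProperty -Path $chromePolicy -Name '1' -Value 'Shockwave Flash' -Type String

# 3. Mozilla Firefox: lock plugin.state.flash = 0 (never activate) through an
#    autoconfig file so users cannot re-enable it from about:config.
$ffDir = 'C:\Program Files (x86)\Mozilla Firefox'
if (Test-Path $ffDir) {
    Set-Content -Path (Join-Path $ffDir 'defaults\pref\autoconfig.js') -Value @(
        'pref("general.config.filename", "mozilla.cfg");',
        'pref("general.config.obscure_value", 0);'
    )
    # mozilla.cfg must begin with a comment line.
    Set-Content -Path (Join-Path $ffDir 'mozilla.cfg') -Value @(
        '//',
        'lockPref("plugin.state.flash", 0);'
    )
}

# 4. Verify what is now in effect.
function Test-FlashDisabled {
    [pscustomobject]@{
        IEKillBit     = (Get-ItemProperty (Join-Path $ieRoots[0] $flashClsid)).'Compatibility Flags' -eq 0x400
        ChromePolicy  = (Get-ItemProperty $chromePolicy).'1' -eq 'Shockwave Flash'
        FirefoxLocked = Test-Path (Join-Path $ffDir 'mozilla.cfg')
    }
}
Test-FlashDisabled
```

The kill bit takes effect the next time Internet Explorer starts, and Chrome picks up registry policy within a few minutes or on restart. Treat all three settings as a stop-gap: once the patched Flash Player is deployed, remove the kill bit and the Chrome policy and unlock the Firefox preference, or users will stay without Flash after the risk has passed.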

We also tested the exploit against Google Chrome and found that it cannot escape the sandbox.

Trend Micro products have been protecting users from this attack from the beginning through the Script Analyzer engine in Trend Micro™ Deep Discovery for enterprises, and through the Browser Exploit Prevention feature in endpoint products.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 3 February 2015; the full text is available from the content source named above.