Hacking Team Flash Zero-Day Tied To Attacks In Korea and Japan… on July 1

Earlier this week several vulnerabilities were disclosed as part of the leak of information from the Italian company Hacking Team. We’ve noted that this exploit is now in use by various exploit kits. However, feedback provided by the Smart Protection Network also indicates that this exploit was also used in limited attacks in Korea and Japan. Most significantly, these took place before the Hacking Team leak took place; we first found this activity on July 1.

The exploit code we found is very similar to the code published as part of the Hacking Team leak. As a result of this, we believe that this attack was carried out by someone with access to the Hacking Team tools and code.

According to the Adobe security bulletin, the vulnerability CVE-2015-5119 affects all of the latest Flash versions on Windows, Mac, and Linux. Adobe said they will provide patch on July 8. We recommend users to disable Flash Player temporarily before the fix is made available.

Looking into the attacks

In late June, we learned that a user in Korea was the attempted target of various exploits, including CVE-2014-0497, a Flash vulnerability discovered last year. Traffic logs indicate the user may have received spearphishing emails with attached documents. These documents contained a URL for the user to visit; this URL led to a site hosted in the United States which contained a Flash exploit, detected as SWF_EXPLOYT.YYKI. This particular exploit targets the zero-day Adobe vulnerability that was disclosed during the Hacking Team leak. We noticed that this exploit was downloaded to the user’s machine several times in a week.

The infection chain can be seen in the following pictures:

Figure 1. Accessed URLs

Figure 2. Created processes (highlighted in red)

The first picture shows the URLs that were accessed during the attack. The second picture shows the process that was created by this malware.

The zero-day exploit is hosted at hxxp://{malicious domain}/img_h/ims2/icon.swf. After a successful exploit, a binary file will be downloaded from hxxp://{malicious domain}/img_h/ims2/icon.jpg. This file, detected as TROJ_NETISON.AB, is actually an XOR encrypted PE file. The shellcode in the exploit decrypts this and saves it to C:\Users\{user name}\AppData\Local\Temp\RealTemp.exe and executes it. (Note that while there is a legitimate Real Temp application designed to monitor system temperatures that also uses this exact same file name, it has nothing to do with this attack.)

This file acts as a downloader; it downloads a malicious payload and creates a process, mshta.exe, which is a legitimate system file, but its code is already patched in memory with malicious routine. The second payload is a picture like the ones below:

Figures 3 and 4. Downloaded images

We also found that other users had also visited the domain that hosted the exploit code. While many of these users were also in Korea, one of them was located in Japan. This activity started as early as June 22. We cannot confirm that they too were the subject of exploit attempts, but this is likely.

There are several interesting aspects to this attack. The exploit we found here has a similar structure to those we analyzed as part of the initial Hacking Team leak. The only difference is the sample from this attack has a malicious payload, whereas the code that was part of the leaks did not.

We believe this attack was generated by Hacking Team’s attack package and code. From a purely engineering perspective, this code was very well written. Some attackers may be able to learn how to deploy and manage targeted attacks to different victims from the leaked code.

We will continue to monitor for further threats that are linked to the vulnerabilities disclosed as part of the Hacking Team leak.

Related posts

Hacking Team Flash Zero-Day Integrated into Exploit Kits

A Look at the Open Type Font Manager Vulnerability from the Hacking Team Leak

Unpatched Flash Player Flaw, More POCs Found in Hacking Team Leak

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Hacking Team Flash Zero-Day Tied To Attacks In Korea and Japan… on July 1

Read more: Hacking Team Flash Zero-Day Tied To Attacks In Korea and Japan… on July 1

Story added 8. July 2015, content source with full text you can find at link above.