2014-02-02 - Landscape

CVE-2013-5330 (Flash) in an unknown Exploit Kit fed by high rank websites



On 2014-01-28 Nathan Fowler warned about a drive-by on eHow.net and Livestrong.com.
It was serving a payload that triggered TDLv4+ traffic signatures (its check-in over SSL), connected to these reports from a 2012 campaign:
https://lists.emergingthreats.net/pipermail/emerging-sigs/2012-September/020497.html
https://lists.emergingthreats.net/pipermail/emerging-sigs/2012-September/020496.html
https://lists.emergingthreats.net/pipermail/emerging-sigs/2012-September/020504.html
https://lists.emergingthreats.net/pipermail/emerging-sigs/2012-September/020431.html
Note: in 020431 the exploit kit is GrandSoft.

C&C for the payload:
95.211.169.162
16265 | 95.211.0.0/16 | LEASEWEB | NL | LEASEWEB.COM | LEASEWEB B.V.
https://wqgc.alphaeffects\.net

pDNS on the host
(a perfect match for the pattern in alert 020496)

I checked eHow and Livestrong. Where I was expecting malicious ads, the source of the drive-by was in fact an injected iframe:

Iframe at the end of a Livestrong page
2014-01-28

Same iframe on eHow
2014-01-28
The exploit kit is unknown to me.

Successful pass through the exploit kit fed by eHow and Livestrong.
WinXP - Flash 10.3.183.20 - IE 8
2014-01-28
69.172.229.216
13768 | 69.172.228.0/22 | PEER1 | US | IX.IO | DAIGER SYDES GUSTAFSON LLC

It's a Flash-only exploit kit that was serving Flash versions 10.1.x through 11.2.x.
Other Flash versions get an empty reply at the third call:

Server side decides not to serve the exploit to Flash 11.7.x.x
Trying to figure out which CVE it could be based on those version numbers, I ended up with:
CVE-2012-0779 and CVE-2012-1535 as candidates... or something newer with a server-side block to avoid making too much noise.

I asked for help and Timo Hirvonen from F-Secure figured out it was CVE-2013-5330.
That one was patched on 2013-11-12, together with CVE-2013-5329, which recently appeared in Angler EK.

So we have something like:
CVE-2013-5330 path in the Flash-only EK
2014-01-28
GET http://asmmedia .net/86df2e83.htm
200 OK (text/html)

GET http://asmmedia .net/swfobject.js
200 OK (application/javascript)

GET http://asmmedia .net/1fd67f39/11/2/
200 OK (text/html)


Call for the XML


GET http://asmmedia .net/engine/68d14faf.xml
200 OK (text/html)


Call for the exploit


GET http://asmmedia .net/f6b5da0c.swf
200 OK (text/html)  61670074963d99b0f72a16e434e12dde
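The two observations above, the server-side version gate (only Flash 10.1.x through 11.2.x gets past the third call) and the five-request chain on asmmedia .net, can be turned into a small triage script over proxy logs. The following is an added example, not code from the original post or from the kit's author; the log lines are constructed (the client IPs are invented, the URL shapes are copied from the chain above), the stage regexes are an assumption that the hex token is always 8 characters as in the captured URLs, and the served range is taken from the post's own observation.

```python
import re
from collections import OrderedDict
from urllib.parse import urlsplit

# Constructed sample proxy log lines, not taken from the post. Format:
# "<client_ip> <method> <url> <status> <content_type>".
# 10.0.0.5 plays a Flash 10.3 victim that completes the chain; 10.0.0.9 plays a
# Flash 11.7 client that is cut off by the server-side gate after the third call.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.livestrong.com/article/12345/ 200 text/html
10.0.0.5 GET http://asmmedia.net/86df2e83.htm 200 text/html
10.0.0.5 GET http://asmmedia.net/swfobject.js 200 application/javascript
10.0.0.5 GET http://asmmedia.net/1fd67f39/10/3/ 200 text/html
10.0.0.5 GET http://asmmedia.net/engine/68d14faf.xml 200 text/html
10.0.0.5 GET http://asmmedia.net/f6b5da0c.swf 200 text/html
10.0.0.9 GET http://asmmedia.net/86df2e83.htm 200 text/html
10.0.0.9 GET http://asmmedia.net/swfobject.js 200 application/javascript
10.0.0.9 GET http://asmmedia.net/1fd67f39/11/7/ 200 text/html
10.0.0.9 GET http://www.ehow.com/how_123_something.html 200 text/html
"""

EK_HOST = "asmmedia.net"

# Stage name -> regex on the URL path, in the order the chain was observed.
# Assumption: the hex token is always 8 chars, as in the captured URLs.
# The third stage carries the victim's Flash major/minor in the path.
STAGES = [
    ("landing",   re.compile(r"^/[0-9a-f]{8}\.htm$")),
    ("swfobject", re.compile(r"^/swfobject\.js$")),
    ("version",   re.compile(r"^/[0-9a-f]{8}/(\d+)/(\d+)/$")),
    ("xml",       re.compile(r"^/engine/[0-9a-f]{8}\.xml$")),
    ("swf",       re.compile(r"^/[0-9a-f]{8}\.swf$")),
]

# Flash versions the server side was observed to serve (from the post).
SERVED_MIN = (10, 1)
SERVED_MAX = (11, 2)


def is_served(major, minor):
    """Mirror the observed server-side gate: exploit only for 10.1.x .. 11.2.x."""
    return SERVED_MIN <= (major, minor) <= SERVED_MAX


def classify(url):
    """Return (stage, (major, minor) or None) if url is a chain stage on EK_HOST."""
    parts = urlsplit(url)
    if parts.hostname != EK_HOST:
        return None
    for name, rx in STAGES:
        m = rx.match(parts.path)
        if m:
            version = tuple(int(x) for x in m.groups()) if m.groups() else None
            return name, version
    return None


def reconstruct(log_text):
    """Group EK requests per client and report how far each got through the chain."""
    per_client = OrderedDict()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _method, url, _status, _ctype = line.split(maxsplit=4)
        hit = classify(url)
        if hit is None:
            continue  # not EK traffic (e.g. the referer site itself)
        stage, version = hit
        rec = per_client.setdefault(client, {"stages": [], "flash": None})
        rec["stages"].append(stage)
        if version:
            rec["flash"] = version
    for rec in per_client.values():
        rec["exploit_fetched"] = "swf" in rec["stages"]
        rec["in_served_range"] = rec["flash"] is not None and is_served(*rec["flash"])
    return per_client


if __name__ == "__main__":
    for client, rec in reconstruct(SAMPLE_LOG).items():
        print(client, rec)
```

A client that reaches the `version` stage but never the `swf` stage with a Flash version outside the served range is exactly the "empty reply at the third call" case; a client that reaches `swf` is one to pull the payload hashes for. Run it over real proxy logs by replacing `SAMPLE_LOG` with the file contents, keeping the same five-field shape.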


Protected by secureSWF


Flash file in FFdec
Dropped?
A downloader: ESET: Miep.B - Microsoft: Lurk [Edit: apparently not tied to the RU-focused Lurk]
85b66824a7f2787e87079903f0adebdf
e9da19440fca6f0747bdee8c7985917f

-----
This campaign raises some questions:
- It's blinking. I didn't check long enough to find a pattern, but in 24 hours it was up only 6-7 hours.
- They only go after Flash... weird. Seeing the high-rank websites used for traffic, it's difficult to think this is a "working area" for a coder.
- They do not attack as widely as they could: if it's indeed a fully working CVE-2013-5330, they could serve up to 11.9.900.117, which is only a few months old.

Or the main goal is staying below the radar... If so: goal achieved. It would still be active if the payload were as stealthy as the EK itself. From the feedback I got there are more than 60 referers. For instance eHow (Alexa 116 US / 292 world) was redirecting since at least 2013-12-09, and this exploit kit has been active since the beginning of November... (I don't know if it was already CVE-2013-5330 at that time; if so, it was then an unpatched vulnerability!)

I am also wondering how they compromised those websites...


Demand Media sites
Cracked? How strange is that



Cracked.com Serving Malware in Drive-By Downloads - 2013-11-14 - Brian Donohue
-----

It would be nice to have some telemetry on asmmedia .net/*.swf and *.js calls. Anyone? :)

<edit1 2014-02-10>
Telemetry from Microsoft in :
A journey to CVE-2013-5330 exploit

</edit1>

Based on some data found on the C&C, the owners of the payload are dealing with "decent" numbers.
Install stats found on the C&C.
11/10/2012   -->  23982
I would say 2nd-stage installs or something else,
but not Miep, because the numbers don't match for January.
Files: Miep downloader only. (CVE: md5: 61670074963d99b0f72a16e434e12dde)
(If you happen to work on this, I'm always happy to learn more.)
Thanks a lot to Nathan Fowler, Timo Hirvonen (F-Secure), Chris Wakelin and Will Metcalf (Emerging Threats) for their help.

Post-publication reading:
Malware Analysis of the Lurk Downloader - Brett Stone-Gross - Dell SecureWorks - 2014-08-07
A journey to CVE-2013-5330 exploit - MPC (Microsoft) - Chun Feng - 2014-02-10