When it comes to exploit kits, it’s all about the timing. Exploit kits often integrate new or zero-day exploits in the hopes of getting a larger number of victims with systems that may not be as up-to-date with their patches. We found two vulnerabilities that were now being targeted by exploit kits, with one being the recent Pawn Storm Flash zero-day.
Starting on October 28, we found that these two vulnerabilities were being targeted by the Angler and Nuclear exploit kits. (The second vulnerability was a Flash vulnerability that worked on versions up to 220.127.116.11; we are currently working with Adobe to confirm the CVE number for this exploit.)
Diffie-Hellman Protocol Misuse
Our latest research confirms that the two exploit kits abusing the Diffie-Hellman key exchange, with some minor differences from the previous usage. This is being done to hide their network traffic and to get around certain security products.
The changes are an attempt to make analysis of their key exchange by researchers more difficult. The Angler EK has made the following changes to its usage of the Diffie-Hellman protocol. They add some obfuscation to what had previously been a relatively clear and obvious process.
- It will no longer send g and p from the client to server. Instead, it sends an ssid which identified the g and p pair.
- The random key K is 128-byte, rather than 16-byte. The use of a 128-byte key makes it harder to decrypt the raw data.
Figure 4. Diffie-Hellman protocol, using SSID to identify g, p pair
Figure 5. Code snippet showing 128-byte key
Multiple payloads were downloaded onto user systems by these exploit kits. We saw instances wherein the final payload were BEDEP and CryptoLocker—at the same time. In other cases, backdoor ROVNIX malware, TeslaCrypt/CryptoWall ransomware, and KASIDET infostealers were downloaded onto user machines.
Figure 6. BEDEP C&C server activity
Feedback from the Smart Protection Network indicates that activity for the Angler exploit kit was higher in the earlier weeks of October; perhaps the addition of these vulnerabilities is an attempt to raise the traffic levels of the exploit back to the earlier levels. Users in Japan, the United States, and Australia were the most affected.
Trend Micro is already able to protect users against this threat. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates.
Trend Micro Deep Security and Vulnerability Protection, on the other hand, protect user systems from threats that may leverage the Pawn Storm Flash vulnerability with the DPI rule 1007119 – Identified Malicious Adobe Flash SWF File.
The SHA1 of the Flash exploits and payloads are:
Updated on November 4, 2015, 11:21 A.M. PST (UTC-8) to include relevant Trend Micro Deep Security and Vulnerability Protection DPI rule.