
    Author Archive - Brooks Li (Threats Analyst)

    Feedback from the Trend Micro™ Smart Protection Network™ shows that the Angler Exploit Kit and Nuclear Exploit Pack have been updated to include the recent Hacking Team Flash zero-day. The independent researcher Kafeine has also reported that the Neutrino Exploit Kit includes this zero-day.

    The existence of this particular vulnerability was just leaked from Hacking Team; Adobe has confirmed this vulnerability and released an advisory. This advisory also confirms that this flaw has been assigned a CVE number, CVE-2015-5119. Adobe’s bulletin also confirms that all versions of Flash Player in use today are potentially vulnerable.

    All Flash Player users are at risk until they can download the patch. It is expected that a patch will be delivered by Adobe sometime on July 8. We noted earlier this month that Flash Player was being targeted more frequently by exploit kits, and that pattern shows no sign of changing soon.

    Figure 1. Angler exploit kit HTTP GET header

    Figure 2. Nuclear exploit kit HTTP GET header

    We have identified one of the payloads spread this way, particularly by the Angler exploit kit, as CryptoWall 3.0.

    Figure 3. Cryptowall ransom page

    Trend Micro is already able to protect users against this threat. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can detect this threat by its behavior without any engine or pattern updates. The Browser Exploit Prevention feature in our endpoint products, such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security, blocks the exploit as soon as the user accesses the URL it is hosted at. Browser Exploit Prevention detects exploits that target browsers or related plugins.

    Vulnerability protection in Trend Micro Deep Security protects user systems from threats that may leverage this vulnerability with the following DPI rule:

    • 1006824 – Adobe Flash ActionScript3 ByteArray Use After Free Vulnerability

    The SHA1 hashes of the malicious Adobe Flash exploits are:

    • 03bc4a75626ca7e3c1b43b1c73d4f569c4805fcf
    • 9e3223bc016c94b5b576e3489f8d9b6d979b8965

    Update as of July 8, 2015, 7:00 PM PDT (UTC – 7)

    Adobe has released a fix for the Flash zero-day vulnerability. Information about this update has been released in APSB15-16. We recommend that users apply this update as soon as possible.

    Update as of July 9, 2015, 2:56 AM PDT (UTC – 7)

    Upon further investigation of feedback from the Trend Micro™ Smart Protection Network™, we found that the Magnitude Exploit Kit has also added CVE-2015-5119 to its exploits. The resulting infection chain ends with TROJ_CRYPWALL.XXTXM.


    Timeline of posts related to the Hacking Team

    July 5: The Italian company Hacking Team was hacked, with more than 400GB of confidential company data made available to the public.
    July 7: Three exploits, two for Flash Player and one for the Windows kernel, were initially found in the information dump. One of these, CVE-2015-5119, was a Flash zero-day. The Windows kernel vulnerability (CVE-2015-2387) existed in the Adobe Type Manager Font Driver (ATMFD.dll) and can be exploited to escape sandbox mitigations. The Flash zero-day exploit (CVE-2015-5119) was added to the Angler Exploit Kit and Nuclear Exploit Pack; it was also used in limited attacks in Korea and Japan.
    July 11: Two new Flash zero-day vulnerabilities, CVE-2015-5122 and CVE-2015-5123, were found in the Hacking Team dump.
    July 13: Further analysis of the Hacking Team dump revealed that the company used a UEFI BIOS rootkit to keep its Remote Control System (RCS) agent installed on targets' systems.
    July 14: A new zero-day vulnerability (CVE-2015-2425) was found in Internet Explorer.
    July 16: On the mobile front, a fake news app designed to bypass Google Play's checks was discovered.
    July 20: A new zero-day vulnerability (CVE-2015-2426) was found in Windows, which Microsoft fixed in an out-of-band patch.
    July 21: Analysis of the RCSAndroid spying tool revealed that it can listen in on calls and roots devices to gain access.
    July 28: A recent campaign compromised Taiwan and Hong Kong sites to deliver Flash exploits related to Hacking Team.



    We have additional information that helps identify the exploit kit used in the Adobe Flash zero-day attack we blogged about yesterday. Adobe states in its advisory that the related vulnerability, CVE-2015-0313, affects current versions (Adobe has since removed version 11.x and earlier from the list of affected software).

    At first, we figured that the exploit kit involved was the Angler Exploit Kit because of the URL's characteristics. We tested the sample using Angler's HTML parameters and found that SWF_EXPLOIT.MJST could be run.

    Another clue pointing to Angler was the very similar obfuscation method.

    Figure 1. Similar obfuscation methods between two recent zero-days.

    As Kafeine, an independent researcher, pointed out to me, the attack is much more similar to the Hanjuan Exploit Kit. That exploit kit is very much directed towards capturing US traffic from a specific domain, via a specific ad platform. While it would be difficult to identify the exact exploit kit used in this specific run, based on clues from the domain/IP, the upper-level HTML, and the history of the exploit kit, I think his attribution is reasonable, and I appreciate his help.

    In terms of impact, however, the threat is as potent as ever. An in-the-wild zero-day exploit added to an already effective malvertising scheme should make us think twice about how careful we think we are when browsing online. Malvertisements are an old style of malware delivery, but they remain notoriously effective because websites have no choice but to load ads and trust whatever content is served by third parties. Users, on the other hand, also have no choice but to accept ads as part of their everyday browsing experience.

    We say "no choice" lightly: in reality, IT administrators have much more secure options available to them. While updating software is a baseline best practice, it will do nothing for this attack until a patch exists. Enterprise and home users should consider disabling Flash Player at least until the new patch is released, which Adobe has said it will do within the week.

    We also tested the exploit against Google Chrome and found that it cannot escape the sandbox.

    Trend Micro products have been protecting users from this attack from the beginning through different technologies.

    The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can also detect this threat by its behavior without any engine or pattern update. The Browser Exploit Prevention feature in our endpoint products, such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security, blocks the exploit as soon as the user accesses the URL it is hosted at. Browser Exploit Prevention also protects against exploits that target browsers or related plugins.

    Trend Micro™ Deep Security, Vulnerability Protection (formerly the Intrusion Defense Firewall plug-in for OfficeScan), and Deep Discovery customers with the latest rules also have an additional layer of protection against this vulnerability. Specifically, Trend Micro has released the following rules and patterns:

    • Deep Security rule DSRU15-004
    • Deep Packet Inspection (DPI) rule 1006468 for Deep Security and Vulnerability Protection (formerly the IDF plug-in for OfficeScan)

    More information about Trend Micro solutions for this threat are available in our support portal.

    Update as of February 4, 2015 12:53 A.M. (PST) – The entry has been edited to expound on the Trend Micro solutions for this threat.


    Around this time in 2013, the most commonly used exploit kit, the Blackhole Exploit Kit, was shut down after its creator, Paunch, was arrested by law enforcement. Since then, a variety of exploit kits have emerged and have been used by cybercriminals.

    The emergence of so many replacements has also meant that there are now some key technical differences between these various exploit kits. In this post, we shall go over some of these differences.

    Exploits used

    Exploits targeting Internet Explorer, Silverlight, and Adobe Flash vulnerabilities were frequently used by exploit kits in the past year. The four vulnerabilities below were among the most frequently targeted:

    1. CVE-2013-0074 (Silverlight)
    2. CVE-2014-0515 (Adobe Flash)
    3. CVE-2014-0569 (Adobe Flash)
    4. CVE-2013-2551 (Internet Explorer)

    The most notable change in this list is the relative absence of Java vulnerabilities. Exploit kits have been removing Java because of the increasing use of click-to-play for Java applets, rendering Java a far less attractive target for exploits.

    The table below shows which exploits are in use by each exploit kit:

    Table 1. Exploits used by various exploit kits

    Plugin Detection

    Almost all exploit kits run some sort of fingerprinting code that detects the browser and plugin versions a would-be victim is running, in order to determine which exploit to send to that user.

    The code needed to do this varies from one exploit kit to another, and is actually fairly complex because of the number of possible permutations of browsers and plugins.

    Two exploit kits – Nuclear and FlashPack – use a legitimate JavaScript library, PluginDetect. This minimizes the work the creators of the exploit kit need to do, as well as providing a complete set of features. However, this also means that this library has known characteristics: this makes it more visible to security vendors looking for sites used by exploit kits.

    By contrast, most exploit kits write their own library to perform this task. This makes detection harder, but it also reduces the capabilities of the libraries. Many of these libraries, for example, will only function under Internet Explorer. The Magnitude exploit kit uses a third method – server-side code – to detect plugins.

    The following table summarizes which libraries are used.

    Table 2. Plug-in detection methods used

    The following screenshot shows the PluginDetect library as used in exploit kits:

    Figure 1. PluginDetect library in use

    The following screenshot shows one of the custom libraries in use:

    Figure 2. Custom library in use

    Antivirus Detection

    A new feature that has been added to exploit kits is the ability to detect installed security software. If certain specific security products are installed, the exploit kit will stop itself from running. Both antivirus products and virtual machine software can be targeted in this manner.

    This behavior is possible because of a vulnerability in Internet Explorer (CVE-2013-7331). The vulnerability allows a web page to check for the presence of files and folders on the visitor's system. It was first publicly reported in February 2014, but was only patched in September of the same year as part of MS14-052.

    The following table summarizes the products that each exploit kit detects:

    Table 3. Software products detected by exploit kits

    Obfuscation Techniques

    Exploit kits regularly use various techniques to obfuscate their activity, but some exploit kits have added new ones. In both of the cases described below, the attackers are using legitimate tools to obfuscate their files.

    The Angler exploit kit now uses the Pack200 format to help avoid detection. Pack200 is a compact archive format that was developed by Sun (Java's original developer) to compress .JAR files significantly. Tools to unpack these files ship with the Java Development Kit, but many security products do not support the format, so they are unable to scan the malicious file inside.

    Figure 3. HTTP request and reply headers

    In the Pack200-compressed file, the "PK" signature expected at the start of a standard JAR (which is a ZIP archive) is absent:

    Figure 4. Binary examination of Java file

    Meanwhile, Flash files are also being protected by the FlashPack and Magnitude exploit kits. These use a commercially available tool called DoSWF to hide their files. The tool was meant to allow developers to hide the ActionScript contents of their Flash files from people who would copy or pirate them. Unfortunately, this also works against security software, which cannot decrypt DoSWF-protected files.

    Figure 5. Code calling DoSWF in ActionScript


    The chart below shows the monthly traffic (measured in number of hits) we detected for various exploit kits. No single exploit kit dominated the market; fierce competition kept changing the landscape. Magnitude, Angler, and Sweet Orange were the most frequently encountered kits throughout the year.

    Figure 6. Traffic seen to various exploit kits


    Exploit kit developers have not been idle in the year since the collapse of the Blackhole exploit kit. They have made various improvements that help improve the capabilities of these tools.

    The defenses against these tools on the part of users remain the same. We highly recommend that users apply all updates to their software as soon as is practical, since many of the vulnerabilities targeted by attackers were fixed by the software vendors long ago.

    Posted in Exploits (What's New in Exploit Kits in 2014)

    Malicious browser extensions bring about security risks as these often lead to system infection and unwanted spamming on Facebook. Based on our data, these attacks have notably affected users in Brazil.

    We have previously reported that cybercriminals are placing malicious browser extensions in the official Chrome Web Store. We also came across malware that bypasses a Google security feature that checks third-party extensions. For this blog entry, we performed an in-depth analysis of a malicious Chrome browser extension and its evasion tactics, after receiving samples from Facebook. Facebook's security team conducts its own malware research and regularly collaborates with Trend Micro to keep the service safe.

    The Ins and Outs of the Browser Plugin

    The malicious Chrome plugin (detected as BREX_KILIM.LL) is composed of two files, manifest.json and background.js. The manifest.json file tells Chrome to load background.js:


    Figure 1. Two files behind the malicious plugin

    The file background.js will execute the following routines:

    1. It prevents the removal of the malicious plugin. If users open a tab to chrome://extensions to check for malicious browser extensions, the plugin closes that tab immediately.


    Figure 2. Code showing the closing of said tab

    2. It prevents access to antivirus websites. Any attempts to visit antivirus software websites will be blocked.


    Figure 3. Code showing the blocking of specific sites


    Figure 4. Notification showing access was blocked by the extension

    3. It strips a security header from HTTP responses. This header is typically used to prevent cross-site scripting attacks, and it would otherwise block the script the plugin injects, which does not belong to Facebook.


    Figure 5. Code removing portions of the HTTP header

    4. It runs JavaScript code when users visit Facebook. When a user opens Facebook, the plugin injects JavaScript into the tab where the site is open. This lets the cybercriminals control the user's account: the user will unwillingly follow, like, or subscribe to Facebook accounts chosen by the attackers, with each action performed automatically by the injected code. The affected user's friends will also see these actions in their feeds and may inadvertently install the plugin as well.


    Figure 6. Screenshot of the malicious JavaScript that makes users follow, like, or subscribe to a Facebook account owned by the cybercriminals

    Evasion Tactics

    To avoid having their extensions detected and removed from computers, cybercriminals are using the following evasion methods:

    1. They split the malicious code across multiple script files that work together.


    Figure 7. Malicious plugin split across multiple scripts

    The malicious behavior is separated into multiple files. If each script file is analyzed independently, the overall malicious behavior may not be spotted and the files may be (mistakenly) thought to be clean.

    2. They encode the JavaScript content.

    The attackers hex-encode strings, as seen in the screenshot below:


    Figure 8. Encoded strings via Hex

    After decoding the hex string, the result (shown below) is identical to the original code. The encoding exists only to evade signature-based detection by security products.


    Figure 9. Decoded string

    3. They use HTTPS and a known-good domain to host the malicious JavaScript.


    Figure 10. A good domain used by the malicious plugin

    For instance, the domain in Figure 10 is a free cloud application platform where anyone can upload an app, and the cybercriminals use it to host their malicious JavaScript. The tactic also helps the plugin evade URL detection and blocking by security solutions.

    4. They use Twitter to hide malicious URLs.


    Figure 11. Code communicating with Twitter servers


    Figure 12. Twitter profile that houses the URL

    The malicious plugin runs JavaScript in the user's browser tab that downloads the content of a Twitter profile controlled by the attackers. The profile text hides the malicious URL the plugin then connects to, so the cybercriminals can change the plugin's behavior simply by editing the profile, without touching the installed extension.

    5. They use fake file extensions.


    Figure 13. The plugin uses .DLL as its supposed extension

    Infections and Protection

    Based on our data starting from May 2014 onwards, Trend Micro HouseCall has helped about 1,000,000 users whose computers have been infected by malicious browser extensions. The top affected countries are mostly located in the Latin American region, such as Brazil, Mexico, Colombia, and Peru.

    Figure 14. Top affected countries

    We strongly advise users to avoid clicking links in messages, even if they appear to come from their friends. Users can also use Trend Micro HouseCall to secure their systems from online threats, including those that leverage or abuse Facebook. Trend Micro and Facebook are working closely together to combat this threat.

    Below is the SHA1 hash of the malicious file:

    • 4733c4ea00137497daad6d2eca7aea0aaa990b46



    Exploit kits have long been part of the cybercriminal's arsenal. One of the most notorious exploit kits in recent years is the Blackhole Exploit Kit; coverage of it reached fever pitch with the arrest of its author in 2013.

    The Blackhole Exploit Kit may have met its demise, but this hasn’t deterred cybercriminals from using other exploit kits for their schemes. In fact, other exploit kits are still in use, often with improvements or upgrades. An example is the Nuclear Exploit Kit.

    We observed that the Nuclear Exploit Kit recently added a Silverlight exploit (CVE-2013-0074) to its arsenal. We believe the attackers behind the Nuclear Exploit Kit added Silverlight to their roster of targeted software for two reasons: to expand their attack surface and to avoid detection, as not many security solutions have detections for this particular exploit.

    The Silverlight exploit

    As with its other targeted software, the Nuclear Exploit Kit's landing page checks whether the victim's system has Silverlight installed. If the check passes, it attempts to use the Silverlight exploit to drop malware onto the system.


    Figure 1. The payload

    Upon closer analysis, it appears that an error exists in the version-checking JavaScript code.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice