Continuing our analysis of the recent Adobe zero-day exploit, we find that the infection chain does not end with the Flash exploit, detected as SWF_EXPLOIT.MJST. Rather, the exploit downloads and executes malware belonging to the BEDEP family.
Ties to BEDEP Malware
This detail is rather interesting because this is not the first time an Adobe zero-day has used BEDEP malware as its final payload. In the last days of January, we came across a Flash zero-day vulnerability that led to the download of BEDEP malware onto the affected computer.
And as mentioned earlier, the latest vulnerability (CVE-2015-0313) also features BEDEP malware as its final payload.
Figure 1. Infection chain for the CVE-2015-0313 exploit
Based on our analysis, the infection chain begins with a site that hosts malvertisements. As the name implies, these are malicious online advertisements. Often, a user's system becomes infected only if the user clicks on a malvertisement. In this particular case, however, the user does not need to do anything to be affected: the site had previously been compromised, so merely loading the page is enough to trigger the chain.
Once the user visits the site, the malvertisement leads to what appears to be the Hanjuan exploit kit landing page. This landing page then executes the Flash exploit SWF_EXPLOIT.MJST. This exploit then downloads and executes two encoded payloads, detected as BKDR64_BEDEP.E and TROJ64_BEDEP.B.
The fact that the payloads are encoded can be seen as one way of evading detection. A signature written for the decoded executable will not match while the payload is still encoded, whether it is passing through the network layer or is scanned at rest in its encoded state; detection therefore has to happen at, or after, the point where the payload is decoded.
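To make the evasion concrete, here is an added example (not code from the original post or from Trend Micro). The post does not say how BEDEP's payloads are encoded, so the example assumes a single-byte XOR wrapper purely for illustration; the "payload" is a constructed PE-like stub, not a real sample. It shows a plaintext signature failing on the encoded bytes, and a decoder-aware scanner recovering the key from the known `MZ` header and matching after decoding.

```python
# Added example, not code from the original post. The encoding scheme (single-byte
# XOR) and the payload bytes are assumptions made for this demo only.
from typing import Optional

DOS_STUB = b"This program cannot be run in DOS mode"
SIGNATURE = DOS_STUB  # what a naive content scanner looks for in the decoded file

# Constructed stand-in for a dropped executable: MZ header, DOS stub text, junk bytes.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b".\r\n$" + bytes(range(256))


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same function decodes since XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def naive_scan(blob: bytes) -> bool:
    """Signature match on the bytes exactly as they appear on the wire or on disk."""
    return SIGNATURE in blob


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Crib attack: a PE starts with 'MZ', so key = blob[0] ^ 'M', confirmed by 'Z'.

    A two-byte crib alone has a 1/256 chance of a false hit, which is why the
    caller still verifies the full signature after decoding.
    """
    if len(blob) < 2:
        return None
    key = blob[0] ^ 0x4D  # 'M'
    return key if (blob[1] ^ key) == 0x5A else None  # 'Z'


def decode_aware_scan(blob: bytes) -> bool:
    """Match the signature either directly or after undoing the assumed XOR layer."""
    if naive_scan(blob):
        return True
    key = recover_xor_key(blob)
    if key is None:
        return False
    return SIGNATURE in xor_encode(blob, key)


if __name__ == "__main__":
    encoded = xor_encode(FAKE_PE, 0x5C)
    print("naive scan on encoded payload:", naive_scan(encoded))          # False
    print("recovered key:", hex(recover_xor_key(encoded)))                # 0x5c
    print("decode-aware scan on encoded payload:", decode_aware_scan(encoded))  # True
```

The point is the layering, not the toy cipher: any signature applied before the decoding step (proxy, IDS, on-access file scan of the downloaded blob) sees only the encoded bytes, so controls that inspect memory or hook the decode routine are the ones that get a chance to match.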
Key Observations on the BEDEP Malware Family
We noticed that the number of BEDEP malware family detections increased during the first few weeks of 2015. The most affected country is the United States, followed by Japan.
BEDEP initially went undetected and unnoticed because of its heavy encryption, its use of Microsoft file properties as a disguise, and its use of seemingly legitimate export functions. Our recent findings also show that the malware's main purpose is to turn infected systems into members of a botnet that can be used for other malicious purposes. Additionally, BEDEP is known for carrying out advertising fraud routines and downloading additional malware.
BEDEP may pose problems in debugging because of its heavy encryption, especially in the 64-bit variant. Fortunately, its file structure and physical properties may help in identifying the malware. Below are some of the file properties this malware uses for its disguise:
Figure 2. File properties used by BEDEP in order to disguise itself
Its export functions use a random set of words to make them seem legitimate, although on closer inspection the words make no sense and are incoherent. Furthermore, we observed that BEDEP's file structure is similar to VAWTRAK's.
Figure 3. Export functions seen in BEDEP malware
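The "random words as export names" trait above lends itself to a simple triage heuristic. Legitimate DLLs reuse a small vocabulary across their exports (Get, Set, Create, Open, File, Handle, and so on), whereas a table of names built from unrelated words repeats almost nothing. The following is an added example, not code from the original post or from Trend Micro: it splits CamelCase export names into words and measures vocabulary reuse. The export lists are constructed for illustration and are not BEDEP's actual export names; the threshold is an assumption to be tuned against your own corpus, and the optional file reader assumes the third-party `pefile` module.

```python
# Added example, not code from the original post. Export lists are constructed;
# the 0.15 reuse threshold and the 5-export minimum are assumptions for triage.
import re
from typing import Iterable, List

# Splits 'GetWindowTextW' -> ['Get','Window','Text','W'], 'HTTPSendRequest' -> ['HTTP','Send','Request']
CAMEL_RE = re.compile(r"[A-Z]+(?=[A-Z][a-z])|[A-Z]?[a-z]+|[A-Z]+|\d+")

# Constructed list mimicking a legitimate Windows API export table.
LEGIT_EXPORTS = [
    "CreateFileW", "CreateFileA", "ReadFile", "WriteFile", "CloseHandle",
    "GetFileSize", "SetFilePointer", "GetLastError", "SetLastError", "OpenProcess",
]

# Constructed list of incoherent word-salad names in the style the post describes.
SALAD_EXPORTS = [
    "SpoonGardenAttic", "VelvetLanternCobble", "OrangeHarborQuilt", "MarbleWhistleFern",
    "PebbleTunnelBasket", "CactusRibbonAnvil", "SaddleMeadowChisel", "GlacierPuddingTrumpet",
]


def split_words(name: str) -> List[str]:
    """Break an export name into lower-cased words on CamelCase boundaries."""
    return [w.lower() for w in CAMEL_RE.findall(name)]


def vocabulary_reuse(exports: Iterable[str]) -> float:
    """Fraction of word occurrences that repeat an already-seen word.

    0.0 means every word across every export is unique (pure word salad);
    values around 0.3-0.5 are typical when names share verbs and nouns.
    """
    words = [w for name in exports for w in split_words(name)]
    if not words:
        return 0.0
    return 1.0 - len(set(words)) / len(words)


def looks_like_word_salad(exports: List[str], threshold: float = 0.15, min_exports: int = 5) -> bool:
    """Flag an export table with enough names and almost no shared vocabulary."""
    if len(exports) < min_exports:
        return False  # too few names to judge; avoid flagging tiny legitimate DLLs
    return vocabulary_reuse(exports) < threshold


def exports_from_file(path: str) -> List[str]:
    """Read export names from a PE on disk; requires the third-party 'pefile' module."""
    import pefile  # assumed installed; not part of the standard library
    pe = pefile.PE(path, fast_load=True)
    pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_EXPORT"]])
    export_dir = getattr(pe, "DIRECTORY_ENTRY_EXPORT", None)
    if export_dir is None:
        return []
    return [sym.name.decode("ascii", "replace") for sym in export_dir.symbols if sym.name]


if __name__ == "__main__":
    import sys
    targets = {"constructed legit": LEGIT_EXPORTS, "constructed salad": SALAD_EXPORTS}
    for path in sys.argv[1:]:
        targets[path] = exports_from_file(path)
    for label, exports in targets.items():
        print(f"{label}: reuse={vocabulary_reuse(exports):.2f} salad={looks_like_word_salad(exports)}")
```

This is a triage signal, not a verdict: combine it with the other traits the post lists, such as version-info fields that claim a Microsoft origin on a file that is neither signed nor located where Microsoft ships that binary.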
We will continue to update this blog post with any notable developments about the BEDEP malware.
With additional analysis and input by Lenart Bermejo, Jed Valderama, and Nazario Tolentino II