Since January 20, we have obtained copies of malicious SWF files used by the Angler exploit kit via feedback provided by the Smart Protection Network. These samples were obtained from users in the United States; we believe that one of the samples we obtained is the same zero-day Flash exploit reported by the security researcher Kafeine, but from an infection chain different from the one reported by Kafeine.
The Angler exploit kit is believed to have been responsible for distributing this exploit. The past day has seen a significant uptick in the activity of the Angler exploit kit server related to the zero-day, as can be seen in the chart below:
Figure 1. Number of hits to the Angler exploit kit server landing page related to the zero-day
The graph clearly shows a significant increase in Angler activity in the past day, which is roughly the same time since the existence of this vulnerability was first revealed. Most of these users are in the United States, as the chart below shows:
Figure 2. Geographic distribution of users affected by Angler
Analysis of the feedback provided by our products suggests that malvertisements are being used to deliver these exploits to end users. While we have not completed our analysis of the exploit itself, it is clear that a current version of Adobe Flash Player is affected:
Figures 3 and 4. Infection chain of Flash exploit
Exploit Method and Obfuscation
Until a patch is issued by Adobe, we will refrain from discussing the details of the exploit. However, we do note that the overall method is similar to earlier Flash zero-days like CVE-2014-0515.
We also note that the samples we’ve seen are heavily obfuscated. Firstly, it uses the loadByte() function to load and execute an embedded Flash file. The function name loadByte is obfuscated using string operations, and the parameter (i.e., the content of the embedded Flash file) is also obfuscated using byte array obfuscation.
The embedded Flash file itself uses multiple control flow obfuscation techniques.
The Shell Code
The shell code in the sample enumerates the needed API function address first. It then creates a new thread to download the payload from exploit kit server.
The payload is encrypted, which the shell code will decrypt in memory. From the obtained API, we can see there is no CreateProcess and WriteFile. Thus, it will not drop the final PE file onto the disk like other exploit kits do. This is the typical behavior of Angler exploit kit.
Figure 5. Screenshot of function addresses saved in memory by the shellchode
Recommendations and Best Practices
In the absence of an Adobe bulletin, users may consider disabling Flash Player until a fixed version is released. We also note that Chrome’s version of the Flash Player plugin is sandboxed, mitigating potential effects to end users. Firefox is also immune to this threat.
The Browser Exploit Prevention feature in our endpoint products (Trend Micro Security, OfficeScan, and Worry-Free Business Security) blocks the exploit upon accessing the URL it is hosted in. Browser Exploit Prevention also protects against exploits that target browsers or related plugins. The existing Sandbox and Script Analyzer engine that is part of Deep Discovery can also be used to detect this threat, without any engine or pattern update.
We will update this post with further updates as necessary.
Additional thanks to Joseph C. Chen for providing the sample and additional data, as well as Brooks Li, Jack Tang, Moony Li, Michael Du, Peter Pi for further analysis.
Update as of January 22, 2015, 11:00 AM PST
Trend Micro™ Deep Security and Vulnerability Protection (formerly the Defense Firewall plug-in for OfficeScan) protects user systems from threats that may leverage this zero-day vulnerability following the DPI rule:
- 1006460 – Adobe Flash Player Buffer Overflow Vulnerability
Update as of January 22, 2015, 9:30 PM PST
Since we published this post, there have been several developments surrounding this exploit. First, this exploit is now being targeted at Firefox as well. Currently, users of Internet Explorer and Firefox are being affected by this exploit kit.
Secondly, Adobe released an update to Flash, bringing the latest version to 220.127.116.117. However, this does not patch the vulnerability described in this post. Instead, it fixes a separate vulnerability (CVE-2015-0310). A patch for the vulnerability described here (now designated as CVE-2015-0311) will be released sometime next week.
In the mean time, we note that Chrome is still unaffected by this vulnerability. Users of other browsers who are unable to disable Flash Player (due to usability issues) can consider downloading ad blocking software or extensions, which would held in reducing the exposure to this threat.
Trend Micro products continue to detect these threats as described above. We detect the malicious Flash files used in these attacks as SWF_ANGZIA.A.
Update as of January 24, 2015, 7:30 PM PST
Products with the ATSE (Advanced Threats Scan Engine), such as Deep Discovery, have heuristic rules which detect attacks using this vulnerability. These attacks are detected as HEUR_SWFMSTR.A with ATSE pattern 9.755.1253 since January 24.
Update as of January 25, 2015, 8:00 PM PST
Adobe has started rolling out updates to Flash Player that fixes this vulnerability. Currently, only users with automatic updates turned on will receive the newest version (18.104.22.1686). Others will have to wait for a manually downloadable version, or for updates to be released by their browser vendor (for Chrome and some Internet Explorer users).