
Flash Greets 2015 With New Zero-Day

  • Posted on:January 22, 2015 at 3:16 am
  • Posted in:Exploits
  • Author:
    Weimin Wu (Threat Analyst)

Since January 20, we have obtained copies of malicious SWF files used by the Angler exploit kit via feedback provided by the Smart Protection Network. These samples were obtained from users in the United States; we believe that one of the samples we obtained is the same zero-day Flash exploit reported by the security researcher Kafeine, but from an infection chain different from the one reported by Kafeine.

The Angler exploit kit is believed to have been responsible for distributing this exploit. The past day has seen a significant uptick in the activity of the Angler exploit kit server related to the zero-day, as can be seen in the chart below:

Figure 1. Number of hits to the Angler exploit kit server landing page related to the zero-day

The graph clearly shows a significant increase in Angler activity in the past day, which roughly coincides with the first public reports of this vulnerability. Most of the affected users are in the United States, as the chart below shows:

Figure 2. Geographic distribution of users affected by Angler


Infection Chain

Analysis of the feedback provided by our products suggests that malvertisements are being used to deliver these exploits to end users. While we have not completed our analysis of the exploit itself, it is clear that a current version of Adobe Flash Player is affected:

Figures 3 and 4. Infection chain of Flash exploit

Exploit Method and Obfuscation

Until a patch is issued by Adobe, we will refrain from discussing the details of the exploit. However, we do note that the overall method is similar to earlier Flash zero-days like CVE-2014-0515.

We also note that the samples we’ve seen are heavily obfuscated. First, the sample uses the loadBytes() function to load and execute an embedded Flash file. The function name loadBytes is obfuscated using string operations, and the parameter (i.e., the content of the embedded Flash file) is also obfuscated using byte array obfuscation.

The embedded Flash file itself uses multiple control flow obfuscation techniques.
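To make the two obfuscation layers concrete from the analyst's side, here is an added Python triage script (not code from Trend Micro or from the samples) that takes a SWF, unwraps the FWS/CWS container, and applies three cheap static checks: a search for a second SWF header inside the body (the unobfuscated loadBytes() wrapper pattern), a search for the Loader/loadBytes API names, and a Shannon-entropy measure of the decompressed body. The three sample files at the bottom are constructed fixtures, not real Angler artifacts. The point the third fixture makes is the one the paragraph above implies: once the function name is assembled at runtime and the embedded file is stored as a scrambled byte array, the string and header checks find nothing, and only the entropy of the blob remains as a static signal, which is why dynamic (sandbox) analysis is needed for samples like these.

```python
import math
import random
import struct
import zlib
from collections import Counter

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# Names of the AS3 API used to run an embedded SWF straight from memory (Loader.loadBytes).
LOADER_STRINGS = (b"loadBytes", b"Loader", b"ByteArray")


def decompress_swf(data: bytes) -> bytes:
    """Return the SWF body (everything after the 8-byte signature/version/length header).

    FWS is stored uncompressed and CWS is zlib-compressed; ZWS (LZMA) is not handled here.
    """
    if len(data) < 8 or data[:3] not in SWF_MAGICS:
        raise ValueError("not a SWF container")
    signature = data[:3]
    if signature == b"FWS":
        return data[8:]
    if signature == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError("ZWS (LZMA) container not supported by this example")


def find_embedded_swf(body: bytes) -> list:
    """Offsets where a plausible inner SWF header starts inside a decompressed body.

    A SWF carrying a second, unobfuscated SWF is the classic loadBytes() wrapper layout.
    The version and declared-length sanity checks cut down chance matches on the
    three-letter magic inside other binary data (images, fonts, sounds).
    """
    hits = []
    for magic in SWF_MAGICS:
        pos = body.find(magic)
        while pos >= 0:
            if pos + 8 <= len(body):
                version = body[pos + 3]
                declared_len = struct.unpack("<I", body[pos + 4:pos + 8])[0]
                if version <= 40 and 8 < declared_len <= 64 * 1024 * 1024:
                    hits.append(pos)
            pos = body.find(magic, pos + 1)
    return sorted(hits)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 indicate encrypted, obfuscated or compressed content."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_swf(data: bytes) -> dict:
    """Static triage of one SWF: decompress, then apply the three heuristics."""
    body = decompress_swf(data)
    embedded = find_embedded_swf(body)
    loader_names = [s.decode() for s in LOADER_STRINGS if s in body]
    entropy = shannon_entropy(body)
    high_entropy = entropy > 7.0 and len(body) >= 1024
    return {
        "embedded_swf_offsets": embedded,
        "loader_strings": loader_names,
        "entropy": round(entropy, 2),
        "suspicious": bool(embedded) or "loadBytes" in loader_names or high_entropy,
    }


def build_swf(payload: bytes, compress: bool = False) -> bytes:
    """Constructed test fixture: wrap arbitrary bytes in a minimal SWF container.

    The tag area is not validated, which is enough for byte-level heuristics.
    """
    # RECT with nbits=0 (1 byte), frame rate 12.0 (2 bytes), frame count 1 (2 bytes)
    header_rest = b"\x00" + b"\x00\x0c" + b"\x01\x00"
    body = header_rest + payload
    total_len = 8 + len(body)
    if compress:
        return b"CWS" + bytes([10]) + struct.pack("<I", total_len) + zlib.compress(body)
    return b"FWS" + bytes([10]) + struct.pack("<I", total_len) + body


# Constructed samples (not real Angler artifacts):
INNER_SWF = build_swf(b"\x00" * 16)
# 1. A plain loadBytes wrapper: the API name and the inner SWF are visible in the clear.
WRAPPER_SWF = build_swf(b"\x00\x10loadBytes\x00" + INNER_SWF, compress=True)
# 2. An obfuscated wrapper: the inner file is stored as a scrambled blob, so the
#    string and header checks find nothing and only the entropy gives it away.
_rng = random.Random(1)
OBFUSCATED_SWF = build_swf(bytes(_rng.getrandbits(8) for _ in range(4096)), compress=True)
# 3. A benign file with nothing of interest.
CLEAN_SWF = build_swf(b"\x00" * 32)

if __name__ == "__main__":
    for name, sample in (("wrapper", WRAPPER_SWF), ("obfuscated", OBFUSCATED_SWF), ("clean", CLEAN_SWF)):
        print(name, triage_swf(sample))
```

The entropy threshold of 7.0 over at least 1 KB is a working assumption, not a published figure; legitimate SWFs that embed JPEG or MP3 data will also score high, so treat the result as a triage hint that routes the file to a sandbox rather than as a verdict.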

The Shell Code

The shell code in the sample first resolves the addresses of the API functions it needs. It then creates a new thread to download the payload from the exploit kit server.

The payload is encrypted, and the shell code decrypts it in memory. The set of resolved APIs includes neither CreateProcess nor WriteFile. Thus, it will not drop the final PE file onto the disk the way other exploit kits do. This is the typical behavior of the Angler exploit kit.

Figure 5. Screenshot of function addresses saved in memory by the shellcode

Recommendations and Best Practices

In the absence of an Adobe bulletin, users may consider disabling Flash Player until a fixed version is released. We also note that Chrome’s version of the Flash Player plugin is sandboxed, mitigating the potential impact on end users. Firefox is also immune to this threat.

The Browser Exploit Prevention feature in our endpoint products (Trend Micro Security, OfficeScan, and Worry-Free Business Security) blocks the exploit when the URL hosting it is accessed. Browser Exploit Prevention also protects against exploits that target browsers or related plugins. The existing Sandbox and Script Analyzer engine that is part of Deep Discovery can also be used to detect this threat, without any engine or pattern update.

We will update this post with further updates as necessary.

Additional thanks to Joseph C. Chen for providing the sample and additional data, as well as Brooks Li, Jack Tang, Moony Li, Michael Du, Peter Pi for further analysis.

Update as of January 22, 2015, 11:00 AM PST

Trend Micro™ Deep Security and Vulnerability Protection (formerly the Defense Firewall plug-in for OfficeScan) protect user systems from threats that may leverage this zero-day vulnerability via the following DPI rule:

  • 1006460 – Adobe Flash Player Buffer Overflow Vulnerability

Update as of January 22, 2015, 9:30 PM PST

Since we published this post, there have been several developments surrounding this exploit. First, this exploit is now being targeted at Firefox as well. Currently, users of Internet Explorer and Firefox are being affected by this exploit kit.

Secondly, Adobe released an update to Flash, bringing the latest version to 16.0.0.287. However, this does not patch the vulnerability described in this post. Instead, it fixes a separate vulnerability (CVE-2015-0310). A patch for the vulnerability described here (now designated as CVE-2015-0311) will be released sometime next week.

In the meantime, we note that Chrome is still unaffected by this vulnerability. Users of other browsers who are unable to disable Flash Player (due to usability issues) can consider downloading ad blocking software or extensions, which would help in reducing exposure to this threat.

Trend Micro products continue to detect these threats as described above. We detect the malicious Flash files used in these attacks as SWF_ANGZIA.A.

Update as of January 24, 2015, 7:30 PM PST

Products with the ATSE (Advanced Threats Scan Engine), such as Deep Discovery, have heuristic rules that detect attacks using this vulnerability. These attacks have been detected as HEUR_SWFMSTR.A with ATSE pattern 9.755.1253 since January 24.

Update as of January 25, 2015, 8:00 PM PST

Adobe has started rolling out updates to Flash Player that fix this vulnerability. Currently, only users with automatic updates turned on will receive the newest version (16.0.0.296). Others will have to wait for a manually downloadable version, or for updates to be released by their browser vendor (for Chrome and some Internet Explorer users).

Tags: adobe flash, zero day
