By Moony Li and Hugo Cao
In early April of this year a zero-day exploit (designated as CVE-2016-1019) was found in Adobe Flash Player. This particular flaw was soon used by the Magnitude Exploit Kit, which led to an Adobe out-of-cycle patch. This flaw was being used to lead to drive-by download attacks with Locky ransomware as the payload.
However, this did not end the threat for users. We recently saw a new variant of this attack that added an unusual twist. On top of the Flash exploit, an old escalation of privileges exploit in Windows (CVE-2015-1701) was used to bypass sandbox technologies.
Stealthy malicious behavior
To analyze this threat, we examined both captured network traffic and a downloader file (detected as TROJ_LOCKY.DLDRA). The network traffic was consistent with the use of a CVE-2016-1019 exploit. Meanwhile, the downloader used an unusual kernel exploit. It connected to a command-and-control (C&C) server located at 202[.]102[.]110[.]204:80 and installed the Locky ransomware. To do this, it would use several kernel-level system mechanisms: work items, system threads, and asynchronous procedure calls (APC). These do not require any files to be created, and allow the malware to be installed onto the system without detection.
The downloader also hides its malicious behavior at runtime and compromises svchost.exe, the system process used by Windows to host various services. It also checks the version of Windows in use and the date when the vulnerable file (win32k.sys) was modified before attempting the exploit; this may be done to reduce the risk of detection.
The exploit may have been used to avoid detection, particularly those using sandboxing technology. In addition, the cloaking behavior based on this kernel exploit adds complexity and makes analysis and sandbox detection more difficult. A code branch found during analysis suggests different kernel exploits may be used for later versions of Windows.
Overview of Locky downloader
TROJ_LOCKY.DLDRA functions like any other downloader, except for its use of kernel exploits to hide its malicious behavior. The diagram below provides an overview of its routines:
Figure 1. Downloader workflow overview
Based on our analysis, the sample has multiple anti-debug tricks as well as new packing method. This includes decrypted API strings and construction of API addresses at run time.
The parent/initial process does nothing other than create a fork/child process with a randomly generated command-line parameter. The child process then checks the running OS version and finally exploits the CVE-2015-1701 vulnerability if the system is vulnerable. If that is the case, the svchost.exe is hit with malicious APCs to connect back to the C&C server and download the Locky ransomware. The final payload is detected by Trend Micro as RANSOM_LOCKY.PUY .
When the child process is executed, it first checks the OS version to see if it the above vulnerability is still unpatched. If this is the case, it will be exploited. Otherwise, the downloader will still connect to the C&C server, except it will do so directly without the cloaking technique.
To trigger the bug, the downloader would first hook ClientCopyImage as DetourClientCopyImage in the dispatch table user32.dll!afnDispatch. As the reverse call back is provided by Microsoft, this API could be called back when USER32!CreateWindowEx is called.
Figure 2. Pseudocode of DetourClientCopyImage
When SetWindowLongA is executed, Fake_WinProc_exploit_403A90 (which contains the malicious payload code) would be executed with kernel privileges, which it should not have.
Figure 3. Pseudo-code of BeginExploit_403C42 in which the vulnerability is triggered
The pseudocode above shows how CVE-2015-1701 is triggered by calling CreateWindowExA.
Figure 4. Call stack when the payload in user mode is executed from Kernel
The call stack above shows how the prepared payload binary in user mode is executed in Fake_WinProc_exploit_403A90 by this function win32k!xxxSendMessage call from the kernel.
(Exploit) tricks of the trade
After the kernel vulnerability is triggered, the downloader will utilize various techniques to hide its malicious behavior. As seen in figure 1, the kernel exploit first queues one malicious work item by nt!ExQueueWorkItem from the child process space. These work items are managed and scheduled to improve performance.
When the malicious work item routine is called after the thread scheduler, it enumerates all system processes to find a svchost.exe process with “–k netsvcs” parameters in command-line. It then attaches to this, allocates memory, and copies malicious code under its space, and finally delivers a user mode APC for this process.
As designed, the user mode APC could only be executed in the denoted process/thread context or svchost process in this condition. When the svchost process was compromised with a malicious APC, it forks a new thread in its space. The new thread then downloads other payload using a special API call.
Figure 5. Call-stack snapshot when a remotely forked thread connects to the C&C in svchost.
This downloader used complex and subtle techniques to connect back to its C&C. server We believe that was done to hide its malicious routines under seemingly normal and benign system behavior which can be white-listed or bypass any defenses.
Relatively few people pay attention to kernel exploits, or any behavior caused by these. That may be one reason the downloader used this technique. In addition, using system provided mechanisms such as work items, APCs, and system threads are usually disregarded and not monitored for malicious behavior. Doing so is also difficult, as their structures are usually volatile and only executed at run-time.
On the other hand, the svchost process connecting to outside networks is considered perfectly normal, as the process is designed to provide many services for other Microsoft processes. Hiding network traffic here would be considered ideal.
We strongly advise users to update their systems with the latest version of Adobe Flash Player. Keeping software up-to-date is another means of securing your system against exploit attacks. It is also best to always back up your data and avoid paying any ransom as this doesn’t guarantee that you will retrieve your files back.
- 1007572 – Adobe Flash Player Remote Code Execution Vulnerability (CVE-2016-1019)
TippingPoint customers are protected from attacks exploiting the CVE-2016-1019 vulnerability with the following MainlineDV filter:
- 24253: HTTP: Adobe Flash FileReference Type Confusion Vulnerability
Trend Micro™ Deep Discovery can frequently detect zero-day attacks without an update being needed. Trend Micro endpoint solutions such as Trend Micro™ Security, Trend Micro™ Smart Protection Suites, and Trend Micro Worry-Free™ Business Security already protect user systems from Locky ransomware by detecting the malicious files.
Here is the related SHA1 hash in this attack: