Earlier this week several vulnerabilities were disclosed as part of the leak of information from the Italian company Hacking Team. We’ve noted that this exploit is now in use by various exploit kits. However, feedback provided by the Smart Protection Network also indicates that this exploit was also used in limited attacks in Korea and Japan. Most significantly, these took place before the Hacking Team leak took place; we first found this activity on July 1.

The exploit code we found is very similar to the code published as part of the Hacking Team leak. As a result of this, we believe that this attack was carried out by someone with access to the Hacking Team tools and code.

According to the Adobe security bulletin, the vulnerability CVE-2015-5119 affects all of the latest Flash versions on Windows, Mac, and Linux. Adobe has since provided a security update for this vulnerability.

Looking into the attacks

In late June, we learned that a user in Korea was the attempted target of various exploits, including CVE-2014-0497, a Flash vulnerability discovered last year. Traffic logs indicate the user may have received spearphishing emails with attached documents. These documents contained a URL for the user to visit; this URL led to a site hosted in the United States which contained a Flash exploit, detected as SWF_EXPLOYT.YYKI. This particular exploit targets the zero-day Adobe vulnerability that was disclosed during the Hacking Team leak. We noticed that this exploit was downloaded to the user’s machine several times in a week.

The infection chain can be seen in the following pictures:

Figure 1. Accessed URLs

Figure 2. Created processes (highlighted in red)

The first picture shows the URLs that were accessed during the attack. The second picture shows the process that was created by this malware.

The zero-day exploit is hosted at hxxp://{malicious domain}/img_h/ims2/icon.swf. After a successful exploit, a binary file will be downloaded from hxxp://{malicious domain}/img_h/ims2/icon.jpg. This file, detected as TROJ_NETISON.AB, is actually an XOR encrypted PE file. The shellcode in the exploit decrypts this and saves it to C:\Users\{user name}\AppData\Local\Temp\RealTemp.exe and executes it. (Note that while there is a legitimate Real Temp application designed to monitor system temperatures that also uses this exact same file name, it has nothing to do with this attack.)

This file acts as a downloader; it downloads a malicious payload and creates a process, mshta.exe, which is a legitimate system file, but its code is already patched in memory with malicious routine. The second payload is a picture like the ones below:

Figures 3 and 4. Downloaded images

We also found that other users had also visited the domain that hosted the exploit code. While many of these users were also in Korea, one of them was located in Japan. This activity started as early as June 22. We cannot confirm that they too were the subject of exploit attempts, but this is likely.

There are several interesting aspects to this attack. The exploit we found here has a similar structure to those we analyzed as part of the initial Hacking Team leak. The only difference is the sample from this attack has a malicious payload, whereas the code that was part of the leaks did not.

We believe this attack was generated by Hacking Team’s attack package and code. From a purely engineering perspective, this code was very well written. Some attackers may be able to learn how to deploy and manage targeted attacks to different victims from the leaked code.

We will continue to monitor for further threats that are linked to the vulnerabilities disclosed as part of the Hacking Team leak.

Update as of July 8, 2015, 2:48 P.M. PDT (UTC-7)

Adobe has released a fix for the Flash zero-day vulnerability. Information about this update has been released in APSB15-16. We recommend that users apply this update as soon as possible.

Update as of July 9, 2015, 8:53 PM PDT (UTC – 7)

Trend Micro is already able to protect users against this threat out of the box, without any necessary updates. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior. The Browser Exploit Prevention feature in the Endpoint Security in Trend Micro™ Smart Protection Suite detects the exploit once the user accesses the URL it is hosted in. Browser Exploit Prevention detects against exploits that target browsers or related plugins.

Vulnerability protection in Trend Micro Deep Security protects user systems from threats that may leverage this vulnerability with the following DPI rule:

1006824 – Adobe Flash ActionScript3 ByteArray Use After Free Vulnerability

Timeline of posts related to the Hacking Team