
Magnitude Exploit Kit using HTML5 canvas element to hide Iframe (Nov 17, 2014)

The Dell SonicWALL Threats Research team analyzed a drive-by attack involving the Magnitude exploit kit, which leads to the download of additional malware on the target system after a successful exploit run. The malware in this case is a Trojan downloader.

The Magnitude exploit kit is an old kit that has been in the wild for more than a year. Recently, however, we observed an update in the way it redirects victims from compromised websites to its landing page. With this update, the kit redirects users through an iframe that is generated from a specially crafted image file, in order to evade AV detection.

The kit uses the HTML5 canvas element to read the image file byte by byte and extract the iframe, as shown below:

Fig-1 : Javascript code to extract data from image file

Below are screenshots of the crafted image file and its decoded data.

Fig-2 : Encoded image file
Fig-3 : Decoded Iframes from image file
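As an added example (not code from the original post or from the kit), the following Python triage heuristic flags scripts that chain the three behaviours described above: reading pixels back out of an image, converting the bytes to text, and writing the recovered markup into the page. The indicator patterns and the two sample scripts are constructed assumptions, not captured kit code.

```python
import re

# Indicators for the canvas-based loader behaviour described in the post.
INDICATORS = {
    "pixel_read":   re.compile(r"\.getImageData\s*\(", re.I),
    "byte_to_text": re.compile(r"String\.fromCharCode\s*\(", re.I),
    "markup_write": re.compile(
        r"document\.write\s*\(|\.innerHTML\s*=|createElement\s*\(\s*['\"]iframe['\"]", re.I),
    "iframe_text":  re.compile(r"<\s*iframe", re.I),
}

def analyse_script(js: str) -> dict:
    """Return which indicators fire and whether the full decode chain is present."""
    hits = {name: bool(pat.search(js)) for name, pat in INDICATORS.items()}
    # Benign canvas code (filters, charts) reads pixels too; only flag a script
    # when the pixels are decoded to text AND written back into the DOM.
    chain = hits["pixel_read"] and hits["byte_to_text"] and hits["markup_write"]
    return {"hits": hits, "suspicious": chain}

def scan_scripts(samples: dict) -> list:
    """Return the names of the samples whose full decode chain fired."""
    return [name for name, js in samples.items() if analyse_script(js)["suspicious"]]

# Constructed samples. BENIGN_FILTER is an ordinary grayscale filter that reads
# pixels but never decodes them to text; SUSPICIOUS_LOADER is a shortened,
# non-functional sketch of the loader shape (its decode loop is elided).
BENIGN_FILTER = """
var ctx = canvas.getContext('2d');
var img = ctx.getImageData(0, 0, canvas.width, canvas.height);
for (var i = 0; i < img.data.length; i += 4) {
  var g = (img.data[i] + img.data[i+1] + img.data[i+2]) / 3;
  img.data[i] = img.data[i+1] = img.data[i+2] = g;
}
ctx.putImageData(img, 0, 0);
"""

SUSPICIOUS_LOADER = """
var d = x.getImageData(0, 0, w, h).data, s = '';
/* decode loop elided */ s += String.fromCharCode(d[k]);
document.write(s);
"""

if __name__ == "__main__":
    for name, js in {"benign_filter": BENIGN_FILTER, "loader": SUSPICIOUS_LOADER}.items():
        print(name, analyse_script(js))
```

Run it over scripts captured from a web proxy or browser cache to shortlist candidates for manual review; the verdict is a heuristic, so a hit is a lead, not a conviction.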

On successful decoding, the kit redirects users to its landing page. The landing page contains HTML code to run a Java applet, Flash content and an iframe, which carry the exploits. Unlike other kits, this kit’s landing page doesn’t check which browser plugins or software are installed on the system.

Fig-4 : Magnitude Exploit kit’s landing page

At the time of analysis, we observed it serving CVE-2013-2465 (Java vulnerability) and CVE-2013-2551 (IE10 vulnerability). On successful exploitation, these exploits download further malicious binaries.

Keeping software up to date helps mitigate this exploit kit.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • Upatre.AA_14 (Trojan)
  • Injector.BLVV (Trojan)
  • Simda.B_61 (Trojan)

Yet another attack targeting Java vulnerability CVE-2013-2465 (Feb 5, 2014)

The Dell SonicWALL threat research team has observed another live malware sample exploiting CVE-2013-2465 in the wild. The vulnerability allows remote attackers to bypass the Java sandbox via vectors related to “Incorrect image channel verification” in 2D.

When a victim is lured into visiting the malicious website http://sxxxxxxxxxxxxxxxx.br, the browser downloads obfuscated JavaScript, for example:

The de-obfuscated JavaScript looks like this:

This script determines the JRE version. Other scripts use different functions, and eventually different malicious files are downloaded according to the configuration of the victim’s machine.

We’ve analyzed the downloaded jnlp file and the Java applet. The jnlp file itself leverages another exploit, the Unsigned Applet Restriction Bypass Weakness, which bypasses the Java security warning. This flaw was fixed in the Java 1.7.21 update.

The Java applet is highly obfuscated too:

It first tries to exploit the vulnerability in SinglePixelPackedSampleModel. The decompiled code looks like:

A successful exploit sets the SecurityManager to null.

Then it tries to download copy.exe.

In the end, copy.exe is executed by calling:

rundll32 url.dll,FileProtocolHandler "C:\DOCUME~1\USERNAME\LOCALS~1\Temp\Copy.exe"

Dell SonicWALL has released several signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • Anti-SPY: Malformed-File class.TL.39
  • GAV: Malformed.class.MT.3
  • GAV: Malformed.jar.TL.4
  • GAV: Malformed.jar.TL.5
  • GAV: Pakes.ADDS

Oracle Java CVE-2013-2465 attacks spotted in the wild (Nov 1, 2013)

The Dell SonicWALL threat team has observed live malware exploiting CVE-2013-2465 in the wild. The vulnerability referenced by CVE-2013-2465 is related to incorrect image channel verification in the 2D component of the Java Runtime Environment (JRE) in Oracle Java SE; the vulnerable versions include Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, 5.0 Update 45 and earlier, and OpenJDK 7. By exploiting the issue, an attacker can inject and execute arbitrary code remotely.

By exploiting this vulnerability, the observed malware executes the following steps:

a. Creates a “mspaints.exe” file with the following code:

b. Executes mspaints.exe

c. mspaints.exe copies itself to the system directory and deletes the first copy

d. Connects to a malicious webpage:

Dell SonicWALL has created the following IPS signatures to prevent attacks targeting this vulnerability:

  • 4539 Malformed Java Class File 8
  • 4547 Malformed Java Class File 9
  • 4662 Malformed Java Class File 11