Posts

A new updated version of Terror Exploit Kit observed by SonicWall (March 13th, 2017)

Summary:

Terror exploit kit is a new exploit kit that has been observed in the wild since the beginning of this year. The SonicWall Threat Research team has observed a new version of Terror exploit kit, which now contains code stolen from both the RIG and Sundown exploit kits. The landing page of Terror exploit kit consists of a JavaScript that appears to be stolen from RIG, followed by another script stolen from the Sundown exploit kit. These stolen JavaScripts are followed by embedded Flash exploits. No obfuscation is used in this exploit kit, and neither the landing page nor the payload is encrypted.

Technical Details:

The figure below shows the URL patterns of the landing page, exploits and payload of the observed Terror exploit kit version.

Figure 1: Terror EK URL patterns


Landing Page:

The Terror EK landing page contains two JavaScripts and two Flash exploits embedded in it. Below is the image of the first JavaScript. The code looks like the de-obfuscated RIG exploit kit; the names of the sub-functions inside function exp are exactly the same.

Figure 2: Landing page JavaScript functions


Some of the strings found in the landing page are Il1Iu, Il1Ix, Il1Ica, Il1Ida, function exp(_url, _key), function ush(u, k), function hex(num, width), leakMem, function fire() and function tRIGgerBug; these should help future classification of this variant.

Below is the image of the second JavaScript present in Terror EK landing page.

Figure 3: VBScript embedded in JavaScript


This JavaScript injects malicious VBScript into the DOM dynamically using JavaScript's document.write method, as shown in Figure 3. A similar technique is used in the Sundown exploit kit. The injected VBScript was identified as exploiting the vulnerability described in CVE-2016-0189.

Below is the image showing the two embedded Flash exploits.

Figure 8: Malicious SWF Objects

This variant tries to infect victims by exploiting vulnerabilities in Adobe Flash Player, as shown in Figure 8 above. The kit launches two Flash movies that are malicious exploits; the shellcode is passed to these exploits as an argument through the FlashVars parameter and is executed after successful exploitation. On execution of the shellcode, the payload malware is downloaded and installed onto the victim's system.
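The landing-page traits described above (the RIG-derived function and variable names listed as classification strings, the VBScript injected through document.write, and the SWF objects that receive their argument through FlashVars) can be turned into a simple response-body scorer. The following is an added example, not SonicWall's code or signature logic; the regular expressions, the scoring weights and the constructed sample page are this example's own assumptions, and the sample contains only the marker names and tags, not any exploit code.

```python
import re
from dataclasses import dataclass, field

# Function and variable names the post reports in the Terror EK landing page,
# used here as plain substring indicators.
TERROR_EK_STRINGS = [
    "Il1Iu", "Il1Ix", "Il1Ica", "Il1Ida",
    "function exp(_url, _key)", "function ush(u, k)",
    "function hex(num, width)", "leakMem", "function fire()", "tRIGgerBug",
]

# Structural traits from the post, approximated with regexes of our own:
# VBScript written into the DOM via document.write (Figure 3), and
# object/embed tags loading SWF files with a FlashVars argument (Figure 8).
VBSCRIPT_VIA_DOCWRITE = re.compile(
    r'document\.write\s*\(.{0,200}?<script[^>]*language\s*=\s*[\'"]?vbscript',
    re.IGNORECASE | re.DOTALL)
SWF_OBJECT = re.compile(
    r'<(?:object|embed)[^>]*(?:\.swf|application/x-shockwave-flash)',
    re.IGNORECASE)
FLASHVARS_PARAM = re.compile(r'flashvars', re.IGNORECASE)


@dataclass
class ScanResult:
    string_hits: list = field(default_factory=list)
    vbscript_docwrite: bool = False
    swf_objects: int = 0
    flashvars: bool = False

    @property
    def score(self) -> int:
        # One point per name match; structural traits weigh more because a
        # single borrowed helper name is weak evidence on its own.
        return (len(self.string_hits)
                + (3 if self.vbscript_docwrite else 0)
                + (2 if self.swf_objects and self.flashvars else 0))

    @property
    def verdict(self) -> str:
        # Threshold chosen for this example; tune it against your own traffic.
        return "terror_ek_landing" if self.score >= 5 else "no_match"


def scan_landing_page(body: str) -> ScanResult:
    """Score an HTTP response body against the Terror EK landing-page traits."""
    result = ScanResult()
    result.string_hits = [s for s in TERROR_EK_STRINGS if s in body]
    result.vbscript_docwrite = VBSCRIPT_VIA_DOCWRITE.search(body) is not None
    result.swf_objects = len(SWF_OBJECT.findall(body))
    result.flashvars = FLASHVARS_PARAM.search(body) is not None
    return result


# Constructed sample: a skeleton carrying the marker names and tags only.
SAMPLE_LANDING = """<html><body>
<script>
var Il1Iu = 0, Il1Ix = 1, Il1Ica = [], Il1Ida = [], leakMem;
function hex(num, width) { return (num).toString(16); }
function ush(u, k) { return u; }
function exp(_url, _key) { function fire() {} function tRIGgerBug() {} }
</script>
<script>
document.write('<script language="vbscript">' + 'REM placeholder' + '<\\/script>');
</script>
<embed src="/ld/exp1.swf" type="application/x-shockwave-flash" flashvars="sc=PLACEHOLDER">
<embed src="/ld/exp2.swf" type="application/x-shockwave-flash" flashvars="sc=PLACEHOLDER">
</body></html>"""

# Constructed benign page that happens to share one helper name.
BENIGN_PAGE = "<html><body><script>function hex(num, width){}</script></body></html>"

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_LANDING), ("benign", BENIGN_PAGE)):
        r = scan_landing_page(page)
        print(name, r.verdict, r.score, r.string_hits, r.swf_objects)
```

The string list alone would flag any page that reuses one RIG helper name, so the verdict only fires when several names co-occur or when the document.write/FlashVars structure is present as well.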

During our analysis we observed that the payload has capabilities to disable installed security products, steal credentials, open ports (listening for commands from a remote server) and act as a downloader.

Solution provided by SonicWall:

Keeping software up to date will help mitigate this exploit kit. The SonicWall Threat Research team will continue to monitor this exploit kit and its evolution and update signatures as required.

SonicWall Gateway AntiVirus provides protection against this threat via the following signatures:

Payload: Downloader.A_973

Exploit: CVE-2015-5122.A_2, MalSWF

Landing Page: Terror_EK.LP

CVE-2016-0189 Exploits spotted in the Wild (Aug 26, 2016)

The Microsoft JScript and VBScript engines, as used in Internet Explorer, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted website, aka “Scripting Engine Memory Corruption Vulnerability”.

The Dell SonicWALL Threat Research team has observed that CVE-2016-0189 is being exploited in the wild.

There is a proof of concept for this CVE available here. If you compare the PoC and the exploit, you find that the attacker has added a few new functions and variables.

By inserting alerts in the code one can see that the attacker is trying to invoke a PowerShell process and transfer information back to the attacker's website (the url argument in the code).

Running the exploit, we can see that IE crashes; the vulnerable DLLs are jscript.dll and vbscript.dll.

This happens when the attacker reduces the array size and then accesses an array element that no longer exists after the resize, resulting in a use-after-free condition.

Using the Process Monitor tool, one can see that IE spawns a PowerShell process.

Looking at the PowerShell event properties, one can see that the attacker is trying to download an executable from a malicious website.
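The two observations above, a browser process spawning PowerShell and that PowerShell command line carrying a download URL, are exactly the parent/child relationship a process-creation log lets a defender alert on. The following is an added example, not Dell SonicWALL's detection logic: it parses constructed process-creation records (field names loosely modelled on Sysmon Event ID 1, but the lines, paths and the placeholder URL are made up for this example) and flags script hosts launched by a browser. It generalises slightly beyond the post by also treating cmd.exe, wscript.exe, cscript.exe and mshta.exe as suspicious children, which is an assumption of this example.

```python
import re
from typing import Dict, List

# Each record is a line of key="value" pairs (constructed format).
FIELD = re.compile(r'(\w+)="([^"]*)"')
URL = re.compile(r'https?://[^\s"\')]+')

# Assumptions of this example: browsers whose children we scrutinise, and
# script hosts that a browser should not normally spawn. The post itself only
# describes iexplore.exe launching powershell.exe.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" record into a dict."""
    return dict(FIELD.findall(line))


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def find_browser_spawned_shells(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per event where a browser spawned a script host."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent in BROWSERS and child in SCRIPT_HOSTS:
            cmdline = ev.get("CommandLine", "")
            alerts.append({
                "time": ev.get("UtcTime", ""),
                "parent": parent,
                "child": child,
                # Any URL in the command line is worth surfacing for triage.
                "urls": URL.findall(cmdline),
            })
    return alerts


# Constructed sample records. The download command itself is replaced by the
# placeholder word DOWNLOAD; only the URL shape matters for the detection.
SAMPLE_EVENTS = [
    'UtcTime="2016-08-26 10:01:02" Image="C:\\Program Files\\Internet Explorer\\iexplore.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" CommandLine="iexplore.exe"',
    'UtcTime="2016-08-26 10:01:09" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Program Files\\Internet Explorer\\iexplore.exe" '
    'CommandLine="powershell.exe -w hidden -c DOWNLOAD http://payload.example.invalid/update.exe"',
    # An administrator opening PowerShell from the desktop: not an alert.
    'UtcTime="2016-08-26 10:05:00" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" CommandLine="powershell.exe"',
]

if __name__ == "__main__":
    for alert in find_browser_spawned_shells(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the parent/child pair is the stable signal; the URL extraction is only there to hand the analyst the artefact to block or look up, since the command line itself varies between campaigns.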

The Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signature to protect their customers.

  • IPS 11594: Scripting Engine Memory Corruption Vulnerability (MS16-051) 1

Microsoft (CVE-2016-0189) and Adobe (CVE-2016-4117) Zero day (May 12, 2016)

Recent zero days discovered in Microsoft scripting engine and Adobe Flash player are being exploited in the wild.

The Microsoft JScript and VBScript engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Scripting Engine Memory Corruption Vulnerability” (CVE-2016-0189).

Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified vectors (CVE-2016-4117).

The Dell SonicWALL Threat Research Team has released the following signatures to protect their customers:

  • SPY 4502: Malformed-File swf.MP.410
  • IPS 11594: Scripting Engine Memory Corruption Vulnerability (MS16-051) 1

Microsoft Security Bulletin Coverage (May 10, 2016)

Dell SonicWALL has analyzed and addressed Microsoft's security advisories for the month of May 10, 2016. The list of issues reported, along with Dell SonicWALL coverage information, is as follows:

MS16-051 Cumulative Security Update for Internet Explorer

  • CVE-2016-0188 Internet Explorer Security Feature Bypass
    There are no known exploits in the wild.
  • CVE-2016-0189 Scripting Engine Memory Corruption Vulnerability
    IPS:11594 “Scripting Engine Memory Corruption Vulnerability (MS16-051) 1”
  • CVE-2016-0192 Microsoft Browser Memory Corruption Vulnerability
    IPS:11595 “Microsoft Browser Memory Corruption Vulnerability (MS16-051) 1”
  • CVE-2016-0194 Internet Explorer Information Disclosure Vulnerability
    SPY:4495 “Malformed-File exe.MP.15”

MS16-052 Cumulative Security Update for Microsoft Edge

  • CVE-2016-0191 Microsoft Edge Memory Corruption Vulnerability
    IPS: 11596 “Microsoft Edge Memory Corruption Vulnerability (MS16-051) 1”
  • CVE-2016-0192 Microsoft Browser Memory Corruption Vulnerability
    IPS:11595 “Microsoft Browser Memory Corruption Vulnerability (MS16-051) 1”
  • CVE-2016-0193 Scripting Engine Memory Corruption Vulnerability
    IPS:11597 “Scripting Engine Memory Corruption Vulnerability (MS16-051) 2”

MS16-053 Cumulative Security Update for JScript and VBScript

  • CVE-2016-0187 Scripting Engine Memory Corruption Vulnerability
    IPS:11598 “Scripting Engine Memory Corruption Vulnerability (MS16-051) 3”
  • CVE-2016-0189 Scripting Engine Memory Corruption Vulnerability
    IPS:11594 “Scripting Engine Memory Corruption Vulnerability (MS16-051) 1”

MS16-054 Security Update for Microsoft Office

  • CVE-2016-0126 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0140 Microsoft Office Memory Corruption Vulnerability
    SPY: 4335 “Malformed-File xls.MP.52”
  • CVE-2016-0183 Microsoft Office Graphics RCE Vulnerability
    There are no known exploits in the wild.

MS16-055 Security Update for Microsoft Graphics Component

  • CVE-2016-0168 Windows Graphics Component Information Disclosure Vulnerability
    SPY: 4500 “Malformed-File emf.MP.2”
  • CVE-2016-0169 Windows Graphics Component Information Disclosure Vulnerability
    SPY: 4499 “Malformed-File emf.MP.1”
  • CVE-2016-0170 Windows Graphics Component RCE Vulnerability
    SPY: 4499 “Malformed-File emf.MP.1”
  • CVE-2016-0184 Direct3D Use After Free Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0195 Direct3D Use After Free RCE Vulnerability
    This is a local Vulnerability.

MS16-056 Security Update for Windows Journal

  • CVE-2016-0182 Windows Journal Memory Corruption Vulnerability
    This is a local Vulnerability.

MS16-057 Security Update for Windows Shell

  • CVE-2016-0179 Windows Shell Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS16-058 Security Update for Windows IIS

  • CVE-2016-0152 Windows DLL Loading Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS16-059 Security Update for Windows Media Center

  • CVE-2016-0185 Windows Media Center Remote Code Execution Vulnerability
    IPS:11593 “Windows Media Center Remote Code Execution (MS16-059)”

MS16-060 Security Update for Windows Kernel

  • CVE-2016-0180 Windows Kernel Elevation of Privilege Vulnerability
    This is a local Vulnerability.

MS16-061 Security Update for Microsoft RPC

  • CVE-2016-0178 RPC Network Data Representation Engine Elevation of Privilege Vulnerability
    SPY:4497 “Malformed-File exe.MP.14”

MS16-062 Security Update for Windows Kernel-Mode Drivers

  • CVE-2016-0171 Win32k Elevation of Privilege Vulnerability
    This is a local Vulnerability.
  • CVE-2016-0172 Win32k Elevation of Privilege Vulnerability
    This is a local Vulnerability.
  • CVE-2016-0173 Win32k Elevation of Privilege Vulnerability
    This is a local Vulnerability.
  • CVE-2016-0174 Win32k Elevation of Privilege Vulnerability
    This is a local Vulnerability.
  • CVE-2016-0175 Win32k Information Disclosure Vulnerability
    This is a local Vulnerability.
  • CVE-2016-0176 Win32k Elevation of Privilege Vulnerability
    This is a local Vulnerability.
  • CVE-2016-0196 Win32k Elevation of Privilege Vulnerability
    This is a local Vulnerability.
  • CVE-2016-0197 Microsoft DirectX Graphics Kernel Subsystem Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS16-064 Security Update for Adobe Flash Player

  • CVE-2016-0177 Schannel Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS16-065 Security Update for .NET Framework

  • CVE-2016-0149 TLS/SSL Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS16-066 Security Update for Virtual Secure Mode

  • CVE-2016-0181 Hypervisor Code Integrity Security Feature Bypass
    There are no known exploits in the wild.

MS16-067 Security Update for Volume Manager Driver

  • CVE-2016-0190 Remote Desktop Protocol Drive Redirection Information Disclosure Vulnerability
    There are no known exploits in the wild.