2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Today I will walk you through a case analysis of the Flash 0day vulnerability CVE-2018-5002 and the APT attack that used it. Many readers may not be familiar with it, so the editor has summarized the following for you; I hope you get something out of this article.
Background
The 360 Threat Intelligence Center recently captured an APT attack that used a Flash 0day vulnerability in combination with a Microsoft Office document. The sample is the first we have seen to use a "Flash-less" embedding technique: the Office document contains no Flash file at all. We notified the vendor, Adobe, immediately after confirming the vulnerability, making us the first organization in the country to report the attack and the associated vulnerability to the vendor. Adobe credited the Threat Intelligence Center in the security advisory it published yesterday.
Adobe's reply confirming the vulnerability, and the public acknowledgement
The exploit chain is heavily engineered. The attacker hosts three components on the server: a Loader (stage 1, which downloads the exploit Flash file), an Exploit (stage 2, the code that exploits the vulnerability) and a Payload (stage 3, the shellcode). Each stage is downloaded and executed only after the previous stage has succeeded and passed its environment checks, which makes it very hard to recover the complete attack flow and exploit code. Through analysis of the sample's unusual structure, big-data correlation and domain name analysis, the Threat Intelligence Center found that the exploit weapon used in this attack is suspected to be linked to Hacking Team.
Because this vulnerability and its exploit code are likely to be adapted by cybercrime groups and other APT actors for large-scale attacks, posing a real threat, the 360 Threat Intelligence Center reminds users to take countermeasures.
Related vulnerability summary
Vulnerability name: Adobe Flash Player remote code execution
Threat type: remote code execution
Threat level: high
Vulnerability ID: CVE-2018-5002
Exploit scenario: the attacker delivers a maliciously crafted Office file to the victim through web download, e-mail, instant messaging or other channels and induces them to open it; opening the file may trigger the vulnerability and execute arbitrary code on the user's system, giving the attacker control.
Affected versions: Adobe Flash Player 29.0.0.171 and earlier
Unaffected versions: Adobe Flash Player 30.0.0.113 (the latest version, which contains the fix)
Fix and upgrade address: https://get.adobe.com/flashplayer/
Sample
From the language attributes of the captured attack sample and correlation data on its C&C server, we infer that this was an APT attack targeting Qatar. The sample was uploaded to VirusTotal on May 31, and in the days that followed, up to June 7, only 360's own antivirus engine detected it as malicious; the Threat Intelligence Center discovered the 0day exploitation through careful analysis.
Attack analysis
By tracing the sample's execution, we reconstructed its overall execution flow as follows:
The overall execution process of malicious documents containing Flash 0day
Bait document
The attacker first sends the Excel decoy document containing a Flash ActiveX object to the target and tricks the victim into opening it:
Flash ActiveX control
The decoy document contains a Flash ActiveX control:
However, the Flash ActiveX object does not contain an embedded Flash file. The Flash content is loaded remotely through the URL stored in the ActiveX object, which lets the document evade antivirus detection:
The Excel document passes parameters to the remotely loaded Flash, including the download address of the stage-2 Flash and the address used to communicate with the C&C server:
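The document-side trait described above (a Flash ActiveX control whose movie is a URL rather than an embedded SWF) is something a triage script can check for without opening the file in Excel. The following is an added example, not code from the original report or from 360: it assumes the decoy is an OOXML workbook whose ActiveX parts sit under xl/activeX/ in the usual Office "ax" namespace, that a persistStreamInit control keeps its properties in a sibling activeXN.bin part, and it carves URLs out of that binary stream instead of parsing the control's persist format. The Flash CLSID is the real one; the package it builds is a constructed sample containing only the parts the scanner reads.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# CLSID of the Shockwave Flash ActiveX control, as registered by Flash Player.
FLASH_CLSID = "{D27CDB6E-AE6D-11CF-96B8-444553540000}"
# Namespace of the ActiveX parts inside an OOXML package (assumed; parts appear as xl/activeX/activeXN.xml).
AX_NS = "http://schemas.microsoft.com/office/2006/activeX"


def attr(local: str) -> str:
    return f"{{{AX_NS}}}{local}"


# URLs in a binary persist stream may be stored as ASCII or as UTF-16LE.
URL_ASCII = re.compile(rb"https?://[\x21-\x7e]+")
URL_UTF16 = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def urls_in_blob(blob: bytes) -> List[str]:
    """Carve http(s) URLs out of an ActiveX .bin persist stream (ASCII and UTF-16LE)."""
    found = [m.group(0).decode("ascii") for m in URL_ASCII.finditer(blob)]
    found += [m.group(0).decode("utf-16le") for m in URL_UTF16.finditer(blob)]
    return found


def find_remote_flash(xlsx_bytes: bytes) -> List[Dict]:
    """Return one finding per Flash ActiveX control whose movie is a remote URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        names = set(z.namelist())
        for name in sorted(names):
            if not (name.startswith("xl/activeX/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(name))
            if root.get(attr("classid"), "").upper() != FLASH_CLSID:
                continue  # some other control, not Flash
            urls = []
            # persistPropertyBag: the control's properties are plain XML attributes,
            # so the Movie URL can be read directly.
            for pr in root.iter(attr("ocxPr")):
                value = pr.get(attr("value"), "")
                if pr.get(attr("name")) == "Movie" and value.lower().startswith(("http://", "https://")):
                    urls.append(value)
            # persistStreamInit: properties live in a binary sibling part (assumed to be
            # activeXN.bin next to activeXN.xml), so carve URL strings out of it instead.
            bin_name = name[:-4] + ".bin"
            if bin_name in names:
                urls.extend(urls_in_blob(z.read(bin_name)))
            if urls:
                findings.append({"part": name, "persistence": root.get(attr("persistence")), "urls": urls})
    return findings


def build_sample(movie: str) -> bytes:
    """Constructed minimal package holding only the parts the scanner reads (not a real document)."""
    bag = (
        f'<ax:ocx xmlns:ax="{AX_NS}" ax:classid="{FLASH_CLSID}" ax:persistence="persistPropertyBag">'
        f'<ax:ocxPr ax:name="Movie" ax:value="{movie}"/>'
        '<ax:ocxPr ax:name="EmbedMovie" ax:value="0"/>'
        "</ax:ocx>"
    )
    stream = f'<ax:ocx xmlns:ax="{AX_NS}" ax:classid="{FLASH_CLSID}" ax:persistence="persistStreamInit"/>'
    # Constructed stand-in for a persist stream: a UTF-16LE movie URL surrounded by filler bytes.
    blob = b"\x00\x08" + "http://example.invalid/stage1.swf".encode("utf-16le") + b"\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/activeX/activeX1.xml", bag)
        z.writestr("xl/activeX/activeX2.xml", stream)
        z.writestr("xl/activeX/activeX2.bin", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_remote_flash(build_sample("https://example.invalid/docs/loader.swf")):
        print(hit["part"], hit["persistence"], hit["urls"])
```

A hit with a remote Movie URL is not proof of exploitation on its own, but combined with the absence of any embedded SWF it is exactly the shape this sample had, and the carved URL is the stage-1 download address to block and hunt for in proxy logs.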
The first stage Flash
The first-stage Flash file is downloaded through the URL stored in the Flash ActiveX object. Its main job is to keep communicating with the remote server and download the AES-encrypted second-stage Flash file:
Fetching the first-stage Flash file
Second stage Flash 0day
Because the first-stage Flash is written to disk, the attacker keeps the exploit code itself out of reach of antivirus detection and capture: the first-stage Flash loader downloads the encrypted attack module from the server and loads it directly in memory.
The data returned by the server has the form [KEY + AES-encrypted data]. The first-stage Flash decrypts it into the second-stage Flash file:
Fetching the AES-encrypted second-stage Flash
Decrypting the second-stage Flash file, which is encrypted with AES in CBC mode:
The second-stage Flash file is then loaded in memory; it contains the Flash 0day exploit code:
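Because the second stage exists only in memory after the first stage has decrypted it, an analyst who dumps it from the Flash Player process is left with a bare SWF blob and needs to confirm what it is and where its ActionScript bytecode lives. The following is an added example, not code from the original report or from 360: a minimal SWF walker that handles the FWS and CWS signatures, inflates the zlib body, steps through the tag list and decodes the DoABC tags (the ones carrying AVM2 bytecode) down to the ABC version header. It assumes the caller already has the decrypted bytes; the SWF it builds for demonstration is a constructed sample whose DoABC tag holds only a version header, not real bytecode, and the tag name "Stage2" is invented.

```python
import struct
import zlib
from typing import Dict, List

DO_ABC = 82   # DoABC: carries ActionScript 3 bytecode (where the exploit logic lives)
END = 0       # End tag


def _rect_bytes(body: bytes) -> int:
    """Byte length of the RECT at the start of the body: 5-bit Nbits, then four Nbits-wide fields."""
    nbits = body[0] >> 3
    return (5 + 4 * nbits + 7) // 8


def parse_swf(blob: bytes) -> Dict:
    """Parse the SWF header and walk the tag list, decoding the header of every DoABC tag."""
    sig, version, declared_len = struct.unpack_from("<3sBI", blob, 0)
    if sig == b"FWS":
        body = blob[8:]
    elif sig == b"CWS":
        body = zlib.decompress(blob[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA SWF: strip the 4-byte size field and inflate with lzma first")
    else:
        raise ValueError("not a SWF")
    off = _rect_bytes(body) + 4          # RECT, then FrameRate (2) and FrameCount (2)
    tags: List[Dict] = []
    while off + 2 <= len(body):          # a truncated memory dump simply ends the walk
        (hdr,) = struct.unpack_from("<H", body, off)
        code, length = hdr >> 6, hdr & 0x3F
        off += 2
        if length == 0x3F:               # long form: 32-bit length follows
            (length,) = struct.unpack_from("<I", body, off)
            off += 4
        payload = body[off:off + length]
        off += length
        tag = {"code": code, "length": length}
        if code == DO_ABC and len(payload) >= 9:
            (flags,) = struct.unpack_from("<I", payload, 0)
            name_end = payload.index(b"\x00", 4)
            minor, major = struct.unpack_from("<HH", payload, name_end + 1)
            tag.update(name=payload[4:name_end].decode("utf-8", "replace"),
                       lazy_init=bool(flags & 1), abc_version=(major, minor),
                       abc_size=length - (name_end + 1))
        tags.append(tag)
        if code == END:
            break
    return {"signature": sig.decode(), "version": version,
            "declared_length": declared_len, "actual_length": len(body) + 8, "tags": tags}


def abc_tags(blob: bytes) -> List[Dict]:
    """Only the DoABC tags: the parts worth feeding to an ABC disassembler."""
    return [t for t in parse_swf(blob)["tags"] if t["code"] == DO_ABC]


def build_sample(compressed: bool = True) -> bytes:
    """Constructed minimal SWF: one DoABC tag holding only an ABC version header, then End."""
    abc = struct.pack("<I", 1) + b"Stage2\x00" + struct.pack("<HH", 16, 46)  # flags, name, minor, major
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1)       # RECT with Nbits=0, 12 fps, 1 frame
    body += struct.pack("<H", (DO_ABC << 6) | len(abc)) + abc
    body += struct.pack("<H", 0)                         # End tag
    data = zlib.compress(body) if compressed else body
    return (b"CWS" if compressed else b"FWS") + bytes([10]) + struct.pack("<I", 8 + len(body)) + data


if __name__ == "__main__":
    info = parse_swf(build_sample())
    print(info["signature"], info["version"], info["declared_length"], info["actual_length"])
    for t in info["tags"]:
        print(t)
```

A declared length that disagrees with the actual length is the quickest sign that a dump is incomplete, and a DoABC tag whose ABC version is not 46.16 is worth a second look before spending time in a disassembler.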
The third stage ShellCode
After the Flash 0day exploit succeeds, the code sends a POST request to the server to retrieve the third-stage shellcode and carries out the final attack:
0day vulnerability analysis
Vulnerability function context
The key code that triggers the vulnerability, shown in the figure below, is in the replace function. Once the vulnerability is triggered, two objects in a Vector are swapped, turning the bug into a type confusion that leads to code execution. Before the function runs, two object instances of types SafeStr_5 and SafeStr_7 are declared and passed alternately as parameters to the function SafeStr_61: 256 parameters in total, 128 of each type:
The SafeStr_5 class is as follows:
The SafeStr_7 class is as follows:
The corresponding SafeStr_5 instance generated in the JIT code:
The SafeStr_5 and SafeStr_7 instances created before SafeStr_61 is entered are shown below. The first two are globally declared instances; the last two are declared in replace and then passed as parameters to SafeStr_61:
Before entering the SafeStr_61 function:
The SafeStr_61 function is shown below. It first creates an instance of SafeStr_6 (used to trigger the vulnerability) and two Vectors, one of type SafeStr_5 and one of type SafeStr_7, and then distributes the parameters alternately into the two Vectors:
The Vector assignment then begins:
After the assignment:
Cause of the vulnerability
Now look at the _SafeStr_6 class instance used to trigger the vulnerability. Its ActionScript code is as follows:
As can be seen, when the Flash bytecode verifier processes the corresponding try/catch block it does not handle the scope of the exception handler correctly: it wrongly concludes that no code path can reach the catch block, so it skips verification of the catch block's bytecode. The li8(123456) operation in this function raises an exception that is caught by that catch block, so the unverified code in the catch block runs. That bytecode can illegally modify data on the stack through setlocal and getlocal operations, and by swapping the positions of two object pointers on the stack it turns the bug into a type confusion and finally arbitrary code execution.
Vulnerability exploitation
Let's look at the code context that triggers the vulnerability; _SafeStr_6 is the class instance shown in the figure above:
As shown below, the pointer of one object in the Vector of type SafeStr_5 is overwritten with a SafeStr_7 object pointer. Its slot is index 0x1c1 = 449, which is the local variable used by the getlocal operation in the figure above:
Next, the pointer of one object in the Vector of type SafeStr_7 is changed to a SafeStr_5 object pointer:
The m_p1 member of each object in the SafeStr_5 Vector is then examined in turn to find the one whose member has been replaced with the SafeStr_7 pointer:
Because a SafeStr_5 object is now confused with a SafeStr_7 object, operations on the confused SafeStr_5 object actually act on the memory of the SafeStr_7 object. Setting the m_p1 member of the SafeStr_5 object therefore writes to the corresponding offset inside the SafeStr_7 object, and that offset holds the SafeStr_7 object's own SafeStr_5 reference. At this point the operation SafeStr_7.SafeStr_5.m_p1 is controlled by the m_p1 member of the _SafeStr_5 object, which yields read and write access to an arbitrary address and is then converted into arbitrary code execution:
Attribution and related samples
Combining the delivery technique (an Excel document) with the way the Flash ActiveX control is inserted (a compound binary .bin part plus remote Flash loading), the Threat Intelligence Center used big-data correlation to find another document that delivers a Flash exploit with the same technique (MD5: 5b92b7f4599f81145080aa5c3152dfd9):
Its built-in URL for loading the remote Flash exploit is:
Hxxps://mynewsfeeds.info/docs/P6KMO6/5v1z1p3r1p1o.swf
Domain name analysis
This domain was used to serve multiple SWF payload files from 2015 to early 2016:
Historical WHOIS records show that mynewsfeeds.info was registered by marchaopn@gmail.com, and that the domain was placed behind WHOIS privacy protection after the Hacking Team leak in July 2015:
Threat intelligence platform data also links the domain to an exploit sample for CVE-2015-5119, the Flash 0day that was exposed by the Hacking Team leak!
The domain belongs to Hacking Team
The code-signing certificate registered with the marchaopn@gmail.com mailbox is exactly the one that belongs to Hacking Team:
The domain and the mailbox also appear in the leaked e-mail correspondence between Hacking Team and its customers:
So far, using the particular construction of the leaked 0day exploit samples, the Threat Intelligence Center has found a highly similar sample, and it points to Hacking Team.
Since the Hacking Team leak, the group's new activities and the espionage trojans it develops have been disclosed many times by foreign security vendors and news sites, showing that it has not completely disappeared.
About Hacking Team
Drawing these connections together, the Threat Intelligence Center lists several points of comparison between this 0day attack and Hacking Team's history:
Hacking Team has long sold its cyber-espionage weapons to multiple intelligence agencies and government departments.
The earlier Hacking Team leak showed that the group has deep expertise in Flash 0day vulnerabilities and exploitation techniques, and the exploitation technique implemented in this 0day is very similar.
The way the exploit for this 0day was built and used also resembles Hacking Team's past work.
Protection advice
The Threat Intelligence Center reminds all organizations and business users to open documents from unknown sources with caution, to download and install the latest Adobe Flash Player from the upgrade address above as soon as possible, and to install antivirus tools such as 360 Security Guard / Sky Engine to minimize the risk.
© 2024 shulou.com SLNews company. All rights reserved.