
Analysis of the attack exploiting Firefox 0day vulnerabilities

2025-02-25 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article walks through the publicly available clues around the recent attack that exploited two Firefox 0day vulnerabilities, ties the Coinbase IOCs to the Objective-See macOS backdoor analysis, and looks at what the Netwire payload and its C2 infrastructure suggest about the group behind it.

Background

The recent Firefox vulnerability CVE-2019-11707 was first reported to Mozilla by Samuel Groß of Google Project Zero on April 15. The bug he found only yields code execution inside the Firefox content process; it does not escape the Firefox sandbox, so any real-world exploit would have to chain it with a separate sandbox-escape vulnerability.

Then, in recent days, the security team of the cryptocurrency exchange Coinbase submitted to Mozilla an exploit captured during an attack on the company. It proved to be exactly such a sandbox escape and was assigned CVE-2019-11708.

Coinbase's security staff subsequently published IOCs and said that Coinbase was not the only cryptocurrency exchange targeted.

Hashes (32 hex characters, MD5):

af10aad603fe227ca27077b83b26543b

de3a8b1e149312dac5b8584a33c3f3c6

C2 IP:

89.34.111.113:443

185.49.69.210:80

Objective-See, the well-known macOS malware research site, also published an analysis of the macOS backdoor delivered in this incident (https://objective-see.com/blog/blog_0x43.html).

According to that report, after receiving the email shown in the figure, the targeted cryptocurrency holder clicked the link, which loaded an HTML page that silently ran the exploit and the malicious payload. Notably, the payload it dropped is the same sample Coinbase's security staff had already identified, de3a8b1e149312dac5b8584a33c3f3c6. We therefore tie the two incidents together and believe the initial vector of this 0day attack was the phishing email pointing to people.ds.cam.ac.uk/nm603/awards/Adams_Prize.

We then dig further into the related clues.

Analysis

Both samples Coinbase provided can be seen on VirusTotal; we focus on the second, which is the one discussed in the Objective-See report.

The first was submitted to VirusTotal on June 6 from South Africa, the second on June 20 from Canada.

Next we look at the two C2 endpoints Coinbase provided, 89.34.111.113:443 and 185.49.69.210:80.

Under 89.34.111.113 we find the previously mentioned de3a8b1e149312dac5b8584a33c3f3c6 (IconServicesAgent), plus a Windows sample uploaded on April 16, 2018.

Cross-checking with the Qianxin TIP platform, the sample historically associated with this IP is Emotet, the well-known banking Trojan.

For 185.49.69.210:80 there is little useful correlated information.

Analysis of the de3a8b1e149312dac5b8584a33c3f3c6 sample shows it is the Netwire RAT; the macOS build of Netwire is a publicly sold commercial Trojan. The sample contains the distinctive string "hyd7u5jdi8".

hyd7u5jdi8 is a peculiar string that already appeared in a 2012 Netwire sample, which was claimed to be the first Netwire build for Mac OS X and Linux.
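As an added example that is not part of the original article or of the Coinbase and Objective-See reports, the Python script below turns the IOCs listed above and the Netwire marker string into a small sweep: it hashes a file blob and checks it against the two published hashes, looks for the "hyd7u5jdi8" string, and scans connection-log lines for the two C2 endpoints. The hash and IP values are the ones quoted on this page; the sample blob, the log-line format and the log lines themselves are constructed for illustration and are not real malware or real traffic.

```python
"""IOC and fingerprint sweep for the Netwire sample tied to the Firefox 0day campaign.

Added example, not code from the original article or from Coinbase/Objective-See.
All sample inputs at the bottom are constructed for illustration.
"""
import hashlib
import re

# IOCs as published by Coinbase and quoted in the article.
# The hashes are 32 hex characters, i.e. MD5 digests.
IOC_MD5 = {
    "af10aad603fe227ca27077b83b26543b",
    "de3a8b1e149312dac5b8584a33c3f3c6",
}
IOC_C2 = {
    ("89.34.111.113", 443),
    ("185.49.69.210", 80),
}
# Hard-coded string seen in the macOS Netwire sample (and in the 2012 and 2017 samples).
NETWIRE_MARKER = b"hyd7u5jdi8"

# Matches "ip:port" tokens anywhere in a log line (log format is an assumption).
_ENDPOINT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def md5_hex(data: bytes) -> str:
    """Lowercase hex MD5 of a blob, matching the case used in the IOC list."""
    return hashlib.md5(data).hexdigest()


def check_sample(data: bytes) -> dict:
    """Classify a file blob.

    'ioc_hash_match' is an exact match against the published hashes (strong signal,
    but defeated by any recompiled build); 'netwire_marker' is the string fingerprint
    (weaker on its own, but survives rebuilds that keep the hard-coded string).
    """
    digest = md5_hex(data)
    return {
        "md5": digest,
        "ioc_hash_match": digest in IOC_MD5,
        "netwire_marker": NETWIRE_MARKER in data,
    }


def check_connection_log(lines) -> list:
    """Return C2 hits from log lines containing ip:port endpoints.

    'exact'   = ip and port both match a published C2 endpoint.
    'ip-only' = the IP matches on another port; worth a look, but a weaker signal.
    """
    ioc_ips = {ip for ip, _ in IOC_C2}
    hits = []
    for lineno, line in enumerate(lines, 1):
        for ip, port in _ENDPOINT_RE.findall(line):
            port = int(port)
            if (ip, port) in IOC_C2:
                hits.append({"line": lineno, "endpoint": f"{ip}:{port}", "level": "exact"})
            elif ip in ioc_ips:
                hits.append({"line": lineno, "endpoint": f"{ip}:{port}", "level": "ip-only"})
    return hits


# Constructed sample inputs (not real malware, not real traffic).
SAMPLE_BLOB = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 16           # Mach-O-like magic plus padding
    + b"IconServicesAgent\x00" + NETWIRE_MARKER   # the file name seen on VT and the marker
    + b"\x00" * 8
)
BENIGN_BLOB = b"\xcf\xfa\xed\xfe" + b"hello world" * 4
SAMPLE_LOG = [
    "2019-06-20T10:15:01Z proto=tcp src=10.0.0.5:51234 dst=89.34.111.113:443 bytes=2048",
    "2019-06-20T10:15:07Z proto=tcp src=10.0.0.5:51240 dst=93.184.216.34:443 bytes=911",
    "2019-06-20T10:16:22Z proto=tcp src=10.0.0.7:49877 dst=185.49.69.210:8080 bytes=133",
]

if __name__ == "__main__":
    print(check_sample(SAMPLE_BLOB))
    print(check_sample(BENIGN_BLOB))
    for hit in check_connection_log(SAMPLE_LOG):
        print(hit)
```

MD5 is used only because that is the digest the IOC list publishes; it is fine for an exact lookup but is not collision-resistant, so treat a hash hit as "this exact file" and nothing more. The marker-string check is what catches a rebuilt Netwire binary that the hash list would miss; conversely, a string hit alone should be confirmed against the rest of the binary before calling it Netwire.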

Netwire has previously been used by both APT groups and cyber-criminal gangs.

Examples include APT33, believed to be Iranian; the well-known criminal gang Carbanak; and the Nigerian group SilverTerrier.

Interestingly, researcher Vitali Kremez later pointed out that the same string also appeared in the CVE-2017-0261 EPS 0day attack that FireEye reported in May 2017.

The final payload delivered in that attack was also Netwire.

FireEye's report shows three groups exploiting that bug: Turla, APT28, and an unknown financially motivated actor; it was the latter that used NETWIRE and targeted financial institutions in the Middle East.

We also note that in its report at the end of March 2019 on attacks exploiting the WinRAR vulnerability CVE-2018-20250, FireEye described a campaign using the WinRAR bug to deliver Netwire with C2 at 89.34.111.113, the same C2 IP address seen in this 0day attack.

Summary

The current evidence is not enough for a firm attribution to a known group, but combining the associations above we can speculate as follows:

1. The group is most likely financially motivated; its historical attacks appear to have targeted banks and have now extended to cryptocurrency exchanges.

2. By target region, the Middle East appears to be its main focus, but judging from where the samples were uploaded, a global scope cannot be ruled out.

3. It uses Netwire as its main RAT. Note that Netwire is a commercially available RAT with builds for multiple platforms, and the attacker appears to use a particular build with a distinctive fingerprint (the hyd7u5jdi8 string).

4. The attacker appears capable of exploiting 0day vulnerabilities, though a purchased 0day cannot be ruled out; either way, it is worth noting that the attacker has remained active over a long period.
