Microsoft zero-day vulnerability exploited by two hacking groups, targeting Indian and Pakistani organizations
BY NART VILLENEUVE, XIAOBO CHEN, DAN CASELDEN AND NED MORAN
A zero-day vulnerability was recently discovered that exploits a Microsoft graphics component, using malicious Word documents as the initial infection vector. Microsoft has confirmed that the exploit has been used in attacks that are “very limited and carefully carried out against selected computers, largely in the Middle East and South Asia.”
FireEye’s Research team has analysed this zero-day exploit and found a connection between these attacks and those previously documented in Operation Hangover, which adds India and Pakistan into the mix of targets. Information obtained from a command-and-control server (CnC) used in recent attacks leveraging this zero-day exploit revealed that the Hangover group, believed to operate from India, has compromised 78 computers, 47 percent of those in Pakistan.
However, FireEye has also found that another group has access to this exploit and is using it to deliver the Citadel Trojan malware. This group, which we call the Arx group, may have had access to the exploit before the Hangover group did. Information obtained from CnCs operated by the Arx group revealed that 619 targets (4024 unique IP addresses) have been compromised. The majority of the targets are in India (63 percent) and Pakistan (19 percent).
From the analysis, it seems the use of this zero-day exploit (CVE-2013-3906) is more widespread than previously believed. Two different groups are using this exploit: Hangover and Arx. Hangover has been previously connected with a targeted malware campaign, and the Arx group is operating a Citadel-based botnet for organized crime. The one key theme for both actors: an India-Pakistan nexus.
The full analysis can be found below or here: http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both-targeted-attacks-and-crimeware-campaigns.html
The Dual Use Exploit: CVE-2013-3906 Used in Both Targeted Attacks and Crimeware Campaigns
A zero-day vulnerability was recently discovered that exploits a Microsoft graphics component, using malicious Word documents as the initial infection vector. Microsoft has confirmed that the exploit has been used in attacks that are “very limited and carefully carried out against selected computers, largely in the Middle East and South Asia.”
Our analysis has revealed a connection between these attacks and those previously documented in Operation Hangover (which targeted the Norwegian telecoms company Telenor), which adds India and Pakistan into the mix of targets. Information obtained from a command-and-control server (CnC) used in recent attacks leveraging this zero-day exploit revealed that the Hangover group, believed to operate from India, has compromised 78 computers, 47 percent of those in Pakistan.
However, we have found that another group also has access to this exploit and is using it to deliver the Citadel Trojan malware. This group, which we call the Arx group, may have had access to the exploit before the Hangover group did. Information obtained from CnCs operated by the Arx group revealed that 619 targets (4024 unique IP addresses) have been compromised. The majority of the targets are in India (63 percent) and Pakistan (19 percent).
Exploit Analysis
The CVE-2013-3906 vulnerability is a heap overflow that occurs when processing TIFF image files with user-controlled allocation and copy size. A function pointer is overwritten and later called to execute code. Exploiting this vulnerability requires the attacker to be able to control the memory layout — which the Hangover and Arx groups did by using a new ActiveX heap-spray technique.
Different ActiveX Heap-spray Method
Judging from samples in the wild that we analyzed, both groups sprayed the heap using the new ActiveX method, but did so slightly differently. The Arx group used a slightly more clever approach that sprays the same amount of memory using fewer objects in the exploit document.
Different ROP Payload
The Hangover group’s exploit mainly targets Windows XP because Microsoft Office offers NO Data Execution Prevention (DEP) protection by default, and the exploit doesn’t use return-oriented programming (ROP).
The Arx group, by contrast, uses ROP gadgets from MSCOMCTL.DLL. In our tests, the ROP payload works for DLL version 6.1.98.34.
Decoded below are the various ROP chains used in the Arx group’s exploits:
Stack pivot:
275b4f3f 94     xchg eax,esp
275b4f40 0100   add dword ptr [eax],eax
275b4f42 5e     pop esi
275b4f43 5d     pop ebp
275b4f44 c21c00 ret 1Ch
Pop VirtualAlloc IAT from the new stack:
2761bdea 58 pop eax
2761bdeb c3 ret
Calling VirtualAlloc to allocate RWX memory at 0x20000000:
275a58fe ff20 jmp dword ptr [eax] ds:0023:275811c8={kernel32!VirtualAlloc (7c809af1)}
Pop the length of the shell code:
27594a33 59 pop ecx
27594a34 c3 ret
Pop destination or source location for a memory copy:
2759a93f 5f pop edi
2759a940 5e pop esi
2759a941 c3 ret
Copy the shell code to 0x20000000:
275ceb04 f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
275ceb06 33c0 xor eax,eax
275ceb08 eb24 jmp MSCOMCTL!DllGetClassObject+0x3860 (275ceb2e)
After the copy, it returns to 0x20000000 to execute the shell code:
275ceb2e 5f pop edi
275ceb2f 5e pop esi
275ceb30 5b pop ebx
275ceb31 5d pop ebp
275ceb32 c3 ret
Different Shellcode
The Hangover group is using the URL Download shell code, but with a hook-hopping technique:
;; Check if target has been hooked with an absolute call instruction
001C205F cmp byte ptr [eax],0xE8
001C2062 jz 001C2073
;; Check if target has been hooked with an absolute jump instruction
001C2064 cmp byte ptr [eax],0xE9
001C2067 jz 001C2073
;; Check if target has been hooked with a software breakpoint
001C2069 cmp byte ptr [eax],0xCC
001C206C jz 001C2073
;; Check if target has been hooked with a short jump instruction
001C206E cmp byte ptr [eax],0xEB
001C2071 jnz 001C2084
001C2073 cmp dword ptr [eax+0x5],0x90909090
001C207A jz 001C2084
;; Re-create the standard function prologue, then skip the 5-byte hook
001C207C mov edi,edi
001C207E push ebp
001C207F mov ebp,esp
001C2081 lea eax,[eax+0x5]
001C2084 jmp eax
The hook-hopping technique was enabled for all API calls in this shell code, such as LoadLibraryA, GetTempPathA, URLDownloadToFileA, ShellExecuteA, and ExitProcess.
The Arx group’s shell code uses the NTAccessCheckAndAuditAlarm system call to search memory for the dropper, then calls LoadLibrary to load the dropper. This memory search technique is described here, in the egg hunt shell code section. NTAccessCheckAndAuditAlarm is one safe way to search memory without triggering access violations when touching unmapped addresses. Once the right memory location is found, the dropper is decoded with an unusual XOR scheme that is not easy to brute-force.
B5 00 9B B1 B5 00 9B B1 3A 9E 00 BA 04 00 77 82
The first two DWORDs are the signature used to locate the binary by the NTAccessCheckAndAuditAlarm system call.
0x3A is the first XOR key and 0x9E is the second XOR key. 0x0004BA00 is the dropper file’s length.
The XOR algorithm is described below. The algorithm takes two keys. The first key is XORed against the ciphertext, and the second key is added to the first key after each XOR operation:
    def xor(a, key, key2):
        x = bytearray(a)
        for i in range(len(x)):
            x[i] ^= key & 0xff   # only the low byte of the running key is used
            key += key2          # advance the key for the next byte
        return x
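As an added example (not code from the FireEye post), the header layout and the two-key rolling XOR described above are combined into one runnable decoder: it locates the signature in a buffer, reads the keys and length at the offsets given on this page, decodes the body, and shows why the scheme defeats single-byte XOR brute force (the keystream has period 256/gcd(key2, 256), i.e. 128 for key2 = 0x9E). The sample payload is constructed; the trailing two header bytes (77 82) are not interpreted because the post does not explain them.

```python
import math
import struct

# The two DWORDs the egg hunter searches for (taken from the header on this page).
SIGNATURE = bytes.fromhex("B5009BB1B5009BB1")


def parse_header(blob):
    """Return (key1, key2, length) from a buffer that starts at the signature.

    Layout as described in the post: offsets 0-7 signature, 8 first XOR key,
    9 second XOR key, 10-13 dropper length as a little-endian DWORD.
    Bytes 14-15 are not documented on the page and are left alone.
    """
    if len(blob) < 16 or blob[:8] != SIGNATURE:
        raise ValueError("signature not found at start of buffer")
    key1, key2 = blob[8], blob[9]
    (length,) = struct.unpack_from("<I", blob, 10)
    return key1, key2, length


def rolling_xor(data, key, key2):
    """The post's algorithm: XOR with the running key, then add key2 to it.

    Masking the key to a byte on every step gives the same bytes as the
    unbounded `key += key2` followed by `key & 0xff`. The operation is its
    own inverse, so the same call encodes and decodes.
    """
    out = bytearray(data)
    for i in range(len(out)):
        out[i] ^= key & 0xFF
        key = (key + key2) & 0xFF
    return bytes(out)


def keystream(key1, key2, n):
    """Closed form of the key schedule: byte i is (key1 + i*key2) mod 256."""
    return bytes((key1 + i * key2) & 0xFF for i in range(n))


def period(key2):
    """Length of the repeating keystream; key2 == 0 degenerates to single-byte XOR."""
    return 256 // math.gcd(key2, 256)


def find_signature(memory):
    """Offset of the header in a buffer (user-mode analogue of the egg hunt)."""
    return memory.find(SIGNATURE)


def decode_dropper(blob):
    """Decode the payload that follows a 16-byte header starting at blob[0]."""
    key1, key2, length = parse_header(blob)
    body = blob[16:16 + length]
    if len(body) != length:
        raise ValueError("payload truncated: header length exceeds buffer")
    return rolling_xor(body, key1, key2)


# Constructed sample (not a real dropper): the page's keys 0x3A / 0x9E, with the
# length field rewritten for a short fake plaintext, preceded by filler bytes.
PLAIN = b"MZ\x90\x00constructed-sample-dropper"
HEADER = SIGNATURE + bytes([0x3A, 0x9E]) + struct.pack("<I", len(PLAIN)) + b"\x77\x82"
SAMPLE_BLOB = b"\x00" * 37 + HEADER + rolling_xor(PLAIN, 0x3A, 0x9E)


def demo():
    """Hunt for the signature in the constructed buffer and decode the body."""
    off = find_signature(SAMPLE_BLOB)
    if off < 0:
        raise ValueError("no header in sample")
    return decode_dropper(SAMPLE_BLOB[off:])


if __name__ == "__main__":
    print(demo())
```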
The Hangover Group
As previously documented, “Operation Hangover” was a multi-year series of coordinated campaigns targeting systems around the world, with a primary focus on organizations in Pakistan. “Operation Hangover” was uncovered after the attackers responsible for this campaign targeted Telenor, a major Norwegian telecommunications provider. The Hangover group is believed to have been operating as early as 2009.
Cluster and Protocol Analysis
The related samples were uploaded to VirusTotal between 2013-10-23 and 2013-10-31. This provides an indication of when CVE-2013-3906 was first used by the Hangover group. The EXIF data contained within the malicious Word documents used by the group, which is likely an artifact of the builder, contains these dates:
• CreateDate: 2013:10:03 22:46:00Z
• ModifyDate: 2013:10:03 23:17:00Z