By: Deepen Desai

Hacking Team Leak, Flash 0day, Exploit Payloads And More

Data Breach

[Update - July 13, 2015]

In addition to the Flash 0day exploit that we reported earlier [CVE-2015-5119], two new Flash 0day exploits were found in the Hacking Team's leaked data and these flaws are not yet patched:
  • CVE-2015-5122: valueOf use after free vulnerability during the assignment to freed TextBox
Two in-the-wild samples reported here
  • CVE-2015-5123: valueOf use after free vulnerability during the assignment to freed Bitmap
Adobe acknowledged these issues over the weekend and is working on a patch. Meanwhile, ThreatLabZ has deployed additional coverage for these new exploits to protect Zscaler customers. We are continuously monitoring for new in-the-wild exploit payloads for these flaws.

Introduction

Data breaches have become a common and painful reality. Major enterprises, including retailers and financial institutions have been affected in the past few years. Even cyber criminals are not spared from breaches, with various malware code leaks, the most recent being that of the KINS 2.0 Banking Trojan family.
 
Earlier this week, we saw a large stolen information archive (400 GB) being published that belonged to the notorious Italian hackers-for-hire firm - Hacking Team. Hacking Team has been known to sell offensive surveillance technology to government agencies worldwide. The archive contains e-mails, invoices, and more importantly exploits & malware source codes. An individual that goes by the handle PhineasFisher has taken credit for the attack and if that name sounds familiar it's because he's done similar work before, having hacked and leaked data from Gamma International last year. His motivation for that breach was apparently similar as he accused the firm of selling surveillance tools to repressive regimes. While our assessment is far from over, in this blog, we will provide a quick run down of what we have seen in the archive related to exploits & malware thus far and we will continue to update as we discover more details.

Exploits, Remote Control System, and more

  • Flash 0-day exploit with Proof-Of-Concept (POC) [CVE-2015-5119] - Confirmed 0day for the latest version of Adobe Flash Player, running on Windows XP and Windows 7. The exploit did not succeed on Windows 8.1. We also saw support for targeting OS X. This is a Use-After-free vulnerability in Adobe Flash player's built-in ByteArray class that can lead to crash or remote code execution by the attacker.
 Affected applications:
  1. The majority of the popular browsers including Chrome, FireFox, Internet Explorer and Safari with Flash Player installed are vulnerable to this issue.
  2. Microsoft Office 2007/2010/2013 - where the attack scenario will involve an office document with the malicious SWF file embedded in it. The document may arrive via an e-mail or as a drive-by download on the target system.
Adobe released a patch today to address this vulnerability.
  • Microsoft Windows Kernel code injection vulnerability exploit that can be leveraged to perform privilege escalation on the target system to bypass various security mechanisms
  • Support for iOS devices - They are leveraging the popular iOS Jailbreak application Cydia for iOS devices to further install malicious payloads on the target device.
  • Support for Android Devices - There is a separate module for Android OS (Android Webkit) that is leveraging a probable 0day exploit [we are still working on confirming this] in the Android browser and running various known root-access exploits like exynos, gingerbreak, levitator, etc. to root the target devices and further install malicious payloads. 
  • Support for Windows & Blackberry devices - We also saw source code for supposed exploits that will target Windows Phone 8 as well as Blackberry devices. 
  • MacOS Rooting exploit to enable online and offline installation of untrusted applications.
  • A Remote Control System (RCS) Dropper module that is capable of creating both mobile and computer system payloads for Windows and Macintosh. 
  • A multi-stage JAVA exploit module that contains a weaponized version as well as a two stage version with features to by pass Microsoft Security Essentials and an example Trojanized Putty.exe payload.
  • Multiple driver files that may contain Rootkit functionality to hide the malicious process and evade detection.
  • Source code of the core Remote Control System module where we can see the in-depth list of features supported by it.
core-win32:
1.) Monitoring modules for Instant messengers, Web Browsers, PC cameras & microphones, etc.
2.) Monitoring social media activities over Yahoo, Gmail, Twitter, and Facebook
3.) Hooking Outlook and getting email and contact details.
4.) Relaying infected system information including time, battery status, processor, memory, OS, user etc..
5.) Advanced keylogging capabilities
 We also observed support for 64-bit operating system target.
  • There are also multiple anti-VM, anti-Sandbox, and anti-AV evasion modules present in the source code archive.
We are still combing through the archive evaluating more exploits and we will continue to publish our findings as they emerge.

Loader configuration server

We saw a hardcoded IP address in the first stage shellcode payload that is supposedly hosting the configuration file as seen below
 
Hardcoded configuration file location
 
The shellcode payload is presumably used by the loader for downloading and installing the main RCS component following a successful exploitation attempt. A quick VirusTotal lookup for the IP address reveals lot of interesting activity in the past two months only:
 
VirusTotal report for the Configuration Server
Enterprises would be advised to block the aforementioned IP address if they are concerned that they may have been targeted by any of the Hacking Tools applications.

Conclusion

As has been the case in the past after any such leak, we will start seeing the leaked code being incorporated into many future spin offs as well as existing malware families as feature upgrades. Exploit Kit authors have already incorporated the Flash 0day payload in their exploit arsenal as noted here.
 
ThreatLabZ has ensured coverage for the Flash 0day (CVE-2015-5119) and other exploit payloads ensuring protection for the Zscaler customers. We will continue to monitor further developments surrounding this leak.
 
Research by: Abhay Yadav, Nirmal Singh, Deepen Desai
 
 
 

Learn more about Zscaler.