By: Rubin Azad

Nuclear Exploit Kit And Flash CVE-2014-0515

Exploit Kit

For this blog, we'd like to walk you through a recent attack involving Nuclear Exploit Kit (EK) that we analyzed. It was found leveraging CVE-2014-0515, a buffer overflow in Adobe Flash Player discovered in April 2014.

Nuclear Exploit Kit targets a number of known vulnerabilities. Below are the files that were downloaded during the exploitation attempts we observed:

FILE TYPE  MD5                               SIZE    CVE/THREAT       VT HITS
FLASH      A1465ECE32FA3106AA88FD666EBF8C78  5614    CVE-2014-0515    18 / 53
JAR        A93F603A95282B80D8AFD3F23C4D4889  12396   CVE-2012-0507    26 / 54
PDF        19ED55EF17A49451D8052D0B51C66239  9770    Exploit.PDF-JS   22 / 54
EXE        8BCE8A59F9E789BEFB9D178C9A03FB66  104960  Win32/Zemot      39 / 53

Although other vulnerabilities are also exploited by Nuclear Exploit Kit, we will limit this blog post to reviewing the Flash exploitation (CVE-2014-0515).

Nuclear EK Landing

Unlike other EKs such as RIG, Nuclear EK's landing page code is highly obfuscated.

 
(Fig 1: Obfuscated Landing Page)

After de-obfuscation, the page looks as follows:
 
(Fig 2: De-Obfuscated Landing Page)

Nuclear EK's landing page checks for the following antivirus (AV) driver files and, if it finds any, terminates the exploitation process. We have seen these checks before in RIG EK too.
 
(Fig 3: Check for AV driver files)
 

If this AV check is passed, a JavaScript function then checks the installed Flash version, and if a vulnerable version is detected in the client's browser, a call is made to a dynamic Flash object creation module.
 
(Fig 4: Flash Call)
 
Here are the vulnerable Flash player checks:
 
(Fig 5: Checks if vulnerable version installed)
 
If the version check passes, the Flash exploitation process will commence as seen below.

CVE-2014-0515 exploit analysis

Here is the code that dynamically creates a new Flash Object:
 
(Fig 6: Flash Object Creation)

The Flash exploit payload that gets downloaded is highly obfuscated to evade AV detection. Below is a snippet of decompiled code from this Flash exploit:
 
 
(Fig 7: Decompiled Flash File)
 
There are two hard-coded snippets of obfuscated shellcode in the ActionScript, as seen below:
 
(Fig x1,x2: Raw Shellcodes)
 

After de-obfuscating at run time, it adds bytecode to a Shader object from one of the de-obfuscated shellcode snippets.
 
 
(Fig 8: Shader Byte Code Filler)
 
This malformed bytecode is written into the Shader's Pixel Bender program, and that is what triggers the vulnerability.
 
Here is the malformed bytecode:
 
(Fig 9: Malformed data for Pixel Shader)
 
 
Disassembling Pixel Bender's byte code
 
We used Tinc Uro's program to get the PixelBender binary data decompiled.
 
 
(Fig 10: Decompiled PixelBender data)
 
The malformed content is visible here. The Shader object takes a float parameter whose default value is set to a 4x4 matrix of floats, and the second float value of this matrix is invalid, which triggers the vulnerability.
 
Conclusion

Since the downfall of the popular Blackhole Exploit Kit, we have seen the advent of many new Exploit Kits. Nuclear Exploit Kit definitely ranks among the top 5 prevalent EKs in the wild at the moment. We have seen an increasing number of compromised sites and scam pages leading to Nuclear Exploit Kit in the past three months. Some of the notable compromised sites during this time frame that were redirecting to Nuclear EK include:

SocialBlade.com - a YouTube statistics tracking site
AskMen.com - a men's entertainment website
Facebook.com survey scam pages

Exploit kits generally make use of known vulnerabilities and Flash is a popular target. CVE-2014-0515 in particular targets a Flash vulnerability in Flash versions before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux. It's critical to ensure that your employees aren't running outdated versions of Flash as it is commonly targeted by EKs.
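As an added example (not code from the original post), here is a small inventory check that encodes the affected version ranges stated above, so a defender can flag endpoints still exposed to CVE-2014-0515; the host names and versions in the sample inventory are constructed.

```python
"""CVE-2014-0515 Flash exposure check (added example, not the post's code).
Affected ranges as stated above: Windows/OS X before 11.7.700.279 and
11.8.x through 13.0.x before 13.0.0.206; Linux before 11.2.202.356."""
from typing import Iterable, List, Tuple

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse the 4-part dotted (or comma-separated) Flash build string."""
    parts = tuple(int(p) for p in text.replace(",", ".").split("."))
    if len(parts) != 4:
        raise ValueError(f"expected 4 version components, got {text!r}")
    return parts  # type: ignore[return-value]


def is_vulnerable_cve_2014_0515(version: str, platform: str) -> bool:
    """True if this Flash build falls in an affected range.
    platform is 'windows', 'osx' or 'linux' (case-insensitive)."""
    v = parse_version(version)
    p = platform.lower()
    if p == "linux":
        return v < (11, 2, 202, 356)
    if p in ("windows", "osx"):
        # 11.7 extended-support branch: fixed at 11.7.700.279.
        if v < (11, 7, 700, 279):
            return True
        # Mainline 11.8.x .. 13.0.x: fixed at 13.0.0.206.
        return (11, 8, 0, 0) <= v < (13, 0, 0, 206)
    raise ValueError(f"unknown platform {platform!r}")


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """inventory rows are (host, platform, version); returns exposed hosts."""
    return [host for host, plat, ver in inventory
            if is_vulnerable_cve_2014_0515(ver, plat)]


if __name__ == "__main__":
    # Constructed sample inventory, not data from the post.
    sample = [
        ("ws-01", "windows", "13.0.0.182"),
        ("ws-02", "windows", "13.0.0.206"),
        ("ws-03", "osx", "11.7.700.275"),
        ("ws-04", "osx", "11.7.700.279"),
        ("srv-05", "linux", "11.2.202.350"),
    ]
    print("exposed hosts:", triage(sample))  # ['ws-01', 'ws-03', 'srv-05']
```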

