Zscaler Blog

Security Research

Nuclear Exploit Kit And Flash CVE-2014-0515

RUBIN AZAD
September 05, 2014 - 4 min read
For this blog, we'd like to walk you through a recent attack involving Nuclear Exploit Kit (EK) that we analyzed. It was found leveraging CVE-2014-0515, a buffer overflow in Adobe Flash Player discovered in April 2014.

Nuclear Exploit Kit targets a number of known vulnerabilities. Below are the files that were downloaded during the exploitation attempts we observed, with the MD5 hash, size, associated CVE or threat name, and VirusTotal detection ratio of each:

FILE TYPE   MD5                                 SIZE (bytes)   CVE / THREAT      VT HITS
FLASH       A1465ECE32FA3106AA88FD666EBF8C78    5614           CVE-2014-0515     18 / 53
JAR         A93F603A95282B80D8AFD3F23C4D4889    12396          CVE-2012-0507     26 / 54
PDF         19ED55EF17A49451D8052D0B51C66239    9770           Exploit.PDF-JS    22 / 54
EXE         8BCE8A59F9E789BEFB9D178C9A03FB66    104960         Win32/Zemot       39 / 53

Although there are other associated vulnerabilities that are being exploited by Nuclear Exploit kit, we will limit this blog post to reviewing the Flash exploitation (CVE-2014-0515).

Nuclear EK Landing

Unlike other EKs such as RIG, Nuclear EK's landing page code is highly obfuscated.

 
(Fig 1: Obfuscated Landing Page)

After de-obfuscation, the page looks as follows:
 
(Fig 2: De-Obfuscated Landing Page)

Nuclear EK's landing page checks for the following antivirus (AV) driver files and, if it finds any, terminates the exploitation process. We have seen the same checks in RIG EK.

(Fig 3: Check for AV driver files)
 

If the AV check passes, a JavaScript function then checks the installed Flash Player version and, if a vulnerable version is detected in the client's browser, calls a module that dynamically creates a Flash object.

(Fig 4: Flash Call)
 
Here are the checks for vulnerable Flash Player versions:

(Fig 5: Checks if vulnerable version installed)
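The same kind of version gate, restated as an added example (this is our illustrative code, not code from the post or from the kit): a JavaScript check written so that a defender can run it the other way round, against an inventory of reported Flash Player builds. It compares against the fixed builds that close CVE-2014-0515 (11.7.700.279 and 13.0.0.206 on Windows/OS X, 11.2.202.356 on Linux) and accepts versions in the ActiveX $version form ("WIN 13,0,0,182") or in dotted form; the sample inventory and host names are constructed.

```javascript
// Added example, not code from the original post or from Nuclear EK.
// Version gate for CVE-2014-0515 built around the fixed builds in Adobe's
// advisory; input samples below are constructed.

const FIXED_BUILDS = {
  // Windows and OS X: the 11.7 extended-support branch and the 11.8+ main branch
  desktop: { esr: [11, 7, 700, 279], mainStart: [11, 8, 0, 0], main: [13, 0, 0, 206] },
  linux: { main: [11, 2, 202, 356] },
};

// Parse "WIN 13,0,0,182", "MAC 11,7,700,275", "LNX 11,2,202,350" or "13.0.0.182".
function parseFlashVersion(s) {
  const m = /^(?:(WIN|MAC|LNX|UNIX)\s+)?(\d+)[.,](\d+)[.,](\d+)[.,](\d+)$/i.exec(String(s).trim());
  if (!m) throw new Error(`unrecognized Flash version string: ${JSON.stringify(s)}`);
  return { os: m[1] ? m[1].toUpperCase() : null, parts: m.slice(2, 6).map(Number) };
}

// Lexicographic compare of two [major, minor, build, revision] arrays.
function compareVersion(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the reported Flash Player build falls inside the affected ranges.
// osHint is only consulted when the version string carries no platform prefix.
function isVulnerableToCve20140515(versionString, osHint = "WIN") {
  const { os, parts } = parseFlashVersion(versionString);
  const platform = (os || osHint).toUpperCase();
  if (platform === "LNX" || platform === "UNIX") {
    return compareVersion(parts, FIXED_BUILDS.linux.main) < 0;
  }
  const d = FIXED_BUILDS.desktop;
  if (compareVersion(parts, d.esr) < 0) return true;        // older than the patched 11.7 ESR
  return compareVersion(parts, d.mainStart) >= 0 &&         // 11.8.x through 13.0.x ...
         compareVersion(parts, d.main) < 0;                 // ... below 13.0.0.206
}

// Triage a list of {host, version, os?} records, e.g. from an inventory export.
function findOutdatedFlash(inventory) {
  return inventory
    .filter(({ version, os }) => isVulnerableToCve20140515(version, os))
    .map(({ host }) => host);
}

// Constructed sample inventory (hypothetical hosts).
const SAMPLE_INVENTORY = [
  { host: "ws-01", version: "WIN 13,0,0,182" },
  { host: "ws-02", version: "WIN 13,0,0,206" },
  { host: "mac-01", version: "MAC 11,7,700,279" },
  { host: "mac-02", version: "MAC 12,0,0,77" },
  { host: "lnx-01", version: "11.2.202.350", os: "LNX" },
  { host: "lnx-02", version: "LNX 11,2,202,356" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable hosts:", findOutdatedFlash(SAMPLE_INVENTORY).join(", "));
}
```

The kit's own JavaScript applies the same comparison in the opposite direction: a "vulnerable" result is what sends it on to the Flash object creation code. Note that the 11.7.700.x builds at or above .279 are the patched extended-support branch, so a plain "less than 13.0.0.206" test would misreport them.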
 
If the version check passes, the Flash exploitation process will commence as seen below.

CVE-2014-0515 exploit analysis

Here is the code that dynamically creates a new Flash Object:
 
(Fig 6: Flash Object Creation)

The Flash exploit payload that gets downloaded is highly obfuscated to evade AV detection. Below is a snippet of decompiled code from this Flash exploit:
 
(Fig 7: Decompiled Flash File)
 
There are two hard-coded snippets of obfuscated shellcode in the ActionScript, as seen below:

(Fig x1, x2: Raw Shellcodes)
 

After de-obfuscating them at run time, the exploit fills the byte code of a Shader object from one of the de-obfuscated snippets.

(Fig 8: Shader Byte Code Filler)
 
This byte code is Pixel Bender shader byte code; it is malformed, and it is Flash Player's parsing of it when it is loaded into the Shader object that triggers the vulnerability.
 
Here is the Malformed byte code:
 
(Fig 9: Malformed data for Pixel Shader)
 
 
Disassembling Pixel Bender's byte code
 
We used Tinic Uro's Pixel Bender disassembler to decompile the PixelBender binary data.

(Fig 10: Decompiled PixelBender data)
 
The malformed content is visible here: the shader declares a float parameter, but the default value supplied for it is a 4x4 matrix of floats, and the second float in that matrix is an invalid value. This mismatch is what triggers the vulnerability.
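To make the mismatch concrete, here is an added example (our own illustrative code, not part of the original analysis and not Tinic Uro's tool): a small JavaScript walker over the PBJ header that records each parameter with its metadata and flags a parameter whose defaultValue, minValue or maxValue metadata is typed wider than the parameter itself, the float-parameter-with-float4x4-default shape seen in Fig 10. The opcode layout and type codes are taken from public PBJ disassemblers and should be treated as assumptions here, and the sample byte code is constructed for the example rather than taken from the exploit.

```javascript
// Added example, not code from the original post or from Tinic Uro's tool.
// ASSUMPTIONS (from public PBJ disassemblers): opcodes 0xA5 version (u32),
// 0xA3 kernel name (u16 length + bytes), 0xA1 parameter (qualifier u8, type u8,
// register u16, mask u8, NUL-terminated name), 0xA4 parameter metadata and
// 0xA0 kernel metadata (type u8, NUL-terminated key, value), 0xA2 texture
// (index u8, channels u8, NUL-terminated name); multi-byte values are big-endian.
const PBJ_OP = { KERNEL_META: 0xA0, PARAM: 0xA1, TEXTURE: 0xA2, NAME: 0xA3, PARAM_META: 0xA4, VERSION: 0xA5 };
const PBJ_TYPE_NAME = { 1: "float", 2: "float2", 3: "float3", 4: "float4", 5: "float2x2", 6: "float3x3", 7: "float4x4", 12: "string" };
const PBJ_FLOAT_SLOTS = { 1: 1, 2: 2, 3: 3, 4: 4, 5: 4, 6: 9, 7: 16 }; // 32-bit floats per type
const CHECKED_KEYS = new Set(["defaultValue", "minValue", "maxValue"]);

class PbjReader {
  constructor(bytes) {
    this.view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
    this.pos = 0;
  }
  get eof() { return this.pos >= this.view.byteLength; }
  u8() { return this.view.getUint8(this.pos++); }
  u16() { const v = this.view.getUint16(this.pos); this.pos += 2; return v; } // big-endian
  u32() { const v = this.view.getUint32(this.pos); this.pos += 4; return v; }
  f32() { const v = this.view.getFloat32(this.pos); this.pos += 4; return v; }
  ascii(n) { let s = ""; for (let i = 0; i < n; i++) s += String.fromCharCode(this.u8()); return s; }
  cstr() { let s = ""; for (let c = this.u8(); c !== 0; c = this.u8()) s += String.fromCharCode(c); return s; }
  value(type) { // metadata value; only the float family and strings are handled here
    if (type === 12) return this.cstr();
    const n = PBJ_FLOAT_SLOTS[type];
    if (n === undefined) throw new Error(`unsupported metadata type ${type} at offset ${this.pos}`);
    const out = [];
    for (let i = 0; i < n; i++) out.push(this.f32());
    return out;
  }
}

// Walk the header opcodes; return kernel name/version, its parameters (each
// with its metadata) and a findings list for metadata wider than the parameter.
function analyzePbj(bytes) {
  const r = new PbjReader(bytes);
  const result = { version: null, name: null, params: [], findings: [] };
  let current = null;
  while (!r.eof) {
    const op = r.u8();
    switch (op) {
      case PBJ_OP.VERSION: result.version = r.u32(); break;
      case PBJ_OP.NAME: result.name = r.ascii(r.u16()); break;
      case PBJ_OP.TEXTURE: r.u8(); r.u8(); r.cstr(); break;
      case PBJ_OP.KERNEL_META: { const t = r.u8(); r.cstr(); r.value(t); break; }
      case PBJ_OP.PARAM:
        current = { qualifier: r.u8(), type: r.u8(), reg: r.u16(), mask: r.u8(), name: r.cstr(), meta: [] };
        result.params.push(current);
        break;
      case PBJ_OP.PARAM_META: {
        const type = r.u8(), key = r.cstr(), value = r.value(type);
        if (!current) throw new Error(`metadata "${key}" before any parameter`);
        current.meta.push({ key, type, value });
        const declared = PBJ_FLOAT_SLOTS[current.type], given = PBJ_FLOAT_SLOTS[type];
        if (CHECKED_KEYS.has(key) && declared !== undefined && given !== undefined && given > declared) {
          result.findings.push({ param: current.name, key, declared: PBJ_TYPE_NAME[current.type],
                                 given: PBJ_TYPE_NAME[type], extraSlots: given - declared });
        }
        break;
      }
      default: return result; // instruction data follows the header; stop here
    }
  }
  return result;
}

// Constructed sample (not the real exploit's bytes): kernel "Kernel" with one
// input float parameter "scale" whose defaultValue metadata has the given type.
function buildSample(defaultValueType) {
  const b = [];
  const u8 = (v) => b.push(v & 0xff);
  const u16 = (v) => { u8(v >>> 8); u8(v); };
  const u32 = (v) => { u16(v >>> 16); u16(v & 0xffff); };
  const f32 = (v) => { const dv = new DataView(new ArrayBuffer(4)); dv.setFloat32(0, v); for (let i = 0; i < 4; i++) u8(dv.getUint8(i)); };
  const cstr = (s) => { for (const ch of s) u8(ch.charCodeAt(0)); u8(0); };
  u8(PBJ_OP.VERSION); u32(1);
  u8(PBJ_OP.NAME); u16(6); for (const ch of "Kernel") u8(ch.charCodeAt(0));
  u8(PBJ_OP.PARAM); u8(1); u8(1); u16(0); u8(0x08); cstr("scale"); // in float scale
  u8(PBJ_OP.PARAM_META); u8(defaultValueType); cstr("defaultValue");
  for (let i = 0; i < PBJ_FLOAT_SLOTS[defaultValueType]; i++) f32(i + 1);
  return new Uint8Array(b);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(analyzePbj(buildSample(7)).findings)); // type 7 = float4x4 default on a float
}
```

analyzePbj stops at the first opcode it does not recognize, so it reads only the header region; that is enough for this check, since the parameter declarations and their metadata are where the mismatch lives. A float parameter given a float4x4 default is reported with 15 extra float slots, which is the excess a parser that sizes its buffer from the parameter type and copies from the metadata type would write past the end.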
 
Conclusion

Since the downfall of the popular Blackhole Exploit Kit, we have seen the advent of many new exploit kits. Nuclear Exploit Kit definitely ranks among the top 5 most prevalent EKs in the wild at the moment. We have seen an increasing number of compromised sites and scam pages leading to Nuclear Exploit Kit in the past three months. Some of the notable compromised sites during this time frame that were redirecting to Nuclear EK include:

SocialBlade.com - a YouTube statistics tracking site
AskMen.com - a men's entertainment website
Facebook.com survey scam pages

Exploit kits generally make use of known vulnerabilities, and Flash Player is a popular target. CVE-2014-0515 in particular affects Flash Player versions before 11.7.700.279, and 11.8.x through 13.0.x before 13.0.0.206, on Windows and OS X, and versions before 11.2.202.356 on Linux. It is critical to ensure that your employees aren't running outdated versions of Flash Player, as it is commonly targeted by EKs.

