This post is co-authored by Andrew Tsonchev, Jaeson Schultz, Alex Chiu, Seth Hanford, Craig Williams, Steven Poulson, and Joel Esler. Special thanks to co-author Brandon Stultz for the exploit reverse engineering.
Silverlight exploits are the drive-by flavor of the month. Exploit Kit (EK) owners are adding Silverlight to their update releases, and since April 23rd we have observed substantial traffic (often from malvertising) being driven to Angler instances partially using Silverlight exploits. In fact, this particular Angler campaign specifically targets Flash and Silverlight vulnerabilities; although Java is available and referenced in the original attack landing pages, it is never triggered.
The C-Suite Summary
A few weeks ago we discussed a malvertising campaign that redirected victims to Styx EK landing pages. Advertising exchanges continue to be leveraged for forced redirection, which means by extension that websites serving advertisements from an exchange are unwittingly redirecting their viewers to malicious destinations. Malvertising continues to play a key role in malicious web drive-by campaigns.
In fact, the U.S. Senate issued a report on Thursday highlighting some of the specific risks that digital advertising presents to everyone using the web with a modern browser. On page 7 under “Findings and Recommendations” the report states:
1. Consumers risk exposure to malware through everyday activity. Consumers can incur malware attacks without having taken any action other than visiting a mainstream website. The complexity of the online advertising ecosystem makes it impossible for an ordinary consumer to avoid advertising malware attacks, identify the source of the malware exposure, and determine whether the ad network or host website could have prevented the attack.
2. The complexity of current online advertising practices impedes industry accountability for malware attacks. The online advertising industry has grown in complexity to such an extent that each party can conceivably claim it is not responsible when malware is delivered to a user’s computer through an advertisement. An ordinary online advertisement typically goes through five or six intermediaries before being delivered to a user’s browser, and the ad networks themselves rarely deliver the actual advertisement from their own servers. In most cases, the owners of the host website visited by a user do not know what advertisements will be shown on their site.
In this latest campaign we detect initial stage-zero malicious advertisements redirecting to advertising banners (among other stage-one destinations) on stage-one websites, where redirection occurs again to Angler EK landing pages (the full list of URIs is located below in the IoCs).
Thus the complete attack life cycle is composed of multiple stage web redirection, eventually landing on an Angler EP page, followed by application exploit delivery (Flash or Silverlight), and finally payload delivery. In this particular campaign, the payload is a Trojan that opens two listener ports and initiates a TCP connection to a remote host located in Brazil.
We should expect these existing Silverlight exploits to proliferate through other exploit pack families in the near future as threat actors copy code from each other and release updates. Silverlight exploits are also ideal because Silverlight continues to gain rich Internet application market share, perhaps surpassing Java, and Microsoft’s life cycle schedule suggests Silverlight 5 will be supported through October, 2021.
Unfortunately, we observe extensive global DNS requests for the Angler landing pages, indicating that this campaign is largely succeeding even if only 10% of victims (a reasonable exploit kit percentage) are exploited due to failure to upgrade their system’s applications.
The Network Defenders’ Attack Dissection
In January we discussed Fiesta’s inclusion of Silverlight exploits for two linked vulnerabilities announced in 2013, specifically CVE-2013-0074 (subclassing System.Windows.Browser.ScriptObject) and CVE-2013-3896 (memory disclosure vulnerability in the public WritableBitmap class).
This Angler campaign uses a Silverlight file to trigger the same CVE-2013-3896 vulnerability, but packages the exploit differently and attempts obfuscation through AES encryption. Byte code within the file calculates the ROP offset inside mscorlib.ni.dll and subsequently leverages CVE-2013-0074 to access System.Windows.Browser.ScriptObject.Initialize() (via System.Windows.Browser.HtmlObject) in order to construct a custom IntPtr handle (which gets called in agcore.dll) to achieve code execution. This vulnerability was fixed in Silverlight build 5.1.20125.0 (released on 3/12/2013). Silverlight 5.1.10411.0 or prior is required to accomplish code execution.
Stepping through the complete attack chain in detail, as we mentioned above, many of the victim redirects begin in advertising exchange networks and redirect to third party sites with advertising banners, specifically “banner728x90.jpg”. This file is actually HTML that performs a redirect while also loading a JPG image. Website owners may be mystified about this process when searching for redirection causation because the file name masquerades as a benign advertising banner which they are likely to ignore.
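One way to surface the masquerading banner described above is to compare the extension in the URL with the first bytes of the response body. This is an added example, not code from the original post; the hosts, response bodies and the function names `classify` and `scan` are constructed for illustration, and the HTML and redirect markers are assumed heuristics rather than the campaign's actual markup.

```python
import re
from urllib.parse import urlparse

# Leading magic bytes for the image types an ad banner normally uses.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Assumed heuristics: tags that mean "this is markup" and "this markup redirects".
HTML_HINT = re.compile(rb"<\s*(!doctype|html|script|iframe|meta|body)\b", re.I)
REDIRECT_HINT = re.compile(
    rb"http-equiv\s*=\s*[\"']?refresh|location\s*(\.href)?\s*=|<\s*iframe\b|\beval\s*\(",
    re.I,
)

def classify(url, body):
    """Compare what the URL's extension claims with what the body actually is."""
    path = urlparse(url).path.lower()
    ext = next((e for e in IMAGE_MAGIC if path.endswith(e)), None)
    if ext is None:
        return "not-image-name"
    if body.startswith(IMAGE_MAGIC[ext]):
        return "image"
    head = body[:4096]
    if HTML_HINT.search(head):
        return "html-redirect" if REDIRECT_HINT.search(head) else "html"
    return "unknown"

def scan(responses):
    """Return (url, verdict) for image-named HTML bodies, redirects first."""
    hits = [(u, classify(u, b)) for u, b in responses]
    hits = [(u, c) for u, c in hits if c in ("html-redirect", "html")]
    return sorted(hits, key=lambda h: h[1] != "html-redirect")

# Constructed sample responses (hosts and bodies are made up for illustration).
SAMPLE = [
    ("http://cdn.example/ads/banner728x90.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("http://site.example/img/banner728x90.jpg?id=7",
     b"<html><body><img src='b.jpg'><script>window.location.href="
     b"'http://landing.example/';</script></body></html>"),
    ("http://site.example/img/missing.png", b"<html><body>404 Not Found</body></html>"),
    ("http://site.example/index.html", b"<html><body>home</body></html>"),
]

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE):
        print(verdict, url)
```

A plain "html" verdict is usually an error page served under an image name; "html-redirect" is the case worth an analyst's time.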
After de-obfuscation, six eval() statements remain, one of which (shown below) loads a Silverlight file.
The file’s code execution parameters are passed in through the init_params variable ‘exteeec’. This file contains another embedded Silverlight file that is rolling XOR encrypted.
The embedded Silverlight assembly (fotosaster.dll) is decrypted and executed.
This is the Silverlight file that leverages CVE-2013-3896 (a memory disclosure vulnerability in the public WritableBitmap class).
CVE-2013-3896 reveals the base address for mscorlib.ni.dll in order to calculate the offset to the first link in the ROP chain. The embedded Silverlight file uses the class:
Which contains the call to the vulnerable System.Windows.Browser.ScriptObject::Initialize():
The embedded Silverlight exploit uses the custom IntPtr handle above (which gets called in agcore.dll) to achieve code execution. The dropped malware starts listening on ports 14099 and 20231, decrypts “C:\Documents and Settings\<user>\Local\Settings\Application Data\extrics.dll” and then calls LoadLibrary on it. Extrics.dll uses ws2_32.dll (Winsock) to establish a TCP session with the hard-coded address, ns9.carrotpizzaeater.me.uk.
After encoding data it sends a 44 byte request to notify the Command and Control (C2) server of the infection:
The payload is identified by anti-virus software as a Trojan in the “Kazy” or “Pony” families.
Starting with known Angler domains, we identified additional attack domains via passive DNS (pDNS) and their associated A record IP addresses. We subsequently found additional domains hosted on the same IP addresses. We manually post-processed the new domain list and used Domain Tools to acquire the WHOIS records for these associated domains. Using the domain generation algorithm (DGA), we queried reverse WHOIS on the domain registrants and registrant email addresses which produced additional associated domains (listed below in IoCs).
Just as some of the Angler domain names are generated by a DGA, the registrant email addresses also follow a pattern that matches a regular expression. In total there are over 650 domains registered by 21 different Hotmail addresses.
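The pivot described in the two paragraphs above (known domain to A record, A record to co-hosted domains, domain to registrant, registrant to further domains) can be run to a fixed point over exported passive DNS and WHOIS data. This is an added example, not the authors' tooling; all domains, addresses and registrant emails are constructed, and the `max_domains_per_ip` cutoff is an assumption standing in for the manual post-processing the post mentions.

```python
from collections import defaultdict

def pivot(seeds, pdns, whois, max_domains_per_ip=50):
    """Expand seed domains through shared A records and shared registrants."""
    by_domain, by_ip, by_email = defaultdict(set), defaultdict(set), defaultdict(set)
    for domain, ip in pdns:
        by_domain[domain].add(ip)
        by_ip[ip].add(domain)
    for domain, email in whois.items():
        by_email[email].add(domain)

    domains, ips, emails = set(seeds), set(), set()
    frontier = set(seeds)
    while frontier:
        found = set()
        for d in frontier:
            for ip in by_domain[d]:
                # Assumed cutoff: a crowded IP is shared hosting, and pivoting
                # through it would pull in unrelated sites.
                if len(by_ip[ip]) > max_domains_per_ip:
                    continue
                ips.add(ip)
                found |= by_ip[ip]
            email = whois.get(d)
            if email:
                emails.add(email)
                found |= by_email[email]  # reverse WHOIS on the registrant
        frontier = found - domains
        domains |= frontier
    return domains, ips, emails

# Constructed passive DNS observations: (domain, A record).
PDNS = [
    ("seed-a.example", "192.0.2.10"), ("cohost-b.example", "192.0.2.10"),
    ("cohost-b.example", "198.51.100.7"), ("third-c.example", "198.51.100.7"),
    ("seed-a.example", "203.0.113.80"), ("blog1.example", "203.0.113.80"),
    ("blog2.example", "203.0.113.80"), ("blog3.example", "203.0.113.80"),
]
# Constructed WHOIS data: domain -> registrant email.
WHOIS = {
    "seed-a.example": "reg1@mail.example", "regonly-d.example": "reg1@mail.example",
    "third-c.example": "reg2@mail.example", "regonly-e.example": "reg2@mail.example",
    "blog1.example": "owner@mail.example",
}

if __name__ == "__main__":
    doms, addrs, regs = pivot({"seed-a.example"}, PDNS, WHOIS, max_domains_per_ip=3)
    print(sorted(doms), sorted(addrs), sorted(regs))
```

Every domain the pivot returns is a candidate, not a confirmed indicator; the result still needs the manual review step before it goes into a blocklist.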
The A record for ns9.carrotpizzaeater.me.uk is 22.214.171.124 – Telefonica Brazil – 179-163-128-154.user.vivozap.com.br. WHOIS registrant data for carrotpizzaeater.me.uk includes:
Registrant: Yoji Majimuro
Registrant type: UK Individual
The registrant is a non-trading individual who has opted to have their
address omitted from the WHOIS service.
Registrant name and address awaiting validation
Internet.bs Corp. t/a Internet.bs Corp. [Tag = INTERNET-BS]
Registered on: 06-May-2014
Expiry date: 06-May-2015
In March a Russian criminal forum announced that the Neutrino EK developer is selling the full exploit pack. Another post reported that Neutrino currently brings in $30,000 per month for its owner. Assuming that figure is correct, there is ample incentive to continue creating, maintaining, and updating these exploit packs.
The exploit kit drive-by campaigns fueled by malvertising continue to be effective, and given the web’s ubiquity in the workplace, this channel is crucially important for inspection and detection. While patching may be an effective countermeasure in this case, targeted watering hole attacks leveraging zero-day exploits continue to necessitate a behavioral detection framework.
Businesses should be developing or acquiring intelligent solutions that incorporate a threat-centric model for enhanced visibility into all stages of an attack regardless of whether it’s targeted or an equal opportunity victim attack. While traditional security mechanisms (firewall, IDS, etc.) are reasonable to support defense-in-depth, it is the advanced statistical analysis of all available data that will automatically identify behavioral anomalies and deliver finished threat intelligence to analysts, especially in the context of web-based drive-by attacks.
Indicators of Compromise
Angler Domain Registrant Email Addresses:
Extrics.dll – Silverlight payload (SHA256 hashes):
Additional Angler droppers (SHA256 hashes):
Sourcefire SIDS for the Angler Exploit Pack: