Executive Overview
- Websense researchers have discovered the use of CVE-2014-0322 as early as January 20, 2014 - nearly 3 weeks before the previously known first date of the attacks
- The attack may be targeting organizations associated with the French aerospace association, GIFAS
- The CVE-2014-0322 exploit in this attack is hosted on a US server
- We observed the malicious Shockwave Flash (Tope.swf SHA:910de05e0113c167ba3878f73c64d55e5a2aff9a) being uploaded to VirusTotal on January 20. This was presumably done by the attackers to confirm if antivirus had protection for the exploit. At the time there was zero detection
- The exploit may use an in-memory attack with no file writes to avoid detection from antivirus products
- Early analysis indicates correlations between this attack and the DeputyDog and EphemeralHydra groups
CVE-2014-0322 Attack Analysis
Contributors: Alex Watson, Victor Chin - Websense Security Labs
Websense Security Labs ThreatSeeker telemetry has confirmed the existence of the Microsoft Internet Explorer 10 0-day exploit CVE-2014-0322 beginning as early as January 20 2014, predating the previously believed first use by nearly three weeks.
The CVE-2014-0322 exploit has been seen hosted and delivered from the following URL, which was first seen by Websense on January 20, 2014:
hxxp://gifas.assso.net
hxxp://gifas.assso.net is presumably a fake site meant to look like hxxp://gifas.asso.fr, which is a French aerospace association:
GIFAS, the French aerospace industries association, has more than 300 members, from major prime contractors and system suppliers to small specialist companies. Activities extend from civil and military aircraft and helicopters to engines, missiles and armament, satellites and launch vehicles, plus aerospace, defence and security major systems, equipment, subassemblies and associated software.
The use of the very similar domain name may indicate that the French aerospace association is the target, but this domain does not appear to be a campaign with active lures, yet.
Domain History for assso.net
An anonymous DNS registration service was originally used to register the domain "assso.net" which was updated to direct users to the malicious site on January 20, 2014.
Name Servers: NS05.DOMAINCONTROL.COM|NS06.DOMAINCONTROL.COM
Registrar Name: GODADDY.COM, LLC
Admin Contact: info com
hepinglui
buxhidao, pinghing 512326
8613590978619
215027763@qq.com
Registrant Contactinfo com
hepinglui
buxhidao, pinghing 512326
8613590978619
215027763@qq.com
As of January 28, 2014 gifts.assso.net resolved to 173.252.252.204. This IP address is geolocated to Santa Clara, Calif. We noticed the SHA1 for Tope.swf being uploaded to VirusTotal on January 20 (the same day as the fake gifas.assso.net site was set up), with no detection at the time by AV vendors. Presumably this was done by the attackers to check AV coverage for their malware before starting their attacks, further indicating that January 20 was the initial rollout of this campaign of attacks using this 0-day.
Similarity with other observations of CVE-2014-0322
As is in the HTTP stream shown below, visitors going to hxxp://gifts.assso.net are linked to include.html, which sets up the ROP exploit and "Tope.swf" Shockwave Flash file (SHA1: 910de05e0113c167ba3878f73c64d55e5a2aff9a) which is utilized after the CVE-2014-0322 use after free vulnerability to access memory through ActionScript in the SWF file.
Checking for Microsoft's Exploit Mitigation Toolkit
Additional similarities to the attacks on the US Veterans of Foreign Wars website include the Javascript-based check for Microsoft's EMET (exploit mitigation toolkit) which is attempted to be loaded as an XML to determine whether the DLL is present. If the DLL is verified as existing, the attack JavaScript aborts the attack.
var steeple ="<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'res://C:\\windows\\AppPatch\\EMET.DLL'>";
Malicious Content in Tope.swf Shockwave Flash File
Below is code located in the Tope.SWF that leads to a second stage dropper called "Erido.jpg". Code snippet below :
The code above shows the Shockwave Flash ActionScript downloading content but not actually storing it to a file. The follow-on code below shows a buffer being written and read as "little endian" to denote the order for the byte array to be executed. The _local(x) variables look to be calculations in memory which makes us believe this is an "in memory" only attack, presumably to make antivirus detection more difficult.
Analysis of the Malicious ActionScript (AS3) Code
Below is the use after free type vulnerability that is triggered when the Vector class is allocated / freed
In the code above, the string:
appears to be the culprit responsible for causing the vulnerability to return to malicious memory space allocated.
Links to DeputyDog and EphemeralHydra Campaigns
The similarities in the exploit, delivery and search for the EMET.DLL indicate that the same group of threat actors is most likely behind the malicious URL above and the attacks that have been covered by FireEye. More detailed analysis coming soon.
[UPDATE]
If you are concerned about your exposure to this vulnerability due to the use of Microsoft Internet Explorer 10 we would recommend that you consider upgrading to Internet Explorer 11. You can find out more information at Microsoft's IE page here.
This attack is known to check for the presence of Microsoft's Enhanced Mitigation Experience Toolkit (EMET). If it is found then the exploit attempt terminates. You can find out more about how to deploy EMET in Microsoft's overview here and the EMET knowledge base article.
