Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

What did the Java applet say to the SWF? Don't leave me alone in this Blackholeee!

Last week as we were analyzing the new version of Blackhole with the new Java exploit (CVE-2012-1723), we ran into a SWF file called Flash.swf that we've not analyzed before. This is a refreshing change, as there haven't been too many updates to the SWF part of Blackhole in a long time, and so we thought we'd give it a spin.

So, how did it all start?

A new massive spam campaign tries to coerce users into clicking a malicious link by sending out an email imploring them to pay an unpaid parking ticket. The following domains were seen hosting this so-called ticket:

hxxp://cartaastral.com/intpmt.html

hxxp://hemorrapid.com/intpmt.html

hxxp://qrdp.com/intpmt.html

hxxp://timaru.ru/intpmt.html

hxxp://theannoying.ca/intpmt.html

hxxp://picturebuggphotobooth.com/intpmt.html

hxxp://naninani.info/intpmt.html

hxxp://m-mucha.eu/intpmt.html

hxxp://hizmetyeri.com/intpmt.html

hxxp://digdin.ru/intpmt.html

hxxp://11655.org/intpmt.htm

The page displays a fake invoice and asks the user to wait. While the user waits, the page loads an IFRAME with the Blackhole exploit kit:

8541_2e8daab0-68be-4af8-9473-b44c9314910bThe fake invoice page

We wondered how many people actually wait until the page is fully loaded (with the exploits); luckily we managed to take a closer look at the statistics of this attack, which show pretty poor results for the attackers:

7663_02aacc93-2641-4219-932d-9e29f964a194The blackhole exploit kit statistics page

Now, let's take a closer look at the aforementioned new SWF file, and a couple of other recent updates of Blackhole:

Adobe Flash Player AVM Verification Logic Array Indexing Code Execution (CVE-2011-2110):

First of all, here is a snippet from the decompiled ActionScript of Flash.swf:

12636_f1ecfe20-21e3-46a0-90d3-9dcb7b04767fThe ActionScript source code of Flash.swf

As you can see marked in the first box the flash file reads a stream passed from the HTML exploit page as a parameter:

9746_6a339b86-1036-4df2-89ab-f807b03d7cb3

The source code of the exploit HTML page

The ActionScript code manipulates the data provided by the info parameter by converting it to a binary stream, XOR'ing it with 122 and then decompressing it using zlib. This process results in the construction of a URL that is then fetched using a standard URLRequest (also marked in the source code), but our journey does not end here. The data fetched from this URL is not the payload one might expect to find, but rather more binary data which then goes through the same process as the previous binary stream, being XOR'd and decompressed using zlib to ultimately result in yet another URL- this time of the payload:

8844_3cfab5b7-83b7-452b-95a3-e1fc79f1025a

The deobfuscated binary data

We uploaded the file to VirusTotal:

9163_4cb42664-4dc9-4d1e-8166-90e80e686eb8 VirusTotal scan results for Flash.swf

As you can see, 9/42 AV scanners detected this file as malicious, but despite some of the reports, this SWF actually exploits CVE-2011-2110:

8882_3f7c82c9-eac5-4bd4-887f-edac0bc86435
The Metasploit module for CVE-2011-2110

… Looks familiar?

Oracle Java Applet Field Bytecode Verifier Cache Remote Code Execution (CVE-2012-1723):

The newcomer Java exploit in this version of Blackhole is CVE-2012-1723. There's a great description regarding the actual vulnerability made by Michael Schierl. This vulnerability joins the family of Type Confusion vulnerabilities detected in the JVM and we believe it isn't the last one. Many efforts are put by researchers and malware authors to find such bugs in the JVM, as they usually have high successful exploitation rate. As you can see in the admin panel above, JVM vulnerabilities are responsible for the majority for successful exploitations made by Blackhole.

Despite its high profile in the media and its success rate, a quick visit to VirusTotal revealed that the detection rates for this java exploit are still very low (3/42):

10922_9fdf67b0-ee56-4901-90f4-f5774137801aVirusTotal scan results for Fiord.jar

It is quite obvious that the exploits included in the Blackhole Exploit Kit for CVE-2012-1723 and CVE-2011-2110 are adopted from the Metasploit framework. The exploit for CVE-2012-1723, though, seem to have evolved and now also contains bytecode obfuscation.

Bytecode obfuscation is a technique which we recently described after it was employed in the RedKit exploit kit, which makes it the most common method for obfuscating Java malware nowadays.

Internet Explorer MSXML Uninitialized Memory Corruption (CVE-2012-1889):

This last one has been mentioned in the context of the Blackhole exploit kit in several places already, but since this vulnerability was released as a 0-day just last month, it's worth noting that it, too, is already part of the new Blackhole exploit lineup, if only to make a point.

It is obvious that the Blackhole authors put a lot of effort into keeping the exploit kit up-to-date both in terms of vulnerabilities and in terms of obfuscation techniques, and we expect to see more such updates in the future.

Trustwave Secure Web Gateway's generic protection against 0-day attacks protects its customers from exploitation attempts of the above vulnerabilities without the need for installing new security updates.

Authored by: Moshe Basanchig, Daniel Chechik and Anat Davidi.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More