Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack
FireEye Labs recently detected a limited APT campaign exploiting zero-day vulnerabilities in Adobe Flash and a brand-new one in Microsoft Windows. Using the Dynamic Threat Intelligence Cloud (DTI), FireEye researchers detected a pattern of attacks beginning on April 13th, 2015. Adobe independently patched the vulnerability (CVE-2015-3043) in APSB15-06. Through correlation of technical indicators and command and control infrastructure, FireEye assess that APT28 is probably responsible for this activity.
Microsoft is aware of the outstanding local privilege escalation vulnerability in Windows (CVE-2015-1701). While there is not yet a patch available for the Windows vulnerability, updating Adobe Flash to the latest version will render this in-the-wild exploit innocuous. We have only seen CVE-2015-1701 in use in conjunction with the Adobe Flash exploit for CVE-2015-3043. The Microsoft Security Team is working on a fix for CVE-2015-1701.
The high level flow of the exploit is as follows:
1. User clicks link to attacker controlled website
2. HTML/JS launcher page serves Flash exploit
3. Flash exploit triggers CVE-2015-3043, executes shellcode
4. Shellcode downloads and runs executable payload
5. Executable payload exploits local privilege escalation (CVE-2015-1701) to steal System token
The Flash exploit is served from unobfuscated HTML/JS. The launcher page picks one of two Flash files to deliver depending upon the target’s platform (Windows 32 versus 64bits).
The Flash exploit is mostly unobfuscated with only some light variable name mangling. The attackers relied heavily on the CVE-2014-0515 Metasploit module, which is well documented. It is ROPless, and instead constructs a fake vtable for a FileReference object that is modified for each call to a Windows API.
The payload exploits a local privilege escalation vulnerability in the Windows kernel if it detects that it is running with limited privileges. It uses the vulnerability to run code from userspace in the context of the kernel, which modifies the attacker’s process token to have the same privileges as that of the System process.
The primary difference between the CVE-2014-0515 metasploit module and this exploit is, obviously, the vulnerability. CVE-2014-0515 exploits a vulnerability in Flash’s Shader processing, whereas CVE-2015-3043 exploits a vulnerability in Flash’s FLV processing. The culprit FLV file is embedded within AS3 in two chunks, and is reassembled at runtime.
A buffer overflow vulnerability exists in Adobe Flash Player (<=18.104.22.168) when parsing malformed FLV objects. Attackers exploiting the vulnerability can corrupt memory and gain remote code execution.
In the exploit, the attacker embeds the FLV object directly in the ActionScript code, and plays the video using NetStream class. In memory, it looks like the following:
0000000: 46 4c 56 01 05 00 00 00 09 00 00 00 00 12 00 00 FLV.............
0000010: f4 00 00 00 00 00 00 00 02 00 0a 6f 6e 4d 65 74 ...........onMet
0000020: 61 44 61 74 61 08 00 00 00 0b 00 08 64 75 72 61 aData.......dura
0000030: 74 69 6f 6e 00 40 47 ca 3d 70 a3 d7 0a 00 05 77 tion.@G.=p.....w
0000040: 69 64 74 68 00 40 74 00 00 00 00 00 00 00 06 68 idth.@t........h
0000050: 65 69 67 68 74 00 40 6e 00 00 00 00 00 00 00 0d eight.@n........
0000060: 76 69 64 65 6f 64 61 74 61 72 61 74 65 00 00 00 videodatarate...
0003b20: 27 6e ee 72 87 1b 47 f7 41 a0 00 00 00 3a 1b 08 'n.r..G.A....:..
0003b30: 00 04 41 00 00 0f 00 00 00 00 68 ee ee ee ee ee ..A.......h.....
0003b40: ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ................
0003b50: ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ................
0003b60: ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ................
Files of the FLV file format contain a sequence of Tag structures. In Flash, these objects are created when parsing FLV Tags:
.text:1018ACE9 sub_1018ACE9 proc near ; CODE XREF: sub_1018BBAC+2Bp
.text:1018ACE9 ; sub_10192797+1A1p ...
.text:1018ACE9 arg_0 = dword ptr 4
.text:1018ACE9 mov eax, ecx
.text:1018ACEB mov ecx, [esp+arg_0]
.text:1018ACEF mov dword ptr [eax], offset off_10BA771C
.text:1018ACF5 mov dword ptr [eax+24h], 1
.text:1018ACFC and dword ptr [eax+14h], 0
.text:1018AD00 mov [eax+28h], ecx
.text:1018AD03 mov byte ptr [eax+20h], 0
.text:1018AD07 retn 4
.text:1018AD07 sub_1018ACE9 endp
In the case of this exploit, a Tag structure begins at offset 0x3b2f into the FLV stream that, when parsed, populates the Tag structure as follows:
UINT_8 type: 8
UINT_24 datasize: 1089
UINT_24 timestamp: 15
UINT_8 timestamphi: 0
UINT_24 streamid: 0
UINT_4 fmt: 6
UINT_2 sr: 2
UINT_1 bits: 0
UINT_1 channels: 0
UBYTE data: \xee\xee\xee\xee…
UINT_32 lastsize: 0xeeeeeeee
Beginning within the data field, all contents of the FLV stream become 0xEE. Consequently, the data and lastsize fields are mangled, and one final tag technically exists consisting exclusively of 0xEE:
UINT_8 type: 0xEE
UINT_24 datasize: 0xEEEEEE
One can see the datasize field of Tag2 populated from the attacker's FLV stream below:
.text:10192943 mov eax, [ebx+24h]
.text:10192946 mov [esi+14h], eax
.text:10192949 movzx eax, byte ptr [ebx+19h] ; 00
.text:1019294D movzx ecx, byte ptr [ebx+1Ah] ; 04
.text:10192951 shl eax, 8
.text:10192954 or eax, ecx
.text:10192956 movzx ecx, byte ptr [ebx+1Bh] ; 41
.text:1019295A shl eax, 8
.text:1019295D or eax, ecx
.text:1019295F mov ecx, ebx
.text:10192961 mov [esi+0Ch], eax ; 0x441
.text:10192964 call sub_1002E2B3
The buffer is allocated with fixed size 0x2000:
.text:101A647E push 2000h
.text:101A6483 mov ecx, esi
.text:101A6485 call sub_101A6257 ; alloc 0x2000 buffer, store in esi+0xDC
.text:101A627F push 0
.text:101A6281 push edi ; 0x2000
.text:101A6282 call sub_105EBEB0
.text:101A6287 pop ecx
.text:101A6288 pop ecx
.text:101A6289 mov [esi+0DCh], eax
Since the size is controlled by the attacker, it’s possible to overflow the fixed size buffer with certain data.
A datasize of 0x441 results in a value here of 0x1100 passed to sub_100F88F8, which memcopies 0x2200 bytes in 0x11 chunks of 0x200. The last memcpy overflows the fixed size 0x2000 buffer into a adjacent heap memory.
Attackers spray the heap with array of Vector, 0x7fe * 4 + 8 == 0x2000, and create holes of such size, which will be allocated by the said object.
while (_local_2 < this._bp35) // _bp35 == 0x2000
this._ok47[_local_2] = new Vector.<uint>(this._lb60); // _lb60 == 0x07FE
_local_3 = 0x00;
while (_local_3 < this._lb60)
this._ok47[_local_2][_local_3] = 0x41414141;
_local_2 = (_local_2 + 0x01);
_local_2 = 0x00;
while (_local_2 < this._bp35)
this._ok47[_local_2] = null;
_local_2 = (_local_2 + 0x02);
As the previous picture demonstrated, the followed Vector object’s length field being overflowed as 0x80007fff, which enables the attacker to read/write arbitrary data within user space.
Shellcode is passed to the exploit from HTML in flashvars. The shellcode downloads the next stage payload, which is an executable passed in plaintext, to the temp directory with UrlDownloadToFileA, which it then runs with WinExec.
Payload & C2
This exploit delivers a malware variant that shares characteristics with the APT28 backdoors CHOPSTICK and CORESHELL malware families, both described in our APT28 whitepaper. The malware uses an RC4 encryption key that was previously used by the CHOPSTICK backdoor. And the C2 messages include a checksum algorithm that resembles those used in CHOPSTICK backdoor communications. In addition, the network beacon traffic for the new malware resembles those used by the CORESHELL backdoor. Like CORESHELL, one of the beacons includes a process listing from the victim host. And like CORESHELL, the new malware attempts to download a second-stage executable.
One of the C2 locations for the new payload, 87.236.215[.]246, also hosts a suspected APT28 domain ssl-icloud[.]com. The same subnet (22.214.171.124/24) also hosts several known or suspected APT28 domains, as seen in Table 1.
The target firm is an international government entity in an industry vertical that aligns with known APT28 targeting.
The payload contains an exploit for the unpatched local privilege escalation vulnerability CVE-2015-1701 in Microsoft Windows. The exploit uses CVE-2015-1701 to execute a callback in userspace. The callback gets the EPROCESS structures of the current process and the System process, and copies data from the System token into the token of the current process. Upon completion, the payload continues execution in usermode with the privileges of the System process.
Because CVE-2015-3043 is already patched, this remote exploit will not succeed on a fully patched system. If an attacker wanted to exploit CVE-2015-1701, they would first have to be executing code on the victim’s machine. Barring authorized access to the victim’s machine, the attacker would have to find some other means, such as crafting a new Flash exploit, to deliver a CVE-2015-1701 payload.
Microsoft is aware of CVE-2015-1701 and is working on a fix. CVE-2015-1701 does not affect Windows 8 and later.
Thank you to all of the contributors to this blog!
- The following people in FireEye: Dan Caselden, Yasir Khalid, James “Tom” Bennett, GenWei Jiang, Corbin Souffrant, Joshua Homan, Jonathan Wrolstad, Chris Phillips, Darien Kindlund
- Microsoft & Adobe security teams