FireEye Labs recently detected a limited APT campaign exploiting
zero-day vulnerabilities in Adobe Flash and a brand-new one in
Microsoft Windows. Using the Dynamic Threat Intelligence Cloud (DTI), FireEye
researchers detected a pattern of attacks beginning on April
2015. Adobe independently patched the vulnerability (CVE-2015-3043) in
Through correlation of technical indicators and command and control
infrastructure, FireEye assess that APT28 is probably responsible for
Microsoft is aware of the outstanding local privilege escalation
vulnerability in Windows (CVE-2015-1701). While there is not yet a
patch available for the Windows vulnerability, updating Adobe Flash to
the latest version will render this in-the-wild exploit innocuous. We
have only seen CVE-2015-1701 in use in conjunction with the Adobe
Flash exploit for CVE-2015-3043. The Microsoft Security Team is
working on a fix for CVE-2015-1701.
The high level flow of the exploit is as follows:
1. User clicks link to attacker controlled website
2. HTML/JS launcher page serves Flash exploit
Flash exploit triggers CVE-2015-3043, executes shellcode
4. Shellcode downloads and runs executable payload
5. Executable payload exploits local privilege escalation
(CVE-2015-1701) to steal System token
The Flash exploit is served from unobfuscated HTML/JS. The launcher
page picks one of two Flash files to deliver depending upon the
target’s platform (Windows 32 versus 64bits).
The Flash exploit is mostly unobfuscated with only some light
variable name mangling. The attackers relied heavily on the
CVE-2014-0515 Metasploit module, which is well documented. It is
ROPless, and instead constructs a fake vtable for a FileReference
object that is modified for each call to a Windows API.
The payload exploits a local privilege escalation vulnerability in
the Windows kernel if it detects that it is running with limited
privileges. It uses the vulnerability to run code from userspace in
the context of the kernel, which modifies the attacker’s process token
to have the same privileges as that of the System process.
The primary difference between the CVE-2014-0515 metasploit module
and this exploit is, obviously, the vulnerability. CVE-2014-0515
exploits a vulnerability in Flash’s Shader processing, whereas
CVE-2015-3043 exploits a vulnerability in Flash’s FLV processing. The
culprit FLV file is embedded within AS3 in two chunks, and is
reassembled at runtime.
A buffer overflow vulnerability exists in Adobe Flash Player
(<=184.108.40.206) when parsing malformed FLV objects. Attackers exploiting the vulnerability can corrupt memory and gain remote code execution.
In the exploit, the attacker embeds the FLV object directly in the
ActionScript code, and plays the video using NetStream class. In
memory, it looks like the following:
0000000: 46 4c 56 01 05 00 00 00 09 00 00 00 00 12 00 00
0000010: f4 00 00 00 00 00 00 00 02 00 0a 6f 6e
4d 65 74 ………..onMet
0000020: 61 44 61 74 61 08 00 00 00
0b 00 08 64 75 72 61 aData…….dura
0000030: 74 69 6f 6e 00
40 47 ca 3d 70 a3 d7 0a 00 05 77 tion.@G.=p…..w
64 74 68 00 40 74 00 00 00 00 00 00 00 06 68 idth.@t……..h
0000050: 65 69 67 68 74 00 40 6e 00 00 00 00 00 00 00 0d
0000060: 76 69 64 65 6f 64 61 74 61 72 61 74 65
00 00 00 videodatarate…
0003b20: 27 6e ee 72 87 1b
47 f7 41 a0 00 00 00 3a 1b 08 ‘n.r..G.A….:..
0003b30: 00 04
41 00 00 0f 00 00 00 00 68 ee ee ee ee ee ..A…….h…..
0003b40: ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee
0003b50: ee ee ee ee ee ee ee ee ee ee ee ee ee
ee ee ee …………….
0003b60: ee ee ee ee ee ee ee ee ee
ee ee ee ee ee ee ee …………….
Files of the FLV file format contain a sequence of Tag structures.
In Flash, these objects are created when parsing FLV Tags:
.text:1018ACE9 sub_1018ACE9 proc near ; CODE XREF:
arg_0 = dword ptr 4
.text:1018ACE9 mov eax, ecx
.text:1018ACEB mov ecx, [esp+arg_0]
.text:1018ACEF mov dword ptr [eax], offset
.text:1018ACF5 mov dword ptr
.text:1018ACFC and dword ptr
.text:1018AD00 mov [eax+28h],
.text:1018AD03 mov byte ptr [eax+20h],
.text:1018AD07 retn 4
In the case of this exploit, a Tag structure begins at offset 0x3b2f
into the FLV stream that, when parsed, populates the Tag structure as follows:
UINT_8 type: 8
UINT_24 datasize: 1089
UINT_24 timestamp: 15
UINT_8 timestamphi: 0
UINT_4 fmt: 6
UINT_2 sr: 2
UINT_1 channels: 0
UINT_32 lastsize: 0xeeeeeeee
Beginning within the data field, all contents of the FLV stream
become 0xEE. Consequently, the data and lastsize fields are mangled,
and one final tag technically exists consisting exclusively of 0xEE:
UINT_8 type: 0xEE
One can see the datasize field of Tag2 populated from the attacker’s
FLV stream below:
.text:10192943 mov eax, [ebx+24h]
.text:10192946 mov [esi+14h], eax
.text:10192949 movzx eax, byte ptr [ebx+19h] ;
.text:1019294D movzx ecx, byte ptr
[ebx+1Ah] ; 04
.text:10192951 shl eax,
.text:10192954 or eax, ecx
.text:10192956 movzx ecx, byte ptr [ebx+1Bh] ;
.text:1019295A shl eax, 8
.text:1019295D or eax, ecx
.text:1019295F mov ecx, ebx
.text:10192961 mov [esi+0Ch], eax ; 0x441
.text:10192964 call sub_1002E2B3
The buffer is allocated with fixed size 0x2000:
.text:101A647E push 2000h
.text:101A6483 mov ecx, esi
.text:101A6485 call sub_101A6257 ; alloc 0x2000
buffer, store in esi+0xDC
.text:101A627F push 0
.text:101A6281 push edi ; 0x2000
.text:101A6282 call sub_105EBEB0
.text:101A6287 pop ecx
.text:101A6288 pop ecx
.text:101A6289 mov [esi+0DCh], eax
Since the size is controlled by the attacker, it’s possible to
overflow the fixed size buffer with certain data.
A datasize of 0x441 results in a value here of 0x1100 passed to
sub_100F88F8, which memcopies 0x2200 bytes in 0x11 chunks of 0x200.
The last memcpy overflows the fixed size 0x2000 buffer into a adjacent
Attackers spray the heap with array of Vector, 0x7fe * 4 + 8 ==
0x2000, and create holes of such size, which will be allocated by the
while (_local_2 < this._bp35) // _bp35 ==
_local_3 = 0x00;
this._ok47[_local_2][_local_3] = 0x41414141;
(_local_2 + 0x01);
while (_local_2 < this._bp35)
this._ok47[_local_2] = null;
_local_2 = (_local_2 + 0x02);
As the previous picture demonstrated, the followed Vector object’s
length field being overflowed as 0x80007fff, which enables the
attacker to read/write arbitrary data within user space.
Shellcode is passed to the exploit from HTML in flashvars. The
shellcode downloads the next stage payload, which is an executable
passed in plaintext, to the temp directory with UrlDownloadToFileA,
which it then runs with WinExec.
Payload & C2
This exploit delivers a malware variant that shares characteristics
with the APT28 backdoors CHOPSTICK and CORESHELL malware families,
both described in our APT28 whitepaper. The
malware uses an RC4 encryption key that was previously used by the
CHOPSTICK backdoor. And the C2 messages include a checksum algorithm
that resembles those used in CHOPSTICK backdoor communications. In
addition, the network beacon traffic for the new malware resembles
those used by the CORESHELL backdoor. Like CORESHELL, one of the
beacons includes a process listing from the victim host. And like
CORESHELL, the new malware attempts to download a second-stage executable.
One of the C2 locations for the new payload, 87.236.215[.]246, also hosts
a suspected APT28 domain ssl-icloud[.]com. The same
subnet (220.127.116.11/24) also hosts
several known or suspected APT28 domains, as seen in Table 1.
The target firm is an international government entity in an industry
vertical that aligns with known APT28 targeting.
The payload contains an exploit for the unpatched local privilege
escalation vulnerability CVE-2015-1701 in Microsoft Windows. The
exploit uses CVE-2015-1701 to execute a callback in userspace. The
callback gets the EPROCESS structures of the current process and the
System process, and copies data from the System token into the token
of the current process. Upon completion, the payload continues
execution in usermode with the privileges of the System process.
Because CVE-2015-3043 is already patched, this remote exploit will
not succeed on a fully patched system. If an attacker wanted to
exploit CVE-2015-1701, they would first have to be executing code on
the victim’s machine. Barring authorized access to the victim’s
machine, the attacker would have to find some other means, such as
crafting a new Flash exploit, to deliver a CVE-2015-1701 payload.
Microsoft is aware of CVE-2015-1701 and is working on a fix.
CVE-2015-1701 does not affect Windows 8 and later.
Thank you to all of the contributors to this blog!
- The following people in FireEye: Dan
Caselden, Yasir Khalid, James “Tom” Bennett, GenWei Jiang, Corbin
Souffrant, Joshua Homan, Jonathan Wrolstad, Chris Phillips, Darien
- Microsoft & Adobe security teams