Zero-Day Attack for Internet Explorer (CVE-2013-3897) Goes High Profile

Websense® Security Labs™ has seen a new zero-day exploit for Internet Explorer (CVE-2013-3897) used in highly targeted, low-volume attacks in Korea, Hong Kong, and the United States, as early as September 18th, 2013. Microsoft shared the details of the vulnerability (CVE-2013-3897) in advance of today’s patch, which is now available for download. Websense ThreatSeeker® Intelligence Cloud was able to correlate those attacks and build a profile of the geographical locations where the attacks began and of the targeted industries, described later in this post. In addition, we found that the targeted attacks using the CVE-2013-3897 exploit also served older exploits, such as CVE-2012-4792, to certain targets.

 

Executive Summary

  • Websense ThreatSeeker Intelligence Cloud has seen a new zero-day exploit for Internet Explorer (CVE-2013-3897) used in highly targeted, low-volume attacks in Korea, Hong Kong, and the United States, as early as September 18th, 2013.
  • Websense telemetry indicates that the attack campaign using the same infrastructure and the older exploit (CVE-2012-4792) began as early as August 23rd, 2013, before transitioning to CVE-2013-3897 in mid-September.
  • A patch has been supplied by Microsoft and is available for download.
  • Microsoft took this opportunity to also patch a previous Internet Explorer vulnerability, CVE-2013-3893. The patch for both vulnerabilities can be found at this link: ms13-080.
  • Our ThreatSeeker Intelligence Cloud reported that the attacks targeted primarily financial and heavy industries in Japan and Korea.
  • Our telemetry shows that the actors behind these attacks used their infrastructure to launch older exploits for Internet Explorer, such as CVE-2012-4792, which was first seen at the start of 2013.
  • Websense has protected our customers from the recent Microsoft Internet Explorer CVE-2013-3897 and CVE-2013-3893 exploits observed in the wild by using real-time analytics that have been in place for nearly three years.

     

    Vulnerability Details for CVE-2013-3897

     

    The vulnerability is a use-after-free in the handling of CDisplayPointer objects within mshtml.dll and is triggered through the onpropertychange event handler; an attacker can exploit it remotely by luring a victim to a malicious web page. The specific exploit seen in the wild uses a heap spray to fill memory with a ROP chain around the 0x14141414 address (as confirmed by the Microsoft Security Response Center).

     

    A sample of one of the exploit pages spotted in the wild shows JavaScript that checks the victim’s environment before serving the exploit: it targets 32-bit Microsoft Windows XP with a Japanese or Korean system language and Internet Explorer 8.

    [Figure: JavaScript from the exploit page checking for Windows XP 32-bit, a Japanese or Korean system language, and Internet Explorer 8]

    The attacks were served by directly browsing to raw IP addresses, and were spotted being served from selected IP addresses in the network range 1.234.31.0/24, which is geolocated in the Republic of Korea. The attack lure pages (the starting point of the exploit chain) on that network range share the same URL pattern: <x.x.x.x>/mii/guy2.html.
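As an added illustration (not code from the original post), the following Python triage routine shows how a defender can check a captured landing page for the two traits described in the vulnerability details above: the victim-environment gating (Windows XP 32-bit, Japanese or Korean system language, IE8) and a heap spray that fills memory with a single pointer value such as 0x14141414. The page text it runs on is constructed for the example and only mimics the shape of such checks; it is not the real exploit page, contains no vulnerability trigger, and the regular expressions are assumptions about how such checks are commonly written.

```python
import re

# Constructed stand-in for a captured landing page.  It only mimics the shape
# of the environment checks and heap spray the post describes; it is not the
# real exploit page and contains no vulnerability trigger.
SAMPLE_PAGE = r'''
<html><body><script>
var ua = navigator.userAgent;
var lang = navigator.systemLanguage;
if (ua.indexOf("MSIE 8.0") != -1 && ua.indexOf("Windows NT 5.1") != -1 &&
    ua.indexOf("WOW64") == -1 && (lang == "ja" || lang == "ko")) {
    var spray = unescape("%u1414%u1414");
    while (spray.length < 0x80000) spray += spray;
    var blocks = new Array();
    for (var i = 0; i < 200; i++) blocks[i] = spray.substring(0, 0x7fff0);
}
</script></body></html>
'''

# Assumed patterns for the gating checks (a real page can phrase them in many
# ways; these cover the usual navigator.userAgent / systemLanguage form).
GATE_PATTERNS = {
    "ie8":   re.compile(r"MSIE\s*8\.0"),
    "winxp": re.compile(r"Windows NT 5\.1"),
    "wow64": re.compile(r"WOW64"),            # 32-bit vs 64-bit discrimination
}
LANG_LITERAL_RE = re.compile(r"""["'](ja|ko)["']""")
UNESCAPE_RE = re.compile(r"""unescape\(\s*["']((?:%u[0-9a-fA-F]{4}){2,})["']\s*\)""")
GROW_LOOP_RE = re.compile(
    r"while\s*\(\s*(\w+)\.length\s*<\s*0x[0-9a-fA-F]+\s*\)\s*\1\s*\+=\s*\1")


def find_gating(html):
    """Return which victim-environment checks the page appears to perform."""
    checks = {name: bool(rx.search(html)) for name, rx in GATE_PATTERNS.items()}
    # Only count language literals if the page actually reads systemLanguage.
    checks["languages"] = (sorted(set(LANG_LITERAL_RE.findall(html)))
                           if "systemLanguage" in html else [])
    return checks


def unescape_dword(seq):
    """Decode the first %uXXXX%uYYYY pair the way IE lays it out in memory:
    each unit is a UTF-16LE code unit, so the dword is XXXX | (YYYY << 16)."""
    units = [int(u, 16) for u in re.findall(r"%u([0-9a-fA-F]{4})", seq)]
    return units[0] | (units[1] << 16)


def spray_pointer(html):
    """Return the 32-bit value a heap spray would fill memory with, or None.
    Requires both an unescape() seed and a doubling loop, the usual spray shape."""
    m = UNESCAPE_RE.search(html)
    if m is None or GROW_LOOP_RE.search(html) is None:
        return None
    return unescape_dword(m.group(1))


def triage(html):
    """Combine both signals into a small verdict dict."""
    gating = find_gating(html)
    ptr = spray_pointer(html)
    gated = gating["ie8"] and gating["winxp"] and bool(gating["languages"])
    if ptr is None:
        verdict = "no heap spray found"
    elif gated:
        verdict = "gated exploit landing page (spray pointer 0x%08x)" % ptr
    else:
        verdict = "heap spray without environment gating"
    return {"gated": gated, "gating": gating, "spray_pointer": ptr, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_PAGE)
    print("gating checks:", result["gating"])
    print("verdict:", result["verdict"])
```

The spray decoder deliberately requires both an unescape() seed and a doubling loop before it reports a pointer value; a lone unescape() string is common in benign pages, while the seed-plus-doubling pair is the shape that fills the heap with one repeated dword.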

     

    We also spotted a URL with the same structure on the same network range being used to serve an older, publicly disclosed exploit for Internet Explorer, CVE-2012-4792, also in a low-volume and targeted way. Those attacks were launched at the end of August this year. Below is a snippet of the page located at hxxp://1.234.31.142/mii/guy2.html. For CVE-2012-4792 in this campaign there appear to have been no conditional checks for the operating system, browser, or language prior to serving the exploit, which means it was served to the target unconditionally.

    [Figure: snippet of hxxp://1.234.31.142/mii/guy2.html serving the CVE-2012-4792 exploit]


      Telemetry

       

      Looking at the broader picture and taking into account all the related attacks we have seen served from the IP range 1.234.31.0/24, we found some interesting information that sheds more light on the high-level agenda of the perpetrators of this campaign. The next pie chart shows the different industries that we saw being targeted by this campaign in the last month. The chart reveals that the perpetrators’ interest is broad: they aim to compromise different types of industries that are not necessarily related to each other:

      [Figure: pie chart of industries targeted by the campaign]

      Another interesting finding is that this attack campaign is global. As described earlier, the attack pages check whether the operating system’s language is Japanese or Korean before serving the CVE-2013-3897 exploit, but the targeted entities of Korean or Japanese origin are not limited to those countries. For example, one entity in the Engineering and Construction industry was targeted at one of its locations in the U.S. In addition, as mentioned before, the pages serving CVE-2012-4792 employed no conditional checks before issuing the exploit, so the potential targets in that case could be more varied. Indeed, we found that a government entity located in the U.S. was targeted with CVE-2012-4792 in this campaign. The next pie chart shows the distribution of the targeted geographical locations of this campaign:

      [Figure: pie chart of targeted geographical locations]


      Exploit Locations vs. Targets

      Websense telemetry indicates that the CVE-2013-3897 exploit has been hosted on servers in Seoul, South Korea at IP addresses 1.234.31.153, 1.234.31.142 and 1.234.31.154. We have seen this exploit targeting computers located in the United States, Hong Kong, and Seoul, South Korea.

       

      Summary

       

      In this blog, we have taken a look at a targeted attack campaign that has been in circulation for the past month. The perpetrators behind this campaign target entities from different industries across a selected set of geolocations, which reaffirms the notion that these kinds of campaigns operate on a global scale and focus on a variety of industries that are not necessarily related. The perpetrators are innovative and employ zero-day exploit code, but their work also appears to be customized per target, since we witnessed older, already-patched exploits being used in selected attacks.

       

      Update 10/10/2013 – Websense Researchers have confirmed that the attacks seen from this threat actor beginning August 23rd, 2013 were utilizing the CVE-2012-4792 exploit. The first observed use of CVE-2013-3897 as part of this campaign was on September 18th, 2013.


      Cybercriminals Behind CVE-2013-3893 Launched Attacks Earlier Than Previously Reported; More Widespread

      Websense Security Labs™, through the Websense ThreatSeeker® Intelligence Cloud, has discovered that attacks utilizing the most recent Internet Explorer zero-day (CVE-2013-3893) are more prevalent than previously thought. In this write-up we analyze the exploit code and the dropped malicious file.

       

      Executive Summary

      • We have seen the CVE-2013-3893 exploit targeting Japanese firms in the financial industry, hosted on a Taiwanese IP address.
      • Our ThreatSeeker Intelligence Cloud reported a potential victim organization in Taiwan attempting to communicate with the associated malicious command and control server as far back as July 1, 2013. These C&C communications predate the widely reported first use of this attack infrastructure by more than six weeks, and indicate that the attacks from this threat actor are not limited to Japan.
      • Commonalities in C&C infrastructure, domain registrations, exploit techniques and malware link this threat actor to the Operation DeputyDog and Hidden Lynx attack crew.
      • This alleged hackers-for-hire crew has carried out ongoing attacks against businesses, stealing vital information, allegedly dating back to 2009.
      • Our telemetry indicates that these attacks have enough variation to suggest that different high-profile attack teams may be using the same tool sets.
      • Websense has protected our customers from the CVE-2013-3893 exploit observed in the wild using real-time analytics that have been in place for nearly three years.

       

        A Reminder…

        In our previous post (Up to 70% of PCs Vulnerable to Zero-Day: CVE-2013-3893) we covered a remote code execution vulnerability (CVE-2013-3893) that exists across all versions of Internet Explorer. The vulnerability lies in the way Internet Explorer accesses an object in memory that has been deleted or not properly allocated, and it allows an attacker to execute arbitrary code in the context of the current user.

        An exploit leveraging this vulnerability was first discovered in very targeted attacks in Japan. It was first disclosed in a Wepawet security advisory on August 29th, 2013; Microsoft released a security advisory (KB2887505) detailing the vulnerability, along with a Fix-It solution, on September 17th, 2013. Websense researchers reviewed our third-party telemetry feeds to determine the potential attack surface and risk associated with this exploit, and determined that nearly 70% of Windows-based PCs are vulnerable. While the vulnerability affects all versions of Internet Explorer, the exploit targets only users of IE8 and IE9 running Windows 7 and XP.

        The Exploit

        On September 25th, 2013, at 00:39 PST, Websense real-time security analytics stopped an exploit against one of our customers (a major financial institution based in Japan) leveraging CVE-2013-3893 and hosted on a Taiwanese IP address (220.229.238.123). The exploit was hosted at the following URL: hxxp://220.229.238.123/tn/images/index.html. It is worth noting that, in addition to the specific analytics designed to stop this exploit, three different Websense real-time analytics that have been in place for more than three years also protected our customers from this threat.

        Below is a screenshot of the exploit code for CVE-2013-3893 as hosted on the Taiwanese IP (220.229.238.123). Interestingly, the JavaScript exploit is not obfuscated and is delivered in clear text, while the shellcode and dropper discussed below are both obfuscated.

        [Figure: CVE-2013-3893 exploit JavaScript as hosted on 220.229.238.123]

        Screenshot of the exploit’s obfuscated shellcode:

        [Figure: obfuscated shellcode]

        We were quickly able to recover the XOR key (0x9F) and de-obfuscate the shellcode with a known-plaintext (clear-text) attack, which revealed where the dropper file is fetched from. While the delivery mechanism is very similar, the URI path, IP address and image file name differ from those noted in the analysis of the Operation DeputyDog attacks: this shellcode attempts to download “./tn/logo.jpg” from the IP address 220.229.238.123.

        Analysis of the JPG file shows that, when XORed with 0x95, it reveals an executable named “runrun.exe” (MD5 38db830da02df9cf1e467be0d5d9216b):

        [Figure: logo.jpg XORed with 0x95, revealing runrun.exe]

        A clear-text attack on the logo.jpg file revealed that it is actually a Windows executable (when XORed with 0x95) with the following attributes:

        $ time ~/obfuscation/xray.pl logo.jpg
        Opening file: "logo.jpg"
          94BC: [^95] "runrun.exe"
          782C: [^95] "user32.dll"
          79D6: [^95] "KERNEL32.dll"
          7A14: [^95] "ADVAPI32.dll"
            E0: [^95] "PE"
            4D: [^95] "!This program cannot be run in DOS mode."
          776C: [^95] "Microsoft Visual C++ Runtime Library"
          7C76: [^95] "GetProcAddress"
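The clear-text attack that xray.pl performs on logo.jpg, and that recovered the shellcode key earlier, can be reproduced in a few lines. The Python below is an added example, not the post’s tool: it builds a constructed, PE-shaped byte blob (not the real logo.jpg, and not a runnable executable), XORs it with 0x95, and recovers the key by crib-dragging the DOS stub string that every PE image carries; the same routine, given the download path “/tn/logo.jpg” as a crib, recovers the 0x9F key of a constructed stand-in for the shellcode. The offsets and strings it prints belong to the constructed blob and differ from the real sample.

```python
import re

DOS_STUB = b"!This program cannot be run in DOS mode."


def make_fake_pe():
    """Constructed PE-shaped blob for the demo (not the real logo.jpg and not
    a runnable executable): MZ signature, e_lfanew pointing at a PE signature
    at 0xE0, the DOS stub string at 0x4D, and a few recognisable strings."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    img[0x3C:0x40] = (0xE0).to_bytes(4, "little")
    img[0x4D:0x4D + len(DOS_STUB)] = DOS_STUB
    img[0xE0:0xE4] = b"PE\0\0"
    img[0x100:0x10A] = b"runrun.exe"
    img[0x120:0x12C] = b"KERNEL32.dll"
    return bytes(img)


def make_fake_shellcode():
    """Constructed stand-in for the download stub's data: filler bytes around
    the URL the post says the shellcode fetches (no executable code here)."""
    return b"\x00" * 24 + b"http://220.229.238.123/tn/logo.jpg\0" + b"\x00" * 8


def xor_bytes(data, key):
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def recover_key(blob, crib=DOS_STUB):
    """Known-plaintext attack on a single-byte XOR.  At each offset the only
    key that could turn blob[i] into crib[0] is blob[i] ^ crib[0]; keep it if
    that same key also maps the following bytes onto the rest of the crib.
    Returns (key, offset) or None."""
    for i in range(len(blob) - len(crib) + 1):
        key = blob[i] ^ crib[0]
        if all(blob[i + j] ^ key == crib[j] for j in range(1, len(crib))):
            return key, i
    return None


def looks_like_pe(plain):
    """Cheap structural check once a candidate key has been applied."""
    if len(plain) < 0x40 or plain[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(plain[0x3C:0x40], "little")
    return plain[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_strings(plain, minlen=6):
    """Printable ASCII runs as (offset, text), the view xray.pl prints."""
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, plain)]


def analyse(blob, crib=DOS_STUB):
    """Full pipeline: recover the key, decode, sanity-check, list strings."""
    hit = recover_key(blob, crib)
    if hit is None:
        return None
    key, off = hit
    plain = xor_bytes(blob, key)
    return {"key": key, "crib_offset": off, "is_pe": looks_like_pe(plain),
            "strings": find_strings(plain)}


if __name__ == "__main__":
    obfuscated = xor_bytes(make_fake_pe(), 0x95)
    report = analyse(obfuscated)
    print("key 0x%02X, crib at 0x%X, PE structure: %s"
          % (report["key"], report["crib_offset"], report["is_pe"]))
    for off, s in report["strings"]:
        print("  %4X: [^%02X] %r" % (off, report["key"], s))
    sc = xor_bytes(make_fake_shellcode(), 0x9F)
    print("shellcode key: 0x%02X" % recover_key(sc, crib=b"/tn/logo.jpg")[0])
```

A 40-byte crib pins a single-byte key far more reliably than brute-forcing all 256 keys and eyeballing the output, and the structural check (MZ plus a PE signature at e_lfanew) confirms that the recovered key produced a real image rather than a coincidental string match.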


        Network Analysis

        The runrun.exe immediately performs a DNS lookup for login.momoshop.org.

        [Figure: DNS lookup for login.momoshop.org]

        Next, runrun.exe initiates a connection to login.momoshop.org (210.17.236.29) on the HTTPS port, which the server terminates. For some reason, the client never acknowledges the server’s SYN/ACK to complete the TCP handshake, so no TLS exchange takes place. More on this when we finish reversing the malware.

        [Figure: attempted HTTPS connection to login.momoshop.org (210.17.236.29)]

        Interestingly, momoshop.org was registered on March 16, 2013 (see the registrant in the WHOIS record above). This domain is unusually old (6 months) compared with the other C&C domains that we have seen associated with the malware, which were registered just days before the attacks.

         

        Telemetry Data

        Websense Labs researchers are currently confirming ThreatSeeker telemetry showing possibly compromised Taiwanese hosts communicating with the C&C server (180.150.228.102) associated with malware variants (MD5 8aba4b5184072f2a50cbc5ecfe326701 and bd07926c72739bb7121cec8a2863ad87) as far back as July 1st, 2013. This indicates that attacks from the threat actor identified in the Operation DeputyDog report may have started earlier than previously thought and may not be limited to Japan. More on this soon.

         

        Conclusion

        1. We have seen the CVE-2013-3893 exploit targeting Japanese firms in the financial industry, being hosted on a Taiwanese IP address (hxxp://220.229.238.123/tn/images/index.html) as of September 25th at 00:39 PST.

        2. Websense has three real-time analytics (one has been in place for nearly three years) that blocked the CVE-2013-3893 exploit from compromising customers.

        3. ThreatSeeker Intelligence Cloud reports a potential victim organization in Taiwan attempting to communicate with the malicious C&C server (180.150.228.102) associated with the CVE-2013-3893 exploit as early as July 1st, 2013.

        4. The C&C server above can be associated with the Bit9 compromise. The contact email address 654@123.com was used to register the domain blankchair(dot)com which points to the malicious C&C server (180.150.228.102). The same email address was used to register a C&C server downloadmp3server(dot)servemp3(dot)com (66.153.86.14) associated with the Bit9 attacks.  

        5. Websense Threat Intelligence indicates that the threat actor’s attacks were not limited only to Japan as previously reported. The use of separate IP addresses, domain registrations, and permutations to dropper locations indicates a high degree of segmentation between attacks and different teams using the same tool sets, exploits and C&C infrastructure.
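The indicators gathered across both posts (the 1.234.31.0/24 lure pages at /mii/guy2.html, the 220.229.238.123 exploit and logo.jpg URLs, the login.momoshop.org lookup and 210.17.236.29 connection, and the 180.150.228.102 C&C behind blankchair(dot)com, plus the Bit9-linked downloadmp3server(dot)servemp3(dot)com at 66.153.86.14) can be turned into a retrospective sweep over DNS, proxy and flow logs, which is how a victim would find a host that, like the Taiwanese organization above, had been talking to the C&C since July. The Python below is an added example, not a Websense tool; the three log excerpts are constructed for the demo in an assumed "timestamp client ..." format, and the internal addresses are invented.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators taken from the two posts.  Subdomains of the listed domains match
# too, so login.momoshop.org is caught by momoshop.org.
IOC_DOMAINS = ("momoshop.org", "blankchair.com", "downloadmp3server.servemp3.com")
IOC_IPS = {"220.229.238.123", "210.17.236.29", "180.150.228.102", "66.153.86.14",
           "1.234.31.153", "1.234.31.142", "1.234.31.154"}
IOC_NETS = (ipaddress.ip_network("1.234.31.0/24"),)   # lure-page range, Republic of Korea
IOC_PATHS = {"/mii/guy2.html", "/tn/images/index.html", "/tn/logo.jpg"}

# Constructed log excerpts (assumed format, invented internal hosts).
DNS_LOG = """\
2013-09-25T00:41:02Z 10.1.2.33 query A login.momoshop.org
2013-09-25T00:41:05Z 10.1.2.33 query A www.example.com
2013-07-01T09:12:44Z 10.1.7.120 query A blankchair.com
"""
PROXY_LOG = """\
2013-09-18T03:10:11Z 10.1.2.33 GET http://1.234.31.153/mii/guy2.html 200
2013-09-25T00:39:00Z 10.1.2.33 GET http://220.229.238.123/tn/images/index.html 200
2013-09-25T00:39:03Z 10.1.2.33 GET http://220.229.238.123/tn/logo.jpg 200
2013-09-25T00:40:00Z 10.1.2.33 GET http://www.example.com/ 200
"""
FLOW_LOG = """\
2013-07-01T09:13:01Z 10.1.7.120 -> 180.150.228.102:443 SYN
2013-09-25T00:41:06Z 10.1.2.33 -> 210.17.236.29:443 SYN
2013-09-25T00:41:08Z 10.1.5.9 -> 93.184.216.34:443 SYN
"""


def host_reason(host):
    """Return why a hostname or IP literal is an indicator, or None."""
    h = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if h == d or h.endswith("." + d):
            return "domain " + d
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return None                      # a hostname we have no indicator for
    if h in IOC_IPS:
        return "ip " + h
    for net in IOC_NETS:
        if ip in net:
            return "net " + str(net)
    return None


def _hit(ts, src, indicator, reason):
    return {"ts": ts, "src": src, "indicator": indicator, "reason": reason}


def scan_dns(text):
    hits = []
    for line in filter(None, text.splitlines()):
        ts, src, _, _, qname = line.split()
        reason = host_reason(qname)
        if reason:
            hits.append(_hit(ts, src, qname, reason))
    return hits


def scan_proxy(text):
    """Match on the host (domain, IP or range) and separately on the URL path,
    so a lure served from a sibling IP in the /24 is still flagged."""
    hits = []
    for line in filter(None, text.splitlines()):
        ts, src, _, url, _ = line.split()
        u = urlsplit(url)
        reasons = [r for r in (host_reason(u.hostname or ""),) if r]
        if u.path in IOC_PATHS:
            reasons.append("path " + u.path)
        if reasons:
            hits.append(_hit(ts, src, url, ", ".join(reasons)))
    return hits


def scan_flows(text):
    hits = []
    for line in filter(None, text.splitlines()):
        ts, src, _, dst, _ = line.split()
        reason = host_reason(dst.rsplit(":", 1)[0])
        if reason:
            hits.append(_hit(ts, src, dst, reason))
    return hits


def sweep(dns, proxy, flows):
    return sorted(scan_dns(dns) + scan_proxy(proxy) + scan_flows(flows),
                  key=lambda h: h["ts"])


def first_seen(hits):
    """Earliest indicator contact per internal host (ISO timestamps sort as text)."""
    seen = {}
    for h in hits:
        seen[h["src"]] = min(seen.get(h["src"], h["ts"]), h["ts"])
    return seen


if __name__ == "__main__":
    hits = sweep(DNS_LOG, PROXY_LOG, FLOW_LOG)
    for h in hits:
        print("%s %-11s %-45s %s" % (h["ts"], h["src"], h["indicator"], h["reason"]))
    for src, ts in sorted(first_seen(hits).items()):
        print("host %s first contacted campaign infrastructure at %s" % (src, ts))
```

The sweep keys on the URL path as well as the host because the post shows the same /mii/guy2.html lure on several addresses within one /24, and it reports the earliest contact per host because, as the telemetry section shows, the first sighting of the exploit is not necessarily the first sighting of the infrastructure.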

         

        The real-time analytics deployed in ACE (our Advanced Classification Engine) were able to detect and stop the attack above at three stages independent of the zero-day exploit (CVE-2013-3893) for which we had built specific protection. These analytics were able to detect the techniques used to deliver and obfuscate the exploit and malware, protecting our customer from being compromised. This is a great example of how offering protection from multiple stages of an attack can stop even highly targeted, low volume threats with cutting edge exploits.