Gong Da exploit kit is evolving: after integrating the CVE-2012-5076 Java vulnerability (Java Applet JAX-WS) one week ago, the EK is now preparing integration of the Adobe Flash vulnerability CVE-2012-1535, fixed in the APSB12-18 patch.
This new version was discovered on the “hxxp://coa.ains.co.kr/css/css.html” and “hxxp://www.dcpccdrw.com/asdf/index.html” web sites, which are actually still online.
“coa.ains.co.kr” seems to be a legitimate web site and is hosted on 221.143.50.201, AS9318, in South Korea. “dcpccdrw.com” is hosted on 174.37.172.69, AS36351, in the US. The “dcpccdrw.com” domain name was created on 2012-11-23, through the name.com registrar, for “tao wen ([email protected])”.
The “index.html” and “css.html” files containing the JavaScript code are obfuscated with “JSXX VIP JS Obfuscator”.
After de-obfuscation of the HTML files you can see that Gong Da Pack has evolved to the following diagram.
You may have read my first blog post regarding the evolution of Gong Da exploit kit, which has evolved into a more complex EK by supporting most of the latest Oracle Java vulnerabilities, like CVE-2011-3544 (Oracle Java Rhino exploit), CVE-2012-4681 (Oracle Java August 0day), CVE-2012-0507 (another Oracle Java exploit), CVE-2012-1723 (another Oracle Java exploit) and CVE-2012-1889 (Microsoft XML Core Services). Some previous versions of Gong Da EK also had support for CVE-2011-2140 (Adobe Flash Player) and CVE-2012-0003 (Windows Media), but it seems that the new version doesn't use them anymore.
After Cool EK and BlackHole EK, Gong Da EK has integrated the exploitation of the Java vulnerability CVE-2012-5076 (Java Applet JAX-WS). This vulnerability, patched in version 7u9 of Oracle Java, affects all versions of Oracle Java from 7 to 7u7.
This new version was discovered on “hxxp://rdp.nhgdeerw.com/rdp/index.html”, a web site which is actually still online.
“rdp.nhgdeerw.com” is hosted on 173.208.189.170, AS32097, in the US, and the “wangmazz.com” domain name was created on 2012-11-17, through the name.com registrar, for “tao we ([email protected])”.
On 24 October, during my regular malware monitoring hobby, I observed a suspicious infected server in Taiwan (www.grvb.com.tw), which is actually still online. The home page of the server loads a first Java Applet with a JAR file “Java.jar” and a second Java Applet as a single class file “eiAD.class”.
VirusTotal analysis of “Java.jar” (2990711e7cd04553260a6fbccf8ea6a6) reported 5/43 detections (Java/Downloader), and analysis of “eiAD.class” (8d4ddd1e1f41a2e8e18da097ecafecbc) reported 5/44 detections (CVE-2012-4681 Oracle Java Gondvv exploit). The detection rate is really low, and a deeper analysis of these elements is interesting.
This JAR file contains a Manifest file which reveals that the file was compiled with “Java 1.6.0_29 (Sun Microsystems Inc.)”, and the JAR file is signed with an RSA signature.
You can see that this self-signed certificate was created on 16 October and pretends to have been generated by Microsoft and issued by Microsoft. By signing an applet, the restrictions on the applet are mostly removed. Signing an applet basically means that the applet writer is vouching that the applet is safe. The user of a signed applet can accept the signed applet and have it run without most restrictions, or reject the applet and not have it run at all. A self-signed applet will trigger a security warning pop-up advising you of the associated risks. A similar self-signed Java Applet could be generated with the java_signed_applet Metasploit exploit module.
By analyzing the source code of “Java.jar” we can see interesting arrays and functions.
“FCKME” is an array where a space represents a new entry in the array. The guys don't seem to like ESET, the anti-virus editor of NOD-32 🙂
An encoded string is present and will be decoded by the adjacent “FJKOKL” function. You can see that value 29 of the “FCKME” array will be used to complete the encoded text.
This function will remove all the “[>|<]” characters from the encoded text, with the following result.
The string is encoded in hex, and after decoding you will have the following result, completed with “FCKME[29]”, which is “.exe”.
“http://www.gvrb.com.tw/upload/user/files/num.exe” (this file no longer exists)
The following table provides all the values of the “FCKME” array.
With all these values we are able to decode all the “FCKME” variables used in the “Java.jar” code.
As you can see, Java.jar is only a self-signed Java downloader. Finally, as pointed out by @_sinn3r, this Applet is surely used as a plan B if eiAD.class is not triggered.
By analyzing the source code of “eiAD.class” we can see interesting arrays and functions.
This variable seems to be one more time a reference to ESET, the anti-virus editor, and especially to the “Foxxy Software Outfoxed” blog post (thanks to @binjo).
An encoded string is present and will be decoded by the adjacent “FJKOKL” function, also used in “Java.jar”. A space represents a new entry in the “JFI” array.
“FJKOKL” will remove all the “[>|<]” characters from the encoded text, with the following result.
The string is encoded in hex, and after decoding you will have the following result.
“Nothing like sun. being a awt. Sometimes I put my SunToolkit in my asshole! You see the get is a Field that Name for .exe okay // I mean god damn the get is being set for the Security Manager for file:/ ! Got damn I want some milk from my mommies titz for that acc“.
The following table provides all the values of the “JFI” array.
With all these values we are able to decode all the “JFI” variables used in the “Java.jar” code.
With all these variables and other functions, the code is able to reconstruct the CVE-2012-4681 Oracle Java vulnerability.
Another encoded string is present in “eiAD.class”, and this encoded string has the same result as the one in “Java.jar”.
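As an added example (not code from the samples or from the original post), the decoding routine described for “FJKOKL” in both “Java.jar” and “eiAD.class”, reimplemented in Python over a constructed encoded string, plus a small triage helper that pulls such strings out of decompiled source. Reading “[>|<]” as a regex character class, the array contents and the index of the “.exe” entry are assumptions.

```python
import binascii
import re

# Constructed stand-in for the space-delimited "FCKME"/"JFI" string: one string,
# one space per array entry. The real arrays from the samples are not reproduced.
FCKME_RAW = "java.lang.Runtime exec getRuntime .exe"
FCKME = FCKME_RAW.split(" ")
SUFFIX_INDEX = 3  # constructed; the post's sample used FCKME[29] for ".exe"


def fjkokl(encoded):
    """Mirror the described behaviour of FJKOKL: drop the separator characters
    ('>', '|', '<' -- the post's "[>|<]" read as a regex character class, which
    is an assumption) and hex-decode what remains."""
    cleaned = re.sub(r"[>|<]", "", encoded)
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", cleaned):
        raise ValueError("leftover text is not a hex string")
    return binascii.unhexlify(cleaned).decode("ascii")


def recover_url(encoded, suffix_index=SUFFIX_INDEX):
    """Decode the string and complete it with the array entry, as the applet does."""
    return fjkokl(encoded) + FCKME[suffix_index]


# Triage helper: quoted hex runs interleaved with the separators, as seen in the
# decompiled classes, are candidates for this decoder (8+ bytes to skip noise).
SEP_HEX = re.compile(r'"((?:[0-9a-fA-F]{2}[>|<]*){8,})"')


def find_candidates(source):
    """Return every decodable candidate string found in decompiled source text."""
    return [fjkokl(match) for match in SEP_HEX.findall(source)]


# Constructed encoded payload: hex of "http://x.invalid/num" with junk separators.
ENCODED = "68>74>74<70|3a|2f<2f>78>2e<69|6e|76>61<6c>69|64<2f>6e>75<6d"

# Constructed fragment of decompiled Java, mimicking the layout of the samples.
SAMPLE_SOURCE = (
    'String HGIDO = "' + ENCODED + '";\n'
    'String JFI = "' + FCKME_RAW + '";\n'
)

if __name__ == "__main__":
    print(fjkokl(ENCODED))        # http://x.invalid/num
    print(recover_url(ENCODED))   # http://x.invalid/num.exe
    print(find_candidates(SAMPLE_SOURCE))
```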
“http://www.gvrb.com.tw/upload/user/files/num.exe” (this file no longer exists)
I found an occurrence of the Author variable in “lEZdLl.class” on pastebin, posted by a Guest on 24 September, which is equivalent to “eiAD.class”.
The “HGIDO” value of “lEZdLl.class” is “http://212.150.101.32/Facebook_msn.exe” (this file no longer exists).
Below is a demonstration video of the effectiveness of these files against anti-viruses.
I can confirm that the zero-day season is really not over yet. Less than three weeks after the discovery of the Java SE 7 0day, aka CVE-2012-4681, potentially used by the Nitro gang in targeted attacks, a potential Microsoft Internet Explorer 7 and 8 zero-day is actually being exploited in the wild.
First I would like to thank the nice people (@binjo, @_sinn3r and all the guys of the Metasploit IRC channel on freenode) who helped me to understand and go further in my investigations.
Second, I would like to clarify some points:
I wasn't a target of the 0day; I tested it in my lab. This misunderstanding was introduced by Reuters in their press release.
I did this research on my personal time, and it is not linked to my professional activities. This misunderstanding was introduced by Reuters in their press release.
I don't pin the responsibility on the Nitro gang; if you read my blog post, you will see that I found coincidences.
I don’t know the timeline of the vulnerability, including when it was discovered and how long it has been exploited.
Since the release of the Java SE 7 0day I have been monitoring some of the infected servers used by the alleged Nitro gang (take a look at the updates at the end of the blog post). On the morning of 14 September, I discovered a “/public/help” folder on one of these servers, the Italian one (smile to @PhysicalDrive0).
As seen in the following screenshot, 4 files were hosted in this folder, and, as a curious man, I downloaded everything to see what these files were related to.
I tested these files on an up-to-date Microsoft Windows XP Pro SP3 with an up-to-date Adobe Flash (11,4,402,265). Surprise: they dropped files on my test computer (see the demonstration video below)! A new 0day? I then decided to take a deeper look at the grabbed files.
You can observe that the file is packed by DoSWF and that it is decompressed in memory. After decompression, the “Moh2010.swf” file sprays the heap and evals an iframe to the “Protect.html” file.
The ActionScript embedded in the original packed SWF file is also interesting; you will see some special encoding (Chinese?).
During exploitation, this file also checks whether the web site is present in the Flash Website Storage Settings panel, so as to no longer load the “Protect.html” file. This means that once infected, the user will no longer be exploited despite further visits to the web site.
The guys who developed this new 0day were not happy to have been caught: they removed all the files from the source server 2 days after my discovery. More interestingly, they also removed a Java 0day variant from other folders.
I also submitted all this stuff to different people in order to confirm the strangeness of this exploit, and we got some good feedback.
AlienVault Labs has provided more details on the potential source of the attack.
It seems the guys behind this 0day were targeting specific industries. We’ve seen that they compromised a news site related to the defense industry and they created a fake domain related to LED technologies that can be used to perform spearphishing campaigns to those industries.
Wednesday 09/19:
AlienVault Labs has reported a variant of the “Protect.html” file, named “Dodge.html”, which is now also infecting Windows 7 32-bit running Java 6 with Internet Explorer 9, and confirms the usage of the 0day in targeted attacks.
Microsoft proposes a Fix it solution, KB2757760, “Prevent Memory Corruption via ExecCommand in Internet Explorer”, that prevents exploitation of this issue.
Microsoft has published an advance notification, “Microsoft Security Bulletin Advance Notification for September 2012”, for one out-of-band security bulletin that Microsoft intends to release on September 21, 2012. The bulletin will address security vulnerabilities in Internet Explorer. The vulnerability also affects Internet Explorer on Windows Server 2003 and 2008.
Friday 09/21:
Microsoft has released the promised update MS12-063 in order to fix the 0day vulnerability. If you use Internet Explorer, I advise you to update as soon as possible!