Tag Archives: Adobe

Gong Da Exploit Kit Add Java CVE-2013-1493 & IE CVE-2012-4792 & IE CVE-2012-4969 Support

Like other Exploit Kits, Gong Da has add support for Oracle Java CVE-2013-1493 vulnerability, fixed in Oracle Java 6 Update 17, has also add support for Microsoft Internet Explorer CVE-2012-4969 and CVE-2012-4792 vulnerabilities, fixed in an emergency patch in September 2012 and January 2013.

Here is the new code for CVE-2013-1493.

Capture d’écran 2013-04-14 à 23.39.38

And here the new code for CVE-2012-4792 (aka 4792.html) and CVE-2012-4969 (aka payload.html).

Capture d’écran 2013-04-14 à 23.39.48

Also a new variant of CVE-2012-1889 (xml.html) has been introduced, reducing the detection rate by anti-viruses.

Capture d’écran 2013-04-14 à 23.40.15

As always this new version of Gong Da Exploit Kit has been discovered on a Korean web site.

Gong Da Pack has involve to the following diagram.

Gong Da EK 1.5

Here under some information s regarding the different files:

Normally Gong Da was used against gamers, but this time the loaded malware seem to be different (analysis on ThreatExpert)

APSB13-11 – Adobe Flash April 2013 Security Bulletin Review

Adobe has release, the 9 April 2013, during his April Patch Tuesday, one Adobe Flash security bulletin dealing with four vulnerabilities. This security bulletin has a Critical severity rating.

APSB13-11 – Security updates available for Adobe Flash Player

APSB13-11 is concerning :

  • Adobe Flash Player 11.6.602.180 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.275  and earlier versions for Linux
  • Adobe Flash Player 11.1.115.48 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.44 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.6.0.6090 and earlier versions for Windows, Macintosh and Android
  • Adobe AIR 3.6.0.6090 SDK & Compiler and earlier version

CVE-2013-1378 (7.5 CVSS base score), CVE-2013-1379 (7.5 CVSS base score) and CVE-2013-1380 (7.5 CVSS base score) have been discovered and privately reported by Mateusz Jurczyk, Gynvael Coldwind, and Fermin Serna of the Google Security TeamCVE-2013-2555 (10.0 CVSS base score) has been discovered and privately reported by a VUPEN Security reported through TippingPoint’s Zero Day Initiative.

Gong Da / Gondad Exploit Pack Add Flash CVE-2013-0634 Support

If you are working in computer security and still don’t have heard about the latest Adobe Flash 0days, aka CVE-2013-0633 and CVE-2013-0634, then you should change of job ! These vulnerabilities were found exploited in targeted attacks through spear phishing email messages targeting several industries including the aerospace one.

One of the e-email attached Word document was using the 2013 IEEE Aerospace Conference schedule, and another reported sample was related to online payroll system of ADP US company, to exploit CVE-2013-0633. I wrote a complete blog post regarding this campaign 2 weeks ago.

Adobe fixed the vulnerabilities in APSB13-04 the 7 February, but the vulnerabilities were not found massively exploited in Exploit Kits. Also there was a confusion,  by anti-virus vendors and security researchers, regarding CVE-2013-0633 and CVE-2013-0634 detection. But as mentioned in Adobe APSB13-04 CVE-2013-0633 was only exploited by been embedded in Word documents and CVE-2013-0634 was exploited through HTML web pages and by been embedded in Word documents.

So as nobody as seen CVE-2013-0633 working outside a Word document, I will suppose that the vulnerability I discovered exploited in Gong Da exploit kit is potentially a fork of CVE-2013-0633 or could be CVE-2013-0634. Colleagues, you are welcome for comments 🙂

Here is the new code in Gong Da exploit kit.

Capture d’écran 2013-02-25 à 23.29.30

If you take a look at the ActionScript of “myrF03.swf” (506fe8f82ea151959c5160bc40da25b5) you will see some similarities with CVE-2013-0633, like the “ByteArrayAsset” mentioned by MalwareMustDie, or the well-known “LadyBoyle” function.

Capture d’écran 2013-02-26 à 00.10.49

Capture d’écran 2013-02-26 à 00.11.03

This new version was discovered on “hxxp://www.jhtyhtrsgr.com/yymex/index.html” a web site how is actually still online.

Capture d’écran 2013-02-25 à 23.29.04

jhtyhtrsgr.com” is hosted on 69.197.61.29, in US and this domain name was created the 22 Feb 2013 with registration informations located in China and the following contact “jing yan ([email protected]) – GuangMing yanjing“.

The “index.html” file containing JavaScript code obfuscated by “JSXX VIP JS Obfuscator“, but traditional traces if this obfuscator are no more available.

After de-obfuscation of the “index.html” file you can see that Gong Da Pack has involve to the following diagram.

Gong Da EK 1.4 - 2

Here under some information s regarding the different files:

  • vQSopE2.jpg (aka CVE-2011-3544) : 10/46 on VirusTotal.com
  • ulxzBc7.jpg (aka CVE-2012-0507) : 11/45 on VirusTotal.com
  • MQnA3.jpg (aka CVE-2012-1723) : 18/46 on VirusTotal.com
  • eATBNfg1.jpg (aka CVE-2012-4681) : 29/46 on VirusTotal.com
  • tkPfaMz7.jpg (aka CVE-2012-5076) : 14/46 on VirusTotal.com
  • iOiezo6.jpg (aka CVE-2013-0422): 19/46 on VirusTotal.com
  • YPVTz8.html (aka CVE-2012-1889): 14/46 on VirusTotal.com
  • vQSopE2.html (aka CVE-2012-1889): 12/46 on VirusTotal.com
  • myrFO3.swf (aka a fork of CVE-2013-0633 CVE-2013-0634): 8/46 on VirusTotal.com

Here under a demonstration video of CVE-2013-0633 CVE-2013-0634 without been embeded in a Word document.

Updates:

After investigation from @unixfreaxjp, it seem that the exploited vulnerability is CVE-2013-0634 and not CVE-2013-0633.

Exploitation Demo of Fake Mandiant APT1 Report PDF

As mentioned by Symantec & Seculert, a spear phishing campaign has involved a fake Mandiant APT1 PDF report, a report published by Mandiant earlier this week (APT1: Exposing One of China’s Cyber Espionage Units). This fake PDF was used in targeted attacks against Japanese entities and exploiting code for Adobe Acrobat and Reader Remote Code Execution Vulnerability (CVE-2013-0641).

Despite the analysis of Symantec, I can confirm you that the PDF is dropping malware onto the computer.

PDF file name is “Mandiant.pdf” with 2a42bf17393c3caaa663a6d1dade9c93 hash (23 / 46 on VirusTotal). Once opened an error message is displayed.

pdf-error-message

After ignoring this error message the vulnerability is exploited and drop “AdobeARM.exe” (41915b34fc50ffdd2a6a0969e3f55ff1) in “C:\Documents and Settings\<USER>\Local Settings\Temp” Windows folder. Chinese simplified ressource language is used for this executable.

AdobeARM-properties

AdobeARM.exe” is connecting to domain name “www.shounkaku.co.jp“, a legit website, and to folder “/space/fsjd-ge3234c4d61033.gif“. The file is actually no more existing.

Interesting strings in “AdobeARM.exe” are “Hello from MFC!” (Military Force of China ?).

AdobeARM-strings

Regarding the PDF, the embedded JavaScript seem to be the same as in the original version of 0day (sHOGG, oTHERWISE, and others functions and variables names). So it seem that some guys have successfully weaponize the original version of 0day.

pdf-shogg

Here under a demonstration video of the exploitation.