FakeFlash Installation via Silverlight
Using the Websense® ThreatSeeker® Intelligence Cloud , Websense Security Labs researchers have discovered attempts to infect users using the commonly distributed plug-in, Silverlight. Silverlight allows development of web and mobile applications that consist of streaming media, multimedia, graphics, and animation. It has been used for video streaming of events such as the 2008 Summer Olympics in Beijing, the 2010 Winter Olympics in Vancouver, and the 2008 conventions of both major United States political parties. Streaming services such as Netflix use Silverlight for Digital Rights Management (DRM). By leveraging two Silverlight plug-in vulnerabilities, CVE-2013-3896 and CVE-2013-0074, attackers have been able to infect victims via dropper files and subsequently through calls home to the command and control (C&C) server.
We will analyze this malicious campaign and explain how it goes from generating the first dropper file to calling home for additional binaries. The infection begins with the following:
1. Silverlight object with "param" value
The infected URL hxxp://philelec.be/VZX.html hosts code which calls Java and Silverlight content including a parameter value. The Silverlight file makes use of vulnerabilities CVE-2013-3896 and CVE-2013-0074. Leveraging the ability to execute arbitrary code, the param values are read and executed.
2. Base64 encoded Visual Basic Script
The param value loaded with the plug-in is a Base64 encoded Visual Basic Script (VBS). Silverlight generates the VBS file and places it in the directory C:\Users\<user name>\AppData\Local\Temp\Log. Please note the following code:
The downloaded binary is encrypted with the XOR key “m3S4V”. Using the ADODB.Stream ability to read and write text and binary files, a file named 4bb213.exe is created and run.
3. Call home for dropper file
Upon execution, the file makes two calls to the bot network server hxxp://cc9966.com/. The queries included in the call contain the current version of Windows on the infected machine. In our ACE Insight report , the query os=5.1.2600_2.0_32 lets the server know the system is Windows XP 32-bit. Once the OS version is known, a dropper file is downloaded from hxxp://cc9966.com/clk.
4. Additional dropper downloads
Additional binaries are then downloaded from the URL hxxp://net-translscl.com/b/shoe/456.
5. FakeFlash update installation
Lastly a FakeFlash update file is installed. Once that is complete, one last file is run.
The Windows batch file makes final changes and restarts the user machine.
At the time of initial investigation, fewer than 10% of AV vendors had detection for the malicious files. The dropper files involved in this campaign are currently being identified as a Trojan threat by AV vendors. Based on call back activity, infected machines may be updated with additional dropper files by the C&C server when communication is established.
The C&C server hosting the dropper file was registered via a domain privacy provider, while the resolving IP address is owned by the hosting provider 3NT Solutions. Communication attempts to the C&C server have been observed from the following countries:
While Silverlight is not commonly used for business purposes, its use for web applications and streaming gives it a strong presence on devices owned by everyday users. With many companies embracing BOYD policies, applications such as Silverlight provide malicious actors with another potential cyber-attack vector.
Websense customers are protected with ACE™, our Advanced Classification Engine, at the stages detailed below:
- Stage 3 (Exploit Kit) – ACE has detection for the malicious code which attempts to execute this cyber-attack.
- Stage 5 (Dropper Files) – ACE has detection for the binary files associated with this attack. Additionally, ThreatScope behavioral analysis classifies the binary's behavior as malicious or suspicious.
- Stage 6 (Call Home) – Communication to the associated C&C server is prevented.