November 5, 2015

Newest Flash Player Exploit & Double Nuclear Exploit Kit Payload

Nicholas Griffin Security Researcher

<p>Yesterday, we blogged about a&nbsp;<a href="http://blogs.websense.com.com/security-labs/popular-indonesian-tech-news... target="_blank">malvertising campaign affecting a popular Indonesian news site</a>&nbsp;and leading to the Nuclear Exploit Kit. Today we came across another compromised website that leads to the Nuclear Exploit Kit, but this time we received two malware payloads after&nbsp;the newest Adobe Flash Player vulnerability was exploited. It is worth noting that no user interaction was required at any point--simply visiting the compromised website was enough to end up with malware being executed on our machine.</p>

<p>Raytheon | Websense&reg;&nbsp;customers&nbsp;are protected against this threat via real-time&nbsp;analytics&nbsp;in ACE,&nbsp;the Websense&nbsp;<a href="http://www.websense.com/content/websense-advanced-classification-engine.... rel="nofollow" target="_blank">Advanced Classification Engine</a>.</p>

<h2>Compromised Website</h2>

<p>While&nbsp;reviewing interesting hits on security-related events today, we noticed a website named&nbsp;<em>thisblewmymind[.]com</em>. The website&nbsp;claims to be &quot;viral media for the brain,&quot; which&nbsp;may be somewhat true since the site&nbsp;drops viruses on your computer. Google&nbsp;does identify&nbsp;the site as likely&nbsp;compromised:</p>

<p><img alt="" src="/sites/default/files/blog/legacy/security-labs/4336.blewmymind_google2.jpg" style="height:181px; width:576px" /></p>

<p>According to SimilarWeb, this site is actually quite popular, recently receiving almost 2 million users per month:</p>

<p><img alt="" src="/sites/default/files/blog/legacy/security-labs/6787.blewmymind_similarweb.png-550x0.png" style="height:334px; width:549px" /></p>

<p>Unfortunately for people browsing to this site, it is injected with&nbsp;obfuscated JavaScript that ends up leading to the Nuclear Exploit Kit and dropping malware.</p>

<h2>Flash Player Exploit</h2>

<p>The infection chain we saw resulted in&nbsp;Adobe Flash Player version being exploited by the Nuclear Exploit Kit to drop malware. This means that the exploit is likely to be the newest Flash exploit, leveraging CVE-2015-7645, which was recently known to have been incorporated into the Nuclear and Angler exploit kits. In fact, the Nuclear Exploit Kit seems to be packaging up two different Flash Player exploits inside one parent SWF file (<a href="https://www.virustotal.com/en/file/5988cc77852e0d9e56c407ecd60b753a62990... target="_blank">VirusTotal</a>), and dynamically choosing which one to load, depending on the current Flash Player version. If it detects version or below,&nbsp;an exploit leveraging CVE-2015-5122 is&nbsp;used. Otherwise, the new exploit is&nbsp;chosen:</p>

<p><img alt="" src="/sites/default/files/blog/legacy/security-labs/1638.blewmymind_nuclear_swfexp.png-550x0.png" style="height:343px; width:494px" /></p>

<p>We successfully managed to unpack the new SWF exploit, and found that it had been on&nbsp;<a href="https://www.virustotal.com/en/file/e111ae9229d4538577afebd25c10ab9355158... target="_blank">VirusTotal</a>&nbsp;since 31 October.</p>

<h2>Malware Payloads</h2>

<p>It&#39;s not typical to see more than one payload dropped by an exploit kit, but in this instance both Gamarue and CryptoWall 3.0 were dropped and executed&nbsp;via the Flash Player exploit.</p>

<p><img alt="" src="/sites/default/files/blog/legacy/security-labs/1715.blewmymind_capture.png" style="height:559px; width:1200px" /></p>

<p>Gamarue is&nbsp;modular, plug-in based malware belonging to the Andromeda botnet. Its main intent is usually for credential theft. CryptoWall 3.0 is&nbsp;crypto ransomware that encrypts your files and demands payment in&nbsp;BitCoin to have them decrypted:</p>

<p><img alt="" src="/sites/default/files/blog/legacy/security-labs/5148.cryptowall3.0_ransom.png" style="height:661px; width:1009px" /></p>

<h2>Indicators of Compromise</h2>

<p>Below are some indicators of compromise from the threat described in this blog:</p>

<p><em>hxxp://thisblewmymind[.]com -&nbsp;<strong>Compromised website</strong></em></p>

<p><em>hxxp://cdn[.]goroda235[.]pw/ -&nbsp;<strong>Malicious redirect</strong></em></p>

<p><em>hxxp://zadnicaberezu[.]tk/ -&nbsp;<strong>Nuclear Exploit Kit</strong></em></p>

<p><em>2ed1953d2b182a0319041e73f6489d4151475dff -&nbsp;<strong>Nuclear EK </strong><strong>SWF</strong>36356533f44d6107d49662c78a56149e2f359fcc -&nbsp;<strong>Nuclear EK SWF (unpacked)</strong></em></p>

<p><em>3d5682ac799cace0325ca5437445fd3c163ee4ff -&nbsp;<strong>Gamarue</strong></em></p>

<p><em>9d3cc04dc97d0791565cf69778ee864f8af5d7f7 -&nbsp;<strong>CryptoWall 3.0</strong></em></p>


<p>The&nbsp;Nuclear Exploit Kit operators seem to be looking to maximize their profits by dropping multiple pieces of malware onto machines, capitalizing on the new Adobe Flash Player exploit and compromising popular sites in order to infect as many users as possible.&nbsp;As always, it is important to ensure that your software is up to date, especially your browser and associated plug-ins like Adobe Flash Player.</p>

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.