At the beginning of the week we started to analyze a watering hole campaign hosted on the Council on Foreign Relations (CFR) portal. After studying the attack and its payload, and realizing that it was likely using a zero-day exploit against Internet Explorer, we sent the information to the Microsoft Security Response Center (MSRC), which is still investigating the issue. At the same time the issue was communicated to CFR and other third parties, who began to work on it, so we decided not to release public details of the attack.
It seems other researchers didn’t think the same and went public with it (http://freebeacon.com/chinese-hackers-suspected-in-cyber-attack-on-council-on-foreign-relations/), which led to other companies blogging about it as well.
Now that the attack has been made public, we have decided to publish some details and information that can help companies detect and respond to this incident.
The malicious code we found on the Council on Foreign Relations portal is a JavaScript file that works as follows:
- It first sets a cookie on the victim system to check whether the same machine has visited the link before:
If it is not the first visit from that system, the exploit won’t trigger:
- The next check ensures that the victim is running Internet Explorer 8:
- Since the exploit uses Flash to do the heap spray and build the shellcode, the code also checks that Adobe Flash is present in the browser:
- Finally, it won’t continue if the browser language is not Chinese, Chinese (Taiwan), Japanese, Korean, or Russian:
The vulnerability present in Internet Explorer 8 appears to be a use-after-free. The exploit works on both Windows XP and Windows 7, bypassing both Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). On Windows 7 the malicious code loads the “ms-help:” protocol handler, which brings a Microsoft Office module that was not built with ASLR support (hxds.dll) into the IE process, and uses it to bypass ASLR with the technique described here. We won’t release the piece of code that triggers the use-after-free while Microsoft is still investigating the issue: we don’t want a public exploit to be released and compromise thousands of users.
If the system is running Windows 7, it also loads Java, since the exploit needs the Java libraries in memory to build the return-oriented programming (ROP) chain that bypasses these protections.
When Windows XP is used it doesn’t load Java, since it is not required for exploitation there:
Once the Flash file is loaded it performs the heap spray and builds the shellcode according to the system’s language and operating system, supporting the following combinations (note that the Flash stage also carries an English variant for Windows XP, even though the JavaScript gate above excludes English-language browsers):
```actionscript
(flash.system.Capabilities.language.toLowerCase() == "zh-cn" && this.OS_Version == "windows xp")
(flash.system.Capabilities.language.toLowerCase() == "zh-tw" && this.OS_Version == "windows xp")
(flash.system.Capabilities.language.toLowerCase() == "en" && this.OS_Version == "windows xp")
(flash.system.Capabilities.language.toLowerCase() == "ja" && this.OS_Version == "windows xp")
(flash.system.Capabilities.language.toLowerCase() == "ko" && this.OS_Version == "windows xp")
(flash.system.Capabilities.language.toLowerCase() == "ru" && this.OS_Version == "windows xp")
(this.OS_Version == "windows 7" && loc6 == "default")
(this.OS_Version == "windows 7" && loc6 == "false")
(this.OS_Version == "windows 7" && loc6 == "true")
```
The shellcode is rather tricky. First, the JavaScript has already downloaded a file (xsainfo.jpg, see below), as seen in the code:
Let’s follow the execution of the shellcode:
Using base offset: 0x401000
Basically the shellcode performs the following:
- It locates the Temporary Internet Files folder (the Internet Explorer cache).
- It parses index.dat to find the on-disk path of the previously downloaded file (xsainfo.jpg).
- It creates the file flowertep.
- It reads xsainfo.jpg and XORs each byte with 0x83, leaving bytes equal to 0x00 or 0x83 untouched.
- It writes the result of the XOR operation to flowertep.
- It loads flowertep with LoadLibraryA (so the decoded file is a DLL).
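As an added example (this is not code from the original post, nor from the malware), the following Python reproduces the decoding step so an analyst can recover the payload from a cached copy of xsainfo.jpg, and walks an IE cache directory looking for such files. The only details taken from the analysis are the file name, the 0x83 key and the skip rule; the cache layout, the “[1]” suffix IE appends to cached names, the PE sanity check and the constructed sample payload are assumptions for illustration.

```python
"""Decode the XOR-0x83 payload stage described above and hunt for it in an IE cache tree."""
import struct
import tempfile
from pathlib import Path

XOR_KEY = 0x83
PAYLOAD_NAME = "xsainfo.jpg"   # file name the shellcode looks up in index.dat (from the analysis)


def xor83_transform(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with `key`, leaving bytes equal to 0x00 or `key` untouched.

    A byte that is neither 0x00 nor `key` can never XOR into 0x00 or `key`, so the
    skipped set is closed and the transform is its own inverse: the same loop that
    encoded the payload on the attacker's side decodes it for the analyst.
    """
    return bytes(b if b in (0x00, key) else b ^ key for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check for a decoded DLL: 'MZ' stub plus 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def hunt_cache(cache_root: Path) -> list:
    """Walk a cache tree, decode every xsainfo*.jpg and report those that decode to a PE.

    Returns (path, decoded_bytes) pairs. index.dat is not parsed here; the assumption
    is that the cached body is stored verbatim under a name such as xsainfo[1].jpg.
    """
    stem = PAYLOAD_NAME.rsplit(".", 1)[0]
    hits = []
    for path in cache_root.rglob("*"):
        if path.is_file() and path.name.lower().startswith(stem):
            decoded = xor83_transform(path.read_bytes())
            if looks_like_pe(decoded):
                hits.append((path, decoded))
    return hits


def build_fake_pe() -> bytes:
    """Constructed stand-in for the decoded DLL: a minimal MZ/PE header, not real malware."""
    header = bytearray(0x48)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)       # e_lfanew -> offset 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    # Tail exercises the skipped bytes (0x00, 0x83) and ordinary ones.
    return bytes(header) + b"\x83\x00\x41\xff" * 4


def demo() -> list:
    """Plant an encoded sample in a temporary 'cache' and hunt it; returns the hits."""
    cache = Path(tempfile.mkdtemp(prefix="ie_cache_"))
    (cache / "Content.IE5" / "ABCD1234").mkdir(parents=True)
    encoded = xor83_transform(build_fake_pe())           # what the attacker serves
    (cache / "Content.IE5" / "ABCD1234" / "xsainfo[1].jpg").write_bytes(encoded)
    return hunt_cache(cache)


if __name__ == "__main__":
    for path, blob in demo():
        print(f"{path}: decodes to a PE of {len(blob)} bytes")
```

The skip rule is what makes the attacker's encoder and the analyst's decoder the same function; it also means a clean XOR-0x83 brute force over the cached file will not produce the DLL, which is worth remembering when a simple single-byte XOR scan of a cached file comes up empty.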
Once the payload runs it installs itself on the system and tries to contact its C&C server using a binary protocol carried over HTTP:
We have released an OpenIOC file with indicators of compromise that you can use to detect this attack on your systems:
We recommend using these indicators of compromise to check for the presence of the malicious payload on your systems. Hopefully Microsoft will release a patch soon, but once again we recommend that you:
- Keep your systems up to date
- Disable Flash, Java and other third-party browser plugins you don’t actually need.
Happy hunting!