Featured zzZz..what?!

Published on February 13th, 2023 📆 | 8606 Views ⚑

0

CVE-2018-4878 (Flash Player up to 28.0.0.137) and Exploit Kits


https://www.ispeech.org

2018-03-09 - Exploit Integration

The CVE-2018-4878 is a bug that allows remote code execution in Flash Player up to 28.0.0.137, spotted in the wild as a 0day, announced by the South-Korean CERT on the 31st of January. Patched on February 6, 2018 with ASPB18-03. Seen in malspam campaign two weeks after, it’s now beeing integrated in Exploit Kits.

This is, as far as i know, the first new working RCE integrated in non targeted Exploit Kit since CVE-2016-0189 in july 2016 (!).

Spotted on the 2018-03-09 (but probably there since several days)

CVE-2018-4878-Successful pass on GreenFlash Sundown

Figure 1: Greenflash Sundown successfully deploying Hermes 2.1 Ransomware after exploiting Flash 26.0.0.131 in IE11 on Windows 7 - 2018-03-09

GreenFlash is a private heavily modified version of Sundown EK spotted in october 2016 by Trendmicro. It’s beeing exclusively used by the “WordsJS” (aka “ShadowGate”) group.
This group is getting traffic from crompromised OpenRevive/OpenX advertising server since at least may 2015.

MISP WordsJS

Figure 2: Some tagged activity from WordsJS displayed in MISP.

Some references about the activities of this group:

Files: Fiddler on VT - Pcap on VT (note: some https proxies were used)
IOCs: MISP Json

IOC Type Comment Date
bannerssale[.]com|159.65.131[.]94 domain|IP Sundown GF Step 1 2018-01-09
aquaadvertisement[.]com|159.65.131[.]95 domain|IP Sundown GF Step 2 2018-03-09
listening.secondadvertisements[.]com|207.148.104[.]5 domain|IP Sundown GF Step 3 2018-03-09
65bd3d860aaf8874ab76a1ecc852a570 md5 Ransomware Hermes 2.1 2018-03-09
f84435880c4477d3a552fb5e95f141e1 md5 Ransomware Hermes 2.1 2018-03-10

If you saw this kind of traffic in your perimeter/telemetry, i’d be happy to get more referer

Edits:

  • 2018-03-10 - 15:40 GMT - Removed mention of steganography. @smogoreli: “simple offset in the dat file”

Acknowledgement:

  • Thanks to Genwei Jiang (FireEye) for the CVE identification.
  • Thanks to Joseph Chen for inputs allowing the capture of a fresh pass of GreenFlash Sundown.
  • Thanks to @GelosSnake & @baberpervez2 for the ping on suspicious activity that could be associated to “WordsJS” (aka “ShadowGate”) and triggered those checks.

Spotted on the 2018-04-01

Magnitude_CVE-2018-4878

Figure 3: Magnitude successfully deploying Magniber Ransomware after exploiting CVE-2018-4878 on Flash 27.0.0.170 in IE11 on Windows 7 - 2018-04-01

Magnitude is using the WSH injection described by Matt Nelson in August 2017.

Magnitude_WSHinject





Figure 4: UAC prompt on the wsh injection executed upon successful exploitation

Payload is the Magniber Ransomware, first spotted in the wild in october 2017, in a context documented by Trendmicro.

MagnigateMagnitudeHistory

Figure 5: Some tagged activity from Magnigate displayed in MISP.

Select OSINT about this infection chain:

Files: Fiddler on VT - Pcap on VT (note: some https proxies were used)
IOCs: MISP Json (note: all those are changing almost hourly)

IOC Type Comment Date
finansee[.]credit|209.95.60[.]115 domain|IP Magnigate Step 1 2018-04-01
adex7s92616.fryrids[.]com|144.217.197[.]9 domain|IP Magnigate Step 2 2018-04-01
353kb544cv.anlogs[.]space|66.70.223[.]111 domain|IP Magnitude Exploit Kit 2018-04-01
*.fitpint[.]website|139.60.161[.]43 domain|IP Magniber Payment server 2018-04-01
*.riskjoy[.]pw|162.213.25[.]235 domain|IP Magniber Payment server 2018-04-01
*.ratesor[.]site|198.56.183[.]147 domain|IP Magniber Payment server 2018-04-01
*.accorda[.]space|107.167.77[.]100 domain|IP Magniber Payment server 2018-04-01
*.uxijz4kdhr4jp3wf[.]onion domain Magniber Payment server on tor 2018-04-01
1d4b9c4b4058bfc2238e92c0eebb5906 md5 Magniber Ransomware 2018-04-01

Spotted on the 2018-04-09

Replying to a customer complaining yesterday (2018-04-08) about the lack of CVE-2018-4878, “TakeThat” wrote early this morning (2018-04-09):

Чистки выполняются вовремя
Конечно мы добавили флеш CVE-2018-4878 он доступен на подписке от недели

Translated by google as:

Cleaning is done on time
Of course, we added the flash CVE-2018-4878 it is available on subscription from the week

And indeed today as spotted by @nao_sec:

RIG_CVE-2018-4878

Figure 6: RIG successfully exploiting CVE-2018-4878 on Flash 27.0.0.170 in IE11 on Windows 7 - 2018-04-09

IOC Type Comment Date
cash111[.]club|18.220.221[.]2 domain|IP Keitaro TDS 2018-04-09
185.154.53.190 IP RIG 2018-04-09
omega.level7[.]gdn|89.45.67[.]198 domain|IP Urausy C2 2018-04-09
1bd20aa0433f3f03001b7f3e6f1fb110 md5 RIG Flash Exploit 2018-04-09
712385a6073303a20163e4c9fb079117 md5 Urausy - probably as a loader 2018-04-09

Spotted on 2018-06-28, most probably there since 2018-06-16

Despite seeing code pointing to it, we did not saw it properly called in traffic.

Fallout_CVE-2018-4878 Call

Figure 6: Fallout call for CVE-2018-4878 in it's landing 2018-08-30

Edits:

  • 2018-04-10 - 10:05 GMT - Modified to reflect payload id: Urausy. Not seen since 2015-06-09

Acknowledgement:

  • Thanks to Kimberly for the payload identification.



Source link

Tagged with:



Comments are closed.






© Torchsec  Privacy Policy Disclaimer  T&C



Back to Top ↑