Thursday, December 8, 2016

Cyber Updates - 08/12

Hey all,
Today I’d like to introduce you to Stegano, a new exploit kit that has recently been delivered through malicious ads.

The exploit kit uses MS16-037 (an Internet Explorer vulnerability) to check whether it is running on a malware analysis system. Based on server-side logic, the target is then served either a clean image or a malicious one, which carries a script encoded in its alpha channel (the channel that defines the transparency of each pixel). The script then redirects the user to another URL, which attempts to exploit one of 3 different Flash vulnerabilities (CVE-2015-8651, CVE-2016-1019, CVE-2016-4117), depending on the victim’s Flash version.

The attached image illustrates the attack.

What is interesting to note is that the exploit creators did not want it to be discovered. As such, the malware is not executed if one of the following processes or modules is running on the system:
    vmtoolsd.exe
    VBoxService.exe
    prl_tools_service.exe
    VBoxHook.dll
    SBIEDLL.DLL
    fiddler.exe (luckily for us, they also check if the tool is installed, so all Comsec’s consultants are in the clear)
    charles.exe
    wireshark.exe
    proxifier.exe
    procexp.exe
    ollydbg.exe
    windbg.exe

Here are all the details:

Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit