Recently, we've seen a few attacks in the wild targeting a patched Adobe Flash Player vulnerability (CVE-2013-5330). This vulnerability was addressed with a patch released by Adobe on November 12, 2013. On the Windows platform, Flash Player version 11.9.900.117 and earlier are vulnerable.

We had a chance to analyze how the attacks work and noted some interesting details from our investigation.

The malicious file has been distributed as a .swf file obfuscated with secureSWF and designed as a “one-stop” attack: it contains the vulnerability’s trigger, the heap spray and shellcode, and an encrypted PE file (see figure 1).

Figure 1: The malicious .swf file

This .swf exploit can be hosted on a web server and runs when the webpage is visited. When the .swf is loaded, the vulnerability is triggered. The .swf bypasses a memory-range validation check and is then able to read and write arbitrary locations. It builds a deliberately crafted VTABLE (figure 2) and uses it to pass control to a location it controls, which contains the “Shim” code (a small piece of code that runs before the shellcode), as shown in figure 3.

Figure 2: Crafted VTABLE for control transfer

Figure 3: The “Shim” code

The “Shim” code calls VirtualProtect() to make the shellcode memory area writable and executable. After the VirtualProtect() call, control is passed to the shellcode. The shellcode is short and pithy – only 140 bytes (see figure 4).

Interestingly, the shellcode doesn’t contain any code to resolve the API addresses. Instead, the API addresses are resolved by the ActionScript and written into the shellcode before it runs (see figure 5 – the placeholders for the API addresses are marked in red).

The shellcode simply drops a PE file (already decrypted by the .swf) to the %temp% directory and loads it with a LoadLibrary() call. The dropped PE file (SHA1: 05446C67FF8C0BAFFA969FC5CC4DD62EDCAD46F5) is detected as TrojanSpy:Win32/Lurk. The telemetry for this file is shown in figure 6.

Figure 4: Short and sweet “shellcode”

Figure 5: The ActionScript used to generate the shellcode

Figure 6: TrojanSpy:Win32/Lurk infected machines
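The final stage described above (a PE file written to %temp% and pulled in with LoadLibrary()) leaves a behavioural trace that is easy to hunt for: a browser or Flash-hosting process loading an image from the user's temp directory. The following detection script is an added example written for this post, not tooling from the MMPC or from the analysis itself. The log lines are constructed in a Sysmon-style "image loaded" (event ID 7) layout, and the list of Flash-hosting process names is an assumption that should be tuned to your environment.

```python
import re
from collections import namedtuple

# Constructed Sysmon-style image-load events (not telemetry from the post).
# Fields: EventID, the process doing the load, and the image being loaded.
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe ImageLoaded=C:\\Windows\\System32\\ntdll.dll",
    "EventID=7 Image=C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\drop1.dll",
    "EventID=7 Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\rpcss.dll",
    "EventID=7 Image=C:\\Program Files\\Mozilla Firefox\\plugin-container.exe ImageLoaded=C:\\Users\\bob\\AppData\\Local\\Temp\\tmp7A3.tmp",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe ImageLoaded=",
]

EVENT_RE = re.compile(r"EventID=(?P<id>\d+) Image=(?P<image>.+?) ImageLoaded=(?P<loaded>.*)$")
# Per-user and system temp directories; the dropper in the post writes to %temp%.
TEMP_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# Assumption: processes that host Flash Player content in a typical 2013-era desktop.
FLASH_HOSTS = ("iexplore.exe", "plugin-container.exe", "flashplayerplugin", "chrome.exe")

Alert = namedtuple("Alert", "process loaded reason")


def parse_event(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"id": int(m.group("id")), "image": m.group("image"), "loaded": m.group("loaded")}


def is_flash_host(image):
    """True when the loading process is one of the assumed Flash-hosting executables."""
    name = image.rsplit("\\", 1)[-1].lower()
    return any(h in name for h in FLASH_HOSTS)


def detect_temp_image_loads(lines):
    """Flag image loads (event 7) from a temp directory by a Flash-hosting process."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["id"] != 7:
            continue
        if TEMP_RE.search(ev["loaded"]) and is_flash_host(ev["image"]):
            alerts.append(Alert(ev["image"], ev["loaded"],
                                "image loaded from a temp directory by a Flash-hosting process"))
    return alerts


if __name__ == "__main__":
    for a in detect_temp_image_loads(SAMPLE_EVENTS):
        print("ALERT:", a.process, "->", a.loaded, "(", a.reason, ")")
```

The rule deliberately keys on the combination of loader and location rather than on the dropped file's hash, so it also catches repacked variants; legitimate installers that stage DLLs in %temp% are the main false-positive source, which is why the loading process is constrained to browser and plugin hosts.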

We have received reports that an iframe loading this malicious .swf file has been injected into some otherwise clean, benign websites. Visiting these websites with an outdated version of Flash Player can lead to a compromise of the machine.
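Site owners can check their own pages for the injection pattern described above: an iframe, usually hidden, that pulls a .swf from a host the site does not control. The scanner below is an added example written for this post, not code from the MMPC or from the investigation. The HTML fragment and the address 203.0.113.10 are constructed for illustration, and the "hidden" heuristic (zero-size frame or a display:none/visibility:hidden style) is an assumption about how such injections are typically concealed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page fragment (not from a real compromised site): one legitimate
# same-origin iframe, plus a hidden iframe loading a .swf from another host.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="/media/player.html" width="640" height="360"></iframe>
<div>
<iframe src="http://203.0.113.10/ads/v.swf" width="0" height="0" style="visibility:hidden"></iframe>
</div>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Assumed concealment heuristic: 0/1-pixel frame or hidden via inline style."""
    zero = (attrs.get("width", "").strip() in ("0", "1")
            or attrs.get("height", "").strip() in ("0", "1"))
    style = attrs.get("style", "").replace(" ", "").lower()
    return zero or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, site_host):
    """Return (src, reasons) for iframes that load .swf content, point at a
    foreign host, or are hidden. site_host is the hostname the page belongs to."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        parsed = urlparse(src)
        reasons = []
        if parsed.path.lower().endswith(".swf"):
            reasons.append("loads .swf")
        if parsed.netloc and parsed.netloc.lower() != site_host.lower():
            reasons.append("foreign host %s" % parsed.netloc.lower())
        if _is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            hits.append((src, reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "www.example.org"):
        print("suspicious iframe:", src, "-", ", ".join(reasons))
```

Run it over the rendered HTML your server actually sends to visitors, not the templates on disk, since injections of this kind are often applied at the web-server or database layer. A hit that carries all three reasons (.swf, foreign host, hidden) is the strongest signal; a same-origin, visible .swf frame is usually just the site's own content.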

If you're using Flash Player version 11.9.900.117 or earlier, you need to update your Flash Player now to be protected against these attacks.

Chun Feng
MMPC