November 25, 2014 at 15:54Attackers are using CVE-2014-6332
Recently, we wrote about a new dangerous vulnerability CVE-2014-6332 in Windows, which was present (MS14-064) in the OleAut32.dll library, or rather, in the OleAut32! SafeArrayRedim function . This function is used by the VBScript engine (vbscript.dll) for run-time resizing an array in SAFEARRAY format. SafeArrayRedim itself contained a vulnerability that allowed inside the function to modify the field of the size of the array, and then return the result of the failure of the operation, which led to an increase in the size of the buffer from the point of view of the structure itself. See here for more details .
Due to the fact that the exploit for this vulnerability (Windows OLE Automation Array Remote Code Execution Vulnerability), in fact, can operate on memory directly, due to damage to the buffer header structure by the OS function, it does not need to resort to use-after- vulnerability operations free , all operation is reduced to the sequential execution of several functions that help to start the process from the VBScript function bypassing DEP & ASLR.
Analysts at our antivirus lab have discovered the exploitation of this in-the-wild vulnerability. It is a matter of compromising the content of the website of one popular news agency in Bulgaria with malicious content. We observed one of the web pages of this site that was compromised and redirected visitors to install a malicious program using CVE-2014-6332. The appearance of this compromised web page is shown below in the screenshot.
The HTML source code for this webpage contains a malicious iframe that points to the exploit installation page.
As you can see in the screenshot above, the exploit is hosted on a web page belonging to the natmasla [.] Ru domain. It is detected by ESET AV products as Win32 / Exploit.CVE-2014-6332.A. The discovered exploit is based on a proof-of-concept code that was published by a Chinese reseller. In the PoC itself, its data is indicated.
It was not difficult for attackers to modify the original PoC to install their malware in the system.
Oddly enough, the malicious page itself contains the exploit code twice. In the first case, the payload is a set of instructions for the Windows shell (cmd.exe). They are indicated in the screenshot below.
As you can see, in this set of commands there is one group with the prefix [at] echo, which is designed to write special instructions to a text file (KdFKkDls.txt, the file name may differ for various modifications of the exploit). These instructions are for the ftp application, which starts with the special -s switch (take commands to execute from the file). Special ftp instructions are written to the file, with the help of which they connect to the remote server with the specified user name and password, then the executable file is downloaded and launched.
In the case of a second payload, it has the form of the following instructions.
It can be seen that this time, PowerShell is used to download the executable from a remote server .
The malware downloaded this way is detected by ESET AV products like Win32 / IRCBot.NHR . It has a number of capabilities in its arsenal, including the organization of DDoS attacks and the opening of remote access to a computer for attackers.
Due to the fact that the exploit for this vulnerability (Windows OLE Automation Array Remote Code Execution Vulnerability), in fact, can operate on memory directly, due to damage to the buffer header structure by the OS function, it does not need to resort to use-after- vulnerability operations free , all operation is reduced to the sequential execution of several functions that help to start the process from the VBScript function bypassing DEP & ASLR.
Analysts at our antivirus lab have discovered the exploitation of this in-the-wild vulnerability. It is a matter of compromising the content of the website of one popular news agency in Bulgaria with malicious content. We observed one of the web pages of this site that was compromised and redirected visitors to install a malicious program using CVE-2014-6332. The appearance of this compromised web page is shown below in the screenshot.
The HTML source code for this webpage contains a malicious iframe that points to the exploit installation page.
As you can see in the screenshot above, the exploit is hosted on a web page belonging to the natmasla [.] Ru domain. It is detected by ESET AV products as Win32 / Exploit.CVE-2014-6332.A. The discovered exploit is based on a proof-of-concept code that was published by a Chinese reseller. In the PoC itself, its data is indicated.
It was not difficult for attackers to modify the original PoC to install their malware in the system.
Oddly enough, the malicious page itself contains the exploit code twice. In the first case, the payload is a set of instructions for the Windows shell (cmd.exe). They are indicated in the screenshot below.
As you can see, in this set of commands there is one group with the prefix [at] echo, which is designed to write special instructions to a text file (KdFKkDls.txt, the file name may differ for various modifications of the exploit). These instructions are for the ftp application, which starts with the special -s switch (take commands to execute from the file). Special ftp instructions are written to the file, with the help of which they connect to the remote server with the specified user name and password, then the executable file is downloaded and launched.
In the case of a second payload, it has the form of the following instructions.
It can be seen that this time, PowerShell is used to download the executable from a remote server .
The malware downloaded this way is detected by ESET AV products like Win32 / IRCBot.NHR . It has a number of capabilities in its arsenal, including the organization of DDoS attacks and the opening of remote access to a computer for attackers.