October 10, 2014 at 14:32Sednit hacker group switched to using its own set of exploits
Over the past five years, a group of hackers called “Sednit” has been quite active and various organizations, mainly in Eastern Europe, have become its victims. This group used various types of malware in its arsenal, one of which is called Win32 / Sednit (aka Sofacy).
Recently, we were faced with the compromise of legitimate financial websites. These sites were compromised by cybercriminals and redirected their visitors to a set of exploits. Based on the results of our research and the information that was provided to us by the reporters from the Google Security Team, it was found that a group of cybercriminals Sednit is behind the compromised resources.
Using a set of exploits to infect users is a new strategy for this group, as they previously specialized in sending phishing messages. Such messages contained MS Word documents that exploited the vulnerability CVE-2014-1761 .
Back in April 2014, cyber attacks against users were observed in which the mentioned Win32 / Sednit malware was delivered using the 0day (at that time) vulnerability CVE-2014-1761 in MS Word. In addition to this malware, cybercriminals also specialized in delivering BlackEnergy and MiniDuke malware .
In a malware distribution campaign using the MS Word vulnerability, the Sednit group used special fake Office documents as bait. When the user opened the document, he allegedly showed important content. In fact, when viewing the specified document, the exploit secretly installed one of the specified malicious programs into the system. Both false documents demonstrated the theme of the conflict in Ukraine.
We have detected malicious content on several websites owned by banking institutions in Poland. This malicious content specialized in redirecting the user to install the Win32 / Sednit Trojan and was a malicious IFRAME. Through this IFRAME, which was added to the end of a legitimate web page, the user was redirected to a set of exploits. Examples of URLs for redirecting a user are shown in the screenshot below. One of these domains was registered on September 18th.
When you directly visit hxxp: //defenceiq.us, which is specified in the redirect URL to a set of exploits, the user will be redirected to defenceiq.com. This last site is a legitimate resource, described as “an authoritative news source for high quality and exclusive commentary and analysis on global defense and military-related topics”.
Like other suspicious domains that were detected in this campaign, the domain defenceiq.us was served by IP address 76.73.47.90. These domains were used to redirect to a set of exploits and they all used a similar mechanism to redirect to a landing page. This behavior serves as an indicator that the same group is behind this malicious content. If the Polish financial website is compromised, the domain used for redirecting, which is very similar to the address of a military-related website, is not the best choice for cybercriminals and was probably taken by cybercriminals from another campaign.
The behavior of the exploit set mentioned above, which we called Sedkit, is no different from the behavior of other exploit sets, such as Angler or Nuclear. These exploit kits have a similar exploitation chain as shown in the screenshot below. The web browser at the first stage is redirected to the so-called. landing page of the exploit suite The landing page contains special JavaScript code that is responsible for determining the version of the web browser and its plug-ins used.
The screenshot below shows part of the above JavaScript code, where we can see the commented out line with the call to the DetectJavaForMSIE () function. Perhaps this is due to the fact that the latest versions of browsers warn the user about downloading Java content or even disable the default Java plug-in in advance, thus making exploits for this plug-in completely useless.
After detecting the plugin version, the script sends this information to the server using the HTTP protocol POST request. Using the information received, the exploit suite page redirects the user to either a different URL with a specific exploit or to the localhost address . The information returned by the script includes some other information about the user's browser environment. This information is presented below in the screenshot.
Three exploits were discovered in the exploit set that exploit vulnerabilities in MS Internet Explorer. Vulnerabilities are listed below in the table. Interestingly, the exploit for CVE-2014-1776 was not yet observed in the well-known exploit sets, and the other two were presented only in a small number of instances.
Unlike most modern exploit kits, Sedkit does not use obfuscation for JavaScript code. We even found comments in JavaScript code that related to the implementation of the ROP mechanism in the exploit. Thus, we can conclude that at the time of detecting the page of this set of exploits, it was at the testing stage.
Fig. Part of the exploit code for CVE-2013-3897.
Fig. Part of the exploit code for CVE-2014-1776.
When unpacking the malicious Flash Player file, which is used to operate CVE-2014-1776, you can see the path to the directory of the computer on which the file was compiled. Such information was first encountered by us.
After successful exploitation of the vulnerability, a payload is loaded onto the victim’s computer, which can be encrypted.
When redirecting a user to a link leading to a set of exploits, the antivirus will block it with the following message.
The payload loaded onto the compromised computer is a malicious executable file called “runrun.exe”. The task of this executable file - dropper is to install the “splm.dll” dynamic library into the system. This library is stored in dropper in encrypted form. According to our data, this malicious library has been used in targeted attack operations since 2009.
Analysis of the library shows that it was developed in the C ++ environment. Thanks to Run-Time Type Information (RTTI)part of the malware architecture can be restored, including some of the names that were chosen by the developer. The malicious program contains various modules that implement certain functions, as well as determine the interaction mechanism between these modules and remote control. The table below shows the malware modules that we detected.
In the course of its work, malicious code creates an external communication channel for accessing a network named WinHttp. It also decrypts three domain names that are used as addresses of C&C servers: msonlinelive.com , windows-updater.com and azureon-line.com .
In recent years, exploit kits have become the primary tool that cybercriminals use to spread malware. These malicious programs are usually used to conduct fraudulent financial transactions, send spam, mining bitcoins, and also to steal confidential account data.
The considered method of cyberattacks is known under the general name "watering hole". It implies a compromise by attackers of a well-known web resource, which leads to numerous infections of users. As a rule, a compromised resource refers to a specific topic or belongs to a company, which indicates the direction of the attack.
Recently, we were faced with the compromise of legitimate financial websites. These sites were compromised by cybercriminals and redirected their visitors to a set of exploits. Based on the results of our research and the information that was provided to us by the reporters from the Google Security Team, it was found that a group of cybercriminals Sednit is behind the compromised resources.
Using a set of exploits to infect users is a new strategy for this group, as they previously specialized in sending phishing messages. Such messages contained MS Word documents that exploited the vulnerability CVE-2014-1761 .
Back in April 2014, cyber attacks against users were observed in which the mentioned Win32 / Sednit malware was delivered using the 0day (at that time) vulnerability CVE-2014-1761 in MS Word. In addition to this malware, cybercriminals also specialized in delivering BlackEnergy and MiniDuke malware .
In a malware distribution campaign using the MS Word vulnerability, the Sednit group used special fake Office documents as bait. When the user opened the document, he allegedly showed important content. In fact, when viewing the specified document, the exploit secretly installed one of the specified malicious programs into the system. Both false documents demonstrated the theme of the conflict in Ukraine.
We have detected malicious content on several websites owned by banking institutions in Poland. This malicious content specialized in redirecting the user to install the Win32 / Sednit Trojan and was a malicious IFRAME. Through this IFRAME, which was added to the end of a legitimate web page, the user was redirected to a set of exploits. Examples of URLs for redirecting a user are shown in the screenshot below. One of these domains was registered on September 18th.
When you directly visit hxxp: //defenceiq.us, which is specified in the redirect URL to a set of exploits, the user will be redirected to defenceiq.com. This last site is a legitimate resource, described as “an authoritative news source for high quality and exclusive commentary and analysis on global defense and military-related topics”.
Like other suspicious domains that were detected in this campaign, the domain defenceiq.us was served by IP address 76.73.47.90. These domains were used to redirect to a set of exploits and they all used a similar mechanism to redirect to a landing page. This behavior serves as an indicator that the same group is behind this malicious content. If the Polish financial website is compromised, the domain used for redirecting, which is very similar to the address of a military-related website, is not the best choice for cybercriminals and was probably taken by cybercriminals from another campaign.
The behavior of the exploit set mentioned above, which we called Sedkit, is no different from the behavior of other exploit sets, such as Angler or Nuclear. These exploit kits have a similar exploitation chain as shown in the screenshot below. The web browser at the first stage is redirected to the so-called. landing page of the exploit suite The landing page contains special JavaScript code that is responsible for determining the version of the web browser and its plug-ins used.
The screenshot below shows part of the above JavaScript code, where we can see the commented out line with the call to the DetectJavaForMSIE () function. Perhaps this is due to the fact that the latest versions of browsers warn the user about downloading Java content or even disable the default Java plug-in in advance, thus making exploits for this plug-in completely useless.
After detecting the plugin version, the script sends this information to the server using the HTTP protocol POST request. Using the information received, the exploit suite page redirects the user to either a different URL with a specific exploit or to the localhost address . The information returned by the script includes some other information about the user's browser environment. This information is presented below in the screenshot.
Three exploits were discovered in the exploit set that exploit vulnerabilities in MS Internet Explorer. Vulnerabilities are listed below in the table. Interestingly, the exploit for CVE-2014-1776 was not yet observed in the well-known exploit sets, and the other two were presented only in a small number of instances.
Unlike most modern exploit kits, Sedkit does not use obfuscation for JavaScript code. We even found comments in JavaScript code that related to the implementation of the ROP mechanism in the exploit. Thus, we can conclude that at the time of detecting the page of this set of exploits, it was at the testing stage.
Fig. Part of the exploit code for CVE-2013-3897.
Fig. Part of the exploit code for CVE-2014-1776.
When unpacking the malicious Flash Player file, which is used to operate CVE-2014-1776, you can see the path to the directory of the computer on which the file was compiled. Such information was first encountered by us.
After successful exploitation of the vulnerability, a payload is loaded onto the victim’s computer, which can be encrypted.
When redirecting a user to a link leading to a set of exploits, the antivirus will block it with the following message.
The payload loaded onto the compromised computer is a malicious executable file called “runrun.exe”. The task of this executable file - dropper is to install the “splm.dll” dynamic library into the system. This library is stored in dropper in encrypted form. According to our data, this malicious library has been used in targeted attack operations since 2009.
Analysis of the library shows that it was developed in the C ++ environment. Thanks to Run-Time Type Information (RTTI)part of the malware architecture can be restored, including some of the names that were chosen by the developer. The malicious program contains various modules that implement certain functions, as well as determine the interaction mechanism between these modules and remote control. The table below shows the malware modules that we detected.
In the course of its work, malicious code creates an external communication channel for accessing a network named WinHttp. It also decrypts three domain names that are used as addresses of C&C servers: msonlinelive.com , windows-updater.com and azureon-line.com .
In recent years, exploit kits have become the primary tool that cybercriminals use to spread malware. These malicious programs are usually used to conduct fraudulent financial transactions, send spam, mining bitcoins, and also to steal confidential account data.
The considered method of cyberattacks is known under the general name "watering hole". It implies a compromise by attackers of a well-known web resource, which leads to numerous infections of users. As a rule, a compromised resource refers to a specific topic or belongs to a company, which indicates the direction of the attack.