On February 11, FireEye identified a zero-day exploit (CVE-2014-0322) being served up from the U.S. Veterans of Foreign Wars’ website (vfw[.]org). We believe the attack is a strategic Web compromise targeting American military personnel amid a paralyzing snowstorm at the U.S. Capitol in the days leading up to the Presidents Day holiday weekend. Based on infrastructure overlaps and tradecraft similarities, we believe the actors behind this campaign are associated with two previously identified campaigns (Operation DeputyDog and Operation Ephemeral Hydra).
This blog post examines the vulnerability and associated attacks, which we have dubbed “Operation SnowMan."
The exploit targets IE 10 with Adobe Flash. It aborts exploitation if the user is browsing with a different version of IE or has installed Microsoft’s Experience Mitigation Toolkit (EMET). So installing EMET or updating to IE 11 prevents this exploit from functioning.
The vulnerability is a previously unknown use-after-free bug in Microsoft Internet Explorer 10. The vulnerability allows the attacker to modify one byte of memory at an arbitrary address. The attacker uses the vulnerability to do the following:
- Gain access to memory from Flash ActionScript, bypassing address space layout randomization (ASLR)
- Pivot to a return-oriented programing (ROP) exploit technique to bypass data execution prevention (DEP)
The attacker uses the Microsoft.XMLDOM ActiveX control to load a one-line XML string containing a file path to the EMET DLL. Then the exploit code parses the error resulting from the XML load order to determine whether the load failed because the EMET DLL is not present. The exploit proceeds only if this check determines that the EMET DLL is not present.
Because the vulnerability allows attackers to modify memory to an arbitrary address, the attacker can use it to bypass ASLR. For example, the attacker corrupts a Flash Vector object and then accesses the corrupted object from within Flash to access memory. We have discussed this technique and other ASLR bypass approaches in our blog. One minor difference between the previous approaches and this attack is the heap spray address, which was changed to 0x1a1b2000 in this exploit.
Once the attacker’s code has full memory access through the corrupted Flash Vector object, the code searches through loaded libraries gadgets by machine code. The attacker then overwrites the vftable pointer of a flash.Media.Sound() object in memory to point to the pivot and begin ROP. After successful exploitation, the code repairs the corrupted Flash Vector and flash.Media.Sound to continue execution.
Subsequently, the malicious Flash code downloads a file containing the dropped malware payload. The beginning of the file is a JPG image; the end of the file (offset 36321) is the payload, encoded with an XOR key of 0x95. The attacker appends the payload to the shellcode before pivoting to code control. Then, when the shellcode is executed, the malware creates files “sqlrenew.txt” and “stream.exe”. The tail of the image file is decoded, and written to these files. “sqlrenew.txt” is then executed with the LoadLibraryA Windows API call.
ZxShell payload analysis
As documented above, this exploit dropped an XOR (0x95) payload that executed a ZxShell backdoor (MD5: 8455bbb9a210ce603a1b646b0d951bce). The compile date of the payload was 2014-02-11, and the last modified date of the exploit code was also 2014-02-11. This suggests that this instantiation of the exploit was very recent and was deployed for this specific strategic Web compromise of the Veterans of Foreign Wars website. A possible objective in the SnowMan attack is targeting military service members to steal military intelligence. In addition to retirees, active military personnel use the VFW website. It is probably no coincidence that Monday, Feb. 17, is a U.S. holiday, and much of the U.S. Capitol shut down Thursday amid a severe winter storm.
The ZxShell backdoor is a widely used and publicly available tool used by multiple threat actors linked to cyber espionage operations. This particular variant called back to a command and control server located at newss[.]effers[.]com. This domain currently resolves to 184.108.40.206. The domain info[.]flnet[.]org also resolved to this IP address on 2014-02-12.
The info[.]flnet[.]org domain overlaps with icybin[.]flnet[.]org and book[.]flnet[.]org via the previous resolutions to the following IP addresses:
|First Seen||Last Seen||CnC Domain||IP|
|2013-08-31 2013-08-31||2013-08-31 2013-08-31||icybin.flnet[.]org icybin.flnet[.]org||220.127.116.11 18.104.22.168|
|2013-05-02 2013-05-02||2013-08-02 2013-08-02||info.flnet[.]org info.flnet[.]org||22.214.171.124 126.96.36.199|
|2013-08-02 2013-08-02||2013-08-02 2013-08-02||book.flnet[.]org book.flnet[.]org||188.8.131.52 184.108.40.206|
|2013-08-10 2013-08-10||2013-08-10 2013-08-10||info.flnet[.]org info.flnet[.]org||220.127.116.11 18.104.22.168|
|2013-07-15 2013-07-15||2013-07-15 2013-07-15||icybin.flnet[.]org icybin.flnet[.]org||22.214.171.124 126.96.36.199|
|2014-01-02 2014-01-02||2014-01-02 2014-01-02||book.flnet[.]org book.flnet[.]org||188.8.131.52 184.108.40.206|
|2013-12-03 2013-12-03||2014-01-02 2014-01-02||info.flnet[.]org info.flnet[.]org||220.127.116.11 18.104.22.168|
We previously observed Gh0stRat samples with the custom packet flag “HTTPS” calling back to book[.]flnet[.]org and icybin[.]flnet[.]org. The threat actor responsible for Operation DeputyDog also used the “HTTPS” version of the Gh0st. We also observed another “HTTPS” Gh0st variant connecting to a related command and control server at me[.]scieron[.]com.
|MD5 Hash||CnC Domain|
|758886e58f9ea2ff22b57cbbb015166e 758886e58f9ea2ff22b57cbbb015166e||book.flnet[.]org book.flnet[.]org|
|0294f9280491f85d898ebe471f0fb58e 0294f9280491f85d898ebe471f0fb58e||icybin.flnet[.]org icybin.flnet[.]org|
|9d20566a327076b7152bbf9ed20292c4 9d20566a327076b7152bbf9ed20292c4||me.scieron[.]com me.scieron[.]com|
The me[.]scieron[.]com domain previously resolved to 22.214.171.124. The book[.]flnet[.]org domain also resolved to another IP in the same subnet 126.96.36.199/24. Specifically, book[.]flnet[.]org previously resolved to 188.8.131.52.
Others domain seen resolving to this same /24 subnet were dll[.]freshdns[.]org, ali[.]blankchair[.]com, and cht[.]blankchair[.]com. The domain dll[.]freshdns[.]org resolved to 184.108.40.206. Both ali[.]blankchair[.]com and cht[.]blankchair[.]com resolved to 220.127.116.11.
|First Seen||Last Seen||CnC Domain||IP|
|2012-11-12 2012-11-12||2012-11-28 2012-11-28||me.scieron[.]com me.scieron[.]com||18.104.22.168 22.214.171.124|
|2012-04-09 2012-04-09||2012-10-24 2012-10-24||cht.blankchair[.]com cht.blankchair[.]com||126.96.36.199 188.8.131.52|
|2012-04-09 2012-04-09||2012-09-18 2012-09-18||ali.blankchair[.]com ali.blankchair[.]com||184.108.40.206 220.127.116.11|
|2012-11-08 2012-11-08||2012-11-25 2012-11-25||dll.freshdns[.]org dll.freshdns[.]org||18.104.22.168 22.214.171.124|
|2012-11-23 2012-11-23||2012-11-27 2012-11-27||rt.blankchair[.]com rt.blankchair[.]com||126.96.36.199 188.8.131.52|
|2012-05-29 2012-05-29||2012-6-28 2012-6-28||book.flnet[.]org book.flnet[.]org||184.108.40.206 220.127.116.11|
A number of other related domains resolve to these IPs and other IPs also in this /24 subnet. For the purposes of this blog, we’ve chosen to focus on those domains and IP that relate to the previously discussed DeputyDog and Ephemeral Hydra campaigns.
You may recall that dll[.]freshdns[.]org, ali[.]blankchair[.]com and cht[.]blankchair[.]com were all linked to both Operation DeputyDog and Operation Ephemeral Hydra. Figure 1 illustrates the infrastructure overlaps and connections we observed between the strategic Web compromise campaign leveraging the VFW’s website, the DeputyDog, and the Ephemeral Hydra operations.
Links to DeputyDog and Ephemeral Hydra
Other tradecraft similarities between the actor(s) responsible for this campaign and the actor(s) responsible for the DeputyDog/Ephemeral Hydra campaigns include:
- The use of zero-day exploits to deliver a remote access Trojan (RAT)
- The use of strategic web compromise as a vector to distribute remote access Trojans
- The use of a simple single-byte XOR encoded (0x95) payload obfuscated with a .jpg extension
- The use of Gh0stRat with the “HTTPS” packet flag
- The use of related command-and-control (CnC) infrastructure during the similar time frames
These actors have previously targeted a number of different industries, including:
- U.S. government entities
- Japanese firms
- Defense industrial base (DIB) companies
- Law firms
- Information technology (IT) companies
- Mining companies
- Non-governmental organizations (NGOs)
The proven ability to successfully deploy a number of different private and public RATs using zero-day exploits against high-profile targets likely indicates that this actor(s) will continue to operate in the mid to long-term.