On April 2, security researcher @Kafeine at Proofpoint discovered a change to the Magnitude Exploit Kit. Thanks to their collaboration, we analyzed the sample and discovered that Magnitude EK was exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-1019). The in-the-wild exploit achieves remote code execution on recent versions of Flash Player, but fails on the latest version (21.0.0.197).
While version 21.0.0.197 is also vulnerable, the exploit fails there because Adobe introduced new exploit mitigations in version 21.0.0.182 of Flash Player. This was a great move from Adobe that shows how valuable investment in exploit mitigations can be: before the exploit kit authors could devise a way around the new mitigations, Adobe patched the underlying vulnerability.
Exploit Delivery Chain
Magnitude EK recently updated its delivery chain. Like Angler EK, it now starts with a profile gate that collects the screen's dimensions and color depth (Figure 1).
Figure 1. JS of Profile Gate
The server responds with another profiling page, which tries to avoid sending exploits to users browsing from virtual machines, with analysis tools such as Fiddler running, or with certain antivirus products installed (Figure 2). It does this by probing for known files of those products through Internet Explorer's res:// protocol; see the appendix for the full list of probes.
Figure 2. JS of redirecting to main exploit page
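As an added example, not code from the Magnitude EK sample or from this write-up, the following reconstructs how a res:// profiling page of this kind reaches its serve-or-refuse decision, and includes a small parser an analyst can run over the probe list in the appendix. The function names, the category labels, the fake image factory and the PROBES subset are ours; the res:// URIs themselves are taken from the appendix.

```javascript
// Added example, not code from the Magnitude EK sample or from this write-up:
// a reconstruction of how an Internet Explorer res:// profiling page decides
// whether to serve exploits, plus a small parser for the probe list in the
// appendix.  Function names, category labels and the PROBES subset are ours.
//
// IE's res:// protocol handler serves resources embedded in PE files on disk.
// A probe res://<path>/#<type>/#<id> names one resource (type 2 = RT_BITMAP,
// type 3 = RT_ICON).  Assigned to an <img>, it fires onload when the file
// exists and the resource renders, and onerror otherwise, so the page learns
// which products are installed with no privilege beyond running script.

const RESOURCE_TYPES = { 2: "RT_BITMAP", 3: "RT_ICON" };

// What each probe is really looking for (labels are ours, not the kit's).
const CATEGORIES = [
  [/fiddler/i, "traffic-inspection tool"],
  [/vmware|virtualbox|parallels/i, "virtual machine"],
  [/malwarebytes|trend micro|kaspersky/i, "security product"],
];

// Constructed subset of the appendix probes, backslashes escaped for JS.
const PROBES = [
  "res://Program%20Files%20(x86)\\Fiddler2\\Fiddler.exe/#3/#32512",
  "res://Program%20Files%20(x86)\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#26567",
  "res://Program%20Files%20(x86)\\Oracle\\VirtualBox Guest Additions\\uninst.exe/#2/#110",
  "res://Program%20Files%20(x86)\\Malwarebytes Anti-Exploit\\mbae.exe/#2/200",
  "res://Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 16.0.0\\x86\\mfc42.dll/#2/#26567",
];

// Split one probe into the file it tests for and the resource it requests.
function parseResUri(uri) {
  const m = /^res:\/\/(.+?)\/#(\d+)\/([#A-Za-z0-9_]+)$/.exec(uri);
  if (!m) return null;
  const path = decodeURIComponent(m[1]);
  const type = Number(m[2]);
  const hit = CATEGORIES.find(([re]) => re.test(path));
  return {
    path,
    resourceType: RESOURCE_TYPES[type] || "type " + type,
    resourceId: m[3],
    category: hit ? hit[1] : "unknown",
  };
}

// Load every probe through an image element and collect the ones that exist.
// makeImage is injectable so the logic can run outside IE (see fakeImageFactory).
function probeInstalled(uris, onDone, makeImage = () => new Image()) {
  const found = [];
  let pending = uris.length;
  if (pending === 0) { onDone(found); return; }
  const finish = () => { if (--pending === 0) onDone(found); };
  uris.forEach((uri) => {
    const img = makeImage();
    img.onload = () => { found.push(uri); finish(); };
    img.onerror = finish;
    img.src = uri; // IE resolves res:// here; every other browser just errors
  });
}

// The gate's decision: any hit means a researcher or sandbox, so no exploit.
function gateDecision(foundUris) {
  return {
    serveExploit: foundUris.length === 0,
    reasons: foundUris.map((u) => parseResUri(u).category),
  };
}

// Stand-in for Image outside IE: files listed in `present` "exist", and the
// handlers fire synchronously when src is assigned.
function fakeImageFactory(present) {
  return () => {
    const img = {};
    Object.defineProperty(img, "src", {
      set(uri) {
        const p = parseResUri(uri);
        if (p && present.some((f) => p.path.endsWith(f))) img.onload();
        else img.onerror();
      },
    });
    return img;
  };
}

// Demo: a host with VMware Tools installed is refused the exploit.
probeInstalled(PROBES, (found) => {
  const d = gateDecision(found);
  console.log("serveExploit:", d.serveExploit, "reasons:", d.reasons);
}, fakeImageFactory(["TPAutoConnSvc.exe"]));
```

Two practical notes. Only Internet Explorer honours res://, so in any other browser every probe errors and an empty hit list proves nothing about the host; a sandbox built on IE should therefore carry decoy copies of the probed files, or intercept res:// loads, if it wants to keep receiving exploits. Conversely, a run of res:// URIs naming VM tools and security products inside script served from a redirect chain is a strong indicator of an exploit kit gate and is cheap to alert on.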
In our tests, Magnitude EK delivered the Internet Explorer JSON double-free exploit (CVE-2015-2419) together with a small Flash loader that loads the new Flash exploit (Figure 3).
Figure 3. JS of loading exploits
The Flash Exploit
A memory corruption vulnerability exists in an undocumented ASnative API. The exploit coerces Flash Player's memory allocator into handing out buffers whose contents the attacker controls. The attacker then ends up with a ByteArray whose length is 0xFFFFFFFF, which turns that ByteArray into an arbitrary read and write primitive over process memory (Figure 4). The exploit's code layout and some of its functionality resemble the leaked HackingTeam exploits: it downloads malware from another server and executes it.
Figure 4. ActionScript of Flash exploits
Conclusion
This is not the first time that new exploit mitigation research has rendered an in-the-wild zero-day exploit ineffective. Exploit mitigations are an invaluable tool for the industry, and their ongoing development within some of the most widely targeted applications, such as Internet Explorer/Edge and Flash Player, changes the game.
Despite regular security updates, attackers continue to target Flash Player, primarily because of its ubiquity and cross-platform reach. If Flash Player is required in your environment, ensure that you update to the latest version, and consider the use of mitigation tools such as EMET from Microsoft. Adobe has issued a security bulletin for this vulnerability.
Acknowledgements
A huge thank you to @Kafeine, without whom this discovery would not be possible. His diligence continues to keep this industry at pace with exploit kit authors around the world.
Appendix
Files probed through Internet Explorer's res:// protocol by the profiling page (each file is checked under both Program Files and Program Files (x86)):

res://Program%20Files%20(x86)\Fiddler2\Fiddler.exe/#3/#32512
res://Program%20Files\Fiddler2\Fiddler.exe/#3/#32512
res://Program%20Files%20(x86)\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#26567
res://Program%20Files\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#26567
res://Program%20Files%20(x86)\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#30996
res://Program%20Files\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#30996
res://Program%20Files%20(x86)\Oracle\VirtualBox Guest Additions\uninst.exe/#2/#110
res://Program%20Files\Oracle\VirtualBox Guest Additions\uninst.exe/#2/#110
res://Program%20Files%20(x86)\Parallels\Parallels Tools\Applications\setup_nativelook.exe/#2/#204
res://Program%20Files\Parallels\Parallels Tools\Applications\setup_nativelook.exe/#2/#204
res://Program%20Files%20(x86)\Malwarebytes Anti-Malware\mbamext.dll/#2/202
res://Program%20Files\Malwarebytes Anti-Malware\mbamext.dll/#2/202
res://Program%20Files%20(x86)\Malwarebytes Anti-Malware\unins000.exe/#2/DISKIMAGE
res://Program%20Files\Malwarebytes Anti-Malware\unins000.exe/#2/DISKIMAGE
res://Program%20Files%20(x86)\Malwarebytes Anti-Exploit\mbae.exe/#2/200
res://Program%20Files\Malwarebytes Anti-Exploit\mbae.exe/#2/200
res://Program%20Files%20(x86)\Malwarebytes Anti-Exploit\mbae.exe/#2/201
res://Program%20Files\Malwarebytes Anti-Exploit\mbae.exe/#2/201
res://Program%20Files%20(x86)\Malwarebytes Anti-Exploit\unins000.exe/#2/DISKIMAGE
res://Program%20Files\Malwarebytes Anti-Exploit\unins000.exe/#2/DISKIMAGE
res://Program%20Files%20(x86)\Trend Micro\Titanium\TmConfig.dll/#2/#30994
res://Program%20Files\Trend Micro\Titanium\TmConfig.dll/#2/#30994
res://Program%20Files%20(x86)\Trend Micro\Titanium\TmSystemChecking.dll/#2/#30994
res://Program%20Files\Trend Micro\Titanium\TmSystemChecking.dll/#2/#30994
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\shellex.dll/#2/#102
res://Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\shellex.dll/#2/#102
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll/#2/#102
res://Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll/#2/#102
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\shellex.dll/#2/#102
res://Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\shellex.dll/#2/#102
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2009\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avzkrnl.dll/#2/BBALL
res://Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avzkrnl.dll/#2/BBALL
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.1\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.1\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.2\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.2\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll/#2/#102
res://Program%20Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll/#2/#102
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 7.0\shellex.dll/#2/#102
res://Program%20Files\Kaspersky Lab\Kaspersky Internet Security 7.0\shellex.dll/#2/#102
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2009\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2009\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2010\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2010\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avzkrnl.dll/#2/BBALL
res://Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2011\avzkrnl.dll/#2/BBALL
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2012\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2013\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 14.0.0\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Total Security 14.0.0\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.0\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.0\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.1\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.1\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 16.0.0\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky Total Security 16.0.0\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE 2.0\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky PURE 2.0\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE 3.0\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky PURE 3.0\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky CRYSTAL 3.0\x86\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky CRYSTAL 3.0\x86\mfc42.dll/#2/#26567
res://Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE\mfc42.dll/#2/#26567
res://Program%20Files\Kaspersky Lab\Kaspersky PURE\mfc42.dll/#2/#26567