Internet Explorer and Flash Player vulnerabilities exploited

Apr 9, 2015 08:09 GMT

More than 100 forums, some of them running outdated versions of the vBulletin or IP Board software, have been compromised and now serve malicious code that redirects visitors to malware which evades detection by most antivirus programs.

The malicious campaign, discovered recently by security researchers at Cyphort, was still active on Wednesday and caused forum visitors to be redirected to a landing page hosting Fiesta exploit kit (EK).

One of the affected forums is DIY Chatroom, a location reached by over 8,000 unique IP addresses on a daily basis that provides discussions and advice on repair and home improvement matters.

Malware avoids virtual environments, disables security settings

The payload served is a new variant of Gamarue (also known as Andromeda), a malware family known for stealing sensitive information and installing a backdoor on the compromised system.

At the moment of the discovery, the threat went undetected by all antivirus engines available on the VirusTotal online scanning service, Cyphort says.

According to the researchers, one of the infection chains analyzed exploited two vulnerabilities: an older one in Internet Explorer (CVE-2013-2551, patched by Microsoft in May 2013 in bulletin MS13-037) and a newer one in Adobe Flash Player (CVE-2015-0313, which affects version 16.0.0.296 and earlier and was fixed in 16.0.0.305 in February 2015). Both fixes had therefore been available for weeks or years when the campaign was found.

The Gamarue dropper includes anti-analysis protection and does not run if it detects a virtual environment created by VirtualBox, VMware or QEMU, so it will look benign in many automated sandboxes.

Once Gamarue is executed on the affected machine, it achieves persistence by creating an autostart entry in the Windows Registry and runs a routine that disables security settings on the system.

It then contacts a command and control (C&C) server at “nindziaboy.net” and waits for instructions (report, update and start); all communication with the server is encrypted, Cyphort says.

Click fraud appears to be the end goal

Apart from Gamarue, the dropper also installs FleerCivet, a Trojan built for click fraud (the report calls this clickjacking, but the behaviour is automated ad clicking rather than a UI overlay). It launches multiple hidden instances of Internet Explorer, opens particular websites and clicks on the advertisements displayed there.
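The three host-level behaviours described in the preceding paragraphs (a Run-key autostart written by the dropper, hidden Internet Explorer instances launched by FleerCivet, and callbacks to the C&C domain) are exactly what a responder would hunt for in endpoint telemetry. The following Python script is an added example written for this page, not Cyphort's tooling or anything recovered from the campaign: it runs those checks over a handful of constructed events loosely modelled on Sysmon event IDs 1 (process create), 13 (registry value set) and 22 (DNS query). The field layout, file paths, the svchost.exe-in-AppData masquerade and the detection thresholds are assumptions; the only identifier taken from the article is the C&C domain.

```python
"""Added example: host triage for the behaviours described in the article.

Illustrative code written for this page, not Cyphort's tooling. It scans
constructed endpoint events (field names and paths are assumptions) for a
Run-key autostart pointing into a user-writable directory, one parent
spawning several iexplore.exe processes, and DNS lookups of the C&C domain.
"""
import re
from collections import Counter

# The only identifier taken from the article; everything else is constructed.
C2_DOMAINS = {"nindziaboy.net"}

# Paths a normal installer does not use for autostart binaries.
USER_WRITABLE = re.compile(r"\\(AppData|Temp)\\", re.IGNORECASE)
# HKCU/HKLM ...\CurrentVersion\Run and RunOnce values.
RUN_KEYS = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Constructed sample events, one per line as Key=Value pairs (not real telemetry).
SAMPLE_EVENTS = """\
EventID=13 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\drop.exe TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost Details=C:\\Users\\bob\\AppData\\Roaming\\svchost.exe
EventID=13 Image=C:\\Program Files\\Vendor\\setup.exe TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor Details=C:\\Program Files\\Vendor\\agent.exe
EventID=1 Image=C:\\Program Files\\Internet Explorer\\iexplore.exe ParentImage=C:\\Users\\bob\\AppData\\Roaming\\svchost.exe
EventID=1 Image=C:\\Program Files\\Internet Explorer\\iexplore.exe ParentImage=C:\\Users\\bob\\AppData\\Roaming\\svchost.exe
EventID=1 Image=C:\\Program Files\\Internet Explorer\\iexplore.exe ParentImage=C:\\Users\\bob\\AppData\\Roaming\\svchost.exe
EventID=1 Image=C:\\Program Files\\Internet Explorer\\iexplore.exe ParentImage=C:\\Windows\\explorer.exe
EventID=22 Image=C:\\Users\\bob\\AppData\\Roaming\\svchost.exe QueryName=nindziaboy.net
EventID=22 Image=C:\\Program Files\\Internet Explorer\\iexplore.exe QueryName=forum.example.org
"""


def parse_event(line):
    """Parse 'Key=Value Key=Value' into a dict. Values may contain spaces
    (C:\\Program Files), so split only on whitespace followed by another Key=."""
    fields = {}
    for token in re.split(r"\s+(?=[A-Za-z]+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def load_events(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def find_suspicious_autostarts(events):
    """Run-key values whose target lives in AppData or Temp: the shape of the
    autostart entry Gamarue writes for persistence."""
    return [e["TargetObject"] for e in events
            if e.get("EventID") == "13"
            and RUN_KEYS.search(e.get("TargetObject", ""))
            and USER_WRITABLE.search(e.get("Details", ""))]


def find_click_fraud_browsers(events, threshold=3):
    """Parents in user-writable paths that spawned `threshold` or more
    iexplore.exe processes. Process-creation telemetry cannot tell a hidden
    window from a visible one, so the parent and the count carry the signal."""
    spawned = Counter()
    for e in events:
        if e.get("EventID") != "1":
            continue
        if not e.get("Image", "").lower().endswith("\\iexplore.exe"):
            continue
        parent = e.get("ParentImage", "")
        if USER_WRITABLE.search(parent):
            spawned[parent] += 1
    return {parent: n for parent, n in spawned.items() if n >= threshold}


def find_c2_lookups(events):
    """(process, domain) pairs for DNS queries that hit the known C&C list."""
    return sorted({(e.get("Image", ""), e["QueryName"]) for e in events
                   if e.get("EventID") == "22"
                   and e.get("QueryName", "").lower() in C2_DOMAINS})


def triage(text):
    events = load_events(text)
    return {
        "autostarts": find_suspicious_autostarts(events),
        "click_fraud_parents": find_click_fraud_browsers(events),
        "c2_lookups": find_c2_lookups(events),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

On the constructed sample the script flags the svchost.exe copy in AppData\Roaming three times over: it is the target of the Run value, the parent of three iexplore.exe launches, and the process that resolves the C&C domain, while the vendor installer and the user's own browser session pass. Against real telemetry the Run-key and DNS checks transfer directly; the browser-spawn threshold needs tuning per environment, since some legitimate launchers also start several browser processes.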

Both Gamarue and FleerCivet are embedded in the main dropper’s resources; a third malicious component, detected as Backdoor.Ruperk, is also added to the system.

The backdoor can report system information (the MachineGuid, the operating system version and the name of the display device) to a C&C server and download further files.

Cyphort’s researchers believe the end goal of the whole watering-hole attack is click fraud, since the visitors of the infected forums appear to be mostly home users. Targeting this audience makes the fraud harder to spot, because the clicks appear to come from legitimate user activity rather than from a conspicuous click farm.

However, since further payloads can be downloaded to the victims’ machines, the operators could also assemble a botnet to rent out to other cybercriminals, or push banking Trojans and empty users’ accounts.

As is always the case with exploit kits, one of the best defenses is to keep the browser and all of its plug-ins updated to their latest versions. In this attack the way in is an outdated Internet Explorer or Flash Player; both vulnerabilities used had patches available well before the campaign was discovered, so a fully patched system would not have been infected by this chain.

Photo Gallery (2 Images): Flash Player vulnerability exploited; Internet Explorer glitch leveraged in the attack