Pawn Storm Ramps Up Spear-phishing Before Zero-Days Get Patched

by Feike Hacquebord, Senior Threat Researcher

The effectiveness of a zero-day as an attack tool deteriorates quickly once it is discovered and patched by the affected software vendors. In the window between the discovery of the vulnerability and the release of the fix, a bad actor might try to get the most out of a previously valuable attack asset. This is exactly what we saw in late October and early November 2016, when the espionage group Pawn Storm (also known as Fancy Bear, APT28, Sofacy, and STRONTIUM) ramped up its spear-phishing campaigns against various governments and embassies around the world. In these campaigns, Pawn Storm used a previously unknown zero-day in Adobe’s Flash (CVE-2016-7855, fixed on October 26, 2016 with an emergency update) in combination with a privilege escalation in Microsoft’s Windows Operating System (CVE-2016-7255) that was fixed on November 8, 2016.

After the fix of CVE-2016-7855 in Adobe’s Flash, Pawn Storm probably devalued the two zero-days in its attack tool portfolio. Instead of using them only against very high-profile targets, they started to expose many more targets to these vulnerabilities. We saw several campaigns against still-high-profile targets from October 28 until early November 2016.

Figure 1. Infection chain of the spear-phishing campaign

In early November, Pawn Storm sent spear-phishing e-mails to various governments around the world. In one of Pawn Storm’s campaigns on November 1, the subject line was “European Parliament statement on nuclear threats.” The e-mail seemingly came from a real press officer working for the media relations office of the European Union, but in reality, the sender e-mail address was forged. Clicking on the link in the spear-phishing e-mail led to the exploit kit of Pawn Storm.

The exploit kit will first fingerprint its targets with invasive JavaScript, which uploads OS details, time zone, installed browser plugins, and language settings to the exploit server. The exploit server may then send back an exploit or simply redirect to a benign server. In recent attacks, we observed that the exploit kit exposed selected targets to the Flash vulnerability CVE-2016-7855, combined with the then-unpatched privilege escalation vulnerability in Windows (CVE-2016-7255). Internet users who were using Windows Vista up to Windows 7 without the latest patch for Flash would be at high risk of automatically getting infected.

From October 28 until early November 2016, several waves of spear-phishing e-mails were sent to embassies and other governmental institutions. Some of the e-mails posed as an invitation for a “Cyber Threat Intelligence and Incident Response conference in November” by Defense IQ, a media organization that specializes in news on defense and the military. The conference is real, but of course, the sender address was forged. The spear-phishing e-mail contained an RTF (Rich Text Format) document called “Programm Details.doc.”

Opening the RTF document (detected by Trend Micro as TROJ_ARTIEF.JEJOSU) would show the program details of the real conference, which was to be held in London in late November 2016. However, the RTF document has an embedded Flash file (SWF_CONEX.A) that downloads additional files from a remote server. This attack methodology of Pawn Storm has been previously observed. We also noted that the embedded Flash file downloaded a Flash exploit for the just-patched CVE-2016-7855. A second file was also downloaded, but this file consistently crashed Microsoft Word during our tests.
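As an added defender-side example (not code from the original post or from Trend Micro), here is a small Python triage script that decodes the `\objdata` hex payloads of an RTF file and flags any SWF header inside them, the structure used by the “Programm Details.doc” document described above. The RTF it parses is constructed inline for illustration and is not the real sample.

```python
import re

# Signatures of the three SWF container variants: uncompressed, zlib and LZMA.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

def objdata_blobs(rtf: bytes) -> list:
    """Decode every \\objdata hex blob (the OLE payload of an embedded object)."""
    blobs = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        rest = rtf[m.end():]
        end = rest.find(b"}")                    # hex runs up to the group's closing brace
        raw = rest[: end if end >= 0 else len(rest)]
        hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", raw)   # RTF allows whitespace/newlines in hex
        blobs.append(bytes.fromhex(hexdata[: len(hexdata) & ~1].decode("ascii")))
    return blobs

def find_embedded_swf(rtf: bytes) -> list:
    """Return (blob_index, offset, magic, version, declared_len) for each plausible SWF header."""
    hits = []
    for i, blob in enumerate(objdata_blobs(rtf)):
        for magic in SWF_MAGICS:
            off = blob.find(magic)
            while off >= 0:
                if off + 8 <= len(blob):
                    version = blob[off + 3]                      # SWF version byte
                    declared = int.from_bytes(blob[off + 4:off + 8], "little")
                    # heuristic sanity check so random "FWS" bytes are not reported
                    if 1 <= version <= 60 and declared >= 8:
                        hits.append((i, off, magic.decode(), version, declared))
                off = blob.find(magic, off + 1)
    return hits

def build_sample_rtf() -> bytes:
    """Constructed test document: OLE1-style header + a dummy uncompressed SWF, hex-encoded."""
    swf = b"FWS" + bytes([10]) + (64).to_bytes(4, "little") + b"\x00" * 56
    ole = b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"ShockwaveFlash.ShockwaveFlash\x00" + swf
    hexdata = ole.hex().encode("ascii")
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass ShockwaveFlash.ShockwaveFlash}"
            b"{\\*\\objdata " + wrapped + b"}}}")

if __name__ == "__main__":
    for hit in find_embedded_swf(build_sample_rtf()):
        print("embedded SWF: blob=%d offset=%d magic=%s version=%d length=%d" % hit)
```

Run it over a real RTF with `find_embedded_swf(open(path, "rb").read())`; a hit on a document that has no business carrying Flash content is a strong triage signal.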

Figure 2. Spear-phishing e-mail from Pawn Storm

Figure 3. The Word document with an embedded Flash file that will try to download exploits from a remote server. The program was taken from a real conference to be held in London at the end of November.

Apart from these two campaigns, several others were also launched by Pawn Storm in the period between the discovery of the zero-days and the release of Adobe’s and Microsoft’s patches on October 26 and November 8, 2016. This shows that Pawn Storm ramped up its spear-phishing attacks shortly after its zero-days were discovered. Not all organizations may have been able to immediately patch Adobe’s Flash, and the Windows vulnerability wasn’t patched until November 8, 2016.

End users are urged to update their Windows OS (through MS16-135) and Flash Player (via its emergency patch) to mitigate these threats.

Trend Micro Solutions

Trend Micro Deep Discovery™ uses extensive detection techniques and monitors all traffic across virtual and physical networks to deliver real-time protection and in-depth threat analysis. Smart Sandbox, a custom sandbox and emulator technology that is part of Deep Discovery, can detect these threats even without any engine or pattern update. Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from threats that abuse unpatched vulnerabilities. OfficeScan’s Intrusion Defense Firewall plugin shields endpoints from identified and unknown vulnerability exploits even before patches are deployed.

TippingPoint customers are protected from attacks exploiting these vulnerabilities with these MainlineDV filters:

  • 25498: HTTP: Adobe Flash AMF Use-After-Free Vulnerability
  • 25729: HTTP: Microsoft Windows NtSetWindowLongPtr Privilege Escalation Vulnerability
  • 25728: HTTPS: TROJ_KEFLER.A Checkin

TSPY_SEDNIT.F is detected by Trend Micro Deep Discovery™ Sandbox as VAN_FILE_INFECTOR.UMXX.

Trend Micro Deep Security™ and Vulnerability Protection shield endpoints and networks through Rule update DSRU16-034, which includes these Deep Packet Inspection (DPI) rules:

  • 1008003-Adobe Flash Player Use-After-Free Vulnerability (CVE-2016-7855)
  • 1008033-Microsoft Windows Elevation Of Privilege Vulnerability

Indicators of Compromise:

Exploit sites:


RTF document (TROJ_ARTIEF.JEJOSU): 4173b29a251cd9c1cab135f67cb60acab4ace0c5

CVE-2016-7855 sample (SWF_EXES.A): cb1e30e6e583178f8d4bf6a487a399bd341c0cdc

Payload (TSPY_SEDNIT.F): c2f8ea43f0599444d0f6334fc6634082fdd4a69f

C&C Servers:

  • microsoftstoreservice[.]com
  • servicetlnt[.]net
  • windowsdefltr[.]net

Remote sites that serve exploits to RTF documents with embedded SWF:

  • appexsrv[.]net
  • securityprotectingcorp[.]com
  • uniquecorpind[.]com
  • versiontask[.]com

With additional analysis by Francis Antazo and Jeanne Jocson
