by Feike Hacquebord, Senior Threat Researcher
A zero-day quickly loses its effectiveness as an attack tool once it is discovered and patched by the affected software vendors. In the window between the discovery of the vulnerability and the release of the fix, a bad actor might try to get the most out of his previously valuable attack assets. This is exactly what we saw in late October and early November 2016, when the espionage group Pawn Storm (also known as Fancy Bear, APT28, Sofacy, and STRONTIUM) ramped up its spear-phishing campaigns against various governments and embassies around the world. In these campaigns, Pawn Storm used a previously unknown zero-day in Adobe’s Flash (CVE-2016-7855, fixed on October 26, 2016 with an emergency update) in combination with a privilege escalation in Microsoft’s Windows operating system (CVE-2016-7255) that was fixed on November 8, 2016.
After the fix of CVE-2016-7855 in Adobe’s Flash, Pawn Storm probably devalued the two zero-days in its attack tool portfolio. Instead of using them only against very high-profile targets, the group started to expose many more targets to these vulnerabilities. We saw several campaigns against still-high-profile targets from October 28 until early November 2016.
Figure 1. Infection chain of the spear-phishing campaign
In early November, Pawn Storm sent spear-phishing e-mails to various governments around the world. In one of Pawn Storm’s campaigns on November 1, the subject line was “European Parliament statement on nuclear threats.” The e-mail seemingly came from a real press officer working for the media relations office of the European Union, but in reality, the sender e-mail address was forged. Clicking on the link in the spear-phishing e-mail led to the exploit kit of Pawn Storm.
From October 28 until early November 2016, several waves of spear-phishing e-mails were sent to embassies and other governmental institutions. Some of the e-mails posed as an invitation for a “Cyber Threat Intelligence and Incident Response conference in November” by Defense IQ, a media organization that specializes in news on defense and the military. The conference is real, but of course, the sender address was forged. The spear-phishing e-mail contained an RTF (Rich Text Format) document called “Programm Details.doc.”
Opening the RTF document (detected by Trend Micro as TROJ_ARTIEF.JEJOSU) would show the program details of the real conference, which was to be held in London in late November 2016. However, the RTF document has an embedded Flash file (SWF_CONEX.A) that downloads additional files from a remote server. This attack methodology of Pawn Storm has been previously observed. We also noted that the embedded Flash file downloaded a Flash exploit for the just-patched CVE-2016-7855. A second file was also downloaded, but this file consistently crashed Microsoft Word during our tests.
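To show the detection side of the chain described above, here is an added example (written for this article, not a Trend Micro tool): a small Python scanner that extracts the hex-encoded `\objdata` groups from an RTF file, decodes them, and flags an embedded Flash object when either a SWF signature (`FWS`, `CWS`, `ZWS`) or a `ShockwaveFlash` object class is found; it also checks the file's SHA-1 against the three indicators listed in the IoC section at the end of this post. The RTF it scans is constructed inside the script with a dummy SWF header and no bytecode, so it is benign and only serves to exercise the parser.

```python
import hashlib
import re

# SHA-1 indicators of compromise as listed in this post's IoC section.
IOC_SHA1 = {
    "4173b29a251cd9c1cab135f67cb60acab4ace0c5": "RTF document (TROJ_ARTIEF.JEJOSU)",
    "cb1e30e6e583178f8d4bf6a487a399bd341c0cdc": "CVE-2016-7855 sample (SWF_EXES.A)",
    "c2f8ea43f0599444d0f6334fc6634082fdd4a69f": "Payload (TSPY_SEDNIT.F)",
}

# Every SWF file begins with one of three signatures (uncompressed, zlib, LZMA)
# followed by a one-byte version number.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

# An embedded object in RTF looks like {\object\objemb{\*\objclass X}{\*\objdata <hex>}}.
OBJECT_RE = re.compile(
    rb"\\object\b(?P<head>.*?)\\objdata\s*(?P<hex>[0-9A-Fa-f\s]+)", re.DOTALL)
OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9.]+)")


def _decode_hex(hex_blob: bytes) -> bytes:
    """Turn the whitespace-interleaved hex of an \\objdata group back into bytes."""
    clean = re.sub(rb"\s+", b"", hex_blob)
    if len(clean) % 2:
        clean = clean[:-1]  # tolerate a truncated trailing nibble
    return bytes.fromhex(clean.decode("ascii"))


def find_swf_headers(data: bytes) -> list:
    """Return offsets of plausible SWF headers (signature + sane version byte)."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while (idx := data.find(magic, start)) >= 0:
            if idx + 3 < len(data) and 1 <= data[idx + 3] <= 50:
                hits.append(idx)
            start = idx + 1
    return sorted(hits)


def scan_rtf(rtf: bytes) -> dict:
    """Hash the document, pull out embedded OLE objects and flag Flash content."""
    sha1 = hashlib.sha1(rtf).hexdigest()
    objects = []
    for m in OBJECT_RE.finditer(rtf):
        cls = OBJCLASS_RE.search(m.group("head"))
        blob = _decode_hex(m.group("hex"))
        objects.append({
            "objclass": cls.group(1).decode("ascii") if cls else None,
            "size": len(blob),
            "swf_offsets": find_swf_headers(blob),
        })
    has_flash = any(
        o["swf_offsets"] or (o["objclass"] and "ShockwaveFlash" in o["objclass"])
        for o in objects)
    return {"sha1": sha1, "ioc_match": IOC_SHA1.get(sha1),
            "objects": objects, "has_flash": has_flash}


def build_sample_rtf() -> bytes:
    """Constructed, benign stand-in for the lure: a dummy SWF header, no bytecode."""
    fake_swf = b"FWS" + bytes([10]) + (8).to_bytes(4, "little")  # header only
    ole_blob = b"\x01\x05\x00\x00\x02\x00\x00\x00" + fake_swf      # OLE1-style prefix
    return (b"{\\rtf1\\ansi Programm Details"
            b"{\\object\\objemb{\\*\\objclass ShockwaveFlash.ShockwaveFlash}"
            b"{\\*\\objdata " + ole_blob.hex().encode("ascii") + b"}}}")


if __name__ == "__main__":
    report = scan_rtf(build_sample_rtf())
    print("sha1:", report["sha1"], "ioc:", report["ioc_match"])
    for o in report["objects"]:
        print("object", o["objclass"], "size", o["size"], "swf at", o["swf_offsets"])
    print("embedded Flash present:", report["has_flash"])
```

The hash check only catches the exact samples listed here; the structural check (an OLE object whose class or payload identifies Flash) is what generalises to other documents built the same way, and a mail gateway or sandbox can apply it before any engine or pattern update. The same extraction is implemented more completely by `rtfobj` from the oletools project, which also handles the obfuscation tricks that real RTF lures use to break naive hex parsing.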
Figure 2. Spear-phishing e-mail from Pawn Storm
Figure 3. The Word document with an embedded Flash file that will try to download exploits from a remote server. The program was taken from a real conference to be held in London at the end of November.
Apart from these two campaigns, several others were also launched by Pawn Storm in the period between the discovery of the zero-days and the release of Adobe’s and Microsoft’s patches on October 26 and November 8, 2016. This shows that Pawn Storm ramped up its spear-phishing attacks shortly after its zero-days were discovered. Not all organizations may have been able to immediately patch Adobe’s Flash, and the Windows vulnerability wasn’t patched until November 8, 2016.
Trend Micro Solutions
Trend Micro™ Deep Discovery™ uses extensive detection techniques and monitors all traffic across virtual and physical networks to deliver real-time protection and in-depth threat analysis. Smart Sandbox, a custom sandbox and emulator technology that is part of Deep Discovery, can detect these threats as well, even without any engine or pattern update. Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from threats that abuse unpatched vulnerabilities. OfficeScan’s Intrusion Defense Firewall plugin shields endpoints from identified and unknown vulnerability exploits even before patches are deployed.
TippingPoint customers are protected from attacks exploiting these vulnerabilities with these MainlineDV filters:
- 25498: HTTP: Adobe Flash AMF Use-After-Free Vulnerability
- 25729: HTTP: Microsoft Windows NtSetWindowLongPtr Privilege Escalation Vulnerability
- 25728: HTTPS: TROJ_KEFLER.A Checkin
- 1008003-Adobe Flash Player Use-After-Free Vulnerability (CVE-2016-7855)
- 1008033-Microsoft Windows Elevation Of Privilege Vulnerability
Indicators of Compromise:
RTF document (TROJ_ARTIEF.JEJOSU): 4173b29a251cd9c1cab135f67cb60acab4ace0c5
CVE-2016-7855 sample (SWF_EXES.A): cb1e30e6e583178f8d4bf6a487a399bd341c0cdc
Payload (TSPY_SEDNIT.F): c2f8ea43f0599444d0f6334fc6634082fdd4a69f
Remote sites giving back exploits to RTF Documents with embedded SWF:
With additional analysis by Francis Antazo and Jeanne Jocson