{"id":83861,"date":"2017-01-19T18:21:18","date_gmt":"2017-01-19T12:51:18","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=83861"},"modified":"2017-01-19T18:35:39","modified_gmt":"2017-01-19T13:05:39","slug":"ddos-attacks-spreading-godmode-exploit-cve-2014-6332","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/ddos-attacks-spreading-godmode-exploit-cve-2014-6332\/","title":{"rendered":"DDoS attacks spreading through \u2018GodMode\u2019 exploit – CVE-2014-6332"},"content":{"rendered":"

We have recently observed an increase in the exploitation of the famous \u2018GodMode\u2019 exploit of the vulnerability CVE-2014-6332<\/a>. The reliable proof of concept (POC) or exploit code for CVE-2016-6332 is readily available on the Internet. This makes it easy for attackers to integrate the exploit in various campaigns. They just have to flip the malware payload to start a new campaign. Most of the active Exploit Kits (EKs) such \u2018RIG\u2019 and \u2018Sundown\u2019 have integrated exploits for CVE-2014-6332. Apart from EKs, the exploit is also spreading through various compromised, malicious websites.<\/p>\n

In this blog post, we will take a look at the one such attack where exploitation of the \u2018GodMode\u2019 vulnerability CVE-2014-06332 was dropping a malware payload called DDoS Nitol<\/a>.<\/p>\n

Exploitation Cycle<\/strong><\/p>\n

The exploit was being dropped from domain \u20181128[.]me\u2019 and was resolving to IP 43.249.8[.]78. The exploit domain is registered in \u2018Panama\u2019 as per whois lookup<\/a>. The Geo-location<\/a> of the IP lies in \u2018China\u2019. The domain names observed in the DDoS campaigns were short in length and had numerical values as part of the domain name.<\/p>\n

\"Fig
Fig 1. Exploitation Cycle<\/figcaption><\/figure>\n

Exploit Analysis<\/strong><\/p>\n

The exploit first does version checking of Windows OS and Internet Explorer to check the compatibility. The exploit code only gets loaded on 32 bit Windows OS and on Internet Explorer.<\/p>\n

\"Fig
Fig 2. Version Checking of Windows OS and Internet Explorer<\/figcaption><\/figure>\n

After version checking, the exploit code moves ahead and the function \u2018Over\u2019 is called. The type confusion vulnerability is triggered when resizing of array \u2018aa\u2019 is done. The detailed analysis of the vulnerability can be found here<\/a>.<\/p>\n

\"Fig
Fig 3. Vulnerability (CVE-2014-06332) trigger code<\/figcaption><\/figure>\n

Disabling \u2018safemode\u2019 Flag<\/strong><\/p>\n

By default, the usage of VBScript functionality in browsers is restricted. This restriction is a controlled by \u2018safemode\u2019 flag. The default value of \u2018safemode\u2019 flag is always \u20180xE\u2019. If the default value of \u2018safemode\u2019 flag is changed then using VBScript, malicious activity can be performed. Controlling of \u2018safemode\u2019 flag using VBScript in web browsers has been called \u2018GodMode\u2019. Thus, this exploit is famously known as \u2018GodMode\u2019 exploit.<\/p>\n

\"Fig
Fig 4. \u2018setnotsafemode\u2019 function<\/figcaption><\/figure>\n

The exploit code shown in Fig 4 changes the \u2018safemode\u2019 flag value to \u20180\u2019 using \u2018setnotsafemode\u2019 function.<\/p>\n

\"Fig
Fig 5. \u2018safemode\u2019 flag value changed<\/figcaption><\/figure>\n

After \u2018safemode\u2019 flag is disabled, the \u2018runmumaa\u2019 function is called which downloads the malware from the URL \u2018hxxp:\/\/98.126.14[.]54\/api\/ax.exe\u2019 and executes it using \u2018wscript\u2019.<\/p>\n

\"Fig
Fig 6. Payload and execution<\/figcaption><\/figure>\n

Payload Analysis<\/strong><\/p>\n

The payload \u2018ax.exe\u2019 is executed by the exploit code and performs the activities mentioned below.<\/p>\n