{"id":84199,"date":"2017-04-25T14:28:48","date_gmt":"2017-04-25T08:58:48","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=84199"},"modified":"2017-04-25T14:32:04","modified_gmt":"2017-04-25T09:02:04","slug":"anatomy-flash-exploit-cve-2015-8651-integrated-rig-exploit-kit","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/anatomy-flash-exploit-cve-2015-8651-integrated-rig-exploit-kit\/","title":{"rendered":"Anatomy of Flash Exploit (CVE-2015-8651) integrated into Rig Exploit Kit"},"content":{"rendered":"

We all know how the infamous RIG Exploit Kit<\/a> have been used to infect the end users. We are seeing a constant spike in the usage of the RIG Exploit Kit by malware actors to spread malware. Its use has been noticed in different campaigns such as EITest, pseudoDarkleech, and AFRAIDGATE. The RIG Exploit Kit is mostly used to drop ransomware on targeted machines. We have recently observed an upsurge in the usage of Adobe Flash Player Exploit (CVE-2015-8651<\/a>) by the RIG Exploit Kit. The infection chain starts with a compromised web page which redirects the user to a landing page and then loads the Flash exploit as shown in Fig 1.<\/p>\n

\"Fig
Fig 1. RIG Exploit Kit infection cycle<\/figcaption><\/figure>\n

In this blog post, we will discuss the working of the Adobe Flash exploit (CVE-2015-8651<\/a>).The Flash exploit has 5 DefineBinary tags which hold obfuscated data. After analysing the DefineBinary tags, we found that two DefineBinary tags data are encrypted by RC4 encryption algorithm and their keys are kept in other DefineBinary tags. Let\u2019s take a closer look at these DefineBinary tags.<\/p>\n

DefineBinary Tag-1<\/strong><\/p>\n

\"Fig
Fig 2. Decryption key present in DefineBinary Tag-1<\/figcaption><\/figure>\n

The \u2018DefineBinary Tag-1\u2019 shown in Fig 2 contains the decryption key. This key is used to decrypt the data present in DefineBinary Tag-2. After the decryption of DefineBinary Tag-2, we found the below strings.<\/p>\n

DefineBinary Tag-2<\/strong><\/p>\n

\"Fig
Fig 3. Decryption of strings using Fig 2 Key<\/figcaption><\/figure>\n

Also, there was another decryption key in the \u2018DefineBinary Tag-4\u2019. This key is used to decrypt the data present in \u2018DefineBinary Tag-3\u2019.<\/p>\n

DefineBinary Tag-4<\/strong><\/p>\n

\"Fig
Fig 4. Decryption Key present in DefineBinary Tag-4<\/figcaption><\/figure>\n

DefineBinary Tag-3<\/strong><\/p>\n

\"Fig
Fig 5. Decryption of strings using the key shown in Fig 4<\/figcaption><\/figure>\n

The decrypted data shows strings which are used in shellcode preparation by the exploit.<\/p>\n

The Exploit Entry Point<\/strong><\/p>\n

The code snippets in Fig 6 shows the entry point of Flash execution. In method_6 given argument -1820302796 gets XOR\u2019ed with 0x93806237 (present in DefineBinary tag-5 data) gives the index value as \u20183\u2019 which represents string \u201ciQWERddQWERqd\u201d. The _loc5_ variable holds \u201ciddqd\u201d which is decoded from the string \u201ciQWERddQWERqd\u201d after removing \u201cQWER\u201d. This iddqd variable holds data which is passed as a parameter to the current Flash file. Then _loc6_ variable holds hex data which is decoded by replacing \u201cQWER\u201d by \u201cE\u201d by the earlier XOR process and those strings are also stored in DefineBinary tag-3.<\/p>\n

\"Fig
Fig 6. Start of exploitation<\/figcaption><\/figure>\n

The function call \u2018this.sdfghfghfgj\u2019 triggers the exploit code. It performs fingerprinting and version checks to obtain the version of the installed Flash player. If a vulnerable Flash installation is found, it triggers the vulnerability and carries out heap spray. The function \u2018get_big_ba\u2019<\/strong> triggers the well-known integer overflow vulnerability (CVE-2015-8651<\/a>).<\/p>\n

\"Fig
Fig 7. Function Call flow depicting vulnerability trigger<\/figcaption><\/figure>\n

Exploit Checks<\/strong><\/p>\n

The function \u2018is_vuln\u2019<\/strong> performs Exploit checks.<\/p>\n

\"
Fig 8. Exploit checks<\/figcaption><\/figure>\n

Below are the checks:<\/p>\n