Attacks Simultaneously Exploiting Vulnerability in IE (CVE-2020-0674) and Firefox (CVE-2019-17026)

On 8 January 2020, Mozilla released an advisory regarding a vulnerability in Firefox. On 17 January, Microsoft reported that 0-day attacks exploiting a vulnerability in Internet Explorer (IE) had been seen in the wild. JPCERT/CC confirmed attacks exploiting both vulnerabilities at once and issued a security alert.
This article explains the details of these attacks.

Attack overview

In this attack, victims are redirected to an attack site through a compromised website. Figure 1 shows the flow of events from a victim accessing a compromised site until being infected with malware.

Flow of events
Figure 1: Flow of events

When a victim is redirected to a malicious website on IE or Firefox, different exploit code is sent back depending on the browser. Figure 2 shows a part of the code to check the browser. Although this attack targets both 32bit and 64bit OS, it is only successful on 64bit OS as the malware which is finally deployed in this attack is only compatible with 64bit OS.

Part of JavaScript to check the victim’s browser
Figure 2: Part of JavaScript to check the victim’s browser

If the attack is successful, the exploit code is downloaded once again as a Proxy Auto Configuration file (PAC file). The code is executed as a PAC file, and then malware is downloaded and executed.
The following sections will explain the exploit code for IE/Firefox and malware.

Attacks exploiting a vulnerability in IE

Figure 3 shows a part of exploit code targeting IE. Usually, the C&C servers of malware downloaded by executing exploited code are embedded in Shellcode. However, the exploit code contains a URL to download the malware at the beginning, which is then embedded in the Shellcode when executing the code. Presumably, it makes it easier for attackers to modify the exploit code.

Part of JavaScript for IE Exploit
Figure 3: Part of JavaScript for IE Exploit

The Shellcode executed by this exploit code retrieves the current process name and checks if it is “svchost.exe” or not. Figure 4 shows a part of code to check the process name.

Part of code to check process name
Figure 4: Part of code to check process name

If the retrieved process name is "svchost.exe", the Shellcode downloads malware and executes it. However, in this attack, the exploit code is loaded on the browser; the retrieved process name is specific to the browser itself (e.g. iexplorer.exe). This exploit code does not download the malware when it is loaded on the browser. If the process name is not "svchost.exe", the Shellcode code downloads itself once again as a PAC file with WinHttpGetProxyForUrl as in Figure 5. When this exploit is loaded as a PAC file, the retrieved process name will be "svchost.exe", and the Shellcode downloads the malware and executes it (Figure 6).

Part of code to download PAC file
Figure 5: Part of code to download PAC file

Part of code to download and execute the malware
Figure 6: Part of code to download and execute the malware

When the malware is downloaded and executed, only the code in Figure 6 is executed in any OS except for Windows 10. However, on Windows 10, the code in Figure 7 attempting privilege escalation (Juicy Potato [1]) is also executed at the same time.

Part of code attempting privilege escalation
Figure 7: Part of code attempting privilege escalation

Attacks exploiting a vulnerability in Firefox

Figure 8 shows a part of code attacking Firefox. The Shellcode is almost the same as in Figure 5, which re-downloads the exploit code as a PAC file. The exploit code downloaded here is for IE environment. The behaviour after executing the PAC file is the same as in the IE exploit.

Part of JavaScript for FireFox Exploit
Figure 8: Part of JavaScript for FireFox Exploit

Malware

If the attack is successful, eventually, the victim is infected with Gh0st RAT. The source code of the malware used in this attack is almost identical to the leaked code of Gh0st RAT [2] as Figure 9 describes.

Comparison of source code of the malware and Gh0st RAT
Figure 9: Comparison of source code of the malware and Gh0st RAT
(Left: Malware used in the attack / Right: Gh0stRAT)

The malware uses a custom protocol, and the data sent to a C&C server begins with the fixed string ”afxcbyzt”. The data to send is compressed with zlib, and the first 2-byte is XOR-ed with 0x88.

Example of data sent
Figure 10: Example of data sent

In closing

JPCERT/CC has confirmed that the attack was successful in Windows7 x64 (with patches released in December 2019) and Windows8.1 x64 (with patches released in January 2020), and the malware was executed in these environments. However, the malware infection was not confirmed in Windows 10 (with patches released in January 2020). It is likely that the exploit code is not compatible with Windows10.
The hash value of a sample and C&C servers are listed in Appendix A and B. Please make sure that none of your devices is accessing these hosts.

Shusei Tomonaga
(Translated by Yukako Uchida)

Reference

[1] Juicy Potato (abusing the golden privileges)
http://ohpe.it/juicy-potato/

[2] Github - iGh0st / gh0st3.6_src
https://github.com/iGh0st/gh0st3.6_src

Appendix A: C&C server

  • last.tax-lab.net
  • cnnmedia.servepics.com

Appendix B: SHA-256 value of a sample

  • c9e7467c88d391cecc0535f0c1576c30033791a94cec676d6bbc9a37931daf20
Back
Top
Next