Windows DDE Protocol Abused by Latest Flash 0-day

Last week, the latest Adobe patched a zero-day vulnerability (CVE-2016-4171) was used in targeted cyber-espionage attacks. According to the Russian security vendor Kaspersky Lab, the vulnerability abused the Windows DDE protocol in order to deliver malware.

The zero-day news came out on Tuesday, and on Thursday, Adobe released their Flash Player version trying to fix the zero-day and 35 other security bugs.

Kaspersky Lab discovered the zero-day, and according to the company’s initial report, the vulnerability was part of the arsenal of a cyber-espionage group they codenamed StarCruft. The report also stated that the group had carried out multiple cyber-attacks, which the company was tracking as Operation Erebus and Operation Daybreak.

The zero-day was part of the more recent Operation Daybreak campaign, during which Kaspersky says the group also employed two other Adobe exploits (CVE-2016-4117 and CVE-2016-0147) and an Internet Explorer exploit.

Regarding the Operation Erebus, Kaspersky said that the association used only CVE-2016-4117, which was served through watering hole attacks.

When it comes to the Operation Daybreak case, StarCruft used spear-phishing emails. These emails contained links that redirected targets to Web pages PDFs, but also hosting exploit kits. As soon as users accessed these URLs, the malicious websites would deliver three SWF files containing Flash exploits. The second SWF file in this chain carried the zero-day’s malicious code.

According to Kaspersky Lab, the zero-day exploited the Flash code which parses the ExecPolicy metadata information. The hackers were feeding invalid values to a key-value store which led to an out-of-bounds memory corruption issue, allowing the attackers to execute code on the infected PC.

StarCruft was force-feeding victims a DLL named yay_release.dll, which the crooks would load in Flash Player. The malicious code found inside this DLL contained a routine for bypassing security products.

Cyber criminals were using the Windows DDE component to create a malicious subroutine, which antivirus products wouldn’t be able to pick up.

According to Kaspersky, the updates made earlier this year to its security product allowed them to pick up the zero-day’s malicious routine. In addition, the company says that this is the second Flash zero-day their updated software was able to pick up this year alone, after the experts detected CVE-2016-1010 some time ago.

Windows DDE means for Dynamic Data Exchange and it is a protocol which details methods for transferring data between applications. Regarding the particular case, Kaspersky Labs notes that the hackers used a never-before-seen DDE trick.

The StarCruft attackers were employing the malicious yay_release.dll to tell Windows DDE to create an LNK file, which they launched into execution. This LNK file would execute a VBS script that would connect to a website and download a CAB file that contained a very rare trojan, used only in the StarCruft attacks.

Kaspersky also noted that StarCruft used the Flash zero-day to spy on targets such as a law enforcement agency in an Asian country, employees of one of the largest Asian trading companies, a restaurant located in Dubai’s biggest malls, and a mobile advertising company in the US.

In addition, the StarCruft APT also targeted members of the International Association of Athletics Federations.

Nowadays, in-the-wild Flash Player exploits are becoming rare. This is because in most cases they need to be coupled with a Sandbox bypass exploit, which makes them rather tricky,” Kaspersky’s Costin Raiu and Anton Ivanov stated.

Additionally, Adobe has been doing a great job at implementing new mitigations to make exploitation of Flash Player more and more difficult,” the two experts added.

Kaspersky Lab has informed Microsoft of the Windows DDE attack. It is worth noting that while the DDE exploit managed to bypass some AV software, Microsoft EMET was able to detect and counteract the attack.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.