KIA: Reveton Ransomware Java 7 Exploit - CVE-2013-0431

Home/KIA/KIA: Reveton Ransomware Java 7 Exploit – CVE-2013-0431
KIA Reveton Ransomware Java 7 Exploit - CVE-2013-0431

We are doing some amazing things at Invincea to help combat the largest attack surface your organization faces – campaigns aimed at your users in the form of spear-phishing, watering hole and drive-by download attacks to name a few.  Recent studies by Mandiant and Trend Micro have estimated 95% of advanced threats originate with spear-phishing – making your users the primary attack surface and the endpoint the new perimeter. Below is the latest in a series of “KIA” blogs demonstrating the power of Invincea in standing up to today’s APT and zero-day threats. In this case, we dissect an attack using the Reveton ransomware exploit which Invincea thwarted in the wild.

Other recent examples of attacks killed in the wild include:

We think we’re on to something big at Invincea – a way to address the most significant attack surface area of your enterprise – your users. Invincea protects your network from your users’ mis-steps when they click on links, visit compromised sites, or open poisoned attachments by seamlessly opening the browser and document readers or editors in secure virtual containers. While we think we’re making great strides in an area that desperately needs innovation (endpoint security), we also recognize the critical importance of the defense in depth strategy in information security. We realize that there are no silver bullet solutions for every potential attack pathway and security vendors that claim to provide 100% protection clearly do not understand advanced threats well.  Invincea integrates with the security stack in the security operations center (SOC) empowering your other security investments with threat information we capture at the point of kill. We are glad to discuss how our integrated security stack approach is effective in holistically tackling the advanced and dynamic threats enterprises face today.
Now on to the evil stuff…

In this latest of our KIA blog series, Invincea security consultant Eddie Mitchell dissects a particularly pernicious form of malware known as the Reveton ransomware. If you’ve ever been victim to ransomware you know what a menace this threat is. The latest version of Reveton employs a web-based drive-by exploit of Java (CVE-2013-0431) to take over victim machines. Eddie’s analysis shows how the exploit works while demonstrating how Invincea Enterprise users are protected from this infection.

Reveton ransomware is among the most sophisticated ransomware that has led a resurgence in ransomware infections since late 2012 and continuing into 2013. Victims of Reveton ransomware generally lose control of their machines and are presented ominous warnings from what appears to be the FBI, Department of Justice, or other national level authorities (depending on the country of the victim) proclaiming to have evidence of pornography or other illicit materials on your desktop. Some Reveton ransom ware turns on the camera and uses this to show a live picture of the victim in a panel on the locked out screen it presents. The user is then forced into caving to demands to “release” the desktop by payment in order to regain control of the desktop and your data. In other words, these attacks, which are perpetrated by the Cool Exploit Kit (CoolEK) are among the nastiest attacks you can have on your machine driven by cyber crime.

On Monday, February 18, 2013, security researcher Kafeine tweeted that the well-known Cool Exploit Kit (CoolEK) is leveraging a new exploit for Java 7 Update 11 (CVE-2013-0431) in order to spread a new Reveton ransomware variant (https://twitter.com/kafeine/status/303551981170089984/photo/1).

Manually browsing to the URL of the landing page on a machine protected by Invincea Enterprise with Java 7 Update 11 installed shows the following infection detected:

Invincea Enterprise with Java 7 Update 11 installations

 

 

 

 

 

 

 

 

 

 

After letting the virtual container restore to its pristine state, we look at the threat analytics sent to Invincea’s Threat Data Server. The infection chain looks something like this:

 

 

 

 

 

 

 

 

 

 

 

 

Taking a look at the landing page (dive-marvellous.php), we can see that it loads a Java exploit (come-involve_eat-heat.jar) and the page also contains a large amount of obfuscated Javascript contained within a span tag.  The content of the span tag is later pulled off the page using a DOM getElementById operation:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

In order to decode the contents of the landing page, we used the Revelo Javascript debugger available from Kahu Security.

At the bottom of the code, we notice that a Javascript “eval” operation is being performed on variable “a”:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

We’ll copy the entire content of the landing page into Revelo and select the option to redirect variable “(a)”:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Now we can navigate to the Results tab and copy out the de-obfuscated code:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

In addition to fingerprinting the browser and associated plugins, we can see that the landing page attempts to load several PDF files from functions p1-p3 depending on the version of the Reader plugin present:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

According to the following logic, function p1 is loaded when Acrobat Reader is less than version 8.x.  Function p2 is loaded when Acrobat Reader is version 8.x to 9.3.x and function p3 is loaded when Reader is version 9.4.x to 10.103.

The PDF attempting to exploit CVE-2012-0775 on version 9.4.x and above (drive-hypothesis_earn.pdf – md5: a5b994eb1bb5d2a2b00f1c6fd190ebb6) is not successful in exploiting Adobe Reader X when protected by Invincea (shown below).   When manually launched, a dialog box is displayed to the user and no other events are recorded:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

However, the Java exploit for CVE-2013-0431 (come-involve_eat-heat.jar – md5: 97ad65a3458e4d8551e4bc0ff4a8f97c) is successful in exploiting Java 7 Update 11.  The following screen capture shows the decompiled hw.class object triggering vulnerability in JMX Introspector:

 

decompiled hw.class object triggering vulnerability in JMX Introspector

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Java 7 Update 11 is shown below retrieving the encoded Reveton binary:

 

Java 7 Update 11 retrieving the encoded Reveton binary

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Current virustotal.com detection ratio is 4/46 on the Java archive (JAR):

 

 virustotal.com detection ratio on the Java archive

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

The Reveton binary (calc.dll – md5: 1a75eac33b907e36527488aa814e0375) is encoded during transfer with a 256-byte XOR key.

Once decoded, the Reveton binary (ADMPARSE.DLL – md5: 403ae6ac88ba99a6051bc91fd3a199b4) has a 6/46 detection ratio on virustotal.com:

Once decoded, Reveton binary has a 6/46 detection ratio on virustotal.com:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Pulling up the infection details from the Invincea Threat Data Server, we can see that the Reveton binary was written to disk at location C:Documents and Settings<current user><random_number>.dll.  We can also see that cmd.exe was launched in order to run regsvr32.exe and perform the installation:

 

Reveton binary was written to disk and cmd.exe was launched

 

 

 

 

 

 

 

 

 

 

 

 

 

 

A script file is dropped to the filesystem that executes a WSH shell to launch rundll32.exe with the path to the dropped .dll file:

 

 script file dropped to the filesystem that executes a WSH shell to launch rundll32.exe

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

“runctf.lnk” is also created in the user’s startup folder to ensure that Reveton is launched each time the user logs in:

 

to ensure that Reveton is launched each time the user logs in:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Further down in the analysis, we can see that iexplore.exe was launched and a network connection was opened over port 80 to IP address 66.197.196.117:

 

 iexplore.exe was launched and a network connection was opened over port 80

 

 

 

 

 

 

 

 

 

 

 

 

 

 

The content of the download is written to 9721832.pad in the user’s “Application Data” directory which is decrypted and provides the content for the ransomware page that is displayed to the user once the system is hijacked.

The following screen capture shows the download of the encoded content written to the .pad file from 66.197.196.117:

 

 download of the encoded content written to the .pad file

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Illustration of Reveton screen lock:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

You can see that the user’s screen shows an ominous warning that looks like it came from the US Dept of Justice, while asking the user to pay a release fee of $300 using MoneyPak. It’s a sophisticated extortion scheme you and yours may encounter simply by browsing the net. Protect your click with Invincea!

Summary

The analysis of the latest version of Reveton via the Cool Exploit Kit shows ever-growing sophistication by cyber crime. The exploit employs CVE-2013-0431 to launch a driveby-download exploit against Java7 Update 11. In addition, the code checks the victim machine to determine which version of Adobe Reader is running and then downloads a weaponized PDF that in theory exploits that particular version. Our version of Adobe Reader X protected by Invincea was not successfully exploited. Our analysis of the extracted JAR file that was successful and the embedded binary shows low detection rates in VirusTotal.

Finally, Reveton lives up to its reputation by locking the screen while demanding ransom payment of $300 to “release” the machine back to the victim. No doubt many victims will fall prey to this ransomware. Invincea Enterprise customers are fully protected against this exploit.

Leave a Comment