Milano: Hacking Team Malware Detection Utility
Overview
When news broke last week of the high-profile Hacking Team breach, Rook Security mobilized its Rapid Response Team to develop new technology to quickly analyze the exceptionally large (400 GB) data set.
Rook was the first to create use cases that could be leveraged by organizations to update their detection capabilities. Rook also was the first to identify key elements of the Hacking Team Breach files that were useful to federal law enforcement.
What Can You Do?
The Milano utility, which we, Rook Security, are sharing freely, scans for the presence of files associated with the recent Hacking Team breach. For this first iteration of our tool, we have analyzed 93 Windows binaries released in the breach, specific to the projects found in the Hacked Team git repositories.
We are continuing to review the remaining files from the 400 GB dump and will provide more .ioc files as more information becomes available.
Milano can scan to find Hacking Team associated files in two different ways:
- Quick scan: This mode scans for files by filename. If a filename matches, it then checks whether the file’s computed hash matches the hash of the Hacking-Team-associated file. This approach is not comprehensive, but it is a reasonable starting point for detection, and it is much faster than the deep scan.
- Deep scan: This mode computes the hash of every file and checks it against all MD5s from Hacking-Team-associated files.
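As an added example (not Milano’s own code), here is a minimal Python sketch of the two scan modes described above, run against a constructed scratch directory with a made-up IOC table: the quick scan hashes only files whose name is on the list, so a renamed copy of a known file is missed, while the deep scan hashes everything and catches it.

```python
import hashlib
import os
import tempfile

def md5_of(path, chunk=65536):
    """Stream a file through MD5 so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def quick_scan(root, iocs):
    """Quick mode: hash only files whose basename is on the IOC list, then compare."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name in iocs:
                path = os.path.join(dirpath, name)
                if md5_of(path) == iocs[name]:
                    hits.append(path)
    return hits

def deep_scan(root, iocs):
    """Deep mode: hash every file and compare against the full set of IOC MD5s."""
    known = set(iocs.values())
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if md5_of(path) in known:
                hits.append(path)
    return hits

def demo():
    """Constructed scratch tree: a file under its IOC name, a renamed copy, a benign file."""
    root = tempfile.mkdtemp()
    payload = b"constructed sample content, not a real Hacking Team artifact"
    for name in ("agent.dll", "renamed_copy.bin"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(payload)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"benign")
    # Hypothetical IOC table (filename -> md5); the real tool reads .ioc files.
    iocs = {"agent.dll": hashlib.md5(payload).hexdigest()}
    quick = sorted(os.path.basename(p) for p in quick_scan(root, iocs))
    deep = sorted(os.path.basename(p) for p in deep_scan(root, iocs))
    return quick, deep

if __name__ == "__main__":
    print(demo())  # quick misses renamed_copy.bin; deep finds both copies
```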
*UPDATE (7/31/15 22:12 GMT): Milano 1.1.0 released. This new release contains an updated list of IOCs (154 in total), specifically adding indicators for Linux and Mac OS X found in the Hacking Team files.
DOWNLOAD THE MILANO HACKING TEAM MALWARE DETECTION UTILITY HERE
Note (Thank you for the comment/suggestion): It is expected behavior for this file to be flagged by some AV vendors as malicious. There are some strings within the files residing in the Package_1.zip which could be misinterpreted by AV software as malicious. Feel free to disassemble and take a look, if you find anything that seems odd let us know and we will be sure to provide a detailed explanation.
SHA1: 9e8eb3a45a9a871ea3028bfbd63f30a24f8fb4c9
SHA256: 19cdc201f5d158f93e8fa3f9039814ac2f3700ab3d6dc047750c3fc8a57c0356
MD5: 9894e726a7e52338879c73a4d0b9d953
Content:
- Milano Executable
- More Technical Write-Up ‘HT_Malware_Observations.pdf’
Checksums for the Milano Utility files:
Windows ZIP:
-SHA256: 987854ac3330dd9670b5286704757c2d rookmilano.zip
-SHA1: a620411e677e25d75cafb952833fd5511eb7e3aa rookmilano.zip
-MD5: 987854ac3330dd9670b5286704757c2d rookmilano.zip
Windows Installer (MSI ZIP):
-SHA256: 68d26e6c3330dc3341b231029cadec16b472357f9675dbc16e149babb7e8dac2 RookMilanoInstaller.zip
-SHA1: cb03207f025403e5c2cc1677974158bdb4e12bb9 RookMilanoInstaller.zip
-MD5: f23704369ece51ad8c94a60ab807029b RookMilanoInstaller.zip
*nix / OSX:
-SHA256: 1dadf828d9e9d0e45674a38943661e9618a60cad1fc96639f98040ae6d4ae509 milano.tar.gz
-SHA1: ef7624d5030ae041a6af18c69318e0c022767612 milano.tar.gz
-MD5: f07b5655453b20ff9c98cb201f28ca1e milano.tar.gz
*UPDATE (7/21/15 18:28 GMT): Download the latest IOC files here:
OpenIOC v1.0 Checksums:
SHA1: 60172d36159e837b73121e4901015d0dc02b92e2
SHA256: e805836cef04da66552b4fc755fb8aac0ad08120c3cc8ad5d0f6b86db63bc4d7
MD5: 3f8352da3cf648cd47466a42b6a95513
OpenIOC v1.1 Checksums:
SHA1: db2b294b8b04191a5cc7b1b7897c52b6cbf1782c
SHA256: f077d253c6d814d9147ee9afaa3cb43195421058d6a2894f70c42f864e6acc07
MD5: c1bb38fd4e1e242466bc1a5cc4968484
*UPDATE: We are using OpenIOC v1.1. We have found this is causing some issues with some tools. We are working to release a 1.0 and 1.1 version.
Technical Overview
We began our analysis by pulling down the ‘Hacked Team’ GitHub repository. Although this was an easy source of information, it was incomplete because of the size of the vector-ni project (~42.7 GB). As a result we decided to focus on the data available in the original 400 GB data dump. This initial pass resulted in 53 git projects; see Table 1 in ‘HT_Malware_Observations.pdf’ for the analysis.
Each of these projects was reviewed by Rook; together they contained 93 binary files. Upon manual review of these 93 binary files, we identified 300 files with the highest likelihood of malicious use. We then separated these files into 4 categories (see Table 2 in ‘HT_Malware_Observations.pdf’ for the categorized binary files):
- VirusTotal (VT) identified the file as malicious
- An analyst manually reviewed the file and determined it to be malicious
- Was utilized as a file in at least one of the projects
- Not in VT or Google, or intent could not be determined
We also determined and flagged whether the files found could be weaponized (identified with a ‘(W)’ in Table 1 of ‘HT_Malware_Observations.pdf’). We reached the above conclusions by conducting automated and manual analysis using both open source tooling (INetSim (Internet Services Simulation Suite) and TCPDump) and proprietary tooling (Procmon (Process Monitor) and internally developed tools). This resulted in host- and network-level indicators of compromise for each of the files found.
Network Indicators
No network traffic was identified from the 300 malicious files, since they consist primarily of tools and utilities (exploit and malware frameworks, DLLs to include in compiled malware, etc.). A Snort signature for CVE-2015-5122 is provided.
Host Indicators
We focused our analysis on the git projects available from the original 400 GB of data leaked in the Hacking Team compromise. We found a total of 53 git projects. Each of these projects was reviewed by Rook; together they contained 93 binary files. Upon manual review of the 93 files we identified about 300 with the highest likelihood of malicious use. The indicators in OpenIOC format can be found in ht_malicious_windows_files.ioc.
- *UPDATE (7/21/15 18:28 GMT): See the OpenIOC v1.0 and OpenIOC v1.1 files above.
- ht_malicious_windows_files.ioc — Contains hashes for 40 Windows executable and library files. These files have been analyzed by Rook Security using dynamic, static, and manual analysis and have been deemed to have the highest likelihood of malicious use. We also compared these files against VirusTotal, Kaspersky Whitelisting, and Palo Alto Networks WildFire. Hosts containing any of the files in this list should be considered compromised.
Brief History
Since the release of the Hacking Team data on 2015-07-05, a number of 0-day exploits have been released. Below is the list we are aware of at this point, along with some reference material to assist in further research.
Internet Explorer Memory Corruption Vulnerability (CVE-2015-2425)
This zero-day vulnerability is a use-after-free (UAF) in a just-in-time (JIT) function in jscript9.dll, specifically in the MutationObserver object. It has been acknowledged by Microsoft and patched in the regular Patch Tuesday cycle as MS15-065, and has been designated CVE-2015-2425. While we did find proof-of-concept (PoC) code, there are still no known attacks exploiting this vulnerability. Only Internet Explorer 11 is affected, as older versions of the browser do not support this feature.
References
- Microsoft Security Bulletin MS15-065: Security Update for Internet Explorer (3076321)
- https://technet.microsoft.com/library/security/MS15-065
- http://blog.trendmicro.com/trendlabs-security-intelligence/gifts-from-hacking-team-continue-ie-zero-day-added-to-mix/
KB811769: STOP 0x00000050 in Error Message in Atmfd.dll (CVE-2015-2387)
During the rendering of an Adobe PDF document that uses an Adobe Type 1 font, you may receive the following error message from Atmfd.dll:
0x00000050 (0xf0009ed5, 0x00000000, 0xbee02ab3, 0x00000002)PAGE_FAULT_IN_NO_PAGED_AREA
This behavior occurs because a null pointer is returned when you use an Adobe Type 1 font that contains an invalid data structure. A null pointer may also be returned with valid fonts, but in such cases the computer is under high stress, which causes a synchronization problem between the Adobe Type Manager (ATM) font cache and the current thread that is trying to access a font that has been removed from the cache.
Adobe Type Manager, which is provided by atmfd.dll, is a kernel module shipped with Windows that provides support for OpenType fonts. A memory-corruption flaw in Adobe Type Manager allows manipulation of Windows kernel memory, which can result in a wide range of impacts. It has been confirmed that the exploit code successfully obtains local system privileges on Windows XP through Windows 8.1, both 32-bit and 64-bit.
References
- https://support.microsoft.com/en-us/kb/811769
- Vulnerability Note VU#103336 — Windows Adobe Type Manager privilege escalation vulnerability — http://www.kb.cert.org/vuls/id/103336
- http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-the-open-type-font-manager-vulnerability-from-the-hacking-team-leak/
- http://www.checkpoint.com/defense/advisories/public/2015/cpai-2015-0808.html — Microsoft Windows Font Glyphs Kernel Code Injection (CVE-2015-2387)
- Microsoft Security Bulletin MS15-077: Vulnerability in ATM Font Driver Could Allow Elevation of Privilege (3077657)
CVE-2015-5119: Use-after-free vulnerability in the ByteArray class
Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a ValueOf function, as exploited in the wild in July 2015.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5119
- This appears to be the same “ByteArray” UAF vulnerability which is discussed by Trend Micro
- Additionally, this is the same vulnerability which was first publicly highlighted by security researcher ‘Webdevil’ in a tweet
- Security Advisory for Adobe Flash Player (APSA15-03) & Adobe Security Bulletin (APSB15-16)
- https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
- https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
- Patched Adobe Flash version = 18.0.0.203
CVE-2015-5122: TextLine object within the valueOf function
The PoC also uses constructs similar to those of CVE-2015-5119 to exploit a use-after-free in DisplayObject.opaqueBackground. The vulnerability is triggered by freeing a TextLine object within the valueOf function of a custom class while the TextLine’s opaqueBackground is being set. Once the TextLine object is freed, a Vector object is allocated in its place. Returning from valueOf overwrites the length field of the Vector object with a value of 106 (the initial length is 98).
Exploitation continues by locating the corrupted Vector object by its length, which will be greater than 100. This enables the exploit to change an adjacent Vector object’s length to 0x40000000. Once the exploit achieves this, it follows the same mechanism used in the CVE-2015-5119 PoC.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5122
- https://helpx.adobe.com/security/products/flash-player/apsa15-04.html
- http://www.symantec.com/connect/blogs/second-poc-exploit-adobe-flash-player-discovered-after-hackers-hire-company-breach
- https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html
CVE-2015-5123: BitmapData object
This vulnerability is also a valueOf-trick bug, like CVE-2015-5122. However, compared to the first two reported Flash zero-day exploits, it involves the BitmapData object rather than TextLine or ByteArray. This vulnerability is rated critical and can allow an attacker to take control of the affected system once successfully exploited. It affects all versions of Adobe Flash on Windows, Mac, and Linux.
The following steps trigger the vulnerability:
- From a new BitmapData object, prepare two Array objects, create two MyClass objects, and assign a MyClass object to each Array.
- With the valueOf function of MyClass overridden, call BitmapData.paletteMap with the two Array objects as parameters; BitmapData.paletteMap will trigger the valueOf function.
- In the valueOf function, call BitmapData.dispose() to free the underlying memory of the BitmapData object, causing Flash Player to crash.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5123
- https://helpx.adobe.com/security/products/flash-player/apsa15-04.html
- http://blog.trendmicro.com/trendlabs-security-intelligence/new-zero-day-vulnerability-cve-2015-5123-in-adobe-flash-emerges-from-hacking-team-leak/
Adobe Flash Player Use-After-Free Vulnerability (CVE-2015-0349)
One of the Flash Player vulnerabilities found in the HT dump is believed to be CVE-2015-0349, which was patched by Adobe in April 2015.
References
- http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/
- Adobe Security Bulletin (APSB15-06)
- https://helpx.adobe.com/security/products/flash-player/apsb15-06.html
- Patched Adobe Flash version = 17.0.0.169