Milano: Hacking Team Malware Detection Utility

Rook Security (SECOPS), Jul 17, 2015

Overview

When news broke last week of the high-profile Hacking Team breach, Rook Security mobilized its Rapid Response Team to develop new technology to quickly analyze the exceptionally large (400 GB) data set.

Rook was the first to create use cases that could be leveraged by organizations to update their detection capabilities. Rook also was the first to identify key elements of the Hacking Team Breach files that were useful to federal law enforcement.

What Can You Do?

The Milano utility, which we, Rook Security, are sharing freely, scans for the presence of files associated with the recent Hacking Team breach. For this first iteration of our tool, we have analyzed 93 Windows binaries released in the breach; these files came from the git projects published under the ‘Hacked Team’ name.

We are continuing to review the remaining files from the 400 GB dump and will provide more .ioc files as more information becomes available.

Milano can scan to find Hacking Team associated files in two different ways:

  1. Quick scan: This mode scans for files by filename. If a filename matches, it then checks whether the file’s computed hash matches the hash of the Hacking-Team-associated file. This approach is not comprehensive, but it is an acceptable starting point for detection, and it is much faster than the deep scan.
  2. Deep scan: This mode computes the hash of every file and checks it against all MD5 hashes of Hacking-Team-associated files.
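As an added illustration (not Rook Security’s Milano code), the two modes implemented in Python over a constructed directory and a constructed indicator set; the filename agent.dll and its hash are made up for the example. It also shows the gap the quick scan leaves: a renamed copy of a listed binary is missed by the quick scan and caught by the deep scan.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a leaked binary and its indicator (not a real IOC).
SAMPLE_PAYLOAD = b"constructed stand-in for a Hacking Team binary"
INDICATORS = {"agent.dll": hashlib.md5(SAMPLE_PAYLOAD).hexdigest()}  # name -> md5
KNOWN_MD5S = set(INDICATORS.values())

def file_md5(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def quick_scan(root: str, indicators: dict) -> list:
    """Quick scan: hash only files whose name is on the list (fast, incomplete)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            expected = indicators.get(name.lower())
            if expected is None:
                continue  # filename not on the list, so it is never hashed
            path = os.path.join(dirpath, name)
            if file_md5(path) == expected:
                hits.append(path)
    return hits

def deep_scan(root: str, known_md5s: set) -> list:
    """Deep scan: hash every file and compare against all known MD5s (slow, thorough)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if file_md5(path) in known_md5s:
                hits.append(path)
    return hits

def demo() -> tuple:
    """Write three files: a listed binary, a renamed copy of it, and a benign file."""
    with tempfile.TemporaryDirectory() as root:
        files = {"agent.dll": SAMPLE_PAYLOAD, "renamed.bin": SAMPLE_PAYLOAD, "benign.txt": b"unrelated"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        quick = sorted(os.path.basename(p) for p in quick_scan(root, INDICATORS))
        deep = sorted(os.path.basename(p) for p in deep_scan(root, KNOWN_MD5S))
    return quick, deep  # (['agent.dll'], ['agent.dll', 'renamed.bin'])
```

Calling demo() returns the quick-scan hits and the deep-scan hits as two sorted lists, so the renamed copy appears only in the second.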

*UPDATE (7/31/15 22:12 GMT): Milano 1.1.0 released. This new release contains an updated list of IOCs (154 in total), specifically focusing on indicators for Linux and Mac OS X, all found in the Hacking Team files.

DOWNLOAD THE MILANO HACKING TEAM MALWARE DETECTION UTILITY HERE

Note (thank you for the comment/suggestion): It is expected behavior for this file to be flagged by some AV vendors as malicious. Some strings within the files residing in Package_1.zip could be misinterpreted by AV software as malicious. Feel free to disassemble it and take a look; if you find anything that seems odd, let us know and we will provide a detailed explanation.

Content:

  • Milano Executable
  • More Technical Write-Up ‘HT_Malware_Observations.pdf’

Checksums for the Milano Utility files:

*UPDATE (7/21/15 18:28 GMT): Download latest IOC files here:

OpenIOC v1.0 Checksums:

OpenIOC v1.1 Checksums:

*UPDATE: We are using OpenIOC v1.1. We have found this is causing some issues with some tools. We are working to release a 1.0 and 1.1 version.

Technical Overview

We began our analysis by pulling down the ‘Hacked Team’ GitHub repository. Although this was an easy source of information, it was incomplete because of the size of the vector-ni project (~42.7 GB). As a result, we determined it best to focus on the data available in the original 400 GB data dump. This initial pass resulted in 53 git projects; see Table 1 in ‘HT_Malware_Observations.pdf’ for the analysis.

Rook reviewed each of these projects, which together contained 93 binary files. Upon manual review of these 93 binary files, we identified 300 files with the highest likelihood of malicious use. We then separated these files into 4 categories (see Table 2 in ‘HT_Malware_Observations.pdf’ for the categorized binary files):

  1. VirusTotal (VT) identified the file as malicious
  2. An analyst manually reviewed the file and determined it to be malicious
  3. The file was utilized in at least one of the projects
  4. The file is not in VT or Google, or its intent could not be determined

We also determined whether the files found could be weaponized, and flagged those that could (identified with a ‘(W)’ in Table 1 of ‘HT_Malware_Observations.pdf’). We reached the above conclusions by conducting automated and manual analysis using both open source tooling (INetSim (Internet Services Simulation Suite) and TCPDump) and proprietary tooling (Procmon (Process Monitor) and internally developed tools). This resulted in host- and network-level indicators of compromise for each of the files found.

Network Indicators

No network traffic was observed from the 300 identified malicious files, as they consist primarily of tools and utilities (exploit and malware frameworks, DLLs to include in compiled malware, etc.). A Snort signature for CVE-2015-5122 is provided.

Host Indicators

We focused our analysis on the git projects available from the original 400 GB of data leaked in the Hacking Team compromise. We found a total of 53 git projects. Rook reviewed each of these projects, which together contained 93 binary files. Upon manual review of the 93 files, we identified about 300 with the highest likelihood of malicious use. The indicators in OpenIOC format can be found in ht_malicious_windows_files.ioc.

  • *UPDATE (7/21/15 18:28 GMT): See the OpenIOC v1.0 and OpenIOC v1.1 files above.
  • ht_malicious_windows_files.ioc — Contains hashes for 40 Windows executable and library files. These files have been analyzed by Rook Security using dynamic, static, and manual analysis and have been deemed to have the highest likelihood of malicious use. We also compared these files against VirusTotal, Kaspersky Whitelisting, and Palo Alto Networks WildFire. Hosts containing any of the files in this list should be considered compromised.
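As an added example (not Rook’s tooling), a loader that pulls the exact-match MD5 and filename terms out of an OpenIOC document such as the .ioc files above and counts the terms a hash-based scanner cannot evaluate; the document is constructed here and its hash is not a real indicator. It reads the namespace from the root element rather than hardcoding the 1.0 one, so the same code reads the 1.1 files, assuming the IndicatorItem/Context/Content element names are unchanged between the two versions.

```python
import xml.etree.ElementTree as ET

# Constructed OpenIOC document for illustration; the hash and names are not
# real Hacking Team indicators. The OpenIOC 1.0 namespace is used here.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <definition>
    <Indicator operator="OR" id="a">
      <IndicatorItem id="b" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789ABCDEF0123456789abcdef</Content>
      </IndicatorItem>
      <IndicatorItem id="c" condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">Agent.DLL</Content>
      </IndicatorItem>
      <IndicatorItem id="d" condition="contains">
        <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
        <Content type="string">AppData</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""

def load_file_indicators(xml_text: str) -> dict:
    """Extract exact-match MD5 and filename terms a hash scanner can use.

    Terms the scanner cannot evaluate (other search fields, non-'is' conditions,
    empty content) are counted under 'skipped' so the operator sees what was dropped.
    """
    root = ET.fromstring(xml_text)
    # Take the namespace from the root tag instead of hardcoding one version.
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    q = (lambda name: f"{{{ns}}}{name}") if ns else (lambda name: name)
    out = {"md5": set(), "filename": set(), "skipped": 0}
    for item in root.iter(q("IndicatorItem")):
        ctx = item.find(q("Context"))
        content = item.find(q("Content"))
        if ctx is None or content is None or not (content.text or "").strip():
            out["skipped"] += 1
            continue
        term, value = ctx.get("search"), content.text.strip()
        if item.get("condition") != "is":
            out["skipped"] += 1
        elif term == "FileItem/Md5sum" and len(value) == 32:
            out["md5"].add(value.lower())  # normalise case before comparing hashes
        elif term == "FileItem/FileName":
            out["filename"].add(value.lower())
        else:
            out["skipped"] += 1
    return out
```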

Brief History

Since the release of the Hacking Team data on 2015-07-05, a number of zero-day exploits have been released. Below is the list we are aware of at this point, along with some reference material to assist in further research.

Internet Explorer Memory Corruption Vulnerability (CVE-2015-2425)

This zero-day vulnerability is a just-in-time (JIT) function use-after-free (UAF) vulnerability in jscript9.dll, specifically in the MutationObserver object. It has been acknowledged by Microsoft and patched as part of the regular Patch Tuesday cycle as MS15-065, and it has been designated CVE-2015-2425. While we did find proof-of-concept (PoC) code, there are still no known attacks exploiting this vulnerability. Only Internet Explorer 11 is affected, as older versions of the browser do not support this feature.

References

  1. Microsoft Security Bulletin MS15-065: Security Update for Internet Explorer (3076321)

KB811769: STOP 0x00000050 error message in Atmfd.dll (CVE-2015-2387)

During the rendering of an Adobe PDF document using an Adobe Type 1 font, you may receive the following error message from Atmfd.dll:

0x00000050 (0xf0009ed5, 0x00000000, 0xbee02ab3, 0x00000002) PAGE_FAULT_IN_NONPAGED_AREA

This behavior occurs because a null pointer is returned when you use an Adobe Type 1 font that contains a data structure that is not valid. A null pointer may also be returned with valid fonts, but in such cases the computer is under high stress. The high stress causes a synchronization problem between the asynchronous transfer mode (ATM) font cache and the current thread that is trying to access a font that has been removed from the cache.

Adobe Type Manager, which is provided by atmfd.dll, is a kernel module provided by Windows that supports OpenType fonts. A memory-corruption flaw in Adobe Type Manager allows manipulation of Windows kernel memory, which can result in a wide range of impacts. It has been confirmed that the exploit code successfully obtains local system privileges on Windows XP through Windows 8.1, both 32-bit and 64-bit.

References

  1. https://support.microsoft.com/en-us/kb/811769
  2. Vulnerability Note VU#103336 — Windows Adobe Type Manager privilege escalation vulnerability — http://www.kb.cert.org/vuls/id/103336
  3. http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-the-open-type-font-manager-vulnerability-from-the-hacking-team-leak/
  4. http://www.checkpoint.com/defense/advisories/public/2015/cpai-2015-0808.html — Microsoft Windows Font Glyphs Kernel Code Injection (CVE-2015-2387)
  5. Microsoft Security Bulletin MS15-077: Vulnerability in ATM Font Driver Could Allow Elevation of Privilege (3077657)

CVE-2015-5119: Use-after-free vulnerability in the ByteArray class

Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a ValueOf function, as exploited in the wild in July 2015.

References

  1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5119
  2. This appears to be the same “ByteArray” UAF vulnerability discussed by Trend Micro
  3. Additionally, this is the same vulnerability that was first publicly highlighted by security researcher ‘Webdevil’ in a tweet
  4. Security Advisory for Adobe Flash Player (APSA15-03) & Adobe Security Bulletin (APSB15-16)

CVE-2015-5122: TextLine object within the valueOf function

The PoC also uses similar constructs to exploit the use-after-free vulnerability in DisplayObject opaqueBackground. The vulnerability is triggered by freeing a TextLine object within the valueOf function of a custom class while the TextLine’s opaqueBackground is being set. Once the TextLine object is freed, a Vector object is allocated in its place. Returning from valueOf overwrites the length field of the Vector object with a value of 106 (the initial length is 98).

Exploitation continues by finding the corrupted Vector object by its length, which will be greater than 100. This enables the exploit to change an adjacent Vector object’s length to 0x40000000. Once the exploit achieves this, it follows the same mechanism used in the CVE-2015-5119 PoC.

References

  1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5122
  2. https://helpx.adobe.com/security/products/flash-player/apsa15-04.html
  3. http://www.symantec.com/connect/blogs/second-poc-exploit-adobe-flash-player-discovered-after-hackers-hire-company-breach
  4. https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html

CVE-2015-5123: BitmapData object

This vulnerability is also a variant of the valueOf trick described under CVE-2015-5122. However, compared to the first two reported Flash zero-day exploits, it involves the BitmapData object rather than TextLine or ByteArray. This vulnerability is rated critical and can allow an attacker to take control of the affected system once it is successfully exploited. It affects all versions of Adobe Flash on Windows, Mac, and Linux.

The following steps can trigger the vulnerability:

  1. From a new BitmapData object, prepare two Array objects, create two MyClass objects, and assign a MyClass object to each Array.
  2. With the valueOf function of MyClass overridden, call BitmapData.paletteMap with the two Array objects as parameters. BitmapData.paletteMap will trigger the valueOf function.
  3. In the valueOf function, call BitmapData.dispose() to dispose of the underlying memory of the BitmapData object, thus causing Flash Player to crash.

References

  1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5123
  2. https://helpx.adobe.com/security/products/flash-player/apsa15-04.html
  3. http://blog.trendmicro.com/trendlabs-security-intelligence/new-zero-day-vulnerability-cve-2015-5123-in-adobe-flash-emerges-from-hacking-team-leak/

Adobe Flash Player Use-After-Free Vulnerability (CVE-2015-0349)

One of the Flash Player vulnerabilities found in the HT dump is believed to be CVE-2015-0349, which was patched by Adobe in April 2015.

References

  1. http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/
  2. Adobe Security Bulletin (APSB15-06)

Global provider of IT security solutions protecting against dynamic, emerging threats. -- Inc. 500 Company in 2014.