Summary

On October 24, 2013, the Check Point ThreatCloud Emulation Service received six PDF document files from a European Union official agency running a Check Point threat prevention gateway. Automated analysis in the Threat Emulation sandbox determined that these documents exploited an Adobe Reader vulnerability, and additional research revealed that these files were delivered via a dynamic URL scheme and were, at the time, detected by only 8% of antivirus solutions. The result was a potentially powerful targeted attack tool that would have evaded many other vendors’ defenses.

After we added detections to ThreatCloud, where they became available to Check Point threat prevention gateway customers worldwide, these gateways reported the detection and blocking of 500 more instances of this attack around the world over the next five days. Information from these events revealed that the attacks appear to be part of a widespread campaign that touches over 140 Web domains. The campaign uses this exploit to deliver the well-known NuclearPack kit to victims in the target organizations.

Read on for more details about this campaign, plus additional recommendations about measures customers and security decision-makers should take to protect themselves against this campaign.

Detailed Analysis

Observation of a malicious document arriving to an organization

On October 24th, Check Point’s ThreatCloud Emulation Cloud Service detected a few malicious documents arriving at several organizations, including a European-Union official agency. Seven users at this agency clicked a link that led them to download and view a PDF document.

Analysis by Check Point security researchers revealed that the campaign authors had engineered the infecting URL to avoid static detection by antivirus and resist analysis by security vendors through the use of a dynamic URL scheme which spans multiple domains and IP addresses. Through this technique, each user was led to a different URL; however, all URLs used a similar format, as seen in the following examples:

http://q6m9███.waxingtriumph.biz:33300/118bed3a4bd18606a38c507f████████/13826█████/
df68414aa896bf62c20671c1████████/13826█████.pdf
http://gacab███.waxingtriumph.biz:11139/2c2ab85f748e866c10d4b563████████/13826█████/
d214b5a049009f119557452c████████/13826█████.pdf

(Portions of each URL are hidden for your protection and due to ongoing research)

Check Point security researchers performed further analysis in order to uncover, from the few specific samples that we had, additional malicious domains participating in this attack.

Further analysis of malicious documents

Because the affected organization is using the Check Point ThreatCloud Emulation Service, all potentially malicious incoming documents are sent to the Emulation Service for sandboxing and analysis. During emulation, abnormal behavior was detected:

  • The PDF document exploits a variant of a known vulnerability (CVE-2010-0188) of Adobe PDF Reader
  • The document then initiates a network communication to the same URL, from which the document was downloaded
  • This network connection attempts to download a malicious payload and run it on the end-user device. (The malicious payload can be any program as driven by the campaign, e.g. malware to steal user credentials, accounts, etc.)

More importantly, observing these samples at VirusTotal reveals show a low (<10%) detection rate: only 4 out of 46 available antivirus vendors were capable of detecting this malware at the original time of submission.

Example MD5s of documents that were downloaded by the end-users

  • 837f58ade3fd6e24854ee480d6407a00
  • 7b50e50321f79fde5bab15471a04cffb

Leveraging ThreatCloud to discover the extent of this malware campaign

Our analysis of this targeted attack enabled the creation of a generic anti-malware signature that does not contain a specific domain name, but is rather based on different properties observed in the URL generation algorithm.This signature was distributed via ThreatCloud to Check Point security gateways around the world and allowed collection of additional domains related to this campaign.

In the five days from detection on the 24th through October 29th, more than 500 events were observed from additional organizations around the world, which communicated with more than 140 unique domains that meet the dynamic signature.

Check Point security researchers have determined that this campaign is using the “NuclearPack” Exploit Kit. While the attackers’ dynamic URL technique is a powerful mechanism for distributing malware, ThreatCloud and Threat Emulation enabled us to activate threat prevention measures that provide Check Point customers with immediate protection against this type of attack.

Protecting your organization from this attack

All Organizations

Ensure that end-user systems are running the latest version of Adobe Reader. The samples we have observed so far exploit a known vulnerability in Adobe reader version 9.3, later Adobe reader versions are not vulnerable to these files.

Check Point Customers

Check Point customers who have activated the Anti-Bot and Anti-Virus blades are protected from this targeted campaign. No additional configuration is needed.

Non-Check Point Customers

Apply filtering rules to block URL requests to these domains. Note that this list is continuously growing as new domains are discovered. (See Appendix below)

Resources

Submit a suspicious file for Threat Emulation: https://threatemulation.checkpoint.com/teb/upload.jsp

Appendix

The following is a list of all URLs that were found as spreading the malicious campaign, generated by the “Nuclear” exploit kit:

r2xcp.heliumvenal.biz
wr0xt1wt.precessionrelieved.biz
bvxdfs.precessionrelieved.biz
ue86au.waxingtriumph.biz
rzmewg5.waxingtriumph.biz
lm6dvq8.waxingtriumph.biz
ucah7mwh.planetarycontentment.biz
u9gh7.planetarycontentment.biz
st9rge5o.planetarycontentment.biz
r8puq8pn.planetarycontentment.biz
faxzw1i.jellyrollplantain.biz
u07eb.jellyrollplantain.biz
joq4h4.cupcakelemon.biz
gtnd1.planetarycontentment.biz
ixed9l.jellyrollplantain.biz
yzr24.gelatolime.biz
ws3hs45j.custardpeach.biz
y38s9q.tortekiwi.biz
w71by.heliumvenal.biz
quc97.heliumvenal.biz
a0u91z17.heliumvenal.biz
kvl2ogx.precessionrelieved.biz
z45ijt.planetarycontentment.biz
agx02.jellyrollplantain.biz
q9r69.jellyrollplantain.biz
d2ntd.gelatolime.biz
kxjp8.gelatolime.biz
e70x1.truffleraspberry.biz
ei7jfjmz.zabicoconut.biz
qo95e051.zabicoconut.biz
mekru3.bombepear.biz
f50zpga.eclairapple.biz
um7bvhqs.meringuebreadfruit.biz
jytyi1.zabicoconut.biz
t76sqfz.zabicoconut.biz
czyfajk.custardpeach.biz
diwkkwrd.christmasglamour.biz
xw4ul.christmasglamour.biz
rnq812w.christmasglamour.biz
w1lp7h7.blackholerapture.biz
wpxfdqk2.blackholerapture.biz
gqao4enh.heliumvenal.biz
u8iacq2d.synodicintent.biz
tph24.meringuebreadfruit.biz
km4wg.meringuebreadfruit.biz
z8htywrv.meringuebreadfruit.biz
ws8n9y.meringuebreadfruit.biz
i4jr4jkf.zabicoconut.biz
hwws2w6e.zabicoconut.biz
amocr.eclairapple.biz
tw4bq.meringuebreadfruit.biz
ozsws0dl.meringuebreadfruit.biz
iafjik.zabicoconut.biz
ujr3nt.zabicoconut.biz
eogsjx.custardpeach.biz
p62gf.custardpeach.biz
k43wq1.custardpeach.biz
acoya5u.sundaebanana.biz
ixul0.bombepear.biz
rkkly.thanksgivingcharm.biz
gioas6.cincodemayogold.biz
e84g4bfs.cincodemayogold.biz
u3qs4kyi.heliumvenal.biz
pcrr8sxp.heliumvenal.biz
kik10nlz.precessionrelieved.biz
urpc04.precessionrelieved.biz
m9tro.waxingtriumph.biz
gacabfr7.waxingtriumph.biz
s3cte.waxingtriumph.biz
fya1mkmj.christmasglamour.biz
uw74zamb.blackholerapture.biz
pw13g45.precessionrelieved.biz
jnc415z.precessionrelieved.biz
ike1f.waxingtriumph.biz
t4mzw.waxingtriumph.biz
w44ifyv.waxingtriumph.biz
z940j7c5.planetarycontentment.biz
ujl94u1.planetarycontentment.biz
c8rb4feh.planetarycontentment.biz
n5qwnv3.jellyrollplantain.biz
e2ydts7s.jellyrollplantain.biz
bqeor0.jellyrollplantain.biz
tgrsl4i6.jellyrollplantain.biz
w4zr7.meringuebreadfruit.biz
v6cuda.meringuebreadfruit.biz
csebs.precessionrelieved.biz
tpaeoki.planetarycontentment.biz
q8h4o.planetarycontentment.biz
fnxoqhmc.jellyrollplantain.biz
k48j4f7r.jellyrollplantain.biz
dqnoc6.cupcakelemon.biz
mpl1pf6.gelatolime.biz
drriq5.gelatolime.biz
blieuhlm.eclairapple.biz
kta6inz.meringuebreadfruit.biz
vlvxy9k.azimuthcalculating.biz
w15s3.zabicoconut.biz
ihnd1f7d.waxingtriumph.biz
xgwd9p.planetarycontentment.biz
sbgu1.planetarycontentment.biz
n69jq.planetarycontentment.biz
c6oc77bp.jellyrollplantain.biz
svi51aj.jellyrollplantain.biz
gq0g933c.jellyrollplantain.biz
l28rcsx8.triflecrabapple.biz
wfrmnt.triflecrabapple.biz
wxk4c.zabicoconut.biz
a3sukqv.sundaebanana.biz
rgowlusl.bombepear.biz
f0w9ov9.christmasglamour.biz
nst0uc7a.synodicintent.biz
ohx7kj8.precessionrelieved.biz
xkjg2jm.precessionrelieved.biz
u09ghx.precessionrelieved.biz
xw591k.waxingtriumph.biz
q6m91up.waxingtriumph.biz
y0nk8.waxingtriumph.biz
x66q5s.planetarycontentment.biz
uj531r8w.sundaebanana.biz
ou0ewyg.heliumvenal.biz
ei2ghf.synodicintent.biz
tx78fi.synodicintent.biz
d5l7v57.waxingtriumph.biz
lnzjbywx.waxingtriumph.biz
q3zl4.planetarycontentment.biz
f9irv4k1.planetarycontentment.biz
qrgtpmuf.planetarycontentment.biz
vana9.planetarycontentment.biz
jmvnir.jellyrollplantain.biz
dezn2za.cupcakelemon.biz
zr4ru9.gelatolime.biz
fsx7415a.precessionrelieved.biz
ikz8yy8x.waxingtriumph.biz
i9q2co.planetarycontentment.biz
a2wxn.planetarycontentment.biz
bhcr3.planetarycontentment.biz
sfeqq7.jellyrollplantain.biz
cd7xg.triflecrabapple.biz
rrkyk.eclairapple.biz
ihyjj.zabicoconut.biz
eurb150.sundaebanana.biz
d1yvliiu.heliumvenal.biz
jdb4av5e.heliumvenal.biz
liy7xs.custardpeach.biz
dzg81jb.custardpeach.biz

 


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Please complete the equation to verify your submission. * Time limit is exhausted. Please reload the CAPTCHA.