Threat Emulation Exposes Widespread Malware Campaign

Summary

On October 24, 2013, the Check Point ThreatCloud Emulation Service received six PDF document files from a European Union official agency running a Check Point threat prevention gateway. Automated analysis in the Threat Emulation sandbox determined that these documents exploited an Adobe Reader vulnerability, and additional research revealed that these files were delivered via a dynamic URL scheme and were, at the time, detected by only 8% of antivirus solutions. The result was a potentially powerful targeted attack tool that would have evaded many other vendors’ defenses.

After we added detections to ThreatCloud, where they became available to Check Point threat prevention gateway customers worldwide, these gateways reported the detection and blocking of 500 more instances of this attack around the world over the next five days. Information from these events revealed that the attacks appear to be part of a widespread campaign that touches over 140 Web domains. The campaign uses this exploit to deliver the well-known NuclearPack kit to victims in the target organizations.

Read on for more details about this campaign, plus additional recommendations about measures customers and security decision-makers should take to protect themselves against this campaign.

Detailed Analysis

Observation of a malicious document arriving to an organization

On October 24^th, Check Point’s ThreatCloud Emulation Cloud Service detected a few malicious documents arriving at several organizations, including a European-Union official agency. Seven users at this agency clicked a link that led them to download and view a PDF document.

Analysis by Check Point security researchers revealed that the campaign authors had engineered the infecting URL to avoid static detection by antivirus and resist analysis by security vendors through the use of a dynamic URL scheme which spans multiple domains and IP addresses. Through this technique, each user was led to a different URL; however, all URLs used a similar format, as seen in the following examples:

http://q6m9███.waxingtriumph.biz:33300/118bed3a4bd18606a38c507f████████/13826█████/
df68414aa896bf62c20671c1████████/13826█████.pdf

http://gacab███.waxingtriumph.biz:11139/2c2ab85f748e866c10d4b563████████/13826█████/
d214b5a049009f119557452c████████/13826█████.pdf

(Portions of each URL are hidden for your protection and due to ongoing research)

Check Point security researchers performed further analysis in order to uncover, from the few specific samples that we had, additional malicious domains participating in this attack.

Further analysis of malicious documents

Because the affected organization is using the Check Point ThreatCloud Emulation Service, all potentially malicious incoming documents are sent to the Emulation Service for sandboxing and analysis. During emulation, abnormal behavior was detected:

The PDF document exploits a variant of a known vulnerability (CVE-2010-0188) of Adobe PDF Reader
The document then initiates a network communication to the same URL, from which the document was downloaded
This network connection attempts to download a malicious payload and run it on the end-user device. (The malicious payload can be any program as driven by the campaign, e.g. malware to steal user credentials, accounts, etc.)

More importantly, observing these samples at VirusTotal reveals show a low (<10%) detection rate: only 4 out of 46 available antivirus vendors were capable of detecting this malware at the original time of submission.

Example MD5s of documents that were downloaded by the end-users

```
837f58ade3fd6e24854ee480d6407a00
```
```
7b50e50321f79fde5bab15471a04cffb
```

Leveraging ThreatCloud to discover the extent of this malware campaign

Our analysis of this targeted attack enabled the creation of a generic anti-malware signature that does not contain a specific domain name, but is rather based on different properties observed in the URL generation algorithm.This signature was distributed via ThreatCloud to Check Point security gateways around the world and allowed collection of additional domains related to this campaign.

In the five days from detection on the 24^th through October 29^th, more than 500 events were observed from additional organizations around the world, which communicated with more than 140 unique domains that meet the dynamic signature.

Check Point security researchers have determined that this campaign is using the “NuclearPack” Exploit Kit. While the attackers’ dynamic URL technique is a powerful mechanism for distributing malware, ThreatCloud and Threat Emulation enabled us to activate threat prevention measures that provide Check Point customers with immediate protection against this type of attack.

Protecting your organization from this attack

All Organizations

Ensure that end-user systems are running the latest version of Adobe Reader. The samples we have observed so far exploit a known vulnerability in Adobe reader version 9.3, later Adobe reader versions are not vulnerable to these files.

Check Point Customers

Check Point customers who have activated the Anti-Bot and Anti-Virus blades are protected from this targeted campaign. No additional configuration is needed.

Non-Check Point Customers

Apply filtering rules to block URL requests to these domains. Note that this list is continuously growing as new domains are discovered. (See Appendix below)

Resources

Submit a suspicious file for Threat Emulation: https://threatemulation.checkpoint.com/teb/upload.jsp

Appendix

The following is a list of all URLs that were found as spreading the malicious campaign, generated by the “Nuclear” exploit kit:

r2xcp.heliumvenal.biz

wr0xt1wt.precessionrelieved.biz

bvxdfs.precessionrelieved.biz

ue86au.waxingtriumph.biz

rzmewg5.waxingtriumph.biz

lm6dvq8.waxingtriumph.biz

ucah7mwh.planetarycontentment.biz

u9gh7.planetarycontentment.biz

st9rge5o.planetarycontentment.biz

r8puq8pn.planetarycontentment.biz

faxzw1i.jellyrollplantain.biz

u07eb.jellyrollplantain.biz

joq4h4.cupcakelemon.biz

gtnd1.planetarycontentment.biz

ixed9l.jellyrollplantain.biz

yzr24.gelatolime.biz

ws3hs45j.custardpeach.biz

y38s9q.tortekiwi.biz

w71by.heliumvenal.biz

quc97.heliumvenal.biz

a0u91z17.heliumvenal.biz

kvl2ogx.precessionrelieved.biz

z45ijt.planetarycontentment.biz

agx02.jellyrollplantain.biz

q9r69.jellyrollplantain.biz

d2ntd.gelatolime.biz

kxjp8.gelatolime.biz

e70x1.truffleraspberry.biz

ei7jfjmz.zabicoconut.biz

qo95e051.zabicoconut.biz

mekru3.bombepear.biz

f50zpga.eclairapple.biz

um7bvhqs.meringuebreadfruit.biz

jytyi1.zabicoconut.biz

t76sqfz.zabicoconut.biz

czyfajk.custardpeach.biz

diwkkwrd.christmasglamour.biz

xw4ul.christmasglamour.biz

rnq812w.christmasglamour.biz

w1lp7h7.blackholerapture.biz

wpxfdqk2.blackholerapture.biz

gqao4enh.heliumvenal.biz

u8iacq2d.synodicintent.biz

tph24.meringuebreadfruit.biz

km4wg.meringuebreadfruit.biz

z8htywrv.meringuebreadfruit.biz

ws8n9y.meringuebreadfruit.biz

i4jr4jkf.zabicoconut.biz

hwws2w6e.zabicoconut.biz

amocr.eclairapple.biz

tw4bq.meringuebreadfruit.biz

ozsws0dl.meringuebreadfruit.biz

iafjik.zabicoconut.biz

ujr3nt.zabicoconut.biz

eogsjx.custardpeach.biz

p62gf.custardpeach.biz

k43wq1.custardpeach.biz

acoya5u.sundaebanana.biz

ixul0.bombepear.biz

rkkly.thanksgivingcharm.biz

gioas6.cincodemayogold.biz

e84g4bfs.cincodemayogold.biz

u3qs4kyi.heliumvenal.biz

pcrr8sxp.heliumvenal.biz

kik10nlz.precessionrelieved.biz

urpc04.precessionrelieved.biz

m9tro.waxingtriumph.biz

gacabfr7.waxingtriumph.biz

s3cte.waxingtriumph.biz

fya1mkmj.christmasglamour.biz

uw74zamb.blackholerapture.biz

pw13g45.precessionrelieved.biz

jnc415z.precessionrelieved.biz

ike1f.waxingtriumph.biz

t4mzw.waxingtriumph.biz

w44ifyv.waxingtriumph.biz

z940j7c5.planetarycontentment.biz

ujl94u1.planetarycontentment.biz

c8rb4feh.planetarycontentment.biz

n5qwnv3.jellyrollplantain.biz

e2ydts7s.jellyrollplantain.biz

bqeor0.jellyrollplantain.biz

tgrsl4i6.jellyrollplantain.biz

w4zr7.meringuebreadfruit.biz

v6cuda.meringuebreadfruit.biz

csebs.precessionrelieved.biz

tpaeoki.planetarycontentment.biz

q8h4o.planetarycontentment.biz

fnxoqhmc.jellyrollplantain.biz

k48j4f7r.jellyrollplantain.biz

dqnoc6.cupcakelemon.biz

mpl1pf6.gelatolime.biz

drriq5.gelatolime.biz

blieuhlm.eclairapple.biz

kta6inz.meringuebreadfruit.biz

vlvxy9k.azimuthcalculating.biz

w15s3.zabicoconut.biz

ihnd1f7d.waxingtriumph.biz

xgwd9p.planetarycontentment.biz

sbgu1.planetarycontentment.biz

n69jq.planetarycontentment.biz

c6oc77bp.jellyrollplantain.biz

svi51aj.jellyrollplantain.biz

gq0g933c.jellyrollplantain.biz

l28rcsx8.triflecrabapple.biz

wfrmnt.triflecrabapple.biz

wxk4c.zabicoconut.biz

a3sukqv.sundaebanana.biz

rgowlusl.bombepear.biz

f0w9ov9.christmasglamour.biz

nst0uc7a.synodicintent.biz

ohx7kj8.precessionrelieved.biz

xkjg2jm.precessionrelieved.biz

u09ghx.precessionrelieved.biz

xw591k.waxingtriumph.biz

q6m91up.waxingtriumph.biz

y0nk8.waxingtriumph.biz

x66q5s.planetarycontentment.biz

uj531r8w.sundaebanana.biz

ou0ewyg.heliumvenal.biz

ei2ghf.synodicintent.biz

tx78fi.synodicintent.biz

d5l7v57.waxingtriumph.biz

lnzjbywx.waxingtriumph.biz

q3zl4.planetarycontentment.biz

f9irv4k1.planetarycontentment.biz

qrgtpmuf.planetarycontentment.biz

vana9.planetarycontentment.biz

jmvnir.jellyrollplantain.biz

dezn2za.cupcakelemon.biz

zr4ru9.gelatolime.biz

fsx7415a.precessionrelieved.biz

ikz8yy8x.waxingtriumph.biz

i9q2co.planetarycontentment.biz

a2wxn.planetarycontentment.biz

bhcr3.planetarycontentment.biz

sfeqq7.jellyrollplantain.biz

cd7xg.triflecrabapple.biz

rrkyk.eclairapple.biz

ihyjj.zabicoconut.biz

eurb150.sundaebanana.biz

d1yvliiu.heliumvenal.biz

jdb4av5e.heliumvenal.biz

liy7xs.custardpeach.biz

dzg81jb.custardpeach.biz

See how use cases come to life through Check Point's customer stories.

See how use cases come to life through Check Point's customer stories.

See how use cases come to life through Check Point's customer stories.

AI-Powered Threat Prevention

AI-Powered Threat Prevention

AI-Powered Threat Prevention

AI-Powered Threat Prevention

AI-Powered Threat Prevention

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Check Point is 100% Channel. Grow Your Business with Us!

See how use cases come to life through Check Point's customer stories.

Threat Emulation Exposes Widespread Malware Campaign

Summary

Detailed Analysis

Observation of a malicious document arriving to an organization

Further analysis of malicious documents

Leveraging ThreatCloud to discover the extent of this malware campaign

Protecting your organization from this attack

All Organizations

Check Point Customers

Non-Check Point Customers

Resources

Appendix

Summary

Detailed Analysis

Observation of a malicious document arriving to an organization

Further analysis of malicious documents

Leveraging ThreatCloud to discover the extent of this malware campaign

Protecting your organization from this attack

All Organizations

Check Point Customers

Non-Check Point Customers

Resources

Appendix

You may also like

When Ransomware Stopped Working Harder and Started Working Smarter

Protecting Small Businesses from Massive Attacks: Check Point Infinity Recognized by Gartner

March’s Most Wanted Malware: Cryptomining Malware That Works Even Outside the Web Browser on the Rise

How Can Your Business Score Touchdowns Without An Offensive Line?