Summary
On October 24, 2013, the Check Point ThreatCloud Emulation Service received six PDF document files from a European Union official agency running a Check Point threat prevention gateway. Automated analysis in the Threat Emulation sandbox determined that these documents exploited an Adobe Reader vulnerability, and additional research revealed that these files were delivered via a dynamic URL scheme and were, at the time, detected by only 8% of antivirus solutions. The result was a potentially powerful targeted attack tool that would have evaded many other vendors’ defenses.
After we added detections to ThreatCloud, where they became available to Check Point threat prevention gateway customers worldwide, these gateways reported the detection and blocking of 500 more instances of this attack around the world over the next five days. Information from these events revealed that the attacks appear to be part of a widespread campaign that touches over 140 Web domains. The campaign uses this exploit to deliver the well-known NuclearPack kit to victims in the target organizations.
Read on for more details about this campaign, plus additional recommendations about measures customers and security decision-makers should take to protect themselves against this campaign.
Detailed Analysis
Observation of a malicious document arriving to an organization
On October 24th, Check Point’s ThreatCloud Emulation Cloud Service detected a few malicious documents arriving at several organizations, including a European-Union official agency. Seven users at this agency clicked a link that led them to download and view a PDF document.
Analysis by Check Point security researchers revealed that the campaign authors had engineered the infecting URL to avoid static detection by antivirus and resist analysis by security vendors through the use of a dynamic URL scheme which spans multiple domains and IP addresses. Through this technique, each user was led to a different URL; however, all URLs used a similar format, as seen in the following examples:
http://q6m9███.waxingtriumph.biz:33300/118bed3a4bd18606a38c507f████████/13826█████/ df68414aa896bf62c20671c1████████/13826█████.pdf
http://gacab███.waxingtriumph.biz:11139/2c2ab85f748e866c10d4b563████████/13826█████/ d214b5a049009f119557452c████████/13826█████.pdf
(Portions of each URL are hidden for your protection and due to ongoing research)
Check Point security researchers performed further analysis in order to uncover, from the few specific samples that we had, additional malicious domains participating in this attack.
Further analysis of malicious documents
Because the affected organization is using the Check Point ThreatCloud Emulation Service, all potentially malicious incoming documents are sent to the Emulation Service for sandboxing and analysis. During emulation, abnormal behavior was detected:
- The PDF document exploits a variant of a known vulnerability (CVE-2010-0188) of Adobe PDF Reader
- The document then initiates a network connection to the same URL from which it was downloaded
- This network connection attempts to download a malicious payload and run it on the end-user device. (The malicious payload can be any program as driven by the campaign, e.g. malware to steal user credentials, accounts, etc.)
More importantly, these samples showed a low (<10%) detection rate on VirusTotal: only 4 of the 46 available antivirus vendors detected this malware at the time of original submission.
Example MD5s of documents that were downloaded by the end-users:
- 837f58ade3fd6e24854ee480d6407a00
- 7b50e50321f79fde5bab15471a04cffb
Leveraging ThreatCloud to discover the extent of this malware campaign
Our analysis of this targeted attack enabled the creation of a generic anti-malware signature that does not contain a specific domain name, but is instead based on properties observed in the URL generation algorithm. This signature was distributed via ThreatCloud to Check Point security gateways around the world and allowed collection of additional domains related to this campaign.
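The following is an added illustration of the idea behind such a structural signature; it is not Check Point's signature or any of their code. It matches the shape of the URLs quoted above (random subdomain, .biz domain, non-standard port, two 32-hex segments interleaved with two 10-digit segments, .pdf suffix) rather than any domain name, and runs it over constructed proxy log lines. The subdomain length, port range and the reading of the 10-digit segments as Unix timestamps are assumptions, not facts from the report.

```python
import re
from urllib.parse import urlsplit

# Structural fingerprint of the infection URLs quoted above, independent of the domain:
#   http://<random subdomain>.<word-pair domain>.biz:<port>/<32 hex>/<10 digits>/<32 hex>/<10 digits>.pdf
# Assumptions not taken from the report: subdomains are 5-8 lowercase alphanumerics, ports are
# five digits, and the two 10-digit segments are Unix timestamps written when the URL was generated.
HOST_RE = re.compile(r"^[a-z0-9]{5,8}\.[a-z]+\.biz$")
PATH_RE = re.compile(r"^/[0-9a-f]{32}/(\d{10})/[0-9a-f]{32}/(\d{10})\.pdf$")


def is_dynamic_pdf_url(url: str) -> bool:
    """True when a URL has the campaign's shape, whatever domain it uses."""
    parts = urlsplit(url)
    try:
        port = parts.port  # raises ValueError on a malformed port string
    except ValueError:
        return False
    if parts.scheme != "http" or port is None or not 10000 <= port <= 65535:
        return False
    if parts.hostname is None or not HOST_RE.match(parts.hostname):
        return False
    m = PATH_RE.match(parts.path)
    if not m:
        return False
    # Both timestamp-like segments come from one generation step, so they should be close.
    return abs(int(m.group(1)) - int(m.group(2))) <= 3600


def scan_proxy_log(lines):
    """Return (client, host) pairs for log lines whose URL matches the fingerprint."""
    hits = []
    for line in lines:
        fields = line.split()  # constructed format: "<time> <client> <url>"
        if len(fields) >= 3 and is_dynamic_pdf_url(fields[2]):
            hits.append((fields[1], urlsplit(fields[2]).hostname))
    return hits


# Constructed log lines: hex segments and subdomains are made up, the domains are two from the report.
H1 = "0123456789abcdef0123456789abcdef"
H2 = "fedcba9876543210fedcba9876543210"
SAMPLE_LOG = [
    f"2013-10-24T09:12:01Z 10.1.2.3 http://xk3q9z.waxingtriumph.biz:33300/{H1}/1382602321/{H2}/1382602321.pdf",
    "2013-10-24T09:12:05Z 10.1.2.4 http://example.com/reports/q3.pdf",
    f"2013-10-24T09:12:09Z 10.1.2.5 https://intranet.example.com:8443/{H1}/1382602329/{H2}/1382602329.pdf",
    f"2013-10-24T09:13:40Z 10.1.2.7 http://pz7w1q.heliumvenal.biz:11139/{H1}/1382602420/{H2}/1382602422.pdf",
]
```

Only the first and fourth lines match, although they use different domains, ports and hashes; a domain blocklist alone would have caught neither of these hosts until they were individually discovered.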
In the five days from detection on October 24th through October 29th, more than 500 events were observed from additional organizations around the world, communicating with more than 140 unique domains that match the dynamic signature.
Check Point security researchers have determined that this campaign is using the “NuclearPack” Exploit Kit. While the attackers’ dynamic URL technique is a powerful mechanism for distributing malware, ThreatCloud and Threat Emulation enabled us to activate threat prevention measures that provide Check Point customers with immediate protection against this type of attack.
Protecting your organization from this attack
All Organizations
Ensure that end-user systems are running the latest version of Adobe Reader. The samples we have observed so far exploit a known vulnerability in Adobe Reader version 9.3; later Adobe Reader versions are not vulnerable to these files.
Check Point Customers
Check Point customers who have activated the Anti-Bot and Anti-Virus blades are protected from this targeted campaign. No additional configuration is needed.
Non-Check Point Customers
Apply filtering rules to block URL requests to these domains. Note that this list is continuously growing as new domains are discovered. (See Appendix below)
Resources
Submit a suspicious file for Threat Emulation: https://threatemulation.checkpoint.com/teb/upload.jsp
Appendix
The following is a list of all domains that were found spreading the malicious campaign, generated by the “Nuclear” exploit kit: