Attackers use a new ROP technique to bypass protection

Jun 23, 2015 21:41 GMT  ·  By

A zero-day Flash Player vulnerability, patched today by Adobe, is currently being exploited by an advanced threat group from China in cyber-espionage operations.

Security researchers at FireEye named the group APT3 and say that it targets organizations from industry sectors like aerospace and defense, construction and engineering, high tech, telecommunications and transportation.

Generic phishing message used as bait

Victims are lured with a generic phishing email whose text reads much like ordinary spam. In the example provided by FireEye, the bait was an offer for a refurbished iMac certified by Apple, with a discount between $200 and $450 (€180 - €400); the email further enticed the recipient with a one-year extendable warranty for the product.

Clicking on the provided link redirected the browser to a server hosting profiling scripts that checked whether the visitor's computer was worth compromising. If the host was of no interest, the user received harmless content; otherwise, the victim was served a malicious SWF file together with an FLV file. The vulnerability exploited in the attack is a heap buffer overflow in Flash Player, now identified as CVE-2015-3113.

APT3 is a group of skillful hackers

FireEye says that the attack code relies on common vector corruption techniques to bypass Address Space Layout Randomization (ASLR): the heap overflow is used to overwrite the length field of an adjacent ActionScript Vector object, and the enlarged vector then gives the exploit out-of-bounds read and write access to neighbouring memory, which is enough to find where code has been loaded. The exploit also relies on a new ROP (Return-Oriented Programming) technique to bypass Data Execution Prevention (DEP) and to evade some ROP detection mechanisms.
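To make the vector corruption step concrete, here is an added example in C that is not code from the page or from FireEye's analysis and says nothing about the actual CVE-2015-3113 exploit. It models a Vector-like object as a length header followed by elements, lays three of them back to back in a static array standing in for the heap, and shows how a single unchecked write past the first object turns the second object's own bounds-checked getter into an out-of-bounds read primitive. The slot layout, the `vec_*` helpers and the planted value `PLANTED_CODE_PTR` are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a Flash Vector.<uint>: one header word holding the element
 * count, followed by the elements. Three fixed-size slots sit back to back
 * in a static array so the simulated "heap" is entirely under our control
 * and the overflow never leaves it. This is a constructed layout, not the
 * real Flash Player object format. */
#define SLOT_ELEMS  4
#define SLOT_WORDS  (1 + SLOT_ELEMS)
#define NUM_SLOTS   3
#define HEAP_WORDS  (NUM_SLOTS * SLOT_WORDS)

/* Hypothetical value planted after the victim vector, standing in for a
 * code pointer (e.g. a vtable entry) an attacker would read to learn where
 * a module was loaded despite ASLR. */
#define PLANTED_CODE_PTR 0x6f2d1000u

static uint32_t heap[HEAP_WORDS];

static uint32_t *vec_alloc(int slot)
{
    uint32_t *v = &heap[slot * SLOT_WORDS];
    v[0] = SLOT_ELEMS;                         /* the trusted length header */
    memset(&v[1], 0, SLOT_ELEMS * sizeof(uint32_t));
    return v;
}

/* Bounds-checked read: safe exactly as long as the length header is intact. */
static int vec_get(const uint32_t *v, uint32_t idx, uint32_t *out)
{
    if (idx >= v[0])
        return -1;
    *out = v[1 + idx];
    return 0;
}

/* The bug: an element copy with no bound check, modelling the heap overflow. */
static void vec_copy_unchecked(uint32_t *v, const uint32_t *src, uint32_t n)
{
    for (uint32_t i = 0; i < n; i++)
        v[1 + i] = src[i];
}

/* Performs the corruption and returns the word leaked through the victim
 * vector, or 0 if either the pre-overflow check unexpectedly passed or the
 * post-overflow read was refused. */
uint32_t demo_vector_length_corruption(void)
{
    uint32_t *attacker = vec_alloc(0);   /* the vector we overflow            */
    uint32_t *victim   = vec_alloc(1);   /* the vector right after it         */
    uint32_t *beyond   = vec_alloc(2);   /* memory the attacker wants to read */
    beyond[1] = PLANTED_CODE_PTR;

    /* beyond[1] is heap[11]; relative to victim (base heap[5]) that is
     * element index 5 = SLOT_ELEMS + 1, one past the victim's real capacity. */
    const uint32_t target = SLOT_ELEMS + 1;
    uint32_t leaked = 0;

    /* With an intact header the read is refused (5 >= 4). */
    if (vec_get(victim, target, &leaked) == 0)
        return 0;

    /* Overflow: SLOT_ELEMS legitimate elements plus one extra word that lands
     * on the victim's length header and replaces it with 0xFFFFFFFF. */
    uint32_t payload[SLOT_ELEMS + 1] = {1, 2, 3, 4, 0xFFFFFFFFu};
    vec_copy_unchecked(attacker, payload, SLOT_ELEMS + 1);

    /* Same bounds-checked API, but every index is now "in bounds": the
     * victim has become a relative read primitive over the whole heap. */
    if (vec_get(victim, target, &leaked) != 0)
        return 0;
    return leaked;
}

int main(void)
{
    uint32_t leaked = demo_vector_length_corruption();
    printf("victim length after overflow: 0x%08x\n", heap[SLOT_WORDS]);
    printf("word leaked past the victim:  0x%08x\n", leaked);
    return 0;
}
```

The point of the model is that nothing in `vec_get` changes; the attacker only needs the one overflowing write, after which the object's own length check does the rest. The same primitive, applied to a write instead of a read, is what a real exploit uses to corrupt further objects before moving on to the DEP bypass.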

The latest campaign from APT3 has been dubbed Operation Clandestine Wolf and the researchers say that the group is also responsible for other previously identified campaigns (Operation Clandestine Fox) and is known for producing browser-based zero-day exploits for Internet Explorer, Firefox and Flash Player.

“After successfully exploiting a target host, this group will quickly dump credentials, move laterally to additional hosts, and install custom backdoors,” FireEye said in a blog post on Tuesday.

Although the group's activity is well known to FireEye, tracking its command and control infrastructure is not easy because the attackers rarely reuse the same infrastructure across campaigns.