Hey all,
Today I’d like to introduce you to Stegano – a new exploit kit that was recently delivered through malicious ads (malvertising).
The exploit kit first abuses an Internet Explorer vulnerability (the one patched by MS16-037) to check whether it is running on a malware analysis system. Based on server-side logic, the target is then served either a clean image or a malicious one that carries a script encoded in its alpha channel (the channel that defines the transparency of each pixel), so the two images look identical to a casual viewer. Once extracted and run, the script redirects the user to another URL that attempts to exploit one of three Flash vulnerabilities (CVE-2015-8651, CVE-2016-1019, CVE-2016-4117), chosen according to the victim’s Flash version.
The attached image illustrates the attack.
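To make the alpha-channel trick concrete, here is an added example (my own illustration, not code from the Stegano kit or from the original post). It works on the flat RGBA byte array that a browser’s canvas `getImageData().data` returns, so it can be run offline under Node on a constructed bitmap. The encoding layout (a 4-byte big-endian length followed by one payload byte per pixel’s alpha value), the `example.invalid` landing URL and the distinct-value threshold in the detection heuristic are all assumptions for illustration; the real kit’s format differs.

```javascript
// Added example: hiding a script in the alpha channel of an RGBA buffer,
// recovering it as a decoder in an ad would, and a heuristic to flag it.
// Layout (assumed, not the kit's real format): pixels 0..3 carry a 4-byte
// big-endian payload length in their alpha values; pixel 4 onwards carries
// one payload byte per alpha value. RGB values are never touched, so the
// picture itself is unchanged.

function makeOpaqueImage(width, height) {
  // Constructed sample: a plain, fully opaque bitmap, as most banner images are.
  const rgba = new Uint8ClampedArray(width * height * 4);
  for (let i = 0; i < rgba.length; i += 4) {
    rgba[i] = (i / 4) % 256; // R: simple gradient
    rgba[i + 1] = 128;       // G
    rgba[i + 2] = 64;        // B
    rgba[i + 3] = 255;       // A: fully opaque
  }
  return rgba;
}

function encodeAlpha(rgba, payload) {
  const bytes = Buffer.from(payload, 'utf8');
  const pixels = rgba.length / 4;
  if (bytes.length + 4 > pixels) throw new Error('payload too large for image');
  const out = Uint8ClampedArray.from(rgba);
  const len = Buffer.alloc(4);
  len.writeUInt32BE(bytes.length, 0);
  const stream = Buffer.concat([len, bytes]);
  // Overwrite only the alpha byte of the first stream.length pixels.
  for (let p = 0; p < stream.length; p++) out[p * 4 + 3] = stream[p];
  return out;
}

function decodeAlpha(rgba) {
  const pixels = rgba.length / 4;
  if (pixels < 4) return null;
  const alpha = (p) => rgba[p * 4 + 3];
  const len = Buffer.from([alpha(0), alpha(1), alpha(2), alpha(3)]).readUInt32BE(0);
  // A clean opaque image yields 0xFFFFFFFF here, which cannot fit: treat as "no payload".
  if (len > pixels - 4) return null;
  const bytes = Buffer.alloc(len);
  for (let i = 0; i < len; i++) bytes[i] = alpha(4 + i);
  return bytes.toString('utf8');
}

function alphaLooksSuspicious(rgba, maxDistinct = 8) {
  // Opaque or simply masked images use only a handful of alpha values;
  // a byte stream hidden there produces many distinct ones. The threshold
  // is an assumed starting point, not a tuned value.
  const seen = new Set();
  for (let i = 3; i < rgba.length; i += 4) {
    seen.add(rgba[i]);
    if (seen.size > maxDistinct) return true;
  }
  return false;
}

function rgbUnchanged(a, b) {
  // True when the two buffers differ only in their alpha bytes.
  if (a.length !== b.length) return false;
  for (let i = 0; i < a.length; i++) {
    if (i % 4 !== 3 && a[i] !== b[i]) return false;
  }
  return true;
}

// Stand-alone demo: a hypothetical redirect script, as the post describes.
const cleanImage = makeOpaqueImage(64, 64);
const hiddenScript = "location.href = 'https://example.invalid/landing';";
const maliciousImage = encodeAlpha(cleanImage, hiddenScript);
console.log('clean image decodes to:', decodeAlpha(cleanImage));
console.log('malicious image decodes to:', decodeAlpha(maliciousImage));
console.log('clean flagged:', alphaLooksSuspicious(cleanImage));
console.log('malicious flagged:', alphaLooksSuspicious(maliciousImage));
```

Two things worth noting from running it: the RGB bytes of the malicious image are identical to the clean one, which is why the served ad looks the same either way, and a decoder that finds nothing usable in a clean image simply does nothing, which is what lets the server-side switch between clean and malicious images go unnoticed. On the defensive side, an image whose alpha channel carries far more distinct values than a normal banner needs is a cheap signal to examine it further.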
What is interesting to note is that the exploit creators did not want it to be discovered: the malicious payload is not executed if any of the following analysis, debugging or virtualization processes/modules is running on the system:
• vmtoolsd.exe
• VBoxService.exe
• prl_tools_service.exe
• VBoxHook.dll
• SBIEDLL.DLL
• fiddler.exe (luckily for us, they also check whether the tool is installed, so all Comsec’s consultants are in the clear)
• charles.exe
• wireshark.exe
• proxifier.exe
• procexp.exe
• ollydbg.exe
• windbg.exe
Here are all the details:
Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit