In describing the malicious infrastructure used in a recent drive-by download campaign, last week I provided an initial overview of the FlashPack Exploit Kit. This post completes that analysis and concludes discussion of the original observation that years later, initial AV detection rates are still low.
For reference, below are the final three URLs in the chain of requests that began with a visit to the index page of Alexa top-ranked website Indowebster[.]com and ended with the retrieval and installation of malicious software.
The previous post on FlashPack stopped after deobfuscation of mintelext.php, which represents the central component of the kit. An analysis of its contents reveals that nine different vulnerabilities across three distinct software components — Internet Explorer, Adobe Flash Player and the Java Web Plugin — were targeted. The corresponding CVEs for each software component are as follows.
Internet Explorer: CVE-2013-2551, CVE-2013-3918, and CVE-2014-0322
Adobe Flash Player: CVE-2013-0634, CVE-2014-0497, and CVE-2014-0515
Java Web Plugin: CVE-2011-3544, CVE-2013-2460, and CVE-2013-2471
In the above chain, sarmholsterthenc.php contains an exploit for CVE-2013-2551. Two weeks after the drive-by download campaign, VirusTotal results for that file reveal that AV detections are still low, as only 10 of 54 tools successfully identify it as malicious.
In Barracuda Labs' capture of the event, the exploit for CVE-2013-2551 succeeded and the resulting malware payload — lodyoathsk.php — was retrieved and executed. As predicted, the initially low (8/54) number of successful detections for the payload has improved dramatically over the last two weeks, and 43 of 55 tools now flag the executable as malicious. In fact, as of August 29 (just one week after the initial scan), detections had already improved to 40 of 53 tools. While this timescale is a marked improvement over those of the late 2000s, future advances in threat detection must narrow the window much further in order to meaningfully degrade the utility of a compromised asset.
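The "window" the paragraph above refers to is the time between a sample's first submission and the point at which most engines flag it. The following script is an added example (not code from the original post or from Barracuda Labs) that computes that window from a series of VirusTotal-style scan snapshots and applies a simple triage rule for samples whose coverage is still low. The detection counts are the ones quoted above (8/54, 40/53, 43/55 for the payload; 10/54 for the exploit file); the dates and the year are assumptions constructed from the post's statement that August 29 was one week after the initial scan.

```python
from datetime import date

# Constructed sample data modelled on VirusTotal report fields ("positives", "total",
# "scan_date"). Counts are from the post; dates are assumed, anchored on the post's
# remark that 29 August was one week after the initial scan.
PAYLOAD_SCANS = [
    {"scan_date": "2014-08-22", "positives": 8, "total": 54},   # initial scan (assumed date)
    {"scan_date": "2014-08-29", "positives": 40, "total": 53},  # "as of August 29"
    {"scan_date": "2014-09-05", "positives": 43, "total": 55},  # "two weeks later" (assumed date)
]

# The exploit file (sarmholsterthenc.php) had only one rescan mentioned: 10/54 two weeks on.
EXPLOIT_SCANS = [
    {"scan_date": "2014-09-05", "positives": 10, "total": 54},
]


def detection_ratio(scan):
    """Fraction of engines that flagged the sample in one snapshot."""
    if scan["total"] <= 0:
        raise ValueError("scan has no engines")
    return scan["positives"] / scan["total"]


def days_to_threshold(scans, threshold=0.5):
    """Days from the earliest snapshot until the detection ratio first reached
    `threshold`; None if it never did within the observed snapshots."""
    ordered = sorted(scans, key=lambda s: s["scan_date"])
    first_seen = date.fromisoformat(ordered[0]["scan_date"])
    for scan in ordered:
        if detection_ratio(scan) >= threshold:
            crossed = date.fromisoformat(scan["scan_date"])
            return (crossed - first_seen).days
    return None


def triage(scans, low=0.25, threshold=0.5):
    """Defender's verdict for the latest snapshot: a file most engines still miss is
    exactly the one that should not be cleared on AV results alone."""
    latest = max(scans, key=lambda s: s["scan_date"])
    ratio = detection_ratio(latest)
    if ratio < low:
        return "escalate"   # low coverage: sandbox / manual analysis, block by hash
    if ratio < threshold:
        return "watch"      # coverage improving but not yet a majority
    return "detected"       # majority of engines agree; rely on endpoint AV plus hash block


def summarize(name, scans):
    """One line per sample, suitable for a daily rescan report."""
    latest = max(scans, key=lambda s: s["scan_date"])
    window = days_to_threshold(scans)
    window_text = "not yet" if window is None else f"{window} day(s)"
    return (f"{name}: {latest['positives']}/{latest['total']} "
            f"({detection_ratio(latest):.0%}) on {latest['scan_date']}, "
            f"majority reached after {window_text}, verdict={triage(scans)}")


if __name__ == "__main__":
    print(summarize("lodyoathsk.php (payload)", PAYLOAD_SCANS))
    print(summarize("sarmholsterthenc.php (exploit)", EXPLOIT_SCANS))
```

With the post's figures the payload crosses the 50% mark seven days after first submission, while the exploit file never does within the observed period and is escalated rather than treated as clean.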