[B](http://www.twitter.com/volexity) [M](http://www.volexity.com/blog/?feed=rss2)


Incident Response &

Suppression


[Home](http://www.volexity.com/blog/)


# APT Group Wekby Leveraging Adobe Flash Exploit (CVE-2015-5119)

[Posted on July 8, 2015 by Steven Adair](http://www.volexity.com/blog/?p=158)

[As if the recent breach and subsequent public data dump involving the Italian company Hacking Team wasn’t bad](http://www.csoonline.com/article/2943968/data-breach/hacking-team-hacked-attackers-claim-400gb-in-dumped-data.html)

enough, it all gets just a little bit worse. Emerging from the bowels of Hacking Team data dump was a Flash 0-day

[exploit (CVE-2015-5119) that was just patched today by Adobe as covered in APSB15-16. The exploit has since been](https://helpx.adobe.com/security/products/flash-player/apsb15-16.html)

[added into the Angler Exploit Kit and integrated into Metasploit. However, not to be out done, APT attackers have](http://malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html)

also started leveraging the exploit in targeted spear phishing attacks as well. Before we start dishing the details,

there is going to be one main takeaway from this blog post: If you haven’t already, update/patch your Adobe Flash

now.

## Spear Phishing

This morning, a well known APT threat group, often referred to as Wekby, kicked off a rather ironic spear phishing

campaign. The attackers launched spoofed e-mail messages purporting to be from Adobe. The e-mail messages

references an Adobe Flash update and encourage the recipients to click a link to download and install the update.

Take a look at an example of the spear phish e-mail message below.


-----

The visible and spoofed source e-mail address for “Andre Vangils” is avangils@adobe.com. This is not a particularly

advanced spear phish message. However, the visible link http://get.adobe.com, as you have likely guessed, does not

actually go to Adobe’s website. Instead it leads to index.htm on an IP address belonging to a hosting provider

named PEG TECH INC. This page is far less helpful than one would hope. Instead of providing a legitimate Adobe

Flash update, the page loads a malicious SWF file instead. The following contents are found from the HTML page

from the link:

<body>

<div style=”position:fixed; top:50%; left:50%; width:600; height:400; margin-left:-300; margin-top:-200;”>

<object classid=”clsid:D27CDB6E-AE6D-11cf-96B8-444553540000″ id=”swf” width=”600″ height=”400″>

<param name=”movie” value=”movie.swf” />

<param name=”allowScriptAccess” value=”always” />

<embed src=”movie.swf” width=”600″ height=”400″ allowScriptAccess=”always” type=”application/x
shockwave-flash” />

</object>

</div>

</body>

</html>

If you guess this was a Flash exploit, then you are 100% correct.

## Exploits and Malware

The aforementioned exploit works on Adobe Flash versions all the way up to 18.0.0.194. You need to have updated

your Flash since this morning to be safe from its grips The attackers appear to have modified one of the exploits that


-----

file is LZMA compressed and has the ZWS file header. There are plenty of great tools out there that can be used to

[look at Flash files. One of our favorites is SWF Investigator from Adobe. Poking around a bit we can see a few](http://labs.adobe.com/downloads/swfinvestigator.html)

interesting labels that appear to reference Hacking Team, such as the one shown below:

Notice the “HT_exploit” label. Further down in the file is a class with the same name. These appear to be not so subtle

references to the source of this exploit. We did not see these labels or class names in any of the other files we

observed thus far, so we presume these were recently created as part of this new exploit file. At the end of the day,

the goal of this attack is to install malware on target systems. If a vulnerable system were to visit the exploit site from

the spear phish message, this is exactly what would happen. In this case the flash file would drop an executable into

the victim user’s Temp directory similar to the path shown below:

**C:\Users\$Username\AppData\Local\Temp\Rdws.exe**

The malware would then execute and immediately start beaconing to the Singapore IP address 223.25.233.248 on TCP

**port 80. This is a well known Wekby command and control (C2) IP address that has been used for years. Currently**

there a few other active DNS names that resolve to IP such as gmail.bkz88.com and info.imly.org. Any connection

involving this IP address or these hostnames should be consider hostile and a likely indicator of compromise.

The 223.25.233.248 IP address has served as a C2 server for a variety of different malware in the past (Poison Ivy,

Gh0st, Remote RSS, etc.). However, this go around the malware is a modified version of the Gh0st remote access

trojan (RAT). Typically the default version of Gh0st sends a packet flag of “Gh0st” in the first 5-bytes. This has been

heavily modified over the years and several custom versions of Gh0st have emerged with dozens and dozens of

customer packet flags such as cb1st, Winds, https, and so on. However, the Wekby APT actor last year started using a

modified version that has an 18 character packet flag. This version was reused in this attack and an infected system

will send a rather peculiar packet flag as seen in the image below:


-----

You are reading that correctly, it’s sending: HTTP\1.1 Sycmentec. Presumably this is a poor attempt to blend in as

HTTP traffic and appear to be affiliated with Symantec. There are plenty of signatures in the Emerging Threats

rulesets to pick up on Gh0st, but you can use the signature below to pickup on this specific instance of Gh0st.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”Volexity – Wekby Gh0st Variant [HTTP\1.1

Sycmentec]”; flow:to_server,established; content:”HTTP|5c|1.1 Sycmentec”; depth:18; sid:201507081;)

You can add in a check for two null bytes followed by zlib header (“|000789c|”) for an additional match. However,

chances are a hit on that string by itself is probably bad news and solid enough. Add a rule for the reverse direction to

catch the server’s response as well.

Also, pretty interesting and funny is what happens is your version of Flash is up-to-date when you visit the exploit

page. Instead of silently failing in the background, it instead results in the rather obvious popup:

Your eyes are not deceiving you. It says faile! right on the screen. It looks like the attackers may have left a debug

message from their testing. Not very subtle at all.

## File Details and Persistence

Here’s what to look for when it comes to file indicators.

|Filename|movie.swf|
|---|---|


-----

|MD5|079a440bee0f86d8a59ebc5c4b523a07|
|---|---|
|SHA1|7389e78cca58de6cb2cbe2b631d2fec259e9cdcc|
|Notes|Malicious flash file that drops Wekby Gh0st RAT.|

|Filename|Rdws.exe|
|---|---|
|File size|138240 bytes|
|MD5|cfbcb83f8515bd169afd0b22488b4430|
|SHA1|959638ee177b51bda8701c10258b4956f8b1c367|
|Notes|HTTP\1.1 Sycmentec packet flag malware.|


The malware sets its persistence adding an entry to the HKCU “RUN” key

(HKCU\Software\Microsoft\Windows\CurrentVersion\Run):

**NAME: CSics**

**DATA: C:\Users\$User\AppData\Local\Rdws.exe**

## Conclusion

Volexity is aware of multiple other ongoing APT and non-APT cyber attacks leverage CVE-2015-5119. While it is always

important to patch your software and keep it up-to-date, it is CRITICAL that you patch your Adobe Flash immediately.

The attackers are having a field day with this exploit and will not slow down any time soon. Patching is the most

prudent course of action to deal with this exploit that is very much in the wild. Additionally, as always, for Microsoft

[Windows users, looking at deploying the Enhance Mitigation Experience Toolkit (EMET) would also be advised.](https://support.microsoft.com/en-us/kb/2458544)

[FOLLOW US ON TWITTER @VOLEXITY.](https://twitter.com/volexity)

[This entry was posted in Adobe Flash, APT, China, Exploits, Vulnerabilities. Bookmark the permalink.](http://www.volexity.com/blog/?cat=13)


[« Afghan Government Compromise: Browser Beware](http://www.volexity.com/blog/?p=134) Virtual Private Keylogging: Cisco Web VPNs Leveraged for

Access and Persistence »


Search …


**Recent Posts**

f[Virtual Private Keylogging:]

[Cisco Web VPNs Leveraged for](http://www.volexity.com/blog/?p=179)

Access and Persistence

f[APT Group Wekby]


-----

f[Afghan Government]

Compromise: Browser Beware

f[A New Shellshock Worm on]

the Loose

f[Drupal Vulnerability: Mass]

Scans & Targeted Exploitation


**Archives**

[f[October 2015]](http://www.volexity.com/blog/?m=201510)

[f[July 2015]](http://www.volexity.com/blog/?m=201507)

[f[June 2015]](http://www.volexity.com/blog/?m=201506)

[f[April 2015]](http://www.volexity.com/blog/?m=201504)

[f[October 2014]](http://www.volexity.com/blog/?m=201410)

[f[September 2014]](http://www.volexity.com/blog/?m=201409)


**Categories**

[f[Adobe Flash]](http://www.volexity.com/blog/?cat=13)

[f[APT]](http://www.volexity.com/blog/?cat=4)

[f[China]](http://www.volexity.com/blog/?cat=6)

[f[Digital Surveillance]](http://www.volexity.com/blog/?cat=9)

[f[Drupal]](http://www.volexity.com/blog/?cat=10)

[f[Exploits]](http://www.volexity.com/blog/?cat=3)

[f[Hong Kong]](http://www.volexity.com/blog/?cat=7)

[f[Japan]](http://www.volexity.com/blog/?cat=5)

[f[Java]](http://www.volexity.com/blog/?cat=8)

[f[Scanning]](http://www.volexity.com/blog/?cat=11)

[f[Vulnerabilities]](http://www.volexity.com/blog/?cat=2)


[© 2015 Volexity, LLC](http://www.volexity.com/blog/www.volexity.com)


-----