In this blog post we provide an analysis of two versions of the script and share details about the associated attacks against Windows, Linux and OS X systems.
According to ESET’s LiveGrid® telemetry, the server at the IP address 220.127.116.11, which was hosting the malicious script, had been up since July 27, 2015. Corroboration can also be found on one of the compromised forums:
Operatives from the Department on Combating Cybercrime of the Ministry of Internal Affairs of Ukraine, who responded promptly to our notification, have also confirmed that the malicious exfiltration server, hosted in Ukraine, has been online since July 27, 2015.
According to our monitoring of the threat, the server became inactive on August 8, 2015.
The script used is not obfuscated and is easy to analyze. Nevertheless, the code shows that the attackers had a good knowledge of Firefox internals.
The exploit is very reliable and works smoothly. However, it may display a warning that could catch the attention of tech-savvy users.
After successful exploitation of the bug, execution passes to the exfiltration part of the code. The script supports both the Linux and Windows platforms. On Windows it searches for configuration files belonging to popular FTP clients (such as FileZilla and SmartFTP), the Subversion (SVN) client, instant messaging clients (Psi+ and Pidgin), and the Amazon S3 client.
These configuration files may contain saved login and password details.
On Linux systems, the script sends the following files to the remote server:
It also parses the /etc/passwd file in order to obtain the home directories of the users on the system. The script then searches for files by filename mask in the collected home directories, skipping the home directories of standard system users (such as daemon, bin, sys, sync and so forth).
It collects and uploads files such as:
- history (bash, MySQL, PostgreSQL)
- SSH related configuration files and authorization keys
- Configuration files for remote access software – Remmina
- FileZilla configuration files
- PSI+ configuration
- text files with possible credentials and shell scripts
As is evident here, the first version of the malicious script was designed to gather data used mostly by webmasters and site administrators. This allowed the attackers to move on to compromising more websites.
The second version
The day after Mozilla released the patch for Firefox, the attackers decided to go “all-in”: they registered two new domains and improved their script.
The two new malicious domains were maxcdnn[.]com (18.104.22.168) and acintcdn[.]net (22.214.171.124). The second IP address is the same one as used in the first version. The attackers selected these names because the domains look as if they belong to a content delivery network (CDN).
The improved script on the Windows platform not only collects application configuration files; it also collects text files containing almost any combination of words of possible value to attackers (such as password, accounts, bitcoins, credit cards, exploits, certificates, and so on):
The attackers improved the Linux script by adding new files to collect and also developed code that works on the Mac OS X operating system:
Some Russian-speaking commentators misattributed this code to the Duqu malware, because some variables in the code have the text “dq” in them.
A copycat attack
Since the bug is easy to exploit and a working copy of the script is available to cybercriminals, other attackers have started to use it. We have seen various groups quickly adopt the exploit and start serving it, mostly on adult sites, from google-user-cache[.]com (126.96.36.199).
This malicious script does all the same things as the original script, but it collects different files:
The recent Firefox attacks are an example of active in-the-wild exploitation of a serious software vulnerability. The exploit shows that the malware writers had a deep knowledge of Firefox internals. It is also an interesting case because, in most instances, exploits are used as an infection vector for other data-stealing trojans. Here, however, that was not necessary: the malicious script alone was able to steal sensitive files from victims’ systems.
Additionally, the exploit started to be reused by other malware operators shortly after its discovery. This is common practice in the malware world.
ESET detects the malicious scripts as JS/Exploit.CVE-2015-4495. We also urge Firefox users to update their browser to the patched version (39.0.3). The built-in Firefox PDF reader can also be disabled by setting pdfjs.disabled to true in about:config.
Indicators of Compromise
A partial list of compromised servers:
Servers used in attack:
Credit: Anton Cherepanov