We have recently observed an increase in the exploitation of the famous ‘GodMode’ exploit of the vulnerability CVE-2014-6332. The reliable proof of concept (POC) or exploit code for CVE-2016-6332 is readily available on the Internet. This makes it easy for attackers to integrate the exploit in various campaigns. They just have to flip the malware payload to start a new campaign. Most of the active Exploit Kits (EKs) such ‘RIG’ and ‘Sundown’ have integrated exploits for CVE-2014-6332. Apart from EKs, the exploit is also spreading through various compromised, malicious websites.
In this blog post, we will take a look at the one such attack where exploitation of the ‘GodMode’ vulnerability CVE-2014-06332 was dropping a malware payload called DDoS Nitol.
The exploit was being dropped from domain ‘1128[.]me’ and was resolving to IP 43.249.8[.]78. The exploit domain is registered in ‘Panama’ as per whois lookup. The Geo-location of the IP lies in ‘China’. The domain names observed in the DDoS campaigns were short in length and had numerical values as part of the domain name.
The exploit first does version checking of Windows OS and Internet Explorer to check the compatibility. The exploit code only gets loaded on 32 bit Windows OS and on Internet Explorer.
After version checking, the exploit code moves ahead and the function ‘Over’ is called. The type confusion vulnerability is triggered when resizing of array ‘aa’ is done. The detailed analysis of the vulnerability can be found here.
Disabling ‘safemode’ Flag
By default, the usage of VBScript functionality in browsers is restricted. This restriction is a controlled by ‘safemode’ flag. The default value of ‘safemode’ flag is always ‘0xE’. If the default value of ‘safemode’ flag is changed then using VBScript, malicious activity can be performed. Controlling of ‘safemode’ flag using VBScript in web browsers has been called ‘GodMode’. Thus, this exploit is famously known as ‘GodMode’ exploit.
The exploit code shown in Fig 4 changes the ‘safemode’ flag value to ‘0’ using ‘setnotsafemode’ function.
After ‘safemode’ flag is disabled, the ‘runmumaa’ function is called which downloads the malware from the URL ‘hxxp://98.126.14[.]54/api/ax.exe’ and executes it using ‘wscript’.
The payload ‘ax.exe’ is executed by the exploit code and performs the activities mentioned below.
Important activities observed:
Network Spreading Activity
For spreading on shared drives on the victim’s system, it uses a quick dictionary attack using all possible combinations from the usernames and passwords mentioned below.
The malware tries to connect to each shared drive using API ‘WNetAddConnection2A’.
Once access to any shared drive is gained using the dictionary attack, the malware copies itself to that shared drive using API ‘CopyFileA’.
Once copied, it executes the copied malware using command ‘at’ on a specified scheduled time such as ‘13:11’ shown in Fig 10.
The malware receives commands from the CnC server in order to initiate DDoS attacks. The CnC server sends commands of various combinations with the parameters mentioned below.
DDoS command parameters:
Command Code, Target webiste, Port Number, IE version, NT version, User-Agent, Referrer, etc.
At the time of analysis, the CnC server was inactive, so we did not receive actual commands from the server. The unidentified CnC parameters in the commands listed below are mentioned with ‘%s’ or ‘%d’. The malware supports 22 commands which specify the type of DDoS attacks to be carried out on the target website. The CnC commands also access various types of resources such as text, image, etc., for the attack. They also use different user agents such as ‘Baiduspider’. Below are some of the DDoS commands.
The following figure shows the loop for DDoS attacks carried out through ‘send’ API request.
Also, you can see many branches coming to the same code at the top, as shown in Fig 12. This is because commands are different but many of them use same ‘send’ API for the attack.
The CnC server address is kept in an encrypted form in malware payload; a two-level encryption is used. The first level is base64 and second level is custom ADD + XOR encryption as shown in Fig 13.
DDoS.Nitol Hits Trend
As observed in Quick Heal Labs, below is the trend of the DDoS Nitol over the last month.
Indicator of Compromise
|Exploit Server IP
|Paylaod CnC URLs
By using reliable exploit codes available on the Internet for CVE-2014-6332, it’s becoming easier for attackers to launch various types of mass infection campaigns. As we have seen in this case, a DDoS attack can be launched by dropping the DDoS malware Nitol. With the network spreading functionality inside, Nitol makes it for a deadlier attack as it can compromise mass machines present on the network. We strongly recommend users to update the Windows Operating Systems and use a multilayered security software such as Quick Heal.
Subject Matter Experts