Victims are lured with a generic phishing email whose text is very similar to spam messages. In an example provided by FireEye the bait used was an offer for a refurbished iMac system certified by Apple, with a discount between $200 and $450 (€180 – €400); the email further enticed the recipient with availability of one-year extendable warranty for the product.
Clicking on the provided link redirected to a server with scripts that checked if the visitor’s computer was worth compromising. If it presented no interest, the user would receive non-harmful content; otherwise, the victim was served malicious SWF and FLV files. The vulnerability exploited in the attack is a heap buffer overflow, now identified as CVE-2015-3113.
FireEye says that the attack code relies on common vector corruption techniques to get past the Address Space Layout Randomization (ASLR) protection from buffer overflow events; it also relies on a new ROP (Return-Oriented Programming) technique to bypass Data Execution Prevention (DEP) and other protection mechanisms, such as ROP detection.
The latest campaign from APT3 has dubbed Operation Clandestine Wolf and the researchers say that it is also responsible for other previously identified campaigns (Operation Clandestine Fox) and it is known for producing browser-based zero-day exploits for Internet Explorer, Firefox and Flash Player.