Tuesday, October 17, 2017

Response of Rig Exploit Kit has changed

First

On October 15th I noticed a change in Rig Exploit Kit. It is a very small change, and some people will not have noticed it. Its impact is limited, but it has been troublesome for some researchers. I'll describe the change here.

Change of RigEK

First of all, do you know about the nature of RigEK? RigEK uses several functions that interfere with analysis. Besides obfuscating its code, it has a function that controls access. Put simply, RigEK will not attack if the same IP address accesses it more than once in a row. On the second and later accesses you are redirected to a legitimate website (strictly speaking, there is a grace period of one and a half to two minutes). This makes analysis difficult.

This is the response of the RigEK landing page before the change.



The top is the response on the first access; the bottom is the response on a second access from the same IP address.

Looking at the bottom response, you can see that it is very characteristic. The client is redirected to the website in the Location header with HTTP status code 302, but the body still contains the attack code. Therefore, by ignoring the Location header, it was possible to analyze RigEK any number of times.

However, two days ago the response for the second and later accesses changed. The new response is as follows.


Instead of HTTP status code 302, the string "not found" is now returned with status code 200. This is a small change, but it certainly shows that RigEK is still changing.
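As an added example (not code from the original post), the following Python classifies a captured landing-page response into the three shapes described above: a genuine first-visit page, the old 302 redirect that still carried the body, and the new 200 "not found". The sample responses are constructed for illustration, not real captures.

```python
# Added example: classify captured RigEK landing-page responses so an
# analysis pipeline can tell a real first-visit response from the two
# throttled variants. The sample responses below are constructed.

def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def classify_rigek_response(raw: bytes) -> str:
    """Return which of the three response shapes this capture matches."""
    status, headers, body = parse_http_response(raw)
    text = body.strip().lower()
    if status == 302 and "location" in headers and text:
        # Old throttling: redirect to a decoy site, but the body still
        # carries the landing page, so it can be analysed anyway.
        return "throttled-302-with-body"
    if status == 200 and text == b"not found":
        # New throttling (October 2017): HTTP 200 with just "not found".
        return "throttled-200-not-found"
    if status == 200 and text:
        return "landing-page"
    return "unknown"


# Constructed sample captures (not real RigEK traffic).
FIRST_VISIT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b"<html><script>/* obfuscated landing page */</script></html>")
OLD_REPEAT = (b"HTTP/1.1 302 Found\r\nLocation: http://example.com/\r\n\r\n"
              b"<html><script>/* same landing page */</script></html>")
NEW_REPEAT = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nnot found"

if __name__ == "__main__":
    for name, raw in [("first", FIRST_VISIT), ("old", OLD_REPEAT),
                      ("new", NEW_REPEAT)]:
        print(name, classify_rigek_response(raw))
```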

Finally

Such changes will continue to occur. I will keep observing RigEK, paying attention to small changes as well.

Wednesday, September 27, 2017

Looking into Drive-by Mining

First

Recently, reports on mining from ESET, Sucuri and Malwarebytes were released. Drive-by Download is not as strong as before, but Drive-by Mining is on the rise. Drive-by Mining has two patterns: tampering with legitimate websites and malvertising. Similar traffic was also observed in my traffic observation environment. I noticed that there are several campaigns, and one of them is very interesting. This is a simple report about it.

Traffic Analysis

The entry point is a legitimate website that loads advertisements, which is where the malvertising comes in. The following code was loaded on this website.



About "code[.]moviead55[.]ru", you can refer to the ESET report.
"Cryptocurrency web mining: In union there is profit"

However, it generated traffic that was slightly different from the report.

The loaded code is simply obfuscated. When decoded, after some processing it generates an iframe.



This iframe loads an HTML page, which contained the following code.



Let's look at the JavaScript registered as a Worker.



This is the wasm that is being loaded.
https://www.virustotal.com/#/file/1fd2bc9a5011ad82b543b51b8f800d47bc5d8229a01263de620f878088ff585a/detection

convert.js was very similar to the code published on GitHub:
https://github.com/mtve/yazecminer

Finally, this is the traffic chain.

While accessing the site, my CPU load was high.

Conclusion

Attackers always use the latest technology. I found a lot of sites using coin-hive and similar services for Drive-by Mining. If your CPU load is high while accessing a website, mining is a possibility.
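As an added example (not code from the original post or from the campaign), the following Python performs a small static scan of fetched page content for the drive-by-mining pattern described above: an injected iframe, a script registered as a Worker, WebAssembly being loaded, or a known miner name such as coin-hive. The sample page is constructed for illustration and is not the observed campaign code.

```python
# Added example: static indicators for the iframe -> Worker -> wasm
# drive-by-mining chain. The sample pages below are constructed.
import re

MINING_INDICATORS = {
    "worker": re.compile(r"new\s+Worker\s*\(", re.I),
    "wasm_api": re.compile(r"WebAssembly\.(instantiate|compile|Module)"),
    "wasm_file": re.compile(r"['\"][^'\"]+\.wasm['\"]", re.I),
    "iframe": re.compile(r"createElement\s*\(\s*['\"]iframe['\"]\s*\)", re.I),
    "coinhive": re.compile(r"coin-?hive", re.I),
}


def scan_for_mining(content: str) -> dict:
    """Return {indicator_name: [matched text, ...]} for every indicator hit."""
    hits = {}
    for name, pattern in MINING_INDICATORS.items():
        found = [m.group(0) for m in pattern.finditer(content)]
        if found:
            hits[name] = found
    return hits


def is_suspicious(content: str) -> bool:
    """A known miner name, or a Worker combined with WebAssembly loading,
    is the signature of the campaign described in the post."""
    hits = scan_for_mining(content)
    if "coinhive" in hits:
        return True
    return "worker" in hits and ("wasm_api" in hits or "wasm_file" in hits)


# Constructed sample page reproducing the observed chain in simplified form.
SAMPLE_PAGE = """
<script>
var f = document.createElement('iframe');
f.src = '/ad/frame.html'; document.body.appendChild(f);
</script>
<script>
var w = new Worker('convert.js');
fetch('miner.wasm').then(r => r.arrayBuffer())
  .then(b => WebAssembly.instantiate(b, {}));
</script>
"""

BENIGN_PAGE = "<script>console.log('hello');</script>"

if __name__ == "__main__":
    print(scan_for_mining(SAMPLE_PAGE))
    print("suspicious:", is_suspicious(SAMPLE_PAGE), is_suspicious(BENIGN_PAGE))
```

Regex indicators like these are a triage aid, not proof; the CPU-load symptom the post describes is still the simplest confirmation.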




Saturday, August 5, 2017

Malware dropped by RIG(2017 July)

These are the malware samples dropped by RIG that I observed in July.

If you have additional information, please contact me on Twitter (@nao_sec).

Saturday, July 22, 2017

Seamless Campaign Dropping Ramnit Continuously 1

Please read the previous blog post about the malware in May and June.
http://www.nao-sec.org/2017/07/malware-dropped-by-rig2017-may-june.html

The addresses of the known C2 servers introduced in some blogs are as follows:

  • 142.4.204.195
  • 34.194.213.50 - aofmfaoc.com
  • 87.106.190.153
  • 62.173.141.41 - gssbjwhoose.com
  • 185.118.65.143 - hdyejdn638ir8.com

Refer to the following

The domain names change immediately, while the IP addresses are reused several times. I'll report the Ramnit-related malware C2 servers that are connected with these C2 servers.

Network Based IOCs


Malware Correlation





Wednesday, July 12, 2017

Malware dropped by RIG(2017 May-June)

These are the malware samples dropped by RIG that I observed between May and June. If you have additional information, please contact me on Twitter (@nao_sec).

Wednesday, July 5, 2017

Seamless localized to Japan

An article published by malwarebreakdown two days ago was very interesting.
https://malwarebreakdown.com/2017/07/03/seamless-campaign-leads-to-rig-ek-at-188-225-79-43-and-drops-ramnit/

This post supplements that article.

---

That excellent article covered some of the redirect flows and the latter half of the chain. Here I describe the flow of the first half.

The visitor is first redirected to "194.58.60.51/usa" by a malicious ad. "usa" looks like an ordinary website; part of the actual code is shown below.



It looks like ordinary code, but it contains obfuscated code, which decodes as follows.



This looks like Google Analytics code, but it is actually something different: it sends a POST request to "usa".



It uses JavaScript to obtain the time zone and sends it. If Japanese time zone information is sent here, the visitor is redirected to a legitimate website. In the case of the USA, it leads to the next step of the flow.

This redirects to "outedward-engrees.com". When you access "outedward-engrees.com", it looks like this.



Please see the malwarebreakdown article after this :)

---

Well, I made an interesting discovery by chance. I looked up "194.58.60.51" on VirusTotal and got this information.


Surprisingly, "japan.php" exists on the same server!

The code of "japan.php" is exactly the same as "usa", but here you have to set the time zone sent to Japan in order to be connected to RigEK.



"usa" redirected to "signup3.php", whereas "japan.php" redirects to "signup1.php".

The dropped malware is Ramnit as usual.
https://www.hybrid-analysis.com/sample/3f949006c99d03b15ea4a1a11b40f1cf420573d2c86f1025a3b82badf18dc361?environmentId=100
https://virustotal.com/en/file/3f949006c99d03b15ea4a1a11b40f1cf420573d2c86f1025a3b82badf18dc361/analysis/1499245648/

---

P.S. Added a pcap link:
https://gist.github.com/koike/8f3fcbb2e6906e29155a57d6f87df396


Localizations for countries other than Japan may also exist.
If you know of any, please let me know ;)

Thursday, May 25, 2017

New EITest's Cloaking

First

EITest has been observed again since last night (JST), but many researchers say they cannot observe it. In short, it seems that this time EITest is targeting only some Asian countries, including Japan.

Experiment

I accessed an EITest compromised site using IP addresses from various countries; the results are as follows.

Japan



Hong Kong



UK



America



Netherlands



Singapore



Finally

I found that there were three types of EITest injected code, switched by geolocation. I don't know the details, but the UK and America seem to be redirected somewhere other than RigEK. It seems that only some Asian countries, such as Japan and Hong Kong, are redirected to RigEK.