Monday, November 20, 2017

Analyzing KaiXin Exploit Kit

Introduction

Yesterday, Brad reported activity of the KaiXin Exploit Kit.

http://malware-traffic-analysis.net/2017/11/17/index.html

I only started studying exploit kits in February this year, so I didn't know KaiXin EK and decided to analyze it.

What is KaiXin Exploit Kit

According to "Recent example of KaiXin exploit kit", KaiXin EK has been observed since August 2012. It is mainly used in attack campaigns targeting China, and in recent years almost no activity has been reported. So how does it attack?

Traffic Chain

First, I briefly introduce the chain of traffic generated by KaiXin EK. Please look at the images.


When the KaiXin EK landing page is accessed, several pieces of attack code are loaded. Which attack code runs depends on the user's environment (IE, JRE and Flash Player versions, etc.). Ultimately, if the user is a target, malware (an exe file) is downloaded and executed.

Landing Page

KaiXin EK obfuscates its JavaScript, including the attack code. The landing page is obfuscated too, but very simply. Following the decoding flow yields the code below.

https://gist.github.com/koike/5fe67c5c608ef76f735119be8f6e7f79

The next step branches on the JRE or IE version.


For example, if the JRE version is between 17006 and 17011, the Java applet "EyDsJd.jar" is loaded. The malware URL ("11.7.exe") is passed to it as an argument, and the jar downloads and executes that malware by exploiting a JRE vulnerability.


The vulnerability used by each jar file:

BvJfRc.jar CVE-2012-4681
EyDsJd.jar CVE-2013-0422
XlGaYb.jar CVE-2011-3544
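As an added example (not code from the post or its gists), here is a small triage helper that pulls applet loads and their parameters out of a captured landing page and tags the jar names listed above with their CVEs. The sample HTML is constructed; the parameter name "xxx", the class name and the host are placeholders, not values from the post.

```python
# Added example: extract Java applet loads (archive + parameters) from a captured
# KaiXin landing page and tag known jar names with the CVE the post lists.
from html.parser import HTMLParser

# jar -> CVE mapping taken from the post
KAIXIN_JARS = {
    "BvJfRc.jar": "CVE-2012-4681",
    "EyDsJd.jar": "CVE-2013-0422",
    "XlGaYb.jar": "CVE-2011-3544",
}

class AppletExtractor(HTMLParser):
    """Collect <applet archive=...> tags and the <param> tags nested in them."""
    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "applet":
            self._current = {"archive": a.get("archive"), "code": a.get("code"), "params": {}}
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name")] = a.get("value")

    def handle_endtag(self, tag):
        if tag == "applet" and self._current is not None:
            self.applets.append(self._current)
            self._current = None

def extract_applets(html: str) -> list:
    """Return one dict per applet: archive, code, params, candidate URLs and the CVE if the jar is known."""
    p = AppletExtractor()
    p.feed(html)
    for ap in p.applets:
        ap["cve"] = KAIXIN_JARS.get(ap["archive"] or "", "unknown")
        # any parameter value that looks like a URL is a candidate payload location
        ap["urls"] = [v for v in ap["params"].values() if v and v.startswith("http")]
    return p.applets

# Constructed sample: parameter name, class name and host are placeholders.
SAMPLE = """<html><body>
<applet archive="EyDsJd.jar" code="Exp.class" width="1" height="1">
  <param name="xxx" value="http://landing.invalid/11.7.exe">
</applet></body></html>"""

if __name__ == "__main__":
    for ap in extract_applets(SAMPLE):
        print(ap["archive"], ap["cve"], ap["urls"])
```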

After that, the EK moves on to vulnerabilities other than JRE.


Let's look at each of the HTML files being loaded.

RfVvPx.html

"RfVvPx.html" is always loaded. It attacks Adobe Flash Player vulnerabilities.

https://gist.github.com/koike/d958b5ea79a558e5f440008d2abc1ae7


The swf file to load is chosen from the Flash Player and IE versions. I'm not familiar with swf, but the EK downloads and executes malware using some Adobe Flash Player vulnerability.


XsSgBz.html

"XsSgBz.html" is loaded when the user is on Edge on Windows 10. This HTML exploits CVE-2016-7200 and CVE-2016-7201. These vulnerabilities were used in multiple EKs; details are described on Kafeine's blog.

http://malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html

The first part contains code that decodes the download URL, plus the shellcode that downloads and executes the malware.

https://gist.github.com/koike/01bea2bcd1ec805d4fc67a2514e95aef


The shellcode is published on GitHub:

https://github.com/stephenbradshaw/shellcode/blob/master/descript.asm

The second part is an exploit for Microsoft Edge (CVE-2016-7200 and CVE-2016-7201). Once comments and the like are removed, it almost exactly matches the code published on the following GitHub page.

https://github.com/theori-io/chakra-2016-11/blob/master/exploit/FillFromPrototypes_TypeConfusion_NoSC.html

OvTiFx.html and HiFyUd.html

"OvTiFx.html" and "HiFyUd.html" use CVE-2016-0189. This vulnerability is also used by RigEK and others. For details, see here:

https://gist.github.com/koike/7aae4bdd11cd415c83f2cea4cddc9d03


Malware

This is the malware dropped by KaiXin EK. I could not identify it; please let me know if you can analyze it.

MD5 : 1a1929f525a710c81dfb7873ddad9d33
SHA256 : f710f3c77276e7082d68d365413a658d80b6cac66c8b0c9a67b20426259a2035

https://www.hybrid-analysis.com/sample/f710f3c77276e7082d68d365413a658d80b6cac66c8b0c9a67b20426259a2035?environmentId=100
https://www.virustotal.com/#/file/f710f3c77276e7082d68d365413a658d80b6cac66c8b0c9a67b20426259a2035/detection

Conclusion

KaiXin EK doesn't have a very complicated mechanism, but its logic was interesting. The vulnerabilities it uses are old and not very effective, but I enjoyed the analysis ;)

A zip archive of the IOC files is here:
https://gist.github.com/koike/276628c896f572a7ebc9e0b933d27c78

Tuesday, October 17, 2017

Response of Rig Exploit Kit has changed

Introduction

On October 15, I noticed a change in Rig Exploit Kit. It's a very small change, and some people may not have noticed it. Its impact is limited, but it has been troublesome for some researchers. I'll describe the change.

Change of RigEK

First of all, do you know how RigEK behaves? RigEK has several features that interfere with analysis. Besides obfuscating its code, it has an access control function. Simply put, RigEK will not attack the same IP address more than once in a row: if you access it again, you are redirected to an ordinary website (strictly speaking, there is a grace period of one and a half to two minutes). This makes analysis difficult.

This is the response of the previous RigEK landing page:



The top is the response on first access; the bottom is the response on a second access from the same IP address.

The second response is very characteristic. It redirects to the website in the Location header with HTTP status code 302, but the body still contains the attack code. So by ignoring the Location header, it was possible to analyze RigEK any number of times.

However, two days ago the response for the second and later accesses changed. The new response is as follows.


Instead of a 302, the string "not found" is now sent with status 200. This is a small change, but it clearly shows that RigEK is changing.
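As an added example (not code from the post), a classifier that sorts captured landing-page responses into the three behaviours described above: first visit, the old gated 302-with-body, and the new gated 200 "not found". The sample responses and the script markers used to spot a landing-page body are constructed assumptions, not real captures.

```python
# Added example: classify RigEK landing-page responses by the gate behaviour
# described in the post. Sample responses are constructed, not real captures.
from dataclasses import dataclass, field

# Assumed markers for illustration; a real detector would use a signature
# for the obfuscated landing-page JavaScript instead.
ATTACK_MARKERS = ("<script", "eval(", "unescape(")

@dataclass
class HttpResponse:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def has_attack_code(body: str) -> bool:
    """Heuristic: a body that still carries script is treated as a landing page."""
    low = body.lower()
    return any(m in low for m in ATTACK_MARKERS)

def classify(resp: HttpResponse) -> str:
    """Return which RigEK gate behaviour this response matches."""
    location = {k.lower(): v for k, v in resp.headers.items()}.get("location")
    if resp.status == 302 and location and has_attack_code(resp.body):
        # Old behaviour: redirect header, but the exploit body is still served,
        # so an analyst who ignores Location can keep analysing.
        return "gated-302-with-body"
    if resp.status == 200 and resp.body.strip().lower() == "not found":
        # New behaviour (Oct 2017): plain 200 with "not found", nothing to salvage.
        return "gated-200-not-found"
    if resp.status == 200 and has_attack_code(resp.body):
        return "first-visit-landing"
    return "other"

# Constructed samples for the three cases
LANDING_BODY = "<html><script>eval(unescape('...'))</script></html>"
FIRST = HttpResponse(200, {"Content-Type": "text/html"}, LANDING_BODY)
OLD_GATE = HttpResponse(302, {"Location": "http://example.invalid/"}, LANDING_BODY)
NEW_GATE = HttpResponse(200, {"Content-Type": "text/html"}, "not found")

if __name__ == "__main__":
    for name, r in (("first", FIRST), ("old gate", OLD_GATE), ("new gate", NEW_GATE)):
        print(name, "->", classify(r))
```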

Conclusion

Such changes will keep happening. Paying attention to small changes too, I will keep observing RigEK.

Wednesday, September 27, 2017

Looking into Drive-by Mining

Introduction

Recently, ESET, Sucuri and Malwarebytes released reports on web mining. Drive-by download is not as strong as before, but drive-by mining is on the rise. Drive-by mining comes in two patterns: compromised legitimate websites and malvertising. I observed similar traffic in my traffic observation environment. There are several campaigns, and one of them is very interesting; here is a short report on it.

Traffic Analysis

The entry point is an ordinary website that loads advertisements, which is where the malvertising comes in. This code was loaded on the site:



For "code[.]moviead55[.]ru", refer to the ESET report:
"Cryptocurrency web mining: In union there is profit"

But it generated traffic slightly different from what the report describes.

The loaded code is simply obfuscated. Once decoded, after some processing, it generates an iframe.



This iframe loads an HTML page, which contained the following code:



Let's look at the JavaScript registered as a Worker.



This is the wasm being loaded:
https://www.virustotal.com/#/file/1fd2bc9a5011ad82b543b51b8f800d47bc5d8229a01263de620f878088ff585a/detection

convert.js was very similar to code published on GitHub:
https://github.com/mtve/yazecminer

Finally, this is the traffic chain.

While accessing it, my CPU load was high.

Conclusion

Attackers always use the latest technology. I found many sites using coin-hive and the like for drive-by mining. If your CPU load is high while browsing a website, mining is a possibility.




Saturday, August 5, 2017

Malware dropped by RIG(2017 July)

These are the malware dropped by RIG that I observed in July.

If you have additional information, please contact me on Twitter (@nao_sec).

Saturday, July 22, 2017

Seamless Campaign Dropping Ramnit Continuously 1

Please read the previous blog post about malware in May and June:
http://www.nao-sec.org/2017/07/malware-dropped-by-rig2017-may-june.html

The addresses of the known C2 servers introduced in several blogs are as follows:

  • 142.4.204.195
  • 34.194.213.50 - aofmfaoc.com
  • 87.106.190.153
  • 62.173.141.41 - gssbjwhoose.com
  • 185.118.65.143 - hdyejdn638ir8.com

Refer to the following:

The domain name changes quickly, while the IP address is reused several times. I'll report the Ramnit-related malware and C2 servers connected with these C2.

Network Based IOCs

  • 162.255.119.204 - onaxjbfinflx.com
  • 162.255.119.206 - lwqmgevnftflytvbgs.com
  • 162.255.119.18 - sinjydtrv.com
  • 162.255.119.193 - mrthpcokvjc.com
  • 185.118.66.222 - xomeommdilsq.com
  • 166.78.144.80 - ydchosmhwljjrq.com
  • 185.20.225.124 - g283yr84iri4i.com
  • 62.173.141.42 - ypfptjsuthmaaebx.com

Malware Correlation





Wednesday, July 12, 2017

Malware dropped by RIG(2017 May-June)

These are the malware dropped by RIG that I observed in May and June. If you have additional information, please contact me on Twitter (@nao_sec).

Wednesday, July 5, 2017

Seamless localized to Japan

An article published by malwarebreakdown two days ago was very interesting.
https://malwarebreakdown.com/2017/07/03/seamless-campaign-leads-to-rig-ek-at-188-225-79-43-and-drops-ramnit/

This post supplements that article.

---

That excellent article covered some of the redirect flows and the latter half of the chain. Here I describe the first half.

First, a malicious ad redirects to "194.58.60.51/usa". "usa" looks like an ordinary website; here is part of the actual code.



It looks like ordinary code, but it contains obfuscated code, which decodes as follows.



This looks like Google Analytics code, but it is actually different: it sends a POST request to "usa".



JavaScript is used to obtain the time zone and send it. If a Japanese time zone is sent, the visitor is redirected to an ordinary website; if it is a US time zone, the next stage of the flow follows.

This redirects to "outedward-engrees.com", which looks like this when accessed:



Please see the malwarebreakdown article after this :)

---

Well, I made an interesting discovery by chance. I looked up "194.58.60.51" on VirusTotal and got this information.


Surprisingly, "japan.php" exists on the same server!

The code of "japan.php" is exactly the same as "usa", but the time zone sent must be set to Japan to be connected to RigEK.



"usa" was redirected to "signup3.php", but "japan.php" redirects to "signup1.php".

The dropped malware is Ramnit as usual.
https://www.hybrid-analysis.com/sample/3f949006c99d03b15ea4a1a11b40f1cf420573d2c86f1025a3b82badf18dc361?environmentId=100
https://virustotal.com/en/file/3f949006c99d03b15ea4a1a11b40f1cf420573d2c86f1025a3b82badf18dc361/analysis/1499245648/

---

P.S. Added pcap link:
https://gist.github.com/koike/8f3fcbb2e6906e29155a57d6f87df396


Localizations for countries other than Japan may also exist.
If you know of any, please let me know ;)