Friday, April 28, 2017

How to get malware dropped from RigEK

I have been investigating RigEK for about 4 months, but analyzing it is very troublesome. In particular, the most time-consuming part is finding out what malware RigEK drops.

That is because I don't have a dynamic analysis environment. I tried to build one before, but gave up because of problems such as cost and lack of knowledge... So I only do static analysis of DbD and EKs.

So I created a tool that retrieves the malware from RigEK purely by static analysis. The approach is simple: the tool just follows the steps RigEK takes to drop malware on a user. With this tool, I can now get the malware in 1/100 of the time it took before.

I named the tool mal_getter. The code is here.
https://github.com/nao-sec/mal_getter

---

Briefly, here is how to use it.

1. This tool uses PHP 7 and Composer. Install them.
2. Clone mal_getter.
3. Prepare the necessary files using Composer.
4. Give the necessary information to main.php and get the malware.

For Example,

Please read the README for details ;)

---

I skip explaining the code, because it would be pointless: mal_getter depends heavily on the RigEK and campaign code and will stop working soon. I see no future in this tool, so I am simply making it public. Although I intend to fix it each time it breaks, I think I will eventually reimplement it using a browser sandbox or similar.

Have a good analysis day😉

Wednesday, April 26, 2017

Ransomware Matrix Analysis

Matrix

I observed the EITest campaign redirecting to RigEK, which dropped Matrix.
It is classified as Version 3 by BleepingComputer.
Please refer to the following website.

Cannot analyze with Cuckoo

In malwr's analysis report it was displayed as follows.
Maybe Cuckoo's function hooks were modified by Matrix.
Sorry, I have not found that code yet.
Also, I could not analyze it in my own sandbox (Cuckoo 2.0.1).



Behavior

Memory write and child process generation

Matrix writes code into memory.
One of the written blobs is packed with UPX.


The Matrix executable creates a copy of itself with a random name in the following locations.
%APPDATA%\MICROS~1\[random].exe
%APPDATA%\[random]\[random].exe
%LOCALAPPDATA%\MICROS~1\
%TEMP%\[random].exe
%TEMP%

The copy is then executed as a child process.
The original and the copy have the same hash.
The files in the following locations are deleted after encryption.
%APPDATA%\MICROS~1\[random].exe
%APPDATA%\[random]\[random].exe
%LOCALAPPDATA%\MICROS~1\
%TEMP%\[random].exe

Executed command

Matrix deletes the volume shadow copies via a cmd.exe command.
It also disables startup repair (Windows Recovery Environment) at boot time.

%APPDATA%\[random].cmd
echo vlc091eFKxql4VW4M
ping -n 6 localhost
wmic.exe process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
echo vlc091eFKxql4VW4M
ping -n 3 localhost
cmd.exe /C vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
ping -n 3 localhost
echo vlc091eFKxql4VW4Mg
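As an added example (not code from the original post), here is a small detector that scans process-creation log lines for the recovery-inhibiting commands that appear in this .cmd file: shadow copy deletion, disabling recovery, ignoring boot failures, and cmd.exe spawned through wmic. The log lines and their "timestamp|image|commandline" format are constructed for illustration, and the random file name in them is a placeholder.

```javascript
// Added example, not from the original post. Flags process-creation records
// whose command line contains the commands seen in Matrix's [random].cmd.

const INDICATORS = [
  { name: 'shadow_copy_deletion', re: /vssadmin(?:\.exe)?\s+delete\s+shadows/i },
  { name: 'recovery_disabled',    re: /bcdedit(?:\.exe)?\s+\/set\s+\{default\}\s+recoveryenabled\s+no/i },
  { name: 'bootstatus_ignored',   re: /bcdedit(?:\.exe)?\s+\/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures/i },
  { name: 'wmic_spawn_cmd',       re: /wmic(?:\.exe)?\s+process\s+call\s+create\s+"?cmd(?:\.exe)?/i },
];

// Parse one "timestamp|image|commandline" record (constructed log format).
function parseLine(line) {
  const [ts, image, ...rest] = line.split('|');
  return { ts, image, cmd: rest.join('|') };
}

// Names of every indicator that matches a command line, in INDICATORS order.
function matchIndicators(cmd) {
  return INDICATORS.filter(i => i.re.test(cmd)).map(i => i.name);
}

// Scan a list of records; return only the ones with at least one indicator.
// A record carrying all of shadow_copy_deletion, recovery_disabled and
// bootstatus_ignored at once is the pattern this .cmd file produces.
function scanLogs(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    const indicators = matchIndicators(rec.cmd);
    if (indicators.length > 0) {
      hits.push({ ts: rec.ts, image: rec.image, indicators });
    }
  }
  return hits;
}

// Constructed sample log; "abc123" stands in for the random file name.
const SAMPLE_LOG = [
  '2017-04-26T10:00:01|C:\\Windows\\System32\\cmd.exe|cmd.exe /c "C:\\Users\\user\\AppData\\Roaming\\abc123.cmd"',
  '2017-04-26T10:00:02|C:\\Windows\\System32\\PING.EXE|ping -n 6 localhost',
  '2017-04-26T10:00:08|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic.exe process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"',
  '2017-04-26T10:00:09|C:\\Windows\\System32\\cmd.exe|cmd.exe /C vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures',
  '2017-04-26T10:05:00|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows',
];

console.log(JSON.stringify(scanLogs(SAMPLE_LOG), null, 2));
```

Only the two lines that actually delete shadow copies and rewrite the boot configuration are reported; the benign `vssadmin.exe list shadows` and the ping delays are ignored. The "ping -n N localhost" sleeps between the commands are worth keeping in mind when correlating, since the related events are spread over several seconds.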

The Hybrid-analysis.com report shows the child process execution parameters of Matrix.



This value is sent to the external server together with a status.



Show ransom note

The HTA ransom note is registered in the Startup folder.
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\[random].hta

Encrypt

Files in the following two folders are encrypted recursively.
C:\Users\All Users\
C:\Users\user_name\
According to the malware author, files are encrypted with RSA-2048.
Unfortunately, this is still under investigation.


Analysis report

  • https://malwr.com/analysis/ZWYyY2RiNDFlYzc5NDI2NzkyNWIyYmYxYTUzZmY4NDk/
  • https://www.hybrid-analysis.com/sample/7aeaec6fa2ac8a5d4b9f0de78c39ba978b9b3f39ad422b12d567ed730a54be47


Tuesday, April 18, 2017

Analyzing Rig Exploit Kit vol.1

First

When I began writing this article, I didn't know that Talos had written detailed articles about RigEK. I read it after I finished writing this article, and it is a very nice and detailed analysis report. If you want to do a detailed analysis of RigEK, I recommend referring to that article.
http://blog.talosintelligence.com/2016/11/rig-exploit-kit-campaign-happy-puzzling.html

This article is a memo that concisely summarizes information about RigEK for my future self, who will be writing a college graduation thesis in a few months ;)

Step 0

There is a pcap that I captured myself, but the pcap that Brad organized is cleaner than mine, so I will use it. I appreciate Brad every day. Thank you for writing about drive-by download attacks and exploit kits.

Download pcap from Malware-traffic-analysis.
http://www.malware-traffic-analysis.net/2017/04/16/index.html

Step 1

Kindly enough, the zip contains the HTML of the landing page, but let's investigate in order this time.

First, looking at the end of the HTML obtained when accessing the compromised site, there is an injected script that is recognizable as EITest at first sight.



This script tag loads "side[.]chobaniandyr[.]com" in an iframe.

Step 2

Let's look at the landing page of the loaded RigEK. You will see obfuscated code that is very verbose and difficult for humans to read.



As you can see from reading the code, it consists of three JavaScript elements. I will call them Part 1, Part 2 and Part 3. In the previous version of RigEK it was not divided into three parts; only Part 3 existed. Please refer to the RSA analysis article for details.
https://community.rsa.com/community/products/netwitness/blog/2017/02/01/rig-ek-chronology-of-an-exploit-kit

The three parts are shown below.




Step 3

Parts 1 to 3 share the same obfuscation logic, and it is very simple. Here I show the deobfuscation procedure only for Part 3, which has the least code; Part 1 and Part 2 can be deobfuscated in the same way.



First, a string containing many unfamiliar symbols appears; it is split on an unusual delimiter string. Doing the following makes it visually easier to understand.





As you can see, combining the first array and the second array generates new JavaScript. In other words, the script reads the first array in reverse order and concatenates each element with the corresponding element of the second array. The same processing is repeated in the subsequent steps.

Reading the code, it dynamically generates JavaScript code and executes it with eval. The strings passed to eval in Parts 1 to 3 are as follows.





That removes the first stage of obfuscation. Let's decipher the next one.

Step 4

The second stage of obfuscation is easy; you can see it at a glance from the code. It is just Base64. The result of decoding the Base64-encoded string is as follows.
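The two stages described in Step 3 and Step 4, replayed on a constructed sample as an added example (this is not code from the original post or from the kit's landing page). The delimiter string, the sample arrays and the decoded result are all constructed; the join rule is an assumption based on the description above: the first array is read from its last element to its first, and element i of that reversed view is concatenated with element i of the second array. The rebuilt string is decoded rather than handed to eval.

```javascript
// Added example, not from the original post. Replays the two deobfuscation
// stages on constructed input. Assumed: the delimiter and the join rule.

// Constructed sample: two delimited strings, as the landing page would carry them.
const DELIMITER = '!#!';                      // assumed odd-looking separator
const FIRST_RAW  = 'Mi!#!YW!#!In!#!IH!#!dm';  // stored in reverse order
const SECOND_RAW = 'Fy!#!g9!#!N0!#!dl!#!I7';

// Stage 1 (Step 3): split both strings on the delimiter, read the first array
// backwards and interleave it with the second array. In the kit, the result
// is passed to eval; here it is only returned.
function stage1(firstRaw, secondRaw, delimiter) {
  const first = firstRaw.split(delimiter);
  const second = secondRaw.split(delimiter);
  if (first.length !== second.length) {
    throw new Error('array length mismatch: ' + first.length + ' vs ' + second.length);
  }
  let out = '';
  for (let i = 0; i < second.length; i++) {
    out += first[first.length - 1 - i] + second[i];
  }
  return out;
}

// Stage 2 (Step 4): the rebuilt string is plain Base64. Check the alphabet
// first so that a wrong join rule is reported instead of producing garbage.
function stage2(b64) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) {
    throw new Error('stage 1 output is not Base64: ' + b64);
  }
  return Buffer.from(b64, 'base64').toString('utf8');
}

function deobfuscate(firstRaw, secondRaw, delimiter) {
  return stage2(stage1(firstRaw, secondRaw, delimiter));
}

console.log(stage1(FIRST_RAW, SECOND_RAW, DELIMITER));
console.log(deobfuscate(FIRST_RAW, SECOND_RAW, DELIMITER));
```

On the constructed input, stage 1 yields the Base64 string dmFyIHg9InN0YWdlMiI7 and stage 2 decodes it to the harmless statement var x="stage2";. With real landing page content, the same two functions give you the next-stage script as text, which is what you want to read statically instead of letting the page eval it.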





Step 5

I will analyze each part. Here, Part 1 is VBScript, Part 2 is JavaScript (VML) and Part 3 is JavaScript (Flash), but the order seems random. Each part exploits a vulnerability in the respective application to execute arbitrary code; as a result, malware is dropped and the machine is infected.

Part1

There is a great article below about this.
http://marcoramilli.blogspot.jp/2017/03/a-quick-revenge-analysis.html

Part2

There is a great article below about this.
http://binaryhax0r.blogspot.jp/2016/09/rig-exploit-kit-shellcode-spwans.html

Part3

I am not familiar with SWF, so I omit it.

Finally

In this way, RigEK delivers malware to users with a bit of obfuscation and multiple exploits. These contents will probably change with RigEK updates in a few days or weeks; if I can observe that, I will write another article.

Have a good analysis day😉