Monday, May 8, 2017

Analyzing Rig Exploit Kit vol.2

Introduction

About a month ago I wrote the article "Analyzing Rig Exploit Kit vol.1", but I have since observed a payload different from the one introduced there, so I will introduce it here.

Step 0

For the behavior of RigEK, please read the previous article first; since the steps up to Step 4 are the same, I will skip them this time. Last time I introduced the payloads using the vulnerabilities CVE-2016-0189 and CVE-2015-2419, plus an swf one (I have no knowledge of swf, so I omitted it).

Analyzing Rig Exploit Kit vol.1

Step 1

As before, reading through the obfuscated RigEK code reveals 3 payloads. The first uses the same CVE-2016-0189 as last time, the second again uses swf, and the third is the payload introduced in this article. The following is the code immediately after de-obfuscation.

Step 2

The code is VBScript; only a small part of it resembles the CVE-2016-0189 payload, but let's read the code in order.

The function sdefgfss(), written at the beginning, contains unusual binary strings that are not commonly seen; rewritten for readability it is the following code.

In VBScript "&" is used for string concatenation, so if you have studied Drive-by Downloads or Exploit Kits before, this code will look familiar. This function is the one that executes "o32.tmp": the URL downloads the malware (served as x-msdownload) from RigEK, and the key is used to decode the dropped malware with RC4.
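As an added example (not code from the original post or from RigEK), here is a small Python helper that does what the analysis above implies an analyst does by hand: joining the "&"-concatenated VBScript literals back into one string, then RC4-decrypting the drop and checking that the result is a PE image. The key and the MZ/PE stub below are constructed placeholders; the real values only exist inside the obfuscated script.

```python
import re

def join_vbscript_concat(expr: str) -> str:
    """Join a chain of VBScript literals glued with "&" into one string.
    Handles quoted literals and Chr(n) calls, enough for the "a" & "b" & Chr(n) pattern."""
    out = []
    for lit, chr_code in re.findall(r'"((?:[^"]|"")*)"|Chr\((\d+)\)', expr):
        out.append(chr(int(chr_code)) if chr_code else lit.replace('""', '"'))
    return "".join(out)

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so this both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on a decrypted drop: DOS 'MZ' magic and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

# Constructed placeholder; the real key is read out of the de-obfuscated sdefgfss() function.
CONSTRUCTED_KEY = b"constructed-key"

def constructed_dropped_payload() -> bytes:
    """Constructed stand-in for the RC4-encrypted drop: a minimal MZ/PE skeleton, encrypted."""
    header = bytearray(b"MZ" + b"\0" * 0x3A)   # DOS header up to e_lfanew (offset 0x3C)
    header += (0x40).to_bytes(4, "little")     # e_lfanew -> PE header at offset 0x40
    header += b"PE\0\0" + b"\0" * 20
    return rc4(CONSTRUCTED_KEY, bytes(header))

def decrypt_dropped_payload(blob: bytes, key: bytes) -> bytes:
    """RC4-decrypt a drop with the key taken from the script; fail loudly if it is not a PE."""
    decoded = rc4(key, blob)
    if not looks_like_pe(decoded):
        raise ValueError("decrypted data is not a PE image: wrong key or not an RC4 drop")
    return decoded
```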

Step 3

Next, let's look at the area around the function called Begin(). First, it decides from the UserAgent whether the user is 32-bit or 64-bit; the target of this attack appears to be 32-bit users. After some meaningless processing, what follows is the payload for CVE-2014-6332. Please check the following article for details.
http://malware.dontneedcoffee.com/2014/11/cve-2014-6332.html

CVE-2014-6332 is a vulnerability used in many EKs, and it had previously been incorporated in RigEK; that is what we observed this time.

In closing

Rig changed its URL parameter just the other day, so the payload may also be updated; I will write an article if I observe it.

Have a good analysis day😉
