Wednesday, May 24, 2017

Analyzing Rig Exploit Kit vol.3

First

Although I have introduced RigEK's behavior several times so far, this time I will introduce its various changes. If you do not know the previous RigEK, please refer to the following.

https://github.com/nao-sec/RigEK/blob/master/README-en.md

Step 0

This case started with a tweet by @BroadAnalysis.

EITest was observed again.

Rig Exploit Kit via EiTest campaign from 109.234.36.68 delivers Mole ransomware

I had not observed EITest since April 28. It has now been observed again; please see the @BroadAnalysis blog for the specific traffic.

What I will introduce this time is the change in RigEK's behavior. I had been continuously observing Decimal IP and Seamless, but I have been unable to observe them for several days. It seems that RigEK changed while I could not observe them.

Step 1

It begins with the familiar EITest code.



The injected EITest code dynamically generates an iframe and redirects it to RigEK. Previously, this redirect returned a landing page containing obfuscated JavaScript to the user, but now it is different.



Let's follow the process.

Step 2

This HTML is loaded from the iframe on line 12. When the iframe is loaded, the onload event fires and start() is called. start() is as follows.



It calls getBrowser() and checks the user's fingerprint. Let's look at getBrowser().



RigEK uses the information obtained this way to check whether the user is in the target environment. If the user does not spoof the browser information and the browser is IE, a form tag is created and the user is sent to the next stage by an HTTP POST request.
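As an added example that is not part of the original post or of mal_getter, the following Python heuristic scans a captured landing page for the chain described above: an onload handler, a user-agent fingerprint with an IE check, a dynamically created form sent by POST. The sample pages are constructed to mirror that structure and are not captured RigEK traffic; the indicator names are my own.

```python
import re

# Heuristic indicators of the POST-based gate described in the post.
# Names are assumptions for this example, not RigEK identifiers.
INDICATORS = {
    "onload_handler": re.compile(r"onload\s*=\s*['\"]?\s*\w+\s*\(", re.I),
    "ua_fingerprint": re.compile(r"navigator\.(userAgent|appVersion|appName)", re.I),
    "ie_check": re.compile(r"(MSIE|Trident|ActiveXObject|documentMode)", re.I),
    "dynamic_form": re.compile(r"createElement\s*\(\s*['\"]form['\"]\s*\)", re.I),
    "post_method": re.compile(r"method\s*=\s*['\"]?post['\"]?", re.I),
    "auto_submit": re.compile(r"\.submit\s*\(\s*\)", re.I),
}

# The core of the chain: fingerprint, then a script-built form submitted by POST.
CORE = ("ua_fingerprint", "dynamic_form", "post_method", "auto_submit")


def scan_landing_page(html: str) -> dict:
    """Report which indicators appear and whether the full gate chain is present."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    return {
        "hits": hits,
        "score": sum(hits.values()),
        "suspicious": all(hits[name] for name in CORE),
    }


# Constructed sample mimicking the gate structure (not real captured content).
SAMPLE_GATE = """<html><body onload="start()"><script>
function getBrowser(){var ua=navigator.userAgent;return /MSIE|Trident/.test(ua);}
function start(){if(getBrowser()){var f=document.createElement("form");
f.method="POST";f.action="/";document.body.appendChild(f);f.submit();}}
</script></body></html>"""

# Constructed benign page: reads the user agent but builds no POST form.
SAMPLE_BENIGN = """<html><body onload="init()"><script>
function init(){document.getElementById("x").innerText=navigator.userAgent;}
</script><div id="x"></div></body></html>"""

if __name__ == "__main__":
    for label, page in (("gate", SAMPLE_GATE), ("benign", SAMPLE_BENIGN)):
        print(label, scan_landing_page(page))
```

A single indicator such as reading navigator.userAgent is common on legitimate pages, so the verdict requires the whole fingerprint-then-POST chain.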

Step 3

After that, it is the same as before. The HTML containing the obfuscated JavaScript is loaded, and attacks exploiting some vulnerability are carried out. The exploit code used does not seem to have changed in particular.

Finally

In this way, RigEK has changed to use a POST request. This technique is not uncommon, but it shows that RigEK is still evolving. I will continue to track RigEK.

P.S.

Regarding this change in RigEK, my mal-getter already supports it :)

https://github.com/nao-sec/mal_getter
