Thursday, January 24, 2019

In-Depth analysis of new Fallout Exploit Kit

First

Fallout Exploit Kit has been observed since August 2018. It is very popular and used in many attack campaigns. However, around the end of 2018 Fallout was no longer observed. The break was short, and it soon came back.

It came back with several changes:

1. HTTPS
  - Using Let's Encrypt
2. Landing Page
  - The code that generates the exploitation code has changed
3. CVE-2018-8174
  - Changed shellcode
    - Using PowerShell
    - Bypass AMSI
4. CVE-2018-15982

In this article, I will look into these changes in detail.

HTTPS

Fallout began using HTTPS. This may make analysis and detection a bit more difficult. It uses a certificate from Let's Encrypt.



Landing Page

In the previous landing page the JavaScript was not obfuscated. The custom Base64 used to generate the exploitation code was easy to read, and its alphabet table was written in plain form.

In the new landing page all of this processing is obfuscated. But there is nothing to fear: the obfuscation is very simple.

If you extract the last JavaScript block and decode it, it looks something like this.

After cleaning it up, it looks like this.

Let's read it in order. The first line extracts the necessary data from the HTML; decoding this string produces the exploitation code. The second line defines the alphabet table of the custom Base64.


The next two functions are the custom Base64 decoder. This has not changed from the previous version.



Next, Fallout creates an embed element. Its src is encoded, but decoding it yields a URL. This loads the SWF that exploits CVE-2018-15982.


Finally, Fallout creates a script element. The VBScript text is the decoded version of the HTML data read in line 1. This loads the exploitation code for CVE-2018-8174.


CVE-2018-8174

The exploit code is exactly the same as the PoC; only the shellcode has been updated.


Looking at the shellcode, it contains encrypted data at the end, which it decrypts and runs via CreateProcess.


The data is encrypted with RC4.


The key is hard-coded, and decrypting the data with it yields the following PowerShell code.


Decoding the Base64 and formatting the result looks like this:

The first line is a technique to bypass the Antimalware Scan Interface (AMSI), which Matt Graeber tweeted in 2016.

Next, C# code is defined. Formatted, it looks like this. It declares CreateProcess.


Next is the process of downloading and saving the malware. Previously the download was RC4-encrypted, but now it is a plain exe file.


Finally, the malware is run via CreateProcess.


CVE-2018-15982

In this update CVE-2018-15982 has been added to Fallout.


However, it is the same as the PoC. The shellcode is custom, but it is the same as the one already explained above for 8174.



It differs only slightly, in the final PowerShell code: instead of executing the malware with CreateProcess as in 8174, it runs it with Invoke-Expression.


Conclusion

Fallout made interesting updates, such as exploiting CVE-2018-15982 and downloading and executing malware with PowerShell while bypassing the Antimalware Scan Interface. 15982 has also been exploited by other exploit kits such as Underminer. Please keep an eye on them.

Sample Data
- saz
  - 8174
    - a821dda3cba7851bf0baf4bce8da04d78107be846b18bcb6d29dc92d49973ca8
  - 15982
    - 71fcea2737551627e5bd9968903f68b7cb81a75b92fa9d10c767c1b23e6084ac
- swf
  - 15982
    - e82b042f438c173ae90d056a6c52c0a822d0f263bf8abab60503b9c5c6d68a9c

Tuesday, November 13, 2018

HookAds -> Fallout EK pushes Vidar, and new GlobeImposter

Update: 2019-01-14
I wrote this as Nocturnal Stealer, but with the help of Fumik0_ I understood that this is Vidar. Thank you Fumik0_!!

Ref: Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)

---

@malware_traffic posted about a new GlobeImposter sample, and Bleeping Computer posted an article as well.
https://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/

We also encountered the new GlobeImposter via the HookAds campaign -> Fallout Exploit Kit in Japan.

https://app.any.run/tasks/7bbfdafe-4fee-4f26-8c3b-01d975868c02

Vidar


The first malware is a loader.
The following points are very similar to Nocturnal Stealer, but this is Vidar.

  • It creates these files:
    • C:\ProgramData\BEJ9QK4EIV6EK30NDC91\files\passwords.txt
    • C:\ProgramData\BEJ9QK4EIV6EK30NDC91\files\infomation.txt
  • Contents of infomation.txt
These are similar to the information described on Proofpoint's blog.

Other gathered items:

GlobeImposter

Nocturnal Stealer downloaded the next-stage malware.
GlobeImposter is almost the same as before.
The encrypted file extension changed to ".pptx".



Ransom Note [READ_ME.txt]



Payment Page

Conclusion

  • Fallout EK pushes Nocturnal Stealer
  • The information stolen by Nocturnal Stealer has changed.
  • Nocturnal Stealer downloads the new GlobeImposter
  • There were changes in the extension, the ransom note, and the payment page.

Saturday, September 1, 2018

Hello "Fallout Exploit Kit"

First

At the end of August 2018, we observed a new Exploit Kit. Its behavior (code generation using HTML) and URL pattern are similar to the Nuclear Pack Exploit Kit, so we named it "Fallout Exploit Kit". Fallout Exploit Kit uses CVE-2018-4878 and CVE-2018-8174. Its code is distinctive and interesting.

Traffic

On the afternoon of August 29th, we encountered the Fallout Exploit Kit while crawling ad networks from a Japanese IP address.


Accessing the landing page loads the exploit code for CVE-2018-8174, which is contained in a large span tag, and the exploit for CVE-2018-4878, which is loaded through an object tag.

CVE-2018-4878

The swf file read by the object tag uses CVE-2018-4878.


The swf file is very similar to PoC.


CVE-2018-8174

The large span tag contains VBScript code encoded with a custom Base64; it is decoded by JavaScript and executed via VBScript's "ExecuteGlobal".




If execution fails, window.location is changed. The redirect destination loads the landing page again; if that also fails, a dummy website is displayed.



The decoded result is an obfuscated version of the CVE-2018-8174 PoC. The basic structure is unchanged.


The shellcode generation routine, which is the core of this exploit code, is encoded with the custom Base64.


Shellcode

The shellcode flow is as follows:
[Download Encoded Payload] -> [Decode Payload] -> [Execute]


stage1:
The shellcode is further encoded with a single-byte XOR of 0x43.



In the decoded code, the following URL is hard-coded. In this case the malware download URL is "http[:]//naosecgomosec[.]gq/Elisions-Riboza-Rigwiddy-Heapstead/8275tv9/PMJqV/Begirdle.cfml?2TV5pG=hOqeWMno&OIfd64x=Shallops_Summative_1050_Parvenu".



stage2:
The shellcode resolves APIs by hash, using the ror13AddUpperDllnameHash32 algorithm.
Here is the list of hashed APIs.
The downloaded payload is encoded with XOR against a hard-coded key. In this case the key is "APyfhCxJ". It can be decoded with the algorithm in the following script.
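The two XOR layers described above (the 0x43 stage-1 layer and the repeating-key stage-2 layer) as an added Python example; this is not the script from the original post. It goes one step beyond the text: `recover_key` derives the stage-2 key from a captured download by assuming the payload begins with a standard DOS header, for cases where the shellcode itself was not recovered. The sample payload is constructed.

```python
# Added example (not code from the post): decoders for the two XOR layers
# described above. Stage 1 is a single-byte XOR with 0x43; the stage-2
# download is XORed with a repeating key, "APyfhCxJ" in this campaign.
STAGE1_KEY = 0x43
STAGE2_KEY = b"APyfhCxJ"
# First 8 bytes of a typical DOS header, used as known plaintext below.
DOS_HEADER = b"MZ\x90\x00\x03\x00\x00\x00"


def xor_single(data: bytes, key: int = STAGE1_KEY) -> bytes:
    """Undo the stage-1 single-byte XOR layer."""
    return bytes(b ^ key for b in data)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Undo the stage-2 repeating-key XOR (the operation is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(encoded: bytes, key_len: int = len(STAGE2_KEY)) -> bytes:
    """Generalisation beyond the post: recover a repeating XOR key of length
    key_len from a captured download, assuming the plaintext is a PE file that
    starts with the standard DOS header (known plaintext)."""
    if key_len > len(DOS_HEADER):
        raise ValueError("known plaintext too short for this key length")
    return bytes(e ^ k for e, k in zip(encoded[:key_len], DOS_HEADER))


def decode_payload(encoded: bytes, key: bytes = STAGE2_KEY) -> bytes:
    """Decode a captured stage-2 payload and check it really is a PE file."""
    plain = xor_repeating(encoded, key)
    if plain[:2] != b"MZ":
        raise ValueError("not a PE after decoding: wrong key or wrong sample")
    return plain


# Constructed sample (not a real payload): a fake PE header encoded the way
# the shellcode expects to find it on the wire.
FAKE_PE = DOS_HEADER + b"\x04\x00\x00\x00\xff\xff\x00\x00"
ENCODED_SAMPLE = xor_repeating(FAKE_PE, STAGE2_KEY)

if __name__ == "__main__":
    print("recovered key:", recover_key(ENCODED_SAMPLE))
    print("decoded:", decode_payload(ENCODED_SAMPLE))
```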

Malware

The exe file executed by the shellcode is a "Nullsoft Installer self-extracting archive". It runs SmokeLoader, which then downloads two exe files.


New.exe
This is a .NET binary obfuscated with Eazfuscator.NET. We analyzed it but could not identify the family name; it is probably a bot. The program contains strings encrypted with RijndaelManaged.


Searching for these strings, we found a tweet by VK_Intel that is probably related.


Loader.exe

It uses a vbs and a ps1 script to create a file called "vstools.exe" and run it.


"vstools.exe" is obfuscated with ".NET Reactor". After deobfuscating it, you can see that it is CoalaBot.


IOC

Fallout Exploit Kit



Nullsoft Installer self-extracting archive



SmokeLoader



Bot (New.exe)



CoalaBot




Saturday, June 23, 2018

Analyzing Shellcode of GrandSoft's CVE-2018-8174

First

A public exploit (PoC) for CVE-2018-8174 was published on 2018-05-21.

GrandSoft Exploit Kit previously used CVE-2016-0189. Now it uses CVE-2018-8174. The exploit is almost the same as the PoC, except that some obfuscation has been added. The shellcode, however, is unique. Previously the VBScript (CVE-2016-0189) code generated the cryptographic key and decoded the payload; this has been moved into the shellcode.

The previous flow was as follows:
    Random Number Generation -> Generate Key Using Random Number ->
    Add the Key to the End of URL -> Download Encrypted Malware ->
    Decode by the Key

The new flow is as follows:
    Random Key Generation -> Add the Key to the End of URL ->
    Download Encrypted Malware -> Decode by the Key
    (all of this is done in the shellcode)

Traffic

First, let's look at recent GrandSoft traffic. The link to the saz file is given in Kafeine's blog.
https://malware.dontneedcoffee.com/2018/05/CVE-2018-8174.html

Looking at this saz file, the traffic looks like the following.


The traffic flow is the same as before. It consists of Landing Page, Exploit and Malware. CVE-2018-8174 is used for the exploit, which downloads and executes the malware. The malware payload is encrypted, so the shellcode decrypts it using numerical values taken from the URL.

CVE-2018-8174

For a technical explanation of CVE-2018-8174, please refer to other articles.
https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/

The code actually used in GrandSoft looks like this.

Dead code is included, but it is basically the same as the PoC. The difference from the PoC is the GetShellcode part: GrandSoft's GetShellcode function has been renamed to c111111, and it looks like this.


Shellcode

The shellcode resolves APIs by hash, but the hash differs from the well-known ones.




The shellcode hash algorithm is ror14AddHash32.
The pseudocode is as follows:

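The rotate-and-add API hashing used by this shellcode, and by the Fallout shellcode described in the "Hello Fallout Exploit Kit" post above (ror13AddUpperDllnameHash32), as an added Python example that is not the post's own pseudocode. It assumes the GrandSoft variant (rotation by 14) hashes the function name alone without a terminator, as the ror13AddHash32 family does; the ror13AddUpperDllnameHash32 computation is the one Metasploit's block_api uses and is checked against its published LoadLibraryA constant.

```python
# Added example (not code from the post): the ror-and-add API hashes used by
# exploit-kit shellcode. Precomputing a hash -> name table lets an analyst
# label the constants seen in a shellcode dump without executing it.
MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror_add_hash(data: bytes, bits: int) -> int:
    """Core loop: for each byte, rotate the accumulator right, then add the byte."""
    h = 0
    for b in data:
        h = (ror32(h, bits) + b) & MASK32
    return h


def ror13_add_upper_dllname_hash32(dll: str, func: str) -> int:
    """ror13AddUpperDllnameHash32 (Fallout, Metasploit block_api): ror13 over
    the upper-cased UTF-16LE DLL name including its terminator, plus ror13 over
    the ASCII function name including its terminator, summed mod 2**32."""
    dll_hash = ror_add_hash((dll.upper() + "\x00").encode("utf-16-le"), 13)
    func_hash = ror_add_hash(func.encode("ascii") + b"\x00", 13)
    return (dll_hash + func_hash) & MASK32


def ror14_add_hash32(func: str) -> int:
    """GrandSoft-style variant: same loop with a rotation count of 14 over the
    function name only. Assumption: no terminator byte is included."""
    return ror_add_hash(func.encode("ascii"), 14)


def build_hash_table(pairs) -> dict:
    """Map hash value -> "dll!func" for a list of (dll, func) pairs."""
    return {ror13_add_upper_dllname_hash32(d, f): f"{d}!{f}" for d, f in pairs}


if __name__ == "__main__":
    table = build_hash_table([("kernel32.dll", "LoadLibraryA"),
                              ("kernel32.dll", "VirtualAlloc"),
                              ("wininet.dll", "InternetOpenA")])
    for h, name in sorted(table.items()):
        print(f"0x{h:08X} {name}")
```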


The shellcode uses the GetTickCount function to generate the key.


The decoding algorithm is unchanged from the VBScript version.


The pseudocode is as follows:


Conclusion

GrandSoft has adopted CVE-2018-8174, which may make it a bit more powerful. The shellcode is somewhat distinctive. Enjoy analyzing the shellcode!

Monday, February 12, 2018

Analyzing GrandSoft Exploit Kit

First

I didn't know about GrandSoft EK until several weeks ago, because GrandSoft EK was active around 2012-13 and I only started studying web security in 2017. I thought it was the same as many other EKs that are no longer active. However, as Kafeine tweeted on January 30, they have resumed their activities.


Looking at this tweet, I immediately investigated GrandSoft EK. Even searching "GrandSoft Exploit Kit" on Google, I didn't get much info (only Kafeine's awesome blog posts were found), and these were written in 2012-13 (a little old).

http://malware.dontneedcoffee.com/2012/10/neosploit-now-showing-bh-ek-20-like.html
http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft.html

When you look at MISP Galaxy, you get info about it.


https://github.com/MISP/misp-galaxy/blob/master/clusters/exploit-kit.json#L323-L338

According to this, GrandSoft EK was active around 2012-13 and has not been observed since March 2014. That info is old: searching Twitter, there are records of it being observed in September 2017.


After that there was a gap, and then the recent events occurred. In January 2018, GrandSoft EK was observed delivering GandCrab.

https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
https://zerophagemalware.com/2018/02/10/grandsoft-ek-via-slots-drops-leviarcoin-miner/

Jerome and Zerophage wrote wonderful articles; just reading them gives a lot of information about the attacks. But I learned a few things that are not written there, so I write some of that information here.

Traffic Analysis

This time I analyze the following traffic. Please refer to my saz file if necessary.

https://traffic.moe/2018/02/09/index.html

The chain begins at an ad network. While browsing legitimate websites, you are taken from certain ad networks to the gate of the attack campaign (some people call this the "Slots Campaign").

Please see this for the "Slots Campaign".


In the Slots Campaign's gate, the redirect is done with an HTTP Location header. This leads to the landing page of GrandSoft EK.


The landing page checks the user's environment. It receives the information as URL strings and then sends the attack code.


GrandSoft EK only uses CVE-2016-0189. CVE-2016-0189 is frequently used by other EKs and is no longer interesting by itself. However, GrandSoft EK's code is a little different from other EKs. Let's look at the GrandSoft EK code.

https://gist.github.com/anonymous/3dfd73cb212ecfe4c100bd356e429403

GrandSoft EK mixes in unnecessary code. Deleting all of it leaves familiar code. For example, these lines are not necessary:

z9TmaQnrKIX = "Set t7BdKL = New Q6dZEWZ End Function End Function "

Dim Q0GzfxxyDx2

The GrandSoft EK code seen around January 30th differed from the current code; it had another layer of obfuscation. This is the previous code. It was a bit annoying...


https://gist.github.com/anonymous/089810f4581b86edf27827a0a4ebeff4

Once you deobfuscate this, it is basically the same code as other EKs. What differs is the process of generating the URL for downloading the malware and the process of decrypting the downloaded file with it.


A value called "keyRand" is generated and becomes part of the URL. "keyRand" is also used to decrypt the file. Like RIG, GrandSoft EK downloads RC4-encrypted malware.


"arcnsave" also appears in RIG. The code looks like this.


For this reason, the encryption key is not hard-coded. To know the key, it is necessary to obtain the URL from the traffic.
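The RC4 decryption step described here, with the key recovered from the captured download URL (the same RC4 also protects the PowerShell stage in the newer Fallout shellcode discussed at the top of this page, there with a hard-coded key), as an added Python example that is not code from the post. The query-parameter name "keyRand" is an assumption for illustration; the post only says the value becomes part of the URL. The sample URL and body are constructed.

```python
# Added example (not code from the post): RC4 as used to protect the downloaded
# payload, with the key taken from the download URL rather than the shellcode.
from urllib.parse import urlparse, parse_qs


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def key_from_url(url: str, param: str = "keyRand") -> bytes:
    """Recover the per-victim key from the captured download URL.
    Assumption: the key travels as a query parameter named `param`."""
    qs = parse_qs(urlparse(url).query)
    if param not in qs:
        raise ValueError(f"no {param!r} parameter in URL; key cannot be recovered")
    return qs[param][0].encode("ascii")


def decrypt_download(url: str, body: bytes) -> bytes:
    """Decrypt a captured payload and refuse output that is not a PE file."""
    plain = rc4(key_from_url(url), body)
    if plain[:2] != b"MZ":
        raise ValueError("decrypted data is not a PE: wrong key or wrong parameter")
    return plain


# Constructed sample traffic (not real indicators).
SAMPLE_URL = "http://example.invalid/download.php?id=7&keyRand=8675309"
SAMPLE_BODY = rc4(b"8675309", b"MZ\x90\x00\x03\x00\x00\x00fake-pe-body")

if __name__ == "__main__":
    print(decrypt_download(SAMPLE_URL, SAMPLE_BODY))
```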


Finally

GrandSoft EK is not an advanced EK, but it has a few interesting features. I want to follow up on future updates😊