Rig EK via Decimal Redirect Drops Smoke Loader.

Summary:

This is the first time I've detected a decimal redirect to Rig EK. The mechanism is described by Malwarebytes. The redirect led to a file called “rig.php”, which is something I have not seen before. The page then displays a “loading” GIF, which makes it appear as if something should be happening. Something is indeed happening – Smoke Loader was dropped, and I have demonstrated before what happens if you leave it running.

Apologies for an incomplete picture. I bodged it together with Paint as my current tools are not available.

 

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Decimal Redirects

https://blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/

Downloads

(in password protected zip)

Details of infection chain:


Rigsmoke.png

Decimal Redirect to Rig EK which drops smoke loader.

Full Details:

There is a URL request from the compromised site to “1755118211”, which the browser interprets as an IP address (104.156.250.131). This then 302s to an IP hosting a PHP file.
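As an added illustration (not code from the original post), the following Python helper converts a decimal-form host such as the one above back to dotted quad and flags such hosts in proxy log lines. The log format, the client address and the hosts other than 1755118211 in the sample lines are constructed for this example; the conversion is plain 32-bit integer to IPv4, which is exactly what the browser does.

```python
import ipaddress
import re

# A bare run of decimal digits in the host position, e.g. http://1755118211/ .
# Browsers treat such a host as a 32-bit IPv4 address and connect to it directly,
# so the redirect never shows a dotted quad or a domain in the URL.
DECIMAL_HOST = re.compile(r"^\d{1,10}$")


def decimal_to_ipv4(host):
    """Return the dotted-quad form of a decimal IPv4 host, or None if host is not one."""
    if not DECIMAL_HOST.match(host):
        return None
    value = int(host)
    if value > 0xFFFFFFFF:          # more than 32 bits: not a valid IPv4 address
        return None
    return str(ipaddress.IPv4Address(value))


def host_of(url):
    """Pull the host out of a URL with or without a scheme, dropping any explicit port."""
    if "://" in url:
        url = url.split("://", 1)[1]
    host = url.split("/", 1)[0]
    return host.split(":", 1)[0]


def find_decimal_redirects(log_lines):
    """Scan proxy log lines (URL is the third whitespace-separated field in this
    constructed format) and return (url, dotted_ip) for each decimal-IP host."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        url = fields[2]
        ip = decimal_to_ipv4(host_of(url))
        if ip is not None:
            hits.append((url, ip))
    return hits


# Constructed sample log lines (timestamp, client, URL, status); 203.0.113.10 is a
# placeholder for the PHP host, not the real redirect target.
SAMPLE_LOG = [
    "2017-05-01T10:00:01 10.0.0.5 http://compromised.example/index.php 200",
    "2017-05-01T10:00:02 10.0.0.5 http://1755118211/ 302",
    "2017-05-01T10:00:03 10.0.0.5 http://203.0.113.10/rig.php 200",
    "2017-05-01T10:00:04 10.0.0.5 http://cdn.example/loading.gif 200",
]

if __name__ == "__main__":
    for url, ip in find_decimal_redirects(SAMPLE_LOG):
        print(f"{url} -> {ip}")
```

Browsers also accept hexadecimal and octal host forms; this example covers only the pure decimal form the post describes, so extend `DECIMAL_HOST` if you want to catch the others.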

DecimalRedirect

This leads to a file amusingly named “rig.php”. This contains an iframe to Rig EK and a GIF file which makes it appear as if the website is “loading”.

iframetorigandgif


Rig then dropped Smoke Loader. The only thing that I have not seen before is Rig using a 5th level domain.

Multiple Magnitude EK drops Cerber Ransomware Samples

Summary:

 

I still continue to look at Magnitude now that I have managed to get it to drop a payload. I'm amazed at how different the flows appear to look each time. It is a lot more interesting to witness than Rig EK.

Currently Magnitude is still region locked and “private” however it is still very active in these regions and is certainly a big threat to anyone using an outdated version of Flash, Windows or IE.

Here I have four samples which all dropped the latest version of Cerber ransomware. I have created a CSV which contains all the URLs for easier copy and pasting of IOCs.

Background Information

I came across this article which contains very good information about Magnitude and is mostly still relevant.

https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood

Some hints as to how to deobfuscate Magnitude:

https://pcsxcetrasupport3.wordpress.com/2017/04/24/a-look-at-the-magnitude-exploit-kit-encoding/

Downloads (in password protected zip)

Note: to trigger Magnitude you need certain conditions, so I have used a proxy to achieve this, which may explain odd headers and IP addresses.

Details of infection chain:


26MagCerber.png

This image shows flows of the latest Magnitude sample. The commands are taken from another sample that is also included in the pcaps.

Mag1

Magnitude EK starting with mymoneybit.com

 

Mag2

Magnitude EK starting with paplauskaja.net

 

 

Mag3

Magnitude EK starting with webinvestfx.com

 

Full Details:

For more information on Magnitude check out my previous posts:

Magnitude EK delivers Cerber

Magnitude EK URL’s from 14-20 April

I have three samples of Cerber. I have been informed this is the latest version of Cerber. It did not change my background or play any audio. I would include the hashes for easy copy and paste, but Cerber is very evasive when it comes to AV detections. The file sizes vary quite significantly between samples.

Cerber still attempts UDP 6893 connections. It also modifies firewall settings, which you can see from the main image above. There is also a 5-10 minute window in which the ransomware actually takes effect.

CerberPic

These are the ransom notes .HTA and notepad file.

 

CerberPic

The Cerber decryptor asks for a language. There are multiple languages not shown here, and the text cycles through them.

Language

 

It then asks to solve a captcha for a “security” check. I was unable to solve the puzzle so could not continue to the payment part.

CerberPuzzle.png

Lastly this icon appears on the decryptor.

CerberIcon

 

Magnitude EK delivers Cerber

Summary:

Perseverance is the key sometimes. I finally got Magnitude to drop a payload, so yes, Cerber is back on the EK table after the PseudoDarkleech gate seemed to vanish.

This is a very interesting sample. Aside from the usual scriptlet and sctask, I also saw PowerShell and several new URLs using a user agent named “contype”. There is lots to review here to determine what exactly happened, which I will look into in the future.

For now hope you enjoy digging through the PCAP. Note I used a proxy so the destination IP addresses are not all accurate.

Downloads (in password protected zip)

Malvertising, Gates, Magnitude EK and Cerber Ransomware

xml.adservme.com/click?adv=75697&i=OvbWHBN9LYg_0
zv1.sierra-boa.com/zcvisitor/939a51f8-2621-11e7-881a-120b8a9756d6?campaignid=7b0bac00-9f63-11e6-b67a-0e0b03568723
track.reacheffect.com/click.php?c=6508&key=vapy165k197q98zvu855qijq&campaignid=457715&cid=zv939a51f8262111e7881a120b8a9756d69b3bd7b938ba4b7790b825db592f43420201836c3ce8bc5a47&keyword=1120000&match=&visitor=NON-ADULT&traffic=POPUP&tar=foxtrot-ope-KDUgZ0ei&source=rubiginous-reindeer&long_campaignid=7b0bac00-9f63-11e6-b67a-0e0b03568723
track.reacheffect.com/jump/?jl=5938753
pub.reacheffect.com/go/8740/Ze.6508.5.rubiginous-reindeer?clickid=19859172263webinvestfx.com/?pubid=3324286&clickid=19859172263
a15ab15peq.namehes.com/1187p984x1224p1280x1194p0x1233p24x864p96x867p96x2271ptruex700p1024x1237p96x1236p96x1234p24x799p96x798p96x741p1280x28p90fale420490h.yetsix.men/
28p90fale420490h.yetsix.men/47lec9w1l269cc5jeo
28p90fale420490h.yetsix.men/9bke7o63bl4fm73sf
28p90fale420490h.yetsix.men/9bke7o63bl4fm73sf
28p90fale420490h.yetsix.men/6a1bf2f35r49rc4n
28p90fale420490h.yetsix.men/59l8x35td53g4256
28p90fale420490h.yetsix.men/59l8x35td53g4256
28p90fale420490h.yetsix.men/6aafe41330492e3c6a44d22b804f1626.sct
/b9aaf93c8cd1cec06cf9906abcdc9759
28p90fale420490h.yetsix.men/59l8x35td53g4256
217.182.227.102/0fe67cf41bf78e5e8563ab7ac8ad673d
217.182.227.102/6a301484f548a191f7c5290f267f8ef6
/6a301484f548a191f7c5290f267f8ef6

UDP 6893 Len=14 – 94.21.172.0-31, 94.23.173.0-255, 94.22.172.0-31, 94.23.174.0-255, 94.23.172.0-255, 94.23.175.0-255

api.blockcypher.com/v1/btc/main/addrs/1HTDy9SkfhwaNCXFA8wFCvN53f3iGpm8kb?_=1492731591851

api.blockcypher.com/v1/btc/main/txs/d6a8ed5e1aab504c79ac86bb79b7c129826ad03774f3181780aaafb70a998f9e?_=1492731598192
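The "UDP 6893 Len=14" line above gives the destination ranges in a compact last-octet notation. As an added example (not part of the original post), here is a Python matcher that expands those ranges into networks and flags flow records with that port, length and destination. The flow-record format and the sample records are constructed for the example; only the ranges, port and length come from the post.

```python
import ipaddress

# Destination ranges copied from the "UDP 6893 Len=14" line above, in the post's notation.
CERBER_UDP_RANGES = [
    "94.21.172.0-31", "94.23.173.0-255", "94.22.172.0-31",
    "94.23.174.0-255", "94.23.172.0-255", "94.23.175.0-255",
]
CERBER_UDP_PORT = 6893
CERBER_UDP_LEN = 14


def expand_range(spec):
    """Turn 'a.b.c.x-y' (a range over the last octet) into a list of IPv4Network objects."""
    prefix, _, last = spec.rpartition(".")
    lo, _, hi = last.partition("-")
    first = ipaddress.IPv4Address(f"{prefix}.{lo}")
    final = ipaddress.IPv4Address(f"{prefix}.{hi or lo}")
    return list(ipaddress.summarize_address_range(first, final))


NETWORKS = [net for spec in CERBER_UDP_RANGES for net in expand_range(spec)]


def in_cerber_ranges(ip):
    """True if the dotted-quad address falls inside any of the listed ranges."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in NETWORKS)


def parse_flow(line):
    """Parse a constructed 'key=value ...' flow record into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def is_cerber_udp(flow):
    """Match the shape seen in the capture: UDP, destination port 6893, 14-byte length,
    destination inside the listed ranges. Malformed records never match."""
    try:
        return (flow.get("proto", "").lower() == "udp"
                and int(flow.get("dport", -1)) == CERBER_UDP_PORT
                and int(flow.get("len", -1)) == CERBER_UDP_LEN
                and in_cerber_ranges(flow["dst"]))
    except (KeyError, ValueError):
        return False


def scan_flows(lines):
    """Return the (src, dst) pairs of records that match."""
    matches = []
    for line in lines:
        flow = parse_flow(line)
        if is_cerber_udp(flow):
            matches.append((flow["src"], flow["dst"]))
    return matches


# Constructed flow records (not taken from the PCAP).
SAMPLE_FLOWS = [
    "ts=1492731500 proto=udp src=10.0.0.5 dst=94.23.174.77 dport=6893 len=14",
    "ts=1492731501 proto=udp src=10.0.0.5 dst=94.21.172.40 dport=6893 len=14",
    "ts=1492731502 proto=tcp src=10.0.0.5 dst=94.23.173.9 dport=6893 len=14",
    "ts=1492731503 proto=udp src=10.0.0.5 dst=8.8.8.8 dport=53 len=40",
]

if __name__ == "__main__":
    for src, dst in scan_flows(SAMPLE_FLOWS):
        print(f"UDP 6893 to Cerber range: {src} -> {dst}")
```

The second sample record is deliberately just outside 94.21.172.0-31 (host .40) to show that the range boundaries, not just the /24, are enforced.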

Details of infection chain:


MagnitudeEKCerber.png

Magnitude drops Cerber. A lot is going on here including some powershell.

Full Details:

Please refer to this post for more details on Magnitude: Magnitude EK URL's from 14-20 April. I will describe in brief some notable changes. Other than these changes, I still witnessed the scriptlet and the scheduled tasks, as well as multiple failed payloads.

First I noticed the Flash file called a URL. In past examples I have looked at, this was not seen. The URL uses an IP instead of the host name the rest of the EK is on. This then downloads the payload.

FlashToPayload

After this small payload runs, it calls another URL which is an executable (Cerber).

PayloadExecutes

Other than this, there are notable differences:

  • Different obfuscation on the second landing page. There may even be new code here.
  • I also noticed powershell was running though did not capture what was run.
  • The user agent “contype” was used for the new URL’s.
  • The payload was called “a.exe”.

There is lots to review and I will take a deeper dive into it in the future.

If you don't know about Cerber ransomware then where have you been! Probably one of the most mature ransomware families, Cerber encrypts files and requests bitcoin in order to decrypt them. This sample encrypted files with the .ba89 extension.

CerberPic

SHA256: 01d934d41965248241ab941ef3a8b75314637e0aa50ce506cc76b67f506be901
File name: a.exe
Detection ratio: 14 / 61
TrendMicro-HouseCall Ransom_HPCERBER.SMONT3

Here is the VirusTotal report on the Flash exploit 59l8x35td53g4256.swf. Magnitude's Flash exploits always have a very low detection rate. I'm surprised to see McAfee is the only one to detect this.

SHA256: feff4b90fd5cf172c5422f63ecafcecc71877931038708ef745e205e7c763f2a
File name: 59l8x35td53g4256.swf
Detection ratio: 1 / 56
McAfee-GW-Edition BehavesLike.Flash.Exploit.zl

Magnitude EK URL’s from 14-20 April

Summary:

 

I've been keeping track of Magnitude EK lately and have observed it changing a fair bit; however, the payload still fails to download. I decided to collect a number of flows from 14-20 April and display them below. You may argue that this EK does not seem to drop a payload anymore and is only active in a specific region of the world, so the threat is low, but I have seen it change, so it is still actively being developed. For as long as it is being developed it could pose a serious threat if new exploits are discovered.

The URLs may be useful for regex detections; however, the landing page for the latest sample has no URL pattern. I have also seen a .pw domain used, which is a bit different as many of the previous ones use TLDs which spell words, such as “.space”.

Also of note is that Magnitude drops a file in Temp which is used to download the payload and create a scheduled task which then runs it. At the same time it also requests a scriptlet which attempts to download and execute a payload. This meant a single flow was creating 5+ payloads.

I also began to deobfuscate the landing page to try to figure out what all the URLs mean. Some appear to give a 404 error. It is likely these are payload requests, but there is no payload to download, hence the 404.

Anyway, I hope the URLs are interesting. I have included the latest PCAP as well. Overall I was hoping to do a lot more with Magnitude but I have not got round to it. I hope this article explains this rarer EK a bit more.

Downloads (in password protected zip)

Magnitude EK URLs, newest to oldest (14-20 April, with referrer):

fx4you.net/
f4u7aa1c8785l4.funsego.com/632y1024t1134y0t932y96t1040y96t935y96t1127y984t1041y96t987y96t2075yt986y96t1045y32t545y1280t1036y1280t1481y0t
8f474sb7j313gfc6.hoverun.website/
8f474sb7j313gfc6.hoverun.website/7o3uf4dblbta
8f474sb7j313gfc6.hoverun.website/f2f3549cz47r
8f474sb7j313gfc6.hoverun.website/7o3uf4dblbta
8f474sb7j313gfc6.hoverun.website/WIN%209,0,277,0
/406c4bd7662ebd8a0727dda99e47c0ea
8f474sb7j313gfc6.hoverun.website/favicon.ico
8f474sb7j313gfc6.hoverun.website/dea357bd720abedb5fe7cb2b5986715e.sct
/5ccc5b059d7cac9d4ad397e01cd6d8e8
gp-1.net/
c88p68ba763o096y.pinkadu.com/647t1024p1169t0p859t96p1263t96p856t96p1176t984p1262t96p804t96p2276tp805t96p1258t32p734t1280p1267t1280p1334t0p
bc30bp534of2.worksit.date/113661420853&2307572
bc30bp534of2.worksit.date/c4c10e899724dd
bc30bp534of2.worksit.date/a51m89eub2k
bc30bp534of2.worksit.date/c4c10e899724dd
bc30bp534of2.worksit.date/WIN%209,0,277,0
bc30bp534of2.worksit.date/51ea0c632c7e5ca4a8bf9d312b1de12f.sct
/1aa3663dfeda890ed22c8e4d335ecfb9
/9726cb96a02698d8b0d1d15ea5c8155e
your-xxtube.com/?pubid=brunneous-chimpanzee
79dd1c88v68b.pinkadu.com/647b1024s1169b0s859b96s1263b96s856b96s1176b984s1262b96s804b96s2276bs805b96s1258b32s734b1280s1267b1280s1334b0s
3bbzd3cj3au526zc.thisfix.website/192633352752&1330952
3bbzd3cj3au526zc.thisfix.website/cd295xfbcif19a
3bbzd3cj3au526zc.thisfix.website/89x9724dd0t26d
/444938c6ed845c3ee99a8ceca263af11
3bbzd3cj3au526zc.thisfix.website/WIN%209,0,277,0
3bbzd3cj3au526zc.thisfix.website/c6bd1bf891812cfdbf554e657a433089.sct
/b0f7f8b9a750ad0b32dc49edeed70c6b
fx4you.net/?pubid=cardinal-jellyfish
9dod1zc8m86x8ban.pinkadu.com/647h1024b1169h0b859h96b1263h96b856h96b1176h984b1262h96b804h96b2276hb805h96b1258h32b734h1280b1267h1280b1334h0b
f7tcfm659ifa68z.thisfix.website/173424982168&5338823
f7tcfm659ifa68z.thisfix.website/e899724dd026d2
f7tcfm659ifa68z.thisfix.website/cf19av5189
/9f098f15f5627dfea2d820ca4a730255
f7tcfm659ifa68z.thisfix.website/WIN%209,0,277,0
f7tcfm659ifa68z.thisfix.website/9f4bb1c46d2df8f5ac454ada158bddb5.sct
/9c03d2d1f30ccc83e263df6f6d34ac55
fx4you.net/?pubid=cerulean-herring
1h99dbt44v18q.fulbper.com/698o1024y1196o0y870o96y1234o96y869o96y1189o984y1235o96y793o96y2265oy792o96y1239o32y739o1280y1230o1280y1291o0y
cke078d8t8j.showjob.pw/1839973331637430303&13068
cke078d8t8j.showjob.pw/fubcf1k9a51k89jebu
cke078d8t8j.showjob.pw/e899z7t24dd0j
/a3993e2a22b7c2b5659d0091e66b5c8f
cke078d8t8j.showjob.pw/WIN%209,0,277,0
cke078d8t8j.showjob.pw/1c859f349523ba2a80157179e59d5216.sct
cke078d8t8j.showjob.pw/89lebg2m345i
cke078d8t8j.showjob.pw/ec19uc4cj1
cke078d8t8j.showjob.pw/1c859f349523ba2a80157179e59d5216.sct
/c05049395cf90c5e7daa5389a53d9815
/a3993e2a22b7c2b5659d0091e66b5c8f
fx4you.net/?pubid=solferino-zebra
ah2907a8v587e6f6p.mastkod.com/711x1024u1233x0u795x96u1199x96u792x96u1240x984u1198x96u868x96u2212xu869x96u1194x32u670x1280u1203x1280u1398x0u
a41xbepb25g9855cs.hatelow.trade/
a41xbepb25g9855cs.hatelow.trade/a4563i3b5c1
a41xbepb25g9855cs.hatelow.trade/4xfl4s435l54eud95cd
/9980fd3529e752392fe07d5c76be9ee6
a41xbepb25g9855cs.hatelow.trade/WIN%209,0,277,0
a41xbepb25g9855cs.hatelow.trade/82214390f6686faeabe0dfec2a6a9636.sct
/b95c37d4505ccfc7ad488edc71d9dec3
lookatbit.com/?pubid=4217600&clickid=19612411123
68s0dez64675591zeh.sevatch.com/647p1024t1169p0t859p96t1263p96t856p96t1176p984t1262p96t804p96t2276pt805p96t1258p32t734p1280t1267p1280t1334p0t
e4xc8bi551ea50xfck.putown.review/132130273201&0340431
e4xc8bi551ea50xfck.putown.review/17nc0crd295ifbx
e4xc8bi551ea50xfck.putown.review/c10ve8997h2j
e4xc8bi551ea50xfck.putown.review/WIN%209,0,277,0
e4xc8bi551ea50xfck.putown.review/favicon.ico
e4xc8bi551ea50xfck.putown.review/466fc3080ea0f1f51d80c233ddcf8d79.sct
fx4you.net/?pubid=cerulean-herring
be3zcc7babh56h.slipyes.com/698t1024r1196t0r870t96r1234t96r869t96r1189t984r1235t96r793t96r2265tr792t96r1239t32r739t1280r1230t1280r1291t0r
c0a591ae54y6.usplans.review/1839973331637430303&732201
c0a591ae54y6.usplans.review/c19c4xc10ye89
c0a591ae54y6.usplans.review/0pcd29w5fbcu
c0a591ae54y6.usplans.review/WIN%209,0,277,0
c0a591ae54y6.usplans.review/2dd6c725484852cfd0bc85438f4206b3.sct
lookatbit.com/?pubid=3323456&clickid=19604598049
de6w46h75p59x1encs.sevatch.com/644o1024t1170o0t856o96t1260o96t859o96t1179o984t1261o96t807o96t2279ot806o96t1257o32t733o1280t1264o1280t1333o0t
f7g4061175s1ca.warcome.space/123469898425&9225521
f7g4061175s1ca.warcome.space/f19ham5189eb2l
f7g4061175s1ca.warcome.space/e2vecr19xcn4c1g0le8i9q
f7g4061175s1ca.warcome.space/WIN%209,0,277,0
f7g4061175s1ca.warcome.space/abe56b28a4aede383807d15cd479bc96.sct
/aeada41a75ae107706b649c7ce992647
lookatbit.com/?pubid=3481388&clickid=19602663841
8b1i9b680de.sevatch.com/698m1024i1196m0i870m96i1234m96i869m96i1189m984i1235m96i793m96i2265mi792m96i1239m32i739m1280i1230m1280i1291m0i
736jd7edq952d6r.opencut.review/153595736818&9225521
736jd7edq952d6r.opencut.review/95qfbcxfx19a518i9el
736jd7edq952d6r.opencut.review/24ddk0q2v6d2cr
736jd7edq952d6r.opencut.review/WIN%209,0,277,0
736jd7edq952d6r.opencut.review/775d37aaae43d6daf4b17afdbee144a9.sct
fx4you.net/?pubid=cerulean-herring
128by19mb68t0kde6.sevatch.com/644u1024r1170u0r856u96r1260u96r859u96r1179u984r1261u96r807u96r2279ur806u96r1257u32r733u1280r1264u1280r1333u0r
952md64a0a7.opencut.review/133146814116&2329151
952md64a0a7.opencut.review/f19ha518m9ebh234
952md64a0a7.opencut.review/997p24dd026m
952md64a0a7.opencut.review/WIN%209,0,277,0
952md64a0a7.opencut.review/4bfc7f67db29ec42d06e04f37fc4fafe.sct
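The flows above share a few path shapes that are host-independent: the long gate path of numbers interleaved with two letters, the "WIN%209,0,277,0" request (which reads as a Flash Player version string; that interpretation is mine, not the post's), the 32-hex-character ".sct" scriptlet name and the bare 32-hex-character paths. As an added example (not code from the original post), the Python below parses the gate path into its numeric pairs and labels each URL with a stage; the stage names and the minimum-pair threshold are my own choices, and the sample list is a subset copied from the flows above. As the post notes, the landing page itself has no pattern, so this only covers the gate and the follow-on requests.

```python
import re

# Subset of the flow listed above, exactly as recorded in the post (no scheme).
SAMPLE_URLS = [
    "fx4you.net/",
    "f4u7aa1c8785l4.funsego.com/632y1024t1134y0t932y96t1040y96t935y96t1127y984t1041y96t987y96t2075yt986y96t1045y32t545y1280t1036y1280t1481y0t",
    "8f474sb7j313gfc6.hoverun.website/",
    "8f474sb7j313gfc6.hoverun.website/7o3uf4dblbta",
    "8f474sb7j313gfc6.hoverun.website/WIN%209,0,277,0",
    "/406c4bd7662ebd8a0727dda99e47c0ea",
    "8f474sb7j313gfc6.hoverun.website/dea357bd720abedb5fe7cb2b5986715e.sct",
]

FLASH_VERSION = re.compile(r"^/WIN%20\d+,\d+,\d+,\d+$")  # "WIN 9,0,277,0" style version string
SCRIPTLET = re.compile(r"^/[0-9a-f]{32}\.sct$")          # 32-hex-char scriptlet name
HASH_PATH = re.compile(r"^/[0-9a-f]{32}$")               # bare 32-hex-char path


def split_url(url):
    """Split a URL as written in the list (scheme optional) into (host, path)."""
    if "://" in url:
        url = url.split("://", 1)[1]
    if url.startswith("/"):
        return "", url
    host, _, rest = url.partition("/")
    return host, "/" + rest


def parse_gate_path(path, min_pairs=4):
    """Decode the gate-URL path: numbers interleaved with exactly two letters, the first
    separating key from value and the second terminating each pair (an empty value is
    allowed, e.g. '2075yt'). Returns a list of (key, value) strings, or None."""
    body = path.lstrip("/")
    if not re.fullmatch(r"[0-9a-z]+", body):
        return None
    letters = [c for c in body if c.isalpha()]
    if len(set(letters)) != 2:
        return None
    kv_sep = letters[0]
    end_sep = next(c for c in letters if c != kv_sep)
    if not body.endswith(end_sep):
        return None
    pairs = []
    for chunk in body.split(end_sep)[:-1]:
        if chunk.count(kv_sep) != 1:
            return None
        key, value = chunk.split(kv_sep)
        if not key.isdigit() or not (value == "" or value.isdigit()):
            return None
        pairs.append((key, value))
    return pairs if len(pairs) >= min_pairs else None


def classify_url(url):
    """Label a URL with the stage its path shape suggests (labels are this example's own)."""
    _, path = split_url(url)
    if FLASH_VERSION.match(path):
        return "flash_version_probe"
    if SCRIPTLET.match(path):
        return "scriptlet"
    if HASH_PATH.match(path):
        return "hash_path"
    if parse_gate_path(path) is not None:
        return "gate"
    return "other"


def looks_like_magnitude_flow(urls):
    """True when one client's URLs contain a gate request, then a Flash version probe,
    then a scriptlet request, in that order: the sequence present in every flow above."""
    stages = [classify_url(u) for u in urls]
    pos = -1
    for wanted in ("gate", "flash_version_probe", "scriptlet"):
        if wanted not in stages[pos + 1:]:
            return False
        pos = stages.index(wanted, pos + 1)
    return True


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{classify_url(url):20s} {url}")
    print("multi-stage match:", looks_like_magnitude_flow(SAMPLE_URLS))
```

Matching on the ordered sequence of stages rather than on any one regex keeps the false-positive rate down: a lone 32-hex-character path is common on legitimate sites, but a gate-shaped path followed by a version probe and a .sct request from the same client is not.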

Details of infection chain:


200417MagnitudeEK.png

Magnitude EK as of 20 April does not appear to have a landing page URL pattern.

 

Full Details:

  • Magnitude begins from a JavaScript gate on a compromised website. The script will only present itself to an East Asian geolocation. The script uses a number of parameters, including screen size, to create a URL to the Magnitude gate.
    ScriptToGate
  • The Magnitude gate is very similar to that on the compromised website. So far it has only led to Magnitude and an unknown EK.
    GateToEK.PNG
  • The landing page URL does not have a URL pattern in the latest sample. The script at the top calls the Flash exploit. The rest of the page is obfuscated: each letter calls an array, and it is all then concatenated together. By printing the contents of the array and then substituting the values, almost all obfuscation of the VBScript section is removed. The landing page actually contains a lot of junk code.
    LandingPAge
  • This is a deobfuscated page of another Magnitude flow. I began to decode and realised I had done the wrong sample. For illustration purposes, though, you can see the junk variables interlaced with legitimate variables and the Godmode exploit.
    Deobfuscated
  • Magnitude EK has a second page of exploits which is requested at the end of the first landing page. It also uses an array, however this one is different. In fact, all samples I have seen have a different array.
    2ndLanding
  • Below is a section of the deobfuscated page showing CVE-2014-6332.
    LandingPage2
  • This is the Flash exploit. The resulting URL returned 404. It is likely it would have downloaded a payload.
    MagnitudeFlash
  • Magnitude EK creates a file in Temp with a “rad” naming theme. The script downloads the payload and creates a scheduled task which then executes it. The payloads always fail on my host (they are 0kb).
    payloadpic
  • This is a deobfuscated scriptlet (.sct) which also attempts to download and execute the payload, and also fails.
    scriplet
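The "print the array, then substitute the values" step described above is mechanical enough to script. As an added example (not the post's own tooling and not Magnitude's real landing page), the Python below works on a constructed page in the same shape: an array of string fragments, junk variables, and expressions that index into the array and concatenate the pieces. It substitutes each index with its element, folds adjacent string literals, and reports which array elements are never referenced, which is one quick way to spot the junk entries the post mentions.

```python
import json
import re

# Constructed sample in the shape the post describes. The fragment values are benign
# placeholders, not content from the real page.
SAMPLE_PAGE = """
var q = ["na", "vi", "ga", "tor", "user", "Ag", "ent", "junk1", "junk2"];
var zz = 48213;
var s1 = q[0]+q[1]+q[2]+q[3];
var zy = "unused";
var s2 = q[4] + q[5] + q[6];
"""

ARRAY_DECL = re.compile(r"var\s+(\w+)\s*=\s*\[([^\]]*)\]")
STRING_LIT = re.compile(r'"([^"]*)"|\'([^\']*)\'')
INDEX_EXPR = re.compile(r"\b(\w+)\[(\d+)\]")
ADJACENT_STRINGS = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')


def extract_arrays(src):
    """Map each array variable name to its list of string elements."""
    arrays = {}
    for name, body in ARRAY_DECL.findall(src):
        arrays[name] = [dq if dq else sq for dq, sq in STRING_LIT.findall(body)]
    return arrays


def substitute_indices(src, arrays):
    """Replace name[i] with the quoted element it refers to; leave unknown names alone."""
    def repl(match):
        name, idx = match.group(1), int(match.group(2))
        if name in arrays and idx < len(arrays[name]):
            return json.dumps(arrays[name][idx])
        return match.group(0)
    return INDEX_EXPR.sub(repl, src)


def fold_concatenations(src):
    """Merge "a" + "b" into "ab", repeating until the text stops changing."""
    while True:
        folded = ADJACENT_STRINGS.sub(lambda m: json.dumps(m.group(1) + m.group(2)), src)
        if folded == src:
            return src
        src = folded


def unused_indices(src, arrays):
    """Array elements never referenced by an index expression: a quick junk-code signal."""
    used = {(name, int(idx)) for name, idx in INDEX_EXPR.findall(src)}
    return {name: [i for i in range(len(items)) if (name, i) not in used]
            for name, items in arrays.items()}


def deobfuscate(src):
    """Run the whole substitute-then-fold pass over a page."""
    return fold_concatenations(substitute_indices(src, extract_arrays(src)))


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_PAGE))
    print("unused elements:", unused_indices(SAMPLE_PAGE, extract_arrays(SAMPLE_PAGE)))
```

The regexes assume literal integer indices and plain string elements; a page that computes its indices or nests arrays needs an actual parser rather than this substitution pass.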

Here is the VirusTotal report on the Flash exploit 7o3uf4dblbta.swf. Magnitude's Flash exploits always have a very low detection rate. I'm surprised to see McAfee is the only one to detect this.

SHA256: 0f85edce11cd66989adc3cc9f1a78531811b00500b91fda6794486877ebefba8
File name: 7o3uf4dblbta.swf
Detection ratio: 1 / 56
McAfee-GW-Edition BehavesLike.Flash.Exploit.zl

Terror EK via Malvertising drops Smoke Loader

Summary:

My last source of Terror appeared to dry up and other security researchers such as @jeromesegura have reported changes in Terror EK. I initially looked at the referrers provided in the article and saw the same patterns. 

However, today I found a fresh Terror EK from malvertising, and it appears to be “complete” in the sense that it now includes 4 Flash exploits (one of which had not been uploaded to VT for 5 months) and the Silverlight exploit was not hosted on another domain. The only thing Terror EK has not done is properly obfuscate its code, but I guess these are well-known exploits and there is no requirement.

Overall it is clear Terror EK is in development by whoever controls it now. This version looks more like a mainstream EK. All it needs is some strong obfuscation to slow down researchers, especially if a new exploit is discovered.

Background Information:

  • An article on Terror exploit kit showing changes in the patterns:

https://blog.malwarebytes.com/threat-analysis/2017/04/sundown-ek-gone-missing-terror-ek-flavours-seen-in-active-drive-by-campaigns/

  • Some Exploits used by this version of Terror EK:

http://malware.dontneedcoffee.com/2013/11/cve-2013-0074-silverlight-integrates.html

http://malware.dontneedcoffee.com/2014/11/cve-2014-6332.html

http://malware.dontneedcoffee.com/2013/11/cve-2013-2551-and-exploit-kits.html

Downloads (in password protected zip)

Notable Details:

  • Payload was zoskoezb.exe-> VirusTotal (4cd37ab66af60b7a709c3b17fb3692ae784b3897e442f7bff4a9374ea5719110)
  • I had left Smoke Loader running creating a mess of a PCAP so here is the Hybrid Analysis Report – Here

 Malvertising Chain

latency.ttrraacckkrr.com/pst/56da2f8ee4e7d000_1492110949267
ref.ppcmate.com/log?key=pop-up-6a32b466-a80b-4820-bd60-e17cddc1bf9caction=clickstrategy=75552pub=36148ts=1492110949269
vicals.pw/Xqhy3c

Terror EK – (185.82.202.40)

185.82.202.40/LAbpAWqyf9GPWG1gqbPqnoDq/4yx7tT9s13xL.php
185.82.202.40/LAbpAWqyf9GPWG1gqbPqnoDq/HYTfYKQf2iRC/Fg8tXmcGuYEq.html
/LAbpAWqyf9GPWG1gqbPqnoDq/GSn7W4Aanses.php
185.82.202.40/LAbpAWqyf9GPWG1gqbPqnoDq/HYTfYKQf2iRC/GvySSRjYjNW5.swf
185.82.202.40/LAbpAWqyf9GPWG1gqbPqnoDq/HYTfYKQf2iRC/9AJ1ib4oMs7f.swf
185.82.202.40/LAbpAWqyf9GPWG1gqbPqnoDq/HYTfYKQf2iRC/IWVvF0eNPyto.swf
185.82.202.40/LAbpAWqyf9GPWG1gqbPqnoDq/HYTfYKQf2iRC/Ag3jtQf2n1nt.swf
185.82.202.40/LAbpAWqyf9GPWG1gqbPqnoDq/HYTfYKQf2iRC/Nr3aa05aWzAG.xap

Details of infection chain:


130417-TerrorEK.png

Terror EK using 4 Flash Exploits and Silverlight as well as the usual IE exploits drops Smoke Loader.

For comparison here was my last Terror EK detection:

TerrorEKZeuSVMKINS.png

Terror EK delivers K.I.N.S

  • Post infection was Smoke Loader. It downloaded a variety of malware, but I have not included this in the PCAP. The samples, however, I have uploaded here.

    SmokeParty

    Aftermath of Smoke Loader infection.

Full Details:

  • The chain starts with malvertising. It appears odd in that the referrer on the landing page shows it to be the “latency” website. However, clearly on “vicals.pw” you can see the 302 redirect to the landing page.
    PW
    PW2
  • The landing page contains a single iframe that loads multiple Flash exploits and a Silverlight exploit. This has changed from multiple iframes. After this come the usual landing page exploits. Nothing appeared to be obfuscated beyond some URL encoding. At the end of the script is a call to the payload.
    iframepayloadcall
  • The iframe from the landing page redirects to a page that contains 4 Flash exploits and one Silverlight exploit. One of the Flash exploits had not been uploaded to VT in 5 months.
    CalltoFlash.PNG
  • Payload is dropped. This time without mentioning which CVE it had exploited.
    payload

Here are the VirusTotal reports; note that 9AJ1ib4oMs7f.swf is the “newer” Flash exploit:

SHA256: 4cd37ab66af60b7a709c3b17fb3692ae784b3897e442f7bff4a9374ea5719110
File name: zoskoezb.exe.bin
Detection ratio: 23 / 62
SHA256: 88cdbf79aba30f553a949fc281baaa5d2e5f887d6c3f05b617c4712a709d47a9
File name: Nr3aa05aWzAG.xap
Detection ratio: 40 / 58
SHA256: 4888cc96a390e2970015c9c1d0206011a6fd8e452063863e5e054b3776deae02
File name: IWVvF0eNPyto.swf
Detection ratio: 31 / 56
SHA256: 890f8756e6ab3bd62a2c3fbd098471e17db56808b19018119c0ad4a26ed7060f
File name: GvySSRjYjNW5.swf
Detection ratio: 17 / 56
SHA256: 97f107853c99b0de95a3e5b84ad1435e31cb42bd05d495d585e18f81a59a362d
File name: Ag3jtQf2n1nt.swf
Detection ratio: 18 / 55
SHA256: ce3c0da64772f3beaf7c0f25a85459d7b82e199eddb56f737c823b2dc51f310d
File name: 9AJ1ib4oMs7f.swf
Detection ratio: 33 / 56

Unknown EK from Magnitude EK Gate drops Loader.

Summary:

Whilst hunting for Magnitude EK I came across an “unknown EK” from the Magnitude gate. It's hard to say if it is an EK, as it only appeared to use one exploit; however, its similarities to Magnitude were close. The gate returned 404 many times until one day it delivered. Magnitude currently has two gates. The first is on the compromised website, which crafts a URL using random numbers, screen size and the referrer (thanks to @Ledtech3 for the deobfuscation).

At first I hit Magnitude EK, which filled my screen and processes with scheduled tasks and ultimately failed to download a payload. I'm not sure if this was my host's problem or a malfunction with Magnitude EK. Since the PseudoDarkleech gate, which always delivered Cerber ransomware, has seemingly disappeared, it is possible that Cerber is no longer delivered by Magnitude and that they may be making changes.

The unknown EK I witnessed appeared to be in a testing phase. My first run showed that it had a very easy-to-read landing page and lots of logging. On the second run it was obfuscated a little and did not log. Both times a 1kb executable was dropped which may act as a loader for more malware.

It is possible this EK is testing being performed by the Magnitude EK threat actors. The fact that it did successfully drop and execute a payload while Magnitude seems to fail suggests there could be problems with the EK. I have not had enough visibility of Magnitude to report on the payloads it has been dropping over the last 5 days.

Anyway, it’s always interesting to see something different. Hope you enjoy the pcaps and pictures.

Background Information:

  • A few articles and samples on Magnitude exploit kit:

https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood

http://www.broadanalysis.com/2016/06/27/magnitude-exploit-kit-sends-cerber-ransomware-via-malvertising/

http://www.malware-traffic-analysis.net/2016/08/10/index.html

https://www.zscaler.com/blogs/research/top-exploit-kit-activity-roundup-winter-2017

Downloads

(in password protected zip)

Details of infection chain:


UnknownLoader

Unknown EK creates a file in Documents and runs a scheduled task which downloads a 1kb loader.

MagnitudeEK.png

Magnitude EK creates a file in temp which contains a command that creates a scheduled task and downloads a payload. In this case the payload failed to download.

Full Details:

  • Magnitude is found via malvertising chains exclusively in the Southeast Asia region. I came across another EK using Magnitude's gate. It may be tricky to call it an EK since it only appeared to exploit CVE-2016-0189. However, it appeared to be in a test phase as it was logging information and was not obfuscated on the first run.
  • The compromised sites contain a JavaScript gate which uses the URL, screen resolution and random numbers to create a unique request to the Magnitude gate.
    Gate1
  • The second gate is similar, however for the unknown EK it simply did a 302 redirect. For a Magnitude redirect the gate is similar, however “KASPERSKY.IEVIRTUALKEYBOARDPLUGIN.JAVASCRIPTAPI” is called, which checks for Kaspersky AV or at least some components of it.
    Gate2
  • After this we see the usual Magnitude landing page. However, instead of dropping a payload directly, Magnitude places a file in appdata/local/temp. This 2kb file with the usual “rad” naming theme contains a command that creates a scheduled task that attempts to download a payload. In my tests multiple scheduled tasks were created and no actual payload was delivered. See the screenshots below.
    maggieC8ztWINXcAA5Dim
  • Once again only one AV detected Magnitude's Flash exploit:
  • SHA256: 733dd2aa5b3b6f315ea076134cd21797b2feb6c81bbf047ff0c2345f71ccac07
    File name: MagnitudeFlash
    Detection ratio: 1 / 56
    AhnLab-V3 SWF/Magnitude
  • Right now to the unknown EK. As said above, instead of JavaScript, a simple 302 redirect was observed after the initial gate.
    Gate3
  • This EK seemed to only use CVE-2016-0189. The exploit seemed very similar to a Metasploit version here.
    exploit1
  • What I observed was that the EK dropped a file in Documents instead of Temp and then downloaded and executed a 1kb payload. This payload has a URL within it and may act as a loader. However, it did not appear to do anything. The EK traffic also contained a lot of what appeared to be logging.

document

executing

  • SHA256: a5e0767171ee9556dea9e2985a25f1a8b338e59d6d0ebc1486f3609956786a01
    File name: loader0.exe
    Detection ratio: 30 / 61
  • I attempted the EK again on a second run a day or so later, and the landing page was now obfuscated and no “logging” was observed. The actions, however, were slightly different. A file was dropped in Temp which created a scheduled task which downloaded the loader.
    C8ztWECXsAAkU25
  • Now I may have got some parts of this analysis muddled up. Unfortunately I deleted the VM before I could look at the exact flow of traffic. I had hit so many Magnitude flows that my VM was infested with processes. I eventually tired and figured I could understand it all from the pcaps anyway.

Rig EK via Malvertising delivers Bunitu

Summary:

I have been tracking a Rig EK campaign that drops Bunitu. It appears to be cycling domains often. I originally found it via my usual malvertising chain (Popads). Every site always has an iframe to another domain usually on the same IP which then leads to Rig EK. I believe the gate requires a correct referrer in order to appear. I’m not sure if this gate exists anywhere else in the wild or whether it is unique to the threat actors behind Bunitu.

I noticed some DNS traffic every time a client connected to the infected host that did not trigger any ET signatures, but I'm fairly sure it is Bunitu.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Bunitu Trojan:

https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/

Downloads

(in password protected zip)

Notable Details:

  • 206.54.163.50 – onclkds.com – 302 Malvertising
  • 174.137.133.18 – xml.mediacpc.com  – 302 Malvertising
  • 78.46.232.211 – lifeerotic011.info – Compromised Site
  • 78.46.232.211 – llifesdfgdhfjgkhlj.info – Compromised Site
  • 46.173.219.21 – admin.lauraducharme.com – Rig EK
  • 200.43.39.88 – u.dreamlifedust.net – Bunitu DNS Lookup 
  • 200.43.39.88 – z.dreamlifedust.net – Bunitu DNS Lookup
  • Payload was 2p8uomsp.exe -> VirusTotal
  • Payload created noxiubc.dll -> VirusTotal

Details of infection chain:


100417-RigBunitu.png

Malvertising leads to Rig EK which delivers Bunitu proxy trojan. Bots can be seen connecting.

Full Details:

  • A malvertising chain leads to Rig EK which delivers Bunitu. The website contains an iframe which leads to another domain on the same IP which contains an iframe to Rig EK.
  • The payload was 2p8uomsp.exe
  • SHA256: 032d620e3229f62622a4bf0f150bf00876c7ea08bc4c004f16ac1cc2d5fac6ee
    File name: 2p8uomsp.exe
    Detection ratio: 7 / 61
  • Bunitu uses a DLL called noxiubc.dll.
    SHA256: f6ff9029fe8193563a9804313b39b2f8f16f6c640cfaa33373a2d2b84a52e05c
    File name: noxiubc.dll
    Detection ratio: 27 / 61
  • Bunitu opens random ports by changing firewall settings and allows the host to become a remote proxy.
  • Three bots can be seen using the proxy. According to forum posts such as this “clients.your-server.de” is suspected to be bot traffic:
  • qv-in-f100.1e100.net
    static.114.34.40.188.clients.your-server.de
    static.87.34.40.188.clients.your-server.de
  • Every time a client connects, Bunitu issues a DNS request. Although these did not trigger any ET signatures, I am sure they are initiated by Bunitu.

Terror EK delivers K.I.N.S.

Summary:

Often I revisit old websites that I've looked at before to look for any changes. This particular domain I investigated around the 8th of March, when it dropped August Stealer via Rig EK. The site was also reported by @St3f4nMZ as it appeared to host different Sundown EK strings. This actually turned out to be Nebula EK. So far this domain appears to have hosted at least 3 different EKs, dropping interesting malware.

This Terror version used 2 Flash exploits and requested the Silverlight exploit from the same host as in my last Terror EK blog. Other than that, nothing else stood out as unusual.

The payload was identified with the help of @Antelox as K.I.N.S. (Kasper Internet Non-Security). This is a ZeuS variant which uses steganography to fetch a configuration. It has the usual web injects and data exfiltration via POST requests. It was very interesting to observe.

Background Information:

  • An article on Terror exploit kit:

https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit–More-like-Error-Exploit-Kit/

  • Some Exploits used by this version of Terror EK:

http://malware.dontneedcoffee.com/2013/11/cve-2013-0074-silverlight-integrates.html

http://malware.dontneedcoffee.com/2014/11/cve-2014-6332.html

http://malware.dontneedcoffee.com/2013/11/cve-2013-2551-and-exploit-kits.html

  • Great article on K.I.N.S.:

https://www.arbornetworks.com/blog/asert/wp-content/uploads/2015/08/ZeusVM_Bits_and_Pieces.pdf

Downloads (in password protected zip)

Notable Details:

  • 188.215.92.104 – hurtmehard.net:443 – Compromised site using HTTPS
  • 162.243.119.23 – Terror EK traffic
  • 159.203.185.4 – Silverlight exploit from another Terror EK host
  • 185.100.87.161 – badlywantyou.top – K.I.N.S. config via steganography and exfiltration
  • 86.106.131.137 – badboys.net.in – Extra run K.I.N.S. CnC
  • Payload was rad0FEB3.tmp.exe -> VirusTotal (89572e8e0a2e96c655356939777da05ee47f5ffe7e9305b7c251446d61a558c6)

Details of infection chain:

[Figure TerrorEKZeuSVMKINS.png: Terror EK delivers K.I.N.S.]

  • I did an extra run where you can see two payloads were dropped that were actually the same file. This was Smoke Loader, which downloaded K.I.N.S. I have not included a PCAP or files for this, though if you want to see it, contact me on Twitter or via the about page.

[Figure: TerrorEKKins]

Full Details:

  • The payload sat in the process list for around 10+ minutes before any CnC occurred.
    SHA256: 89572e8e0a2e96c655356939777da05ee47f5ffe7e9305b7c251446d61a558c6
    File name: rad0FEB3.tmp.exe
    Detection ratio: 17 / 61
    ESET-NOD32: Win32/Spy.Zbot.ABV
  • Along with a file called “Bookworm”, a DLL was created.
    SHA256: 538ac74c3459fe052b18f4ff6fd28fde5d852d252e9135464c6a6e68e8fcd905
    File name: ponticello.dll
    Detection ratio: 8 / 61
    ESET-NOD32: a variant of Win32/Injector.DNII
  • After a while another binary was created. Shortly afterwards the malware cleaned up by deleting itself and then injected itself into another process. This is when CnC began.
    SHA256: 5d680f3948ed54612bc0cc812b2d287e85e2bb432267b295d37132e8077d85a2
    File name: uceno.exe
    Detection ratio: 14 / 61
    ESET-NOD32: NSIS/Injector.VP
  • K.I.N.S. performs GET requests for a jpg file (badlywantyou[.]top/smk/config.jpg). The picture appears harmless, but the malware is using steganography to fetch its config.
  • Data exfiltration occurs using POST requests to the same domain.
  • Much like my previous blog on Terror EK, there was no obfuscation of the landing page. This version used 2 Flash exploits and 1 Silverlight exploit. It requested the same Silverlight exploit from the Terror EK host from my previous blog:

Terror EK delivers BitCoin Miner
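A detection for the K.I.N.S. traffic pattern described above (config pulled from a .jpg, then POST exfiltration to the same domain), added here as an example and not code from the original post. The proxy log lines are constructed: the POST path is a placeholder because the post does not give it, and the "no Referer" condition and 600-second window are assumptions of this example.

```python
"""Flag a client that fetches an image with no Referer, then POSTs to the same domain.

Added example for the K.I.N.S. behaviour: config fetched from config.jpg via
steganography, exfiltration by POST to the same domain. The log is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log: <ts> <client> <method> <url> <referer or -> <status> <bytes_sent>
SAMPLE_LOG = """\
1490790000 10.0.0.5 GET http://badlywantyou.top/smk/config.jpg - 200 0
1490790012 10.0.0.5 POST http://badlywantyou.top/PLACEHOLDER-POST-PATH - 200 4096
1490790020 10.0.0.5 POST http://badlywantyou.top/PLACEHOLDER-POST-PATH - 200 3072
1490790030 10.0.0.7 GET http://example.org/logo.jpg http://example.org/ 200 0
1490790041 10.0.0.7 POST http://example.org/login - 200 120
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (GET|POST) (\S+) (\S+) (\d{3}) (\d+)$")
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")

def parse(log):
    """Yield (ts, client, method, url, host, referer, bytes_sent) per well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, url, ref, _status, nbytes = m.groups()
            yield int(ts), client, method, url, urlsplit(url).hostname or "", ref, int(nbytes)

def image_then_post(log, window=600):
    """Return [(client, host, image_url, post_count, bytes_posted)] for suspicious pairs.

    A pair is suspicious when the client fetched an image from `host` without a
    Referer (no page context, as a bot does) and then POSTed to the same host
    within `window` seconds. Browser image loads normally carry a Referer.
    """
    first_image = {}             # (client, host) -> (ts, image_url)
    posted = defaultdict(list)   # (client, host) -> [bytes_sent, ...]
    for ts, client, method, url, host, ref, nbytes in parse(log):
        key = (client, host)
        if method == "GET" and ref == "-" and urlsplit(url).path.lower().endswith(IMAGE_EXT):
            first_image.setdefault(key, (ts, url))
        elif method == "POST" and key in first_image and ts - first_image[key][0] <= window:
            posted[key].append(nbytes)
    return [(c, h, first_image[(c, h)][1], len(b), sum(b)) for (c, h), b in posted.items()]
```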

  • The initial landing page appears to be a pre-landing page. It makes checks for plugins, then performs a POST request to the actual landing page.

[Figure: TerrorPost]

  • The actual landing page calls several iframes which contain calls for the Flash and Silverlight exploits.

[Figure: Iframes]

Terror EK delivers BitCoin Miner

Summary:

After having found the previous Terror EK I went searching for it again a few days later. I found what I initially thought was Terror EK but did not get any ET signatures for the landing page. I then saw that it did not resemble my last analysis, in that there were no Flash exploits. Instead there was a Silverlight exploit.

I decided to tweet it out to the wider community, to a few EK hunters I know:

https://twitter.com/Zerophage1337/status/847225885610491905

It was confirmed by all to be Terror EK. In fact I had missed a Snort rule which said it was Terror EK. Often Snort rules don’t seem to pick up landing pages so I had thought not to look there. I shall from now on! Several people got involved, so many thanks to them, especially for identifying the payload.

For this sample I dug a bit further into the landing page code, which you can see later on.

Background Information:

  • An article on Terror exploit kit and my previous detection for comparison:

https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit–More-like-Error-Exploit-Kit/

https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/

  • Article about Terror EK dropping coin miner:

https://blog.malwarebytes.com/cybercrime/2017/01/the-curious-case-of-a-sundown-ek-variant-dropping-a-cryptocurrency-miner/

  • Exploits used by this version of Terror EK:

http://malware.dontneedcoffee.com/2013/11/cve-2013-0074-silverlight-integrates.html

http://malware.dontneedcoffee.com/2014/11/cve-2014-6332.html

http://malware.dontneedcoffee.com/2013/11/cve-2013-2551-and-exploit-kits.html

Downloads (in password protected zip)

Notable Details:

  • 173.208.245.114 – sexyvideos.club – 302 redirect
  • 159.203.185.4 – Terror EK traffic
  • 69.65.17.35 – a.pomf.cat – Miner CnC (from Hybrid Analysis)
  • Payload was rad5DA27.tmp.dll -> VirusTotal (71ea85fd9a93949b4a22ed0ac43caebf991f9c046318bf6a490fe1ecb95537fe)
  • It was submitted to Hybrid Analysis.

Details of infection chain:

[Figure 290317TerrorEK.png: Terror EK, without Flash exploits, drops a BitCoin miner.]

Full Details:

  • The payload claims to be a Steam DLL.
  • This payload was dropped but did not run in my environment. Possibly it did not meet the requirements.

[Figure: Steam.PNG]

    SHA256: 71ea85fd9a93949b4a22ed0ac43caebf991f9c046318bf6a490fe1ecb95537fe
    File name: rad5DA27.tmp.dll
    Detection ratio: 6 / 61
  • This is the final executable after being unzipped.
    SHA256: 8c9bcc0ec7c7555919c2bac77bcac146321a5cbe2ee7fd4ed4d431225b3e4cc7
    File name: minerd.exe
    Detection ratio: 36 / 62
    ESET-NOD32: a variant of Win64/BitCoinMiner.U potentially unsafe
  • The payload downloads a file called “miner.zip” and uses 7zip to unzip it.

[Figure: hybridprocess.PNG]

[Figure: minerd]

  • This variant of Terror EK did not use any Flash exploits. It appeared to use 3 other exploits.
  • The initial landing page seemed to contain tracking and adverts, which could be a sort of pre-landing page. I could not locate any exploits within it. It does however create a POST request to the “real” landing page where the exploits are contained.
  • On the landing page is an iframe leading to a Metasploit Silverlight exploit.

[Figure: 20130074.PNG]

    SHA256: 88cdbf79aba30f553a949fc281baaa5d2e5f887d6c3f05b617c4712a709d47a9
    File name: SilverApp1.xap
    Detection ratio: 39 / 58
    ESET-NOD32: a variant of Win32/Exploit.CVE-2013-0074.O
    SHA256: 06f1aaba68a23d85601ad069dd5ff9cff03ef4bd9500a4ee1d4edcd290b521e8
    File name: SilverApp1.dll
    Detection ratio: 41 / 62
    ESET-NOD32: a variant of Win32/Exploit.CVE-2013-0074.O
  • This is part of CVE-2014-6332, AKA Godmode. Note the payload URL contains the CVE number.

[Figure: 20146332.PNG]

  • And finally CVE-2013-2551, which is the exploit that compromised my endpoint, as you can see from the URL in the main picture.

[Figure: 2013-2551]