I’ve been keeping track of Magnitude EK lately and have observed it changing a fair bit however the payload still fails to download. I decided to collect a number of flows from 14-20 April and display them below. You may argue that this EK does not seem to drop a payload anymore and is only active in a specific region of the world and so the threat is low but I have seen it change so it is still actively being developed. For as long as it is being developed it could post a serious threat if a new exploits are discovered.

The URL’s may be useful for regex detections however the landing page for the latest sample has no URL pattern. I have also seen a .pw domain used which is a bit different as many of the previous use TLD’s which spell words such as “.space”.

Also of note is that Magnitude drops a file in Temp which is used to download the payload and create a scheduled task which then runs it. At the same time it also requests a scriptlet which attempts to download and execute a payload. This meant a single flow was creating  5+ payloads.

I also began to attempt to deobfuscate the landing page to attempt to figure out what all the URL’s mean. Some appear to give a 404 error. It is likely these are payload requests but there is no payload to download hence the 404.

Anyway I hope the URL’s are interesting. I have included the latest PCAP as well. Overall I was hoping to do a lot more with Magnitude but I have not got round to it. I hope this article explains this rarer EK a bit more.

Details of infection chain:

(click to enlarge!)

Magnitude EK As of 20 April does not appear to have a landing page URL pattern.

 

• The Magnitude gate is very similar to that on the compromised website. So far it has only led to Magnitude and an unknown EK. 

• The landing page URL does not have a URL pattern in the latest sample. The script at the top calls the Flash exploit. The rest of the page is obfuscated. Each letter calls an array and it is all then concatenated together. By printing the contents of the array then substituting  the values, almost all obfuscation of the VBscript section is removed. The landing page actually contains a lot of junk code.
• This is a deobfuscated page of another Magnitude flow. I began to decode and realised I had done the wrong sample.. For illustration purposes though you can see the junk variables interlaced with legitimate variables and the Godmode exploit.
• 
• Magnitude EK has a second page of exploits which is requested at the end of the first landing page. It also uses an array however this one is different. In fact all samples I have seen have a different array.
• Below is a section of the deobfuscated page showing CVE-2014-6332.
• This is the Flash exploit. The resulting URL returned 404. It is likely it would have downloaded a payload.
• Magnitude EK creates a file in Temp with a “rad” naming theme. The script downloads the payload and creates a scheduled task which then executes it. The payloads always fail on my host (they are 0kb)
• 
• This is a deobfuscated scriplet (.sct) which also attempts to download and execute the payload and also fails.

Here are the VirusTotal report on the Flash exploit 7o3uf4dblbta.swf. Magnitude’s Flash exploits always have a very low detection rate. I’m surprised to see McAfee is the only one to detect this.