Rig EK via Malvertising drops Smoke Loader

Summary:

This is a quick blog about a Rig EK detection I found on Friday. I had tweeted it out as I could not figure out the payload but I also did not have time to blog it. The community all chipped in and discovered it was a new version of Smoke Loader.

Background Information:

Downloads

(in a password-protected zip)

Details of infection chain:

(Image: Rig EK via malvertising drops Smoke Loader)

Full Details:

As you may know, Rig EK is now using the Flash exploit CVE-2018-4878. You can view my previous post for a few more details about this. Essentially they appear to have just replaced the old Flash file with the new one without any other major changes.

During this run I had the same setup. A series of 302 redirects led to Rig EK. This malvertising chain was not as complex as my previous blog but the payload was a surprise.
SHA256: 77f9f74f074dcb5fe5c5dfb7127f6d4932f08963e9d6cb6051f802583a317a65
File name: b6.exe
Detection ratio: 19 / 65
Analysis date: 2018-04-13 20:48:12 UTC
Initially I noted some familiar behaviour on my endpoint: the payload immediately closed all the Sysinternals tools I had open and would not let me open them again. I have only seen this behaviour with Smoke Loader.
I also observed that the process periodically stopped and started. Other than a DNS request I did not catch any C2s, and no other payloads were dropped on my lab. Unsure of what this was, I used Any.Run to see if I could tease out any more IOCs; the run is public there.
To identify it I decided to ask the Twitter community what they thought. A lot of people chipped in and the consensus was that it is a new version of Smoke Loader.
In the above run I did browse to one of the C2s from inside the sandbox, which auto-redirected me to a search engine; the malicious activity happened before I opened Chrome.
(Image: the initial tweet)

Essentially a number of Twitter users replied to this tweet with some very interesting information about the payload.

 

Please follow the Twitter thread or the hashtag #smokeloader and follow all of these great people.

Rig EK drops GandCrab Ransomware Via CVE-2018-4878

Summary:

After some absence, I have returned to blog on Rig EK’s inclusion of CVE-2018-4878. This was reported by @nao_sec and then @kafeine. Initially I had planned to blog about a maldoc: I had obtained a sample of a #ThreadKit document that had recently included this Flash exploit, so I updated my lab in order to run it and give me something to blog about. That’s when I saw the Twitter posts and went hunting for Rig EK instead.

Using a fully patched Win 7 64 bit machine with IE 11 and Flash player 28,0,0,126 I found a malvertising chain which is interesting in itself. No simple iframes or long 302 redirect chains here; this one used multiple JavaScript stages. The payload was GandCrab ransomware, which encrypted my files with the .CRAB extension.

The blog is not so detailed I’m afraid but hopefully the PCAP will be useful to some.

 

Background Information:

Downloads

(in a password-protected zip)

Details of infection chain:

(Image: Win 7 64 bit, IE 11 and Flash 28,0,0,126 – Rig EK drops GandCrab ransomware via CVE-2018-4878)

Full Details:

The infection chain begins with malvertising. Compared to past infection chains that used old techniques such as iframes and 302 redirects, this flow uses a series of JavaScript stages to direct the user to Rig EK. There is a lot going on here, but the end result is a redirect to Rig EK.
It’s been a while since I actually looked at Rig in detail but at a glance I can see the obfuscation has changed somewhat from the older regex. I had heard it changed to a simple base64 encoding.
(Image: Rig EK landing page)
Testing that base64 idea reveals two URLs which together download the Flash file along with the RC4 key “P6L5N93wsds”.
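As an added illustration (not code from this post), here is a small Python triage helper that pulls base64-looking strings out of captured landing-page text, decodes them and reports any URLs they hide, which is the manual check described above. The sample page, hostnames, variable names and the placement of the RC4 key in a query parameter are constructed for the demonstration and are not Rig EK's real markup.

```python
import base64
import binascii
import re

# Runs of base64 alphabet characters long enough to be worth decoding.
B64_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def decode_blobs(text):
    """Decode every base64-looking run in text, keeping only printable ASCII results."""
    found = []
    for match in B64_RE.finditer(text):
        blob = match.group(0).rstrip('=')
        if len(blob) % 4 == 1:          # impossible length for base64 data
            continue
        blob += '=' * (-len(blob) % 4)  # restore padding the page may have dropped
        try:
            raw = base64.b64decode(blob, validate=True)
            decoded = raw.decode('ascii')
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            found.append(decoded)
    return found


def decoded_urls(text):
    """Return URLs hidden inside base64 blobs, in page order."""
    urls = []
    for decoded in decode_blobs(text):
        urls.extend(URL_RE.findall(decoded))
    return urls


def _b64(s):
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(s.encode()).decode()


# Constructed sample page: two base64 strings in script variables, as the post
# describes, but the markup, hostnames and key placement are invented here.
SAMPLE_PAGE = (
    '<script>var u1="' + _b64('http://ek.invalid/?id=7&key=P6L5N93wsds') + '";'
    'var u2="' + _b64('http://ek.invalid/177_.swf') + '";'
    'var noise="notBase64Really!!";</script>'
)

if __name__ == '__main__':
    for url in decoded_urls(SAMPLE_PAGE):
        print(url)
```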
(Image: Flash download)
For this run I was using a fully patched Win 7 64 bit machine with an up-to-date IE 11. My Flash version was 28,0,0,126. CVE-2018-4878 is described as “A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161.”
(Image: Flash exploit)
The Flash object was already on VirusTotal.
ESET-NOD32: a variant of SWF/Exploit.CVE-2018-4878.J
SHA256: 437520117f4deb7691bc0975e413b72c862aef8b18851930f515a385a6a3d54f
File name: 177_.swf
Detection ratio: 9 / 59
The payload was GandCrab ransomware, which encrypted files with the .CRAB extension and left a ransom note. However, it also continually restarted my PC, so I was forced to suspend the process. This also meant I lost some analysis due to the way I have things set up.
(Image: GandCrab)
This is the payment page for GandCrab which states that the cost will double if I don’t pay up soon.
(Image: GandCrab payment page)
I found this flow relatively quickly after hearing about the implementation of this CVE into Rig EK. Time will tell if this exploit will evolve Rig EK or not.

That is all for now!
