Thursday, May 18, 2017

Terror Evolved: Exploit Kit Matures

This post is authored by Holger Unterbrink and Emmanuel Tacheau


Executive Summary


Talos is monitoring the major Exploit Kits (EKs) on an ongoing basis. While investigating the changes we recently observed in the RIG EK campaigns, we identified another well-known candidate: Terror Exploit Kit.

Terror EK is one of the new players that showed up after the big Exploit Kit market consolidation last year. When Angler and friends disappeared, new EKs started to try their luck. Many of them were far from Angler's quality. One of these was Terror EK, which appeared at the end of last year. It started with a very simple version, carpet bombing the victims with many exploits at the same time, regardless of whether an exploit matched the victim's browser environment or not. Unfortunately, its authors improved the kit step by step and we saw a fast evolution up to the latest version analysed in this report.

We identified a potentially compromised legitimate web site acting as a malware gate, redirecting visitors initially to a RIG exploit kit landing page, then switching to Terror exploit kit one day later.

This may indicate how these campaigns collaborate and share resources, or possibly one campaign pirating another. Terror seems to be constantly evolving. In this campaign it has added further exploits and no longer carpet bombs the victim. Instead it evaluates data about the victim's environment and then picks potentially successful exploits depending on the victim's operating system, patch level, browser version and installed plugins. This makes it harder for an investigator to fully uncover which exploits the kit has.

It is interesting to note that the adversaries are using a URL parameter in cleartext for the vulnerability they are going to exploit, e.g. CVE-2013-2551 appears as cve20132551 in the URL.




Technical Details:


The attack chain starts with a compromised website which redirects the victim to the EK landing page using an HTTP 302 Moved Temporarily response. The landing page is filled with some random Lorem Ipsum text, as you can see in Fig. A below.

Fig.A
As mentioned in the Executive Summary, the landing page uses some obfuscated JavaScript code to evaluate the victim's browser environment; for example, it tries to get version information about the following plugins: ActiveX, Flash, PDF reader, Java, Silverlight, QuickTime, etc. It then uses the return value of this function to submit the hidden form called 'frm'. As you can see below, it fills this version information into the form fields. The form field names appear to be generated dynamically; they vary between the sessions we recorded.

    return document.getElementById("65c0cd56").value = r.flash,
        document.getElementById("1f57be6f").value = r.pdf,
        document.getElementById("1bc1bd0f").value = t() + "|" + r.silverlight,
        document.getElementById("3d64d278").value = r.quicktime,
        document.frm.submit(), r

At the end of the page you find this HTML form code:
Fig.B
For this session, we can resolve the names in the following way:

65c0cd56 = Flash version
1f57be6f = PDF version
1bc1bd0f = Silverlight version
3d64d278 = QuickTime version

In other sessions these names changed to e.g.
A59117,B59117,C59117,Q59117,102b6031,80870248,55066b2d,40a632b5,7c5caca6

The first part of the form, up to the value "od50AA42KhpGDD69…<snip>...CRDXrL45PYMCC911K", is filled in by the server. We assume these values are generated dynamically and may carry further information about the victim and the campaign.
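The cross-check a defender can run over a captured landing page, as an added example that is not code from the original post: the JavaScript probe writes (getElementById(...).value = r.<plugin>) are matched against the hidden inputs of the form that is submitted. The field names and the form name below are the ones recorded on this page; the sample HTML itself is constructed.

```python
import re

# Patterns from the Terror EK landing page described above: plugin versions are
# written into hidden form fields with random-looking names, then the form is
# submitted. The field names in SAMPLE are this page's observations, not signatures.
ASSIGN_RE = re.compile(
    r'getElementById\("(\w{6,8})"\)\.value\s*=\s*'        # hidden field id
    r'(?:\w+\(\)\s*\+\s*"\|"\s*\+\s*)?'                    # optional t() + "|" + prefix
    r'\w+\.(flash|pdf|silverlight|quicktime|java|activex)\b', re.I)
SUBMIT_RE = re.compile(r'document\.(\w+)\.submit\(\)')
INPUT_RE = re.compile(r'<input\b[^>]*>', re.I)
FORM_RE = re.compile(r'<form\b[^>]*\bname\s*=\s*["\']?(\w+)', re.I)

def attr(tag, name):
    """Value of an HTML attribute inside a single tag, or None."""
    m = re.search(r'\b' + name + r'\s*=\s*["\']?([^"\'\s>]+)', tag, re.I)
    return m.group(1) if m else None

def fingerprint_form_report(html):
    """Match the JS probe writes against the hidden form they target."""
    writes = {fid.lower(): plugin.lower() for fid, plugin in ASSIGN_RE.findall(html)}
    hidden = {attr(t, "name").lower() for t in INPUT_RE.findall(html)
              if (attr(t, "type") or "").lower() == "hidden" and attr(t, "name")}
    submitted = SUBMIT_RE.search(html)
    form = submitted.group(1) if submitted else None
    matched = set(writes) & hidden
    return {
        "plugins_probed": sorted(set(writes.values())),
        "form": form,
        "matched_fields": sorted(matched),
        # at least two plugin probes landing in hidden fields of the submitted form
        "suspicious": form is not None and form in FORM_RE.findall(html)
                      and len(matched) >= 2,
    }

# Constructed landing page fragment; the server-filled value is a placeholder.
SAMPLE = """<p>Lorem ipsum dolor sit amet.</p>
<form name="frm" method="post" action="/d/9477ff41b6290c91547cc8e31ad53bee/">
<input type="hidden" name="8cf2a19b" value="CONSTRUCTED_SERVER_FILLED_VALUE">
<input type="hidden" name="65c0cd56"><input type="hidden" name="1f57be6f">
<input type="hidden" name="1bc1bd0f"><input type="hidden" name="3d64d278">
</form>
<script>function p(r){return document.getElementById("65c0cd56").value = r.flash,
document.getElementById("1f57be6f").value = r.pdf,
document.getElementById("1bc1bd0f").value = t() + "|" + r.silverlight,
document.getElementById("3d64d278").value = r.quicktime, document.frm.submit(), r}</script>"""
```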

The POST request generated by this page is answered with an HTML page containing a JavaScript and a VBScript. These scripts contain the URLs from which the exploits for the selected CVEs are fetched. For a session with Windows 7 and Internet Explorer 8, for example, they look like this:

JavaScript:
hxxp://146[.]185[.]166[.]209/d/9477ff41b6290c91547cc8e31ad53bee/?q=r4&r=c3c100b92ffbb7ca95d18559c72c1aff&e=cve20132551

VBScript:
hxxp://146[.]185[.]166[.]209/d/9477ff41b6290c91547cc8e31ad53bee/?q=r4&r=c3c100b92ffbb7ca95d18559c72c1aff&e=cve20146332

The scripts exploit these vulnerabilities and then try to download the final malware to be installed on the victim's PC. Interestingly, the second, VBScript-based request is no longer answered once the JavaScript exploit has already successfully installed the final malware.

The EK has clearly moved away from its carpet-bombing approach and is now much more selective in the exploits it uses to infect the victim. If we access the site with a different browser, e.g. IE11 instead of IE8, we get other files back, e.g. cve20160189 and cve20152419.
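Detection logic over proxy log lines that uses the cleartext e= parameter described above, as an added example that is not part of the original post: exploit fetches are grouped by the r= session token and the CVE tag is normalized to CVE-YYYY-NNNN. The log format, client addresses and the second session token are constructed; the host, path, first token and CVE tags are the ones shown on this page.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

CVE_PARAM = re.compile(r'^cve(\d{4})(\d{4,})$', re.I)

def cve_from_param(value):
    """'cve20132551' -> 'CVE-2013-2551'; None when the value has another shape."""
    m = CVE_PARAM.match(value or "")
    return f"CVE-{m.group(1)}-{m.group(2)}" if m else None

def find_ek_sessions(lines):
    """Group exploit fetches by the 'r' session token; record the CVE named by
    the 'e' parameter and the HTTP status the proxy logged for that fetch."""
    sessions = defaultdict(lambda: {"client": None, "host": None, "exploits": {}})
    for line in lines:
        ts, client, method, url, status = line.split()
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        cve = cve_from_param(query.get("e", [""])[0])
        if cve is None:
            continue
        sess = sessions[query.get("r", ["-"])[0]]
        sess["client"], sess["host"] = client, parts.hostname
        sess["exploits"][cve] = int(status)
    return dict(sessions)

# Constructed proxy log lines: "time client method url status". Host, path and
# the first session token are this page's IoCs; the second token is a placeholder.
# The unanswered VBScript fetch of the IE8 session is logged here with status 0.
EK = "http://146.185.166.209/d/9477ff41b6290c91547cc8e31ad53bee/"
SAMPLE_LOG = [
    "1495100001 10.0.0.5 GET http://www.example.org/index.html 200",
    f"1495100002 10.0.0.5 GET {EK}?q=r4&r=c3c100b92ffbb7ca95d18559c72c1aff&e=cve20132551 200",
    f"1495100003 10.0.0.5 GET {EK}?q=r4&r=c3c100b92ffbb7ca95d18559c72c1aff&e=cve20146332 0",
    f"1495100010 10.0.0.9 GET {EK}?q=r4&r=0000000000000000000000000000beef&e=cve20160189 200",
    f"1495100011 10.0.0.9 GET {EK}?q=r4&r=0000000000000000000000000000beef&e=cve20152419 200",
]
```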

They also use cookie-based authentication for downloading the exploits. The attack chain sets the following cookie (Fig.C):

Fig.C

This prevents anyone who did not follow the full attack chain from downloading the exploits directly, whether a competing cybercriminal trying to steal the exploits or a forensic investigator trying to find out from where and how the victim was infected.

As mentioned above, the JavaScript file exploits CVE-2013-2551. After exploitation, it generates another JScript file, writes it to disk and executes it via the command line (Fig.D):

Fig.D


The beautified and more or less deobfuscated version of Zs3n.tmp looks like this:

Fig.E
This script downloads the encrypted binary stream from the EK website, decodes it, saves it to disk under a random name and finally executes it. In our case it is called rad9F6BA.tmp.exe (SHA1: e373b7f49e07d0c6176565357aedbe61e2d39306). You can find it in the process list below (Fig. F). This executable seems to be a variant of the Terdot.A/Zloader malware downloader. Besides code sharing, it also contains the exact same list of hardcoded IP addresses which are known for Zloader.

The Terdot.A/Zloader dropper rad9F6BA.tmp.exe uses a technique known as process hollowing to inject code into the explorer.exe (3148) process. After the unpacking stage it uses DLL injection to inject code into explorer.exe (1968).

Fig.F

Process explorer.exe (1968) then downloads and drops multiple other files, and creates and injects code into the dwm.exe (1924) and taskhost.exe (1996) processes via CreateRemoteThread.

Important files downloaded (see the IOC section for hashes):
C:\Users\<USER>\AppData\Roaming\Romaa\php.exe
C:\Users\<USER>\AppData\Roaming\Romaa\php5ts.dll
C:\Users\<USER>\AppData\Roaming\Hele\fido.onm
C:\Users\<USER>\AppData\Roaming\Xunup\quis.voz
C:\Users\<USER>\AppData\Roaming\Romaa\miemr.php
C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

Terdot.A/Zloader makes itself persistent by downloading the PHP interpreter environment and an obfuscated PHP script (miemr.php). To make sure the malware gets executed at startup, it adds a link to 'C:\Users\<name>\AppData\Roaming\Romaa\php.exe miemr.php' in the Startup folder.

The obfuscated miemr.php script does nothing other than regenerate the same binary file which was already downloaded as rad9F6BA.tmp.exe (SHA1 e373b7f49e07d0c6176565357aedbe61e2d39306) via the Exploit Kit attack chain. The script decrypts the file quis.voz, which is one of the files dropped by the explorer.exe (1968) process, which also dropped the PHP files during the initial infection. This behaviour was already described in some Sundown EK campaigns dropping Zloader. Terror EK is known for using exploits used by Sundown, so it seems they also use payloads from Sundown. The PHP script in this campaign is not the same as, but similar to, the one described in the report referenced above (Fig.G).
Fig.G

See Fig.H for the deobfuscated version (disarmed so that it does not decode the quis.voz file):
Fig.H
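A host-side check for the persistence described above (a Startup-folder .lnk launching php.exe from AppData\Roaming with a .php script), as an added example that is not code from the original post: a minimal MS-SHLLINK reader pulls the local base path and arguments out of a .lnk, and a predicate flags the php.exe/miemr.php pattern. The build_lnk helper only constructs a minimal test shortcut; on a live host you would read the .lnk files from the Startup folder instead.

```python
import struct

# MS-SHLLINK LinkFlags bits and the StringData sections they switch on.
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_SECTIONS = [(0x04, "name"), (0x08, "relpath"), (0x10, "workdir"),
                   (0x20, "args"), (0x40, "icon")]

def parse_lnk(data):
    """Minimal .lnk reader: local base path (from LinkInfo) and StringData fields."""
    flags = struct.unpack_from("<I", data, 20)[0]       # LinkFlags sits at offset 20
    pos, out = 0x4C, {"target": ""}                      # 76-byte ShellLinkHeader
    if flags & HAS_IDLIST:                               # skip the shell item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        size, _hdr, li_flags, _vol, base_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x1:                               # VolumeIDAndLocalBasePath
            end = data.index(b"\x00", pos + base_off)
            out["target"] = data[pos + base_off:end].decode("cp1252")
        pos += size
    for bit, key in STRING_SECTIONS:                     # CountCharacters + chars, no NUL
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + n * width]
            out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += n * width
    return out

def is_roaming_php_autostart(data):
    """True when the link runs php.exe from AppData\\Roaming with a .php script."""
    info = parse_lnk(data)
    target, args = info["target"].lower(), info.get("args", "").lower()
    return ("\\appdata\\roaming\\" in target and target.endswith("\\php.exe")
            and args.endswith(".php"))

def build_lnk(target, args):
    """Constructed minimal .lnk (LinkInfo + Arguments) so the check runs offline."""
    base = target.encode("cp1252") + b"\x00"
    # LinkInfo: 28-byte header, LocalBasePath right after it, empty CommonPathSuffix
    link_info = struct.pack("<7I", 28 + len(base), 28, 0x1, 0, 28, 0, 27 + len(base)) + base
    flags = HAS_LINKINFO | 0x20 | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, b"\x00" * 16, flags) + b"\x00" * 52
    return header + link_info + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```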


Conclusion


We have seen that the exploit kit market is experiencing ongoing change. Big players in this market disappear while new ones show up. The new players are fighting for customers by constantly improving their quality and techniques. They modify these techniques on an ongoing basis to improve their ability to bypass security tools. This clearly shows how important it is to make sure that all your systems are up to date. Utilizing a multi-layered defensive architecture will help organizations detect and protect against threats like this. Talos continues to monitor Terror EK as it evolves to ensure that we continue to effectively protect our customers. We strongly encourage users and organizations to follow recommended security practices, such as installing security patches as they become available, exercising caution when receiving messages from unknown third parties, and ensuring a robust offline backup solution is in place. These practices will help reduce the risk of a compromise and aid in recovery from any such attack.


IOC


Summarized network communication:

Fig.H

Samples:

C:\Users\<USER>\AppData\Roaming\Hele\fido.onm
MD5: c7f52f5d46474128c51d097a07068ed5
SHA1: 0994f518b405efce77fb743b899782bdf37fef55
SHA256: 5a51865eee18a520035248344f7c00a4de95a500c6356687d67e09a1e4fcdbb8

C:\Users\<USER>\AppData\Local\Temp\1wfaqsy8.exe
MD5: fa9db03e1f07e45e48f05684da255c85
SHA1: e373b7f49e07d0c6176565357aedbe61e2d39306
SHA256: 9ae356843ccbda7747e45b292fcf0c3eebbcc4a93101752a0007c9abaa79037a

C:\Users\<USER>\AppData\Roaming\Xunup\quis.voz
MD5: 134393b69f946ae8b8cf2560579209f8
SHA1: 96cbd5e76b91c611430f221613480b4480ccc6c4
SHA256: d2e9530c350ac6b421cf2ab4a70cad11565cfee67c5688d88cf559f161d199f3

C:\Users\<USER>\AppData\Roaming\Romaa\miemr.php
MD5: e20a6d41f64fb0a78598b1ff188ad92e
SHA1: 049b107574ca8500c05424d6974b42ce57c868ac
SHA256: 0664e690254622bd7a00c03fce2abe119bdebbc0cc773b68772f8fed66e5d2c6

C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk
MD5: 0aa9719e0b8474a88b90976a5eb3ee55
SHA1: b6f37f41594c65cad716ed486e9bc679186fdc37
SHA256: 3ec95a014dea4f47adc7715650ec17b7f60701422efbded181cb1cd154af5748

Related Samples:

f31869dd3f48f24b72ed2040eceefbcaeb4f2b93b79e75dd952aa1d3d5b022de


Full URL:

hxxp://beutifulcars222[.]website

hxxp://146[.]185[.]166[.]209/e71cac9dd645d92189c49e2b30ec627a/9477ff41b6290c91547cc8e31ad53bee

hxxp://146[.]185[.]166[.]209/9477ff41b6290c91547cc8e31ad53bee/166070/5911e2bedcb0b

hxxp://146[.]185[.]166[.]209//d/9477ff41b6290c91547cc8e31ad53bee/?q=r4&r=c3c100b92ffbb7ca95d18559c72c1aff&e=cve20146332

hxxp://146[.]185[.]166[.]209//d/9477ff41b6290c91547cc8e31ad53bee/?q=r4&r=c3c100b92ffbb7ca95d18559c72c1aff&e=cve20132551

hxxp://dogpaste[.]ru/2fwCCnphQ/2g56[.]php

hxxp://emptysand[.]ru/2fwCCnphQ/2g56[.]php


Hardcoded IPs: 


Coverage


Snort Rule: 25050, 39754, 37909, 26638, 23179


Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Additional ways our customers can detect and block this threat are listed below.


Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks. Network Security appliances such as NGFW, NGIPS, and Meraki MX with Advanced Security can detect malicious activity associated with this threat. AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products. Umbrella prevents DNS resolution of the domains associated with malicious activity. Stealthwatch detects network scanning activity, network propagation, and connections to CnC infrastructures, correlating this activity to alert administrators.
