When analyzing network traffic we often find patterns belonging to the well-known Angler EK, Nuclear EK and Magnitude EK.
Normally sold on the black market, an Exploit Kit (EK) is a toolset that automates the exploitation of client-side vulnerabilities. It targets the browser and the plugins a web page can invoke, such as Adobe Flash Player, Microsoft Silverlight, Adobe Reader or Java, to infect computers while their users browse the Internet, in what are known as drive-by download attacks.
These patterns can be detected with Snort rules such as the following ones from the Emerging Threats (ET) rule set:
ET CURRENT_EVENTS Cushion Redirection
ET CURRENT_EVENTS Possible Nuclear EK Landing URI Struct T1
ET CURRENT_EVENTS Malvertising Redirection to Exploit Kit Aug 07 2014
ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 23 2014
Later, when we go through the proxy logs to find out whether the computer was actually infected, we find entries like these (Squid native access.log format, with timestamps and addresses masked):
(1) 1431XXXXXX.176 2212 X.X.X.X TCP_MISS/200 59981 GET http://oapsnschmelzsicherung.xxxxxxxx.com/xxxx_xxxxx_stubbornness_uprise/500125099916354311 - ROUNDROBIN_PARENT/X.X.X.X text/html
(2) 1431XXXXXX.284 351 X.X.X.X TCP_MISS/200 40950 GET http://oapsnschmelzsicherung.xxxxxxxx.com/gUumBTs1ZmB5LXoesyPvFlZqU014qtKBap7VY3eJbtxXK81S - ROUNDROBIN_PARENT/X.X.X.X application/x-shockwave-flash
(3) 1431XXXXXX.736 1569 X.X.X.X TCP_MISS/200 163950 GET http://oapsnschmelzsicherung.xxxxxxxx.com/Wb_gLKuEtf9-CCiAvIAtEVGnHsOrDIlvJjYBsAo-s2AJ8yv0 - ROUNDROBIN_PARENT/X.X.X.X application/octet-stream
As we can see, the user's browser contacts a web page (1) that loads a Flash object (2). This Flash object attempts to exploit a vulnerability in Adobe Flash Player and, if successful, downloads a binary (3), in all likelihood the malware payload, which is then executed and infects the computer. The content-type column of the proxy log (text/html, application/x-shockwave-flash, application/octet-stream) is what lets us tell the three stages apart.
But is this always the pattern? Lately in our SOC we have been seeing the following Nuclear EK pattern:
(1) 1431XXXXXX.948 2932 X.X.X.X TCP_MISS/200 745 GET http://6kfhhj1sfip7aht5erua5xi.xxxxxxxx.org/index.php? - ROUNDROBIN_PARENT/X.X.X.X text/html
(2) 1431XXXXXX.495 1495 X.X.X.X TCP_MISS/302 509 GET http://6kfhhj1sfip7aht5erua5xi.xxxxxxxx.org/watch.php? - ROUNDROBIN_PARENT/X.X.X.X text/html
(3) 1431XXXXXX.228 730 X.X.X.X TCP_MISS/200 7005 GET http://6kfhhj1sfip7aht5erua5xi.xxxxxxxx.org/SE4AHwUeBFxWC1oIA0RWCkJVU19EVlcQR1YFG1tMVVZXBFcMU0IdEFcQRF5DChwNQFA.html - ROUNDROBIN_PARENT/X.X.X.X text/html
(4) 1431XXXXXX.140 856 X.X.X.X TCP_MISS/200 19268 GET http://6kfhhj1sfip7aht5erua5xi.xxxxxxxx.org/V09AH0gbAksHHwYeBFxWC1oIA0RWCkJVU19EVlcQR1YFG1tMVVZXBFcMU0IdEFcQRF5DChwNQFBMUQNQHAMJTQNUBhkCU05TBgQBUwVUAgQDH1QOAQ - ROUNDROBIN_PARENT/X.X.X.X application/octet-stream
(5) 1431XXXXXX.833 985 X.X.X.X TCP_MISS/200 25634 GET http://6kfhhj1sfip7aht5erua5xi.xxxxxxxx.org/V09BYHT6dy87JNDTYGE5KIdehJHS98bHUJ5wcrNQFBMU5aQNQH2Tase44FJUSGDJFGfhO45MAHdfRAIROAMJsTNUBhkCU05TBgSHY1Ahg3JFYE7HCT - ROUNDROBIN_PARENT/X.X.X.X application/octet-stream
We see three hits on HTML pages (1)(2)(3) followed by the download of two binary files (4)(5), but no object that could have exploited a vulnerability to infect the computer. How did they do it? Did the user download the executable deliberately? Or is the problem that the proxy is not identifying the object correctly? Bear in mind that the content type in the log is simply the Content-Type header the server returned, and the attacker controls that server.
To study it carefully, we looked for a similar case at malware-traffic-analysis.net, from where a PCAP file can be downloaded for analysis: Example #1.
If we open the PCAP in Wireshark and filter on http, we can check that the pattern is similar to the one we detected:
(1) -> GET http://on2wyqlx7ny7x9plbfu6vg7.filmizlemefullhd.org/index.php?p=enhwZmJhPWFpeWhvcGsmdGltZT0xNTAyMTExNjM4MzYyNzYyODQ1NCZzcmM9MTc3JnN1cmw9d3d3LnByaW1laGVhbHRoY2hhbm5lbC5jb20mc3BvcnQ9ODAma2V5PTU5QUU1QzE3JnN1cmk9Lw== <- HTTP/1.1 200 OK
(2) -> GET http://zvqumcs1tsfct4sjvzot3p9.filmtane.com/watch.php?kcppp=MTE3NzU5ODg2Nzk3NjRlY2M0MmJiNDk3M2NmZGVkM2Fl <- HTTP/1.1 302 Found, Location: http://zvqumcs1tsfct4sjvzot3p9.filmtane.com/BQdXBkRUTQg.html
(3) -> GET http://zvqumcs1tsfct4sjvzot3p9.filmtane.com/BQdXBkRUTQg.html <- HTTP/1.1 200 OK
(4) -> GET http://zvqumcs1tsfct4sjvzot3p9.filmtane.com/Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs <- HTTP/1.1 200 OK
(5) -> GET http://zvqumcs1tsfct4sjvzot3p9.filmtane.com/BV4NBkQDAQ9SHwMfBh1SDFcCDwBRBVcHHVUOSwABAE0FUBlQUg0ZBkVnFHwARhgzRFc <- HTTP/1.1 200 OK
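Before going into the HTML, here is how the hunt over the proxy log can be automated. The following Python script is an added example written for this post, not code from the original article or from any tool it mentions: it parses Squid native access.log lines, groups requests per client and host, flags every HTML-then-binary sequence, reports whether an exploit object (Flash, Silverlight, Reader or Java, judged by content type) was visible in between, and decodes base64-encoded query parameters such as the p= value of the index.php gate above. The MIME-type lists and the "long base64-looking path" heuristic are our own assumptions, not the logic of the ET rules; the sample log lines are constructed, reusing the URLs, sizes and content types of the sequences on this page with placeholder timestamps, client IPs and peer address.

```python
"""Triage exploit-kit chains in Squid native access.log lines (added example,
not the article's code; MIME lists and path heuristic are our assumptions)."""
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Content types of objects an EK serves to exploit a plugin (assumed list).
EXPLOIT_TYPES = {
    "application/x-shockwave-flash": "Flash",
    "application/x-silverlight-app": "Silverlight",
    "application/pdf": "Adobe Reader",
    "application/java-archive": "Java",
    "application/x-java-archive": "Java",
}
# Content types a proxy usually records for a dropped Windows binary.
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload",
                "application/x-msdos-program"}
# One path segment of 30+ base64/urlsafe characters, optionally ending .html
# (our heuristic, not the ET rule logic).
B64_PATH = re.compile(r"^/[A-Za-z0-9_-]{30,}(\.html)?$")

# Constructed sample: URLs, sizes and content types follow the two sequences
# in the post and Example #1; timestamps, client IPs and peer are placeholders.
SAMPLE_LOG = """\
1431000000.176 2212 10.1.2.3 TCP_MISS/200 59981 GET http://oapsnschmelzsicherung.xxxxxxxx.com/xxxx_xxxxx_stubbornness_uprise/500125099916354311 - ROUNDROBIN_PARENT/10.0.0.1 text/html
1431000001.284 351 10.1.2.3 TCP_MISS/200 40950 GET http://oapsnschmelzsicherung.xxxxxxxx.com/gUumBTs1ZmB5LXoesyPvFlZqU014qtKBap7VY3eJbtxXK81S - ROUNDROBIN_PARENT/10.0.0.1 application/x-shockwave-flash
1431000003.736 1569 10.1.2.3 TCP_MISS/200 163950 GET http://oapsnschmelzsicherung.xxxxxxxx.com/Wb_gLKuEtf9-CCiAvIAtEVGnHsOrDIlvJjYBsAo-s2AJ8yv0 - ROUNDROBIN_PARENT/10.0.0.1 application/octet-stream
1431000100.948 2932 10.1.2.4 TCP_MISS/200 745 GET http://on2wyqlx7ny7x9plbfu6vg7.filmizlemefullhd.org/index.php?p=enhwZmJhPWFpeWhvcGsmdGltZT0xNTAyMTExNjM4MzYyNzYyODQ1NCZzcmM9MTc3JnN1cmw9d3d3LnByaW1laGVhbHRoY2hhbm5lbC5jb20mc3BvcnQ9ODAma2V5PTU5QUU1QzE3JnN1cmk9Lw== - ROUNDROBIN_PARENT/10.0.0.1 text/html
1431000101.495 1495 10.1.2.4 TCP_MISS/302 509 GET http://zvqumcs1tsfct4sjvzot3p9.filmtane.com/watch.php?kcppp=MTE3NzU5ODg2Nzk3NjRlY2M0MmJiNDk3M2NmZGVkM2Fl - ROUNDROBIN_PARENT/10.0.0.1 text/html
1431000102.228 730 10.1.2.4 TCP_MISS/200 7005 GET http://zvqumcs1tsfct4sjvzot3p9.filmtane.com/BQdXBkRUTQg.html - ROUNDROBIN_PARENT/10.0.0.1 text/html
1431000103.140 856 10.1.2.4 TCP_MISS/200 19268 GET http://zvqumcs1tsfct4sjvzot3p9.filmtane.com/Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs - ROUNDROBIN_PARENT/10.0.0.1 application/octet-stream
1431000104.833 985 10.1.2.4 TCP_MISS/200 25634 GET http://zvqumcs1tsfct4sjvzot3p9.filmtane.com/BV4NBkQDAQ9SHwMfBh1SDFcCDwBRBVcHHVUOSwABAE0FUBlQUg0ZBkVnFHwARhgzRFc - ROUNDROBIN_PARENT/10.0.0.1 application/octet-stream
1431000200.000 120 10.1.2.5 TCP_HIT/200 5120 GET http://www.example.com/ - NONE/- text/html
""".splitlines()


def parse_squid(line):
    """Split a Squid native line (time elapsed client action/code bytes method
    URL ident hierarchy/peer type) into a dict, or None if malformed. The type
    is taken from the end so a peer field anonymised with a space cannot shift it."""
    f = line.split()
    if len(f) < 10:
        return None
    u = urlsplit(f[6])
    return {"time": float(f[0]), "client": f[2], "status": f[3],
            "bytes": int(f[4]), "url": f[6], "host": u.hostname or "",
            "path": u.path, "ctype": f[-1]}


def decode_b64_params(url):
    """Return query parameters whose value is valid base64 (standard or urlsafe
    alphabet) of printable ASCII; EK gates hide the referrer and a key this way."""
    out = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        padded = value + "=" * (-len(value) % 4)
        try:
            text = base64.b64decode(padded, altchars=b"-_", validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if len(text) >= 8 and text.isprintable():
            out[key] = text
    return out


def find_chains(lines, window=120):
    """One finding per (client, host) that fetched HTML and then a binary from
    the same host within `window` seconds, noting any exploit object in between."""
    groups = defaultdict(list)
    for line in lines:
        r = parse_squid(line)
        if r:
            groups[(r["client"], r["host"])].append(r)
    findings = []
    for (client, host), reqs in sorted(groups.items()):
        reqs.sort(key=lambda r: r["time"])
        html = [r for r in reqs if r["ctype"].startswith("text/html")]
        binaries = [r for r in reqs if r["ctype"] in BINARY_TYPES]
        if not html or not binaries or html[0]["time"] > binaries[-1]["time"]:
            continue
        if binaries[-1]["time"] - html[0]["time"] > window:
            continue
        exploits = sorted({EXPLOIT_TYPES[r["ctype"]] for r in reqs
                           if r["ctype"] in EXPLOIT_TYPES})
        findings.append({
            "client": client, "host": host, "html": len(html),
            "binaries": len(binaries), "exploit_objects": exploits,
            "b64_like_paths": sum(1 for r in reqs if B64_PATH.match(r["path"])),
            "gate_params": {k: v for r in reqs
                            for k, v in decode_b64_params(r["url"]).items()},
            "verdict": "exploit object seen: " + ", ".join(exploits) if exploits
            else "binary dropped with no exploit object visible in the log"})
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: {f['html']} html, {f['binaries']} "
              f"binary, {f['b64_like_paths']} base64-like paths; {f['verdict']}")
```

Run as a script it reports both chains: the first comes out with its Flash exploit object, while the Example #1 chain comes out as a binary drop with nothing visible in between, which is exactly the case this post is about. A legitimate download site also produces HTML followed by application/octet-stream, so the finding is a triage lead rather than a verdict; the base64-looking paths and the decoded gate parameter (the p= blob evidently carries the site the victim was redirected from in surl= plus a key) are what push it towards an exploit kit.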
Now we can extract the HTML of each page with Wireshark (File / Export Objects / HTTP) and parse it to understand how the chain works.
In the next post, we will analyze these files.
Greetings!
Nice post Adrian!
Thanks :)