We have talked about the recent ransomware resurgence, and now Cyphort Labs wants to spend some time on one of the most effective methods of delivering ransomware: exploit kits.
In this edition of MMW, Nick Bilogorskiy, Senior Director of Threat Operations at Cyphort, will cover:
o The evolution of exploit kits such as Angler, Nuclear, Rig and Neutrino
o Real examples of drive-by exploits in popular websites discovered by our crawler
o The relationship between exploits, kits and payloads
6. Threat Monitoring & Research team
o 24x7 monitoring for malware events
o Assist customers with their Forensics and Incident Response
We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
We work with the security ecosystem
o Contribute to and learn from malware KB
o Best of 3rd Party threat data
7. What is an Exploit Kit
Exploit Kit is an easy-to-use toolkit for infecting computers over the web.
It contains many exploits targeting apps like Adobe Reader, Java or Flash Player.
Exploit Kit can be fitted with any malware payload.
8. Exploit Kit Business Model
o Exploits-as-a-service platform
o All browsers vulnerable
o Plug in your own malware
o Can defeat IDS and Antivirus
o Obfuscation constantly changing
o Try to drive up conversion rate to increase prices
9. Exploit Kits Workflow
o Exploit Kits infect you without a “click”
o Angler, Sweet Orange, Nuclear, RIG
Sources: Fox-it.com, McAfee Labs
10. How do Users get to Exploit Kits?
Chart: Exploit Kits vs. Malvertising (source: Osterman Research)
12. Malvertising Distributes Exploit Kits
Attacker: creates and injects malware ads into an Advertising Network
Advertising Network: selects an ad based on auction, sends it to the website
Website: serves a banner ad, sometimes malicious
User: visits a popular website, gets infected via exploit kit
15. Exploit Kit to Payload Mapping
Exploit Kit   Origin   Payloads
Nuclear       Russia   Locky, Cryptowall
Magnitude     Russia   Cerber, CryptXXX
RIG           Russia   CryptoWall, TeslaCrypt
Neutrino      Russia   CryptXXX, Necurs, Vawtrak
Angler        Russia   CryptXXX, Locky, Teslacrypt
17. Nuclear Exploit Kit
o 10% conversion rate
o 2 million victims
o Installed Locky, Teslacrypt and other ransomware
o Disappeared in May ‘16
18. Nuclear Flow
1. Compromised site
2. Landing Page
o Multi-stage Javascript obfuscation
o Exploit Containers
o Browser Exploit (CVE-2014-6332 - IE VBScript OLE Vulnerability)
o Flash exploit is not embedded in the landing page; it is downloaded and executed in a modular fashion: CVE-2016-1910, CVE-2015-7645, CVE-2015-5122
3. Payload: (Locky, CryptoWall)
22. Rig Flow
1. Compromised site
2. Landing Page
o Browser Exploit (CVE-2014-6332 - IE VBScript OLE Vulnerability)
o Flash exploit CVE-2015-5122 (Hacking Team exploit). The first-stage Flash exploit is heavily obfuscated to evade static AV engine detection and confuse malware analysts. This first stage runs and loads a second-stage Flash exploit in memory, which exploits the browser’s Flash plugin and infects the machine.
o Decrypt the Payload: Shellcode is XOR encrypted with key 19.
3. Payload: (Cerber, Tofsee)
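Single-byte XOR, like the key-19 shellcode encryption in the Rig flow above, is trivial for an analyst to undo. As an added example (not code from the presentation), this Python helper recovers such a key from an encrypted blob, either by searching for a known plaintext marker or by byte frequency; the sample "shellcode" and its URL are constructed for the example and are not real shellcode.

```python
from collections import Counter
from typing import Optional

# The key the Rig flow above uses for its shellcode.
PAGE_KEY = 19

# Constructed sample plaintext standing in for a downloader stub: a NOP sled,
# the URL the stub would fetch, and zero padding (not real shellcode).
SAMPLE_PLAINTEXT = (
    b"\x90" * 8
    + b"http://example.invalid/payload.bin"
    + b"\x00" * 40
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def recover_key(blob: bytes, marker: bytes = b"http") -> Optional[int]:
    """Brute-force the single-byte key: try all 256 values and return the
    first one under which a known plaintext marker (a URL prefix here)
    appears in the output, or None if no key reveals it."""
    for key in range(256):
        if marker in xor_bytes(blob, key):
            return key
    return None


def recover_key_by_frequency(blob: bytes) -> int:
    """Fallback when no marker is known. Shellcode buffers are dominated by
    0x00 (padding, null operands), and 0x00 ^ key == key, so the most common
    ciphertext byte is usually the key itself."""
    most_common_byte, _ = Counter(blob).most_common(1)[0]
    return most_common_byte


def decrypt_shellcode(blob: bytes) -> tuple:
    """Recover the key (marker search first, frequency fallback) and return
    (key, decoded bytes)."""
    key = recover_key(blob)
    if key is None:
        key = recover_key_by_frequency(blob)
    return key, xor_bytes(blob, key)


if __name__ == "__main__":
    encrypted = xor_bytes(SAMPLE_PLAINTEXT, PAGE_KEY)
    key, plain = decrypt_shellcode(encrypted)
    print(f"recovered key {key}, decoded URL {plain[8:42]!r}")
```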
24. Angler Exploit Kit
o Discovered in 2013, quickly rose to dominate all exploit kits
o 40% conversion rate (!)
o Installed Locky, Teslacrypt, Kovter
o $34 million annually
o Went dead in June ’16
Source: Sophos
26. Angler Flow
1. Compromised site
2. 3 Gates (Afraid Gate | EITest | Pseudo Darkleech)
3. Landing Page
o Browser Check
o AV and VM detection
o Exploit Containers
o Browser Exploit (CVE-2014-6332 - IE VBScript OLE Vulnerability)
o Flash Exploit (CVE-2015-3090, CVE-2015-5122, CVE-2015-5119)
4. Payload: (Teslacrypt | Locky | CryptXXX)
30. Timeline
o Apr 12, 2016 - Blackhole's author Paunch sentenced to 7 years in a Russian penal colony
o June 1, 2016 – Kaspersky helps FSB arrest 50 hackers in Russia - the Lurk gang, which stole 3 billion rubles from Russian banks. Lurk was distributed by Angler!
o June 7, 2016 – Angler last seen in the wild
Photo: Paunch
36. Tips to Defend from Exploit Kits
o Strong antispam and antiphishing procedures.
o Automatic Windows updates; keep operating systems patched.
o Upgrade to the latest version of Windows.
o Install patches from other software manufacturers as soon as they are distributed.
o A fully patched computer behind a firewall is the best defense against Exploit Kits.
37. Tips to Defend from Exploit Kits
o Never open unsolicited emails, or unexpected attachments—even from known people.
o Beware of spam-based phishing schemes. Don’t click on links in emails or instant messages.
o Use a browser plug-in to block the execution of scripts and iframes.
38. Summary
1. Exploit Kits are the most effective way today to infect users’ computers automatically at large scale.
2. Angler dominated all exploit kits throughout 2015 and 2016 until suddenly disappearing in June.
3. Arrests in Russia may have contributed to the recent decline in Angler and other Russian Exploit Kits.
4. Use defense-in-depth powered by machine learning to defend from Exploit Kit attacks.
Exploit kits are a main source of compromises today; they are one of the primary vehicles for both 0-day and widely effective, known vulnerabilities, offering a free pass to drop active malicious content (such as the banking trojan Zeus) that embeds itself on the system, giving cybercriminals a way into internal networks and ultimately leading to data exfiltration. Last year Websense detected and blocked more than 66 million threats specifically with exploit kits, plus over 1 billion catches of later stages, such as dropper files and C&C traffic (the Call Home stage), that are commonly attributable to new exploit kit activity. As of January 2015, EKs delivered more than two-thirds of all malware observed by anti-malware software company Malwarebytes. Additionally, Malwarebytes reported that two billion mainstream website visitors were redirected to criminal servers in a one-month period, and a single EK on a high-traffic site can infect 6,000 users within half an hour. The sustained success of these toolkits over the last several years, combined with user-friendly interfaces and low technical barriers, has made EKs an attractive option for profit-motivated cybercriminals. According to Microsoft, individual EKs can yield up to $50,000 in a single day for an attacker.
http://www.cyber.nj.gov/exploit-kits-threat-profile
But first, let me introduce our team – Cyphort Labs.
We are a group of malware researchers in several countries who monitor malware and security trends daily, reverse engineer interesting malware samples and contribute to Cyphort threat research. In addition, our team deals with customer escalations: analyzing malware escalated by the support team, advising the Cyphort engineering team on improving detection, and sharing threat intelligence on the Cyphort Labs blog.
For example, check out our post from April 6 on Locky ransomware distributed via the popular Indian website yourstory.com. You can find our blog at www.cyphort.com/blog
Exploit Kit is an easy-to-use toolkit for infecting computers over the web. It contains many exploits targeting the browsers or apps like Adobe Reader, Java or Flash Player. Exploit Kit can be fitted with any malware payload.
Simply put, an exploit kit is a framework that uses exploits to take advantage of vulnerabilities in browser-based applications to infect a client without the user's knowledge. Nowadays, Exploit Kits are services that you buy to promote your malware: you give the malware to the group and they drive the installs. Think of it as a sales team for your software.
The first recorded exploit kit attack can be traced back to 2006 and used the WebAttacker kit. This was the first exploit kit found in the Russian underground market. It came with technical support and was sold for US$20.
Currently, there are 70 different exploit kits in the wild that take advantage of more than a hundred vulnerabilities! Cybercrime-as-a-service is not new, and we’ve been talking about it for a while. Exploit kits such as Angler are sold in cybercriminal circles, for a good price. Sophos speculates that there may even be a “pay-per-install” payment model, where attackers are charged by Angler's creators only for successful malware infections.
To make the exploit kit even more appealing, its creators even preload it with vulnerabilities, making the kit ready to be deployed.
The authors of most EKs use Software as a Service (SaaS) as their business model. This model is also sometimes called Platform as a Service (PaaS), Malware as a Service (MaaS), or EK as a Service (EKaaS).
EKs are sold in the criminal underground, where the price for leading EKs is often a few thousand dollars per month. The EK owner provides the buyer a management console to oversee the rented EK servers, but the buyer must provide an attack infrastructure. As noted earlier, a distinct attack infrastructure combined with the EK is considered a campaign.
https://heimdalsecurity.com/blog/ultimate-guide-angler-exploit-kit-non-technical-people/
Exploit Kits scan your system for vulnerable browser plugins and, if one is found, run the exploit for it and silently install malware. A common misconception is that you must click on ads to get infected, which is sometimes true, but often not. Online ads appear to be an image hosted on the website, but they’re neither hosted on that website nor just an image. Ad networks, which are not under the control of the host website, decide which ad to send you, but often don’t actually deliver the ads. Instead, the ad networks instruct your browser to call a server designated by the advertiser. Also, ads often deliver files and entire programs to your browser. To infect you, HTML-based Javascript or Flash-based ActionScript covertly routes your browser to a different server that hosts an exploit kit. Flash is scary because it embeds sophisticated logic into the ad, which manipulates your browser as the ad is displayed. Ads can be instructed to only attack you and others at particular times and geographies. Some examples are delaying the attack until after the ad network examines and approves the ad, or until holidays, when it’s peak time for people to surf and off time for advertisers’ personnel to promptly remove offending ads.
http://blog.fox-it.com/2014/08/27/malvertising-not-all-java-from-java-com-is-legitimate/
Drive-bys and email (MS Office documents, and JS in ZIP)
- Phishing emails may contain malicious attachments. These attachments are not always delivered in executable form; as security vendors and security best practices dictate that receiving executables via email is, in general, something we want to prevent, threat actors have to adapt to the changing landscape. This can be done by indirect delivery mechanisms. In Windows, for example, a malicious actor may opt for a less direct method of delivery: embed an obfuscated Javascript file into an archive, and rely on the end user for the rest. Opening a .JS file on a Windows host will launch the default browser, and the Javascript can then reach out to an external URL to grab an executable, deliver it to the victim, and execute it. At this point, preventing users from receiving executables via email is no longer effective, as the executable is delivered via HTTP.
- Exploit kits (such as Angler, or Neutrino) have been known to deliver ransomware to users by exploiting vulnerable web servers and hosting malicious web scripts on them which exploit visitors when certain criteria are met, and then delivering a malicious payload (Reference)
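The JS-in-ZIP delivery described above can be caught at the mail gateway before a user ever opens the archive. The following Python check is an added example, not part of the presentation; the extension lists, the archive helper and the sample archive are assumptions constructed for it.

```python
import io
import zipfile
from dataclasses import dataclass

# Extensions Windows hands to the Windows Script Host (or runs directly) when
# a user double-clicks them. Assumed starting lists for this example.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl"}


@dataclass
class Finding:
    member: str
    reason: str


def _suffix(name: str) -> str:
    """Last extension of the member's base name, lower-cased ('' if none).
    'Invoice.pdf.js' therefore resolves to '.js', the one Windows acts on."""
    base = name.rsplit("/", 1)[-1]
    return base[base.rfind("."):].lower() if "." in base else ""


def inspect_zip_attachment(data: bytes) -> list:
    """Return a Finding for every archive member that should not arrive by
    mail: script files, executables, and encrypted members that cannot be
    scanned at all. An empty list means the archive looked clean."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [Finding("<archive>", "not a valid ZIP file")]
    findings = []
    for info in archive.infolist():
        if info.is_dir():
            continue
        ext = _suffix(info.filename)
        if ext in SCRIPT_EXTENSIONS:
            findings.append(Finding(info.filename, f"script file ({ext}) run by Windows Script Host"))
        elif ext in EXECUTABLE_EXTENSIONS:
            findings.append(Finding(info.filename, f"executable ({ext})"))
        if info.flag_bits & 0x1:  # bit 0 of the general purpose flag: encrypted
            findings.append(Finding(info.filename, "encrypted member, cannot be scanned"))
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Constructed test input: an in-memory ZIP holding the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachment: a double-extension script next to a decoy text file.
    sample = build_sample_zip({
        "Invoice_2016.pdf.js": b"// constructed placeholder, not a real script",
        "readme.txt": b"harmless",
    })
    for f in inspect_zip_attachment(sample):
        print(f"{f.member}: {f.reason}")
```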
Websites or web publishers unknowingly incorporate a corrupted or malicious advertisement into their page. Once the advertisement is in place, and visitors begin clicking on it, their computer can become infected: "the user clicks on the ad to visit the advertised site, and instead is directly infected or redirected to a malicious site. These sites trick users into copying viruses or spyware usually disguised as Flash files, which are very popular on the web." [8] Redirection is often built into online advertising, and this spread of malware is often successful because users expect a redirection to happen when clicking on an advertisement. A redirection that is taking place only needs to be co-opted in order to infect a user's computer.[1]
Malvertising often involves the exploitation of trustworthy companies. Those attempting to spread malware place "clean" advertisements on trustworthy sites first in order to gain a good reputation, then they later "insert a virus or spyware in the code behind the ad, and after a mass virus infection is produced, they remove the virus", thus infecting all visitors of the site during that time period. The identities of those responsible are often hard to trace, making it hard to prevent the attacks or stop them altogether, because the "ad network infrastructure is very complex with many linked connections between ads and click-through destinations." [8] Malvertising is popular because compromising websites that have high traffic is very effective for malware distribution, and because attacking these sites' ad networks is easier and requires less effort than finding a vulnerability in the site software.
Infected site is the beginning of the chain – it’s the popular website that has the malvertising on it.
Payload site is the end of the chain – the site that the malware payload is hosted on. This site is usually compromised.
I now present some stats about the geographic distribution of both infected sites and payload sites that we discovered.
We see the groups behind exploit kits like Angler constantly update and mutate their kits, adding new techniques to avoid detection. For instance, in February of this year they tweaked the way Angler detects the presence of antivirus software on the machine. If it detects antivirus, it does not trigger.
In addition, on July 5 the Italian company Hacking Team was hacked, with more than 400 GB of confidential company data released. In that archive there were multiple zero-day exploits, which were very quickly integrated into the Angler and Nuclear exploit packs (CVE-2015-5123, CVE-2015-5122, CVE-2015-5119).
Nuclear has been used in such high-impact campaigns as the AskMen compromise, and was used by the APT group behind Operation Windigo. Nuclear Pack has a wide range of attacks in its repertoire, including Flash, Silverlight, PDF, and Internet Explorer exploits, and it is capable of dropping any malware.
During the period in which researchers had access to the Nuclear exploit kit infrastructure, they say that over 1,846,678 users accessed the landing pages.
Taking into account that on average 9.95 percent of all users who visit an exploit kit landing page get infected, researchers estimate that Nuclear managed to infect 184,568 computers.
Crooks delivered 144,478 ransomware payloads, 54,403 banking trojans, 193 click fraud bots, and 172 rootkits. Over 110,000 of the ransomware infections were with Locky. Taking into account Locky's standard ransom price of 0.5 BitCoin, or $230, the crooks who rented the Nuclear EK made $12,650,000 (€11,182,000).
Read more: http://news.softpedia.com/news/nuclear-ek-authors-are-based-in-russia-make-100-000-per-month-504179.shtml#ixzz4CzpQp7DV
http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2014.pdf
The Angler exploit kit very quickly succeeded the Blacole exploit kit after the latter’s creator was arrested in late 2013. Angler is even more powerful and prevalent than Blacole. And because Angler is simple to use and widely available through online dark markets, it has become a preferred method to transport malware. In 2014, it was the second most used exploit kit according to the 2015 Trustwave Global Security Report. It accounted for 17% of infections, while Nuclear, the top used exploit kit, generated 23% of infections.
What’s more, according to Cisco’s Midyear Security Report, in 2015, Angler accounted for 40% of user penetration in the cyber attacks observed so far.
Angler is one of the most sophisticated EKs used by cybercriminals today and was first observed in 2013. Angler uses malvertising to direct users to its servers, and is known to exploit Adobe Flash Player, Internet Explorer, Microsoft Silverlight, Java, and ActiveX. Angler infects users with ransomware and point-of-sale (PoS) malware. It uses various techniques to defeat traditional detection methods including unique obfuscation, antivirus and virtualization software detection, encrypted payload, and fileless infections. Angler is also very quick at integrating new zero-day exploits in its kit, specifically targeting vulnerabilities in Adobe Flash Player.
According to Palo Alto Networks, as of January 2016, Angler EK has infected more than 90,000 websites, 30 of these are among the 100,000 most visited sites, estimating monthly visits to infected sites may be as high as 11 million. Angler has added many new servers as part of its distribution network, delivering drive-by attacks through infected websites. On 28 July 2015, security researchers warned that a malvertising campaign potentially exposed over 10 million users to the Angler EK.
Angler is one of the top exploit kits infecting victims with various ransomware variants. In December 2015, Heimdal Security noted Angler was distributing CryptoWall 4.0 ransomware. In March 2016, Angler was dropping the new ransomware variant HydraCrypt. And in April 2016, Angler was discovered pushing Bedep and Dridex malware, and CryptXXX ransomware. CryptXXX was added to Angler's functionality within a week of the first reporting on the ransomware this year.
To evade reputation filtering it switches hostnames and IP numbers rapidly, as well as using domain shadowing to piggyback on legitimate domains. To evade content detection, the components involved in Angler are dynamically generated for each potential victim, using a variety of encoding and encryption techniques. Finally, Angler uses obfuscation and anti-sandbox tricks to frustrate the collection and analysis of samples.
What’s more, Angler can deliver “fileless” infections, which means that, throughout the process, not a single file will be downloaded by the attackers into your PC. Traditional antivirus products scan your files to detect malware infections. But if there’s no file to scan, then it just concludes that there’s no infection either.
Another factor that contributes to Angler’s success is the encrypted payload it uses. The payload represents the attacker’s commands. In order for antivirus to block the infection, it has to first decrypt the payload. Then it has to analyze it, quarantine it and then delete it.
A typical Angler exploit kit landing page is highly obfuscated to make reverse engineering difficult and challenging for threat researchers. It also includes junk content in the code to evade detection. The following image shows a landing page that contains the exploit code.
The encrypted content is stored in the HTML <p> tag, which defines a paragraph and also supports global attributes; it is spread across multiple <p> tags on the landing page. The landing page script used to decrypt the content inside the <p> tags is scrambled and compressed with no proper format. Random variables, split strings, and garbage functions make detection difficult.
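A landing page that hides its exploit container in long, whitespace-free <p> blobs looks statistically unlike prose, which gives a defender a cheap triage signal. As an added example (not code from the presentation), this Python detector pulls every <p> block from a page and flags the ones that are long, high-entropy and almost free of whitespace; the thresholds and the sample page are assumptions constructed here.

```python
import math
import random
from html.parser import HTMLParser


def shannon_entropy(text: str) -> float:
    """Bits per character: English prose sits around 4.0-4.3, while base64-
    or hex-like encoded data is noticeably higher."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class ParagraphCollector(HTMLParser):
    """Collect the text content of every <p> element on the page."""

    def __init__(self):
        super().__init__()
        self.in_p = False
        self.current = []
        self.paragraphs = []

    def handle_starttag(self, tag, attrs):
        if tag == "p":
            self.in_p = True
            self.current = []

    def handle_endtag(self, tag):
        if tag == "p" and self.in_p:
            self.in_p = False
            self.paragraphs.append("".join(self.current))

    def handle_data(self, data):
        if self.in_p:
            self.current.append(data)


def suspicious_paragraphs(html, min_len=200, min_entropy=4.5, max_space_ratio=0.02):
    """Return (entropy, preview) for each <p> whose text is long, high-entropy
    and nearly whitespace-free: the profile of an encoded exploit container
    rather than readable text. The thresholds are assumed starting points."""
    collector = ParagraphCollector()
    collector.feed(html)
    hits = []
    for text in collector.paragraphs:
        t = text.strip()
        if len(t) < min_len:
            continue
        space_ratio = sum(ch.isspace() for ch in t) / len(t)
        ent = shannon_entropy(t)
        if ent >= min_entropy and space_ratio <= max_space_ratio:
            hits.append((round(ent, 2), t[:32]))
    return hits


# Constructed sample page: one prose paragraph, one base64-looking blob of the
# kind described above, and one short paragraph. The RNG is seeded so the blob
# is identical on every run.
_rng = random.Random(2016)
_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
SAMPLE_BLOB = "".join(_rng.choice(_ALPHABET) for _ in range(400))
SAMPLE_PROSE = "Exploit Kit is an easy-to-use toolkit for infecting computers over the web. " * 4
SAMPLE_HTML = f'<html><body><p>{SAMPLE_PROSE}</p><p id="x1">{SAMPLE_BLOB}</p><p>short</p></body></html>'

if __name__ == "__main__":
    for entropy, preview in suspicious_paragraphs(SAMPLE_HTML):
        print(f"entropy {entropy}: {preview}...")
```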
Lurk had dedicated virus writers, a QA team, payment specialists and cash-out specialists.
Kaspersky Lab experts and Sberbank, one of Russia’s largest banks, worked closely with Russian Law Enforcement Agencies in an investigation into the Lurk gang that has now resulted in the arrest of 50 people. Those detained are suspected of involvement in the creation of networks of infected computers that resulted in the theft of more than 45 million dollars (3 billion rubles) from banks, other financial institutions and businesses since 2011. This is the largest ever arrest of hackers to have taken place in Russia.
Dmitry “Paunch” Fedotov was sentenced on April 12 to seven years in a Russian penal colony. In October 2013, the then 27-year-old Fedotov was arrested along with an entire team of other cybercriminals who worked to sell, develop and profit from Blackhole.
According to Russian security firm Group-IB, Paunch had more than 1,000 customers and was earning $50,000 per month from his illegal activity. The image at right shows Paunch standing in front of his personal car, a Porsche Cayenne.
First spotted in 2010, BlackHole is commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of Web-browser vulnerabilities for the purposes of installing malware of the customer’s choosing.
The price of renting the kit ran from $500 to $700 each month. For an extra $50 a month, Paunch also rented customers “crypting” services; cryptors are designed to obfuscate malicious software so that it remains undetectable by antivirus software.
Paunch worked with several other cybercriminals to purchase new exploits and security vulnerabilities that could be rolled into Blackhole and help increase the success of the software. He eventually sought to buy the exploits from other cybercrooks directly to fund a pricier ($10,000/month) and more exclusive exploit pack called “Cool Exploit Kit.”
http://www.securityweek.com/did-angler-exploit-kit-die-russian-lurk-arrests?platform=hootsuite
After Nuclear and Angler shut down, the exploit kit market has been dominated by the Neutrino EK, followed by Magnitude, RIG, and Sundown. As for Angler's rivals, Kaffeine says that Neutrino just doubled its price on the underground market, going from $3,500 per month to $7,000, while also dropping the weekly rental option.
It appears that Angler's rivals are trying to capitalize on the void created on the market after Angler's apparent disappearance. This is somewhat reminiscent of the way Neutrino's authors reacted after the author of the Blackhole exploit kit was arrested in 2013.
At the start of June, Russian authorities announced their largest cybercrime bust in history, during which they arrested 50 people and detained 18.
Russian authorities revealed that the crooks they arrested were involved in the creation of the Lurk trojan. Kaffeine says that, between 2012 and the start of 2016, the Lurk trojan was distributed via the Angler EK.
Malwarebytes, Kaffeine, and Brad Duncan report that the last instance of the Angler EK used in a live malvertising campaign was recorded on June 7. Previously, the Nuclear EK also disappeared without a trace around April 30.
Angler is a very versatile exploit kit. Cyber criminals can instruct the kit to:
install malware (financial – Tinba, Vawtrak, ransomware – CryptoWall, Teslacrypt, Torrentlocker)
collect confidential data (usernames, passwords, card details, etc.) and upload it to the servers they control
or tie the infected system into a botnet (a “zombie army” of computers used to deliver additional attacks).
https://heimdalsecurity.com/blog/ultimate-guide-angler-exploit-kit-non-technical-people/#development
Block Macros, Disable Windows Script Host
https://docs.google.com/spreadsheets/u/2/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#
The business of backing up data will thrive because of recent high-profile ransomware attacks