THESIS: Exploit Kit Traffic Analysis

UNIVERSITY OF PIRAEUS
School of Information & Communication Technologies
Postgraduate Studies: Digital Systems Security

THESIS
Exploit Kit Traffic Analysis

Postgraduate Student: KAPIRIS STAMATIS
Student ID number: MTE14040
Supervisor Professor: CHRISTOFOROS DADOYAN

Department of Digital Systems
Piraeus, June 2017


Page 1: THESIS Exploit Kit Traffic Analysis



Keywords: Exploit Kit, PCAP Network Traffic Analysis, Malware Analysis, Ransomware, Cyber Threat, Angler EK, RIG EK, Security Onion, Python

University of Piraeus, Digital Systems Security

TABLE OF CONTENTS

Table of Contents ........ 1
Prologue ........ 3
CHAPTER 1: Introduction ........ 4
    Related Work ........ 5
    Motivation ........ 6
CHAPTER 2: Characteristics of Exploit Kits ........ 7
    What is an exploit kit? ........ 7
    Incidents of the past ........ 7
    How do you get compromised ........ 9
    EK Infrastructure ........ 11
    Propagation ........ 13
        EK Campaigns ........ 13
        Spam Campaigns ........ 14
        Malvertising ........ 14
    EK & Underground Economy ........ 15
    Background on Exploit Kits ........ 18
        EK's Adversarial Activity ........ 18
    Attack Characteristics ........ 18
        Nature of EK ........ 18
        Redirections ........ 19
        302 Cushioning ........ 20
        Domain Shadowing ........ 20
        Victim Profiling ........ 21
        Fingerprinting Tactics ........ 21
        Traffic Distribution Systems ........ 24
    Self-defense Characteristics ........ 24
        IP Blocking ........ 25
        User-Agent Evasion ........ 25
        Blacklist Lookup ........ 26
        Signature Evasion ........ 26
        Cloaking ........ 26
        Domain Generation Algorithm ........ 27
        Hiding Referrer ........ 28
        Encryption/Encoding ........ 28
        Obfuscation ........ 29
        Fileless Infection ........ 31
    Final Phase ........ 32
    Post-Infection Phase ........ 33
    Landing Pages ........ 33
    Web Browsers ........ 35
    Droppers ........ 37
    Malware families ........ 38
        Ransomware ........ 39
        Botnets ........ 44
    Technical Introduction to known Exploit Kits ........ 46
    ANGLER EK ........ 46
        General Characteristics ........ 46
        Angler In Action ........ 49
        Obfuscation of Angler ........ 53
        Host Probing ........ 54
        Malvertising ........ 56
    RIG EK ........ 56
        Rig Infrastructure ........ 57
        Rig In Action ........ 58
        Customer's Perspective ........ 63
    EK comparison ........ 65
CHAPTER 3: Malware Traffic Analysis Example ........ 67
CHAPTER 4: Attack Path Script ........ 77
CHAPTER 5: Recommendations, Future Work & Conclusions ........ 80
    Recommendations ........ 80
    Future Work ........ 82
    Conclusions ........ 83
Abbreviations/Acronyms ........ 85
Table Of Figures ........ 86
References ........ 88
Appendix ........ 89


PROLOGUE

Exploit kits have become one of the most widespread and destructive threats that Internet users face on a daily basis. Since the first tool to be categorized as an exploit kit, MPack, appeared in 2006, a new generation of exploit kit variants has compromised popular websites, infected hosts and delivered destructive malware, evolving at a rapid pace to date. With the growing threat landscape, organizations from large enterprises down to home networks have started adopting multiple security solutions to guard their perimeter against them.

An exploit kit is a type of malicious toolkit used to identify and exploit security holes in the web browser and the browser plugins installed on the victim's computer, with the ultimate aim of infecting that computer with malware. Exploit kit authors have proven to be skilled crimeware programmers; their code embodies sophisticated techniques and characteristics that are challenging to analyze and detect, for security controls and analysts alike.

In this thesis we examine the exploit kit phenomenon from all perspectives. First, we explain the motivation for studying this subject and review previous work by security researchers on exploit kit analysis. We also recall past cyber security incidents in which an exploit kit was the main actor, and describe the infrastructure and business model that exploit kits usually follow to profit from their underground activity. To familiarize the reader with exploit kits, we discuss the ways in which they propagate and analyze their main characteristics, categorized as attack characteristics and self-defense characteristics. We also cover the procedure for analyzing network traffic captures that contain exploit kit traffic, as a walkthrough for researchers interested in performing basic malware traffic analysis.

Finally, we designed a simple command line script that takes as input a packet capture file containing network traffic recorded during a live infection by an exploit kit, parses the packets according to the exploit kit theory described in this thesis and indicates the potential attack path the actor followed to compromise the victim. The code is based on the results of our research and on our observations from analyzing many malware samples. It may be useful to a researcher who wants to quickly identify a starting point for the analysis of samples containing exploit kit traffic.


CHAPTER 1: INTRODUCTION

Exploit kits (a.k.a. exploit packs) are among the most destructive cyber threats of recent years. They are designed to cause a range of damage: making the infected computer part of a botnet, installing a trojan horse or spyware, or even blocking the user from operating the affected computer or destroying the user's personal files by encrypting them. Enrolling the victim computer in a botnet or installing spyware targets the user's privacy directly. The botnet can host resources through which punishable criminal activities are carried out on behalf of the bot administrators, further harming the user who has been infected unknowingly. An equally bad scenario is infection by ransomware that blocks access to the computer, encrypts personal and valuable files and demands a ransom to be paid before the victim can recover them. In most cases the infection has devastating results and victims lose their files.

Exploit kits are a serious cyber threat today, estimated to be responsible for a large share of malware infections worldwide. They are distributed mostly through public and underground sources such as the Dark Web, where they can be purchased or rented for a period of days at a relatively low cost compared with the damage they can cause. Customers range from inexperienced hackers to seasoned, notorious cyber criminals. Although the first infections started as demonstrations of power and hacking skill by reckless attackers, or as something like a game between programmers, the phenomenon has evolved over the years into a massive cyber threat. Modern cybercrime is organized like a well-structured retail enterprise, with directors, employees and a sales network offering its services all over the world; the name "exploit kit-as-a-service" captures its profitability and proliferation.

As far as the structure of this thesis is concerned, we have tried to keep it comprehensible so as to help the reader follow the subject, which is unwrapped mainly in the second chapter. The level of technical detail in our descriptions escalates gradually, chapter by chapter, for better understanding. To put the reader into context, we first mention previous academic research on the main theme of this thesis. Many security researchers from all over the world have cooperated to examine the exploit kit phenomenon in detail. Multiple approaches have been followed in an attempt to understand how this massive threat gained so much ground in the global cyber threat landscape, how it has evolved through its years of activity and what new characteristics it has adopted to keep pace with rapid technological change, what resources it currently needs and how it manages them in order to propagate itself and, of course, how the average user can protect himself. Known security research laboratories, security pioneers and other individuals have put a lot of effort into updating the rules of popular commercial and free security products to embody exploit kit detection and prevention mechanisms, or into designing new products from scratch that perform in-depth analysis of the threat's behavior, in an attempt to be as proactive as possible. This thesis is based on the papers discussed in the next section, on a systematic review of multiple reports and other resources found through Internet searches, as well as on many hours of manual analysis of malicious samples acquired from public security repositories [5][6]. Furthermore, we discuss the motivation for conducting this study on exploit kits and their characteristics, which explains why this thesis has been written.

Related Work

Eshete and Venkatakrishnan [1] presented a comprehensive work on drive-by-download attacks; specifically, they analyzed malicious URLs of known exploit kits, which play the crucial role of triggering the infection chain. After describing the core characteristics of exploit kits in detail, they designed a system, WebWinnow, that parses malicious URLs supplied to a honey-client infrastructure, through which a machine learning classifier is continuously trained, using the most effective algorithms, to decide whether a sample is suspicious and which known exploit kit it resembles. WebWinnow takes as input data from exploit kits installed locally from source code the researchers had in their possession, from live exploit kits on the Web, and from legitimate URLs added to increase the diversity of the samples and simulate real traffic. According to their evaluation the implementation scored good results with low false positives. Beyond this, we would like to highlight the authors' valuable contribution in collecting the majority of the attack and self-defense characteristics of exploit kits.

Cova, Kruegel and Vigna [2] also worked on drive-by-download attacks, presenting a different approach to parsing malicious JavaScript code within web content. They designed a system, JSAND, that detects anomalous behavior in JavaScript samples by training a machine learning classifier on predefined malicious ("known-bad"), benign ("known-good") and uncategorized datasets. The system analyzes the samples, extracts exploit features, identifies anomalous parameters and performs dynamic analysis via high-interaction honeypot clients set up specifically for parsing the samples. The researchers focused heavily on evaluating their system and comparing it with tools of different detection philosophies, such as signature-based tools, low-interaction honeyclients and high-interaction honeyclients. Overall, the system achieved better results and identified more anomalies than the other tools, with few false negatives.


Taylor et al. [3] also used machine learning algorithms to classify exploit kit instances, based on a subtree similarity method. Their system indexes samples of HTTP traffic, including the client browser's interaction, and converts them into tree-like representations. The classifier was then trained with representations crafted from structural patterns known to be characteristic of exploit kit traffic. The system was deployed in a large enterprise environment and managed to identify a good number of exploit kit instances without any false positives.

Shindo, Satoh, Nakamura and Iida [4] proposed a lightweight approach to detecting potential exploit kit attacks, based on the analysis of file type transitions within web sessions. Their system takes legitimate and malicious datasets as input, breaks them into sessions and then analyzes and filters them based on the file types (identified by extension) that are known to be frequently involved in exploit kit activity. In this manner the system judges whether the sampled communication is malicious or benign. The results for JavaScript and Flash files were as good as they expected.

Motivation

The main motivating factor for writing this thesis is the wish to study in detail the most prevalent cyber threat of recent years, discover the main components of its ecosystem and analyze its patterns and attack characteristics. A further motivation was to scratch the surface of the cybercrime scene and its underground economy, which keeps growing. Becoming familiar with exploit kit infection techniques and learning their tactics offers the researcher the advantage of taking proactive measures against compromise and being ready in case a security incident occurs. The author's personal experience of dealing with a ransomware infection in the past was an additional motivation for studying this threat better.

- Know your enemy -

Sun Tzu, "The Art of War"


CHAPTER 2: CHARACTERISTICS OF EXPLOIT KITS

What is an exploit kit?

An exploit kit (hereinafter EK) is software that automates the identification and exploitation of vulnerabilities on a victim's computer (typically via the web browser), in order to deliver a malware payload and infect the target machine.¹

In a nutshell, the exploit kit is the vehicle for infecting a remote host with malware.

Incidents of the past

The massive proliferation of malware infections around the world has drawn the attention of threat intelligence vendors and organizations, which have issued information notes and alerts in an attempt to prevent these threats. From 2006 to date, numerous incidents involving exploit kits have taken place in the wild, targeting everything from home computers and smartphones to banking institutions and large enterprise networks. The severity of the incidents has also varied, from simple computer disruptions easily fixed by restoring the system from a previous backup, to more serious consequences such as total loss of access to critical systems and reputational damage due to sensitive data leakage. Fortunately, security experts in international information security organizations and private-sector companies, as well as individual security researchers, continuously investigate these types of attacks, perform analysis, design security products to fight them, provide prevention controls, and warn and train the public against cybercrime.

In this section we mention some of the best-known cyber security incidents involving EK attacks that came into the limelight in the past few years. The first incident described below also motivated the author to study EKs in detail and is one of the reasons for writing this thesis.

Perhaps the reader has been a victim in the past, or has heard of someone in their environment who was attacked by one of the popular exploit kits but did not really know what it was. For instance, in 2012 the so-called "Greek Police Virus" malware infected thousands of computers in Greece, raising a window after infection that pretended to originate from the Greek Police Authorities. It actually froze the computer's screen and informed the user that a fictional virus had been installed on his computer, demanding an amount of money (about 100 €) in order for the victim to regain control of the computer and access to his personal documents and files. The continuous incidents drew the attention of the Greek Police Authorities, which had to issue technical guidelines on how computer owners could remove the notorious malware. The malware was a variant of the Reveton ransomware family, a screen locker that blocks the desktop of the affected host, delivered by exploit kits through browser compromise or by spam e-mails.

¹ https://www2.trustwave.com/rs/815-RFM-693/images/2015_TrustwaveGlobalSecurityReport.pdf, page 68

The message displayed on the locked screen is illustrated below:

Figure 1 - Greek Police Virus screen message

When the user faces this pop-up window, he is unable to close it or navigate elsewhere on his computer; the malware persists even after a reboot. This type of ransomware displays a country-specific message, translated into the language the user has set as default, showing real badges of the national Police Authority, as well as a picture of the President of the country, the real IP address and the underlying operating system, to convince the victim that the authorities have blocked access to his computer and that he should pay the ransom as a consequence of his own fault. There is also a message accusing the victim of a criminal offence, displaying excerpts of the corresponding law, informing him that all files have been encrypted, and a form to pay using Ukash or PaySafeCard. Although this was obviously a scam to technical people, the average computer user believed that the Greek Police had locked their screen and were demanding a fine for a fake infringement they were supposed to have committed.

Commonly, this kind of infection by rogue screen lockers, and by malware delivered by exploit kits in general, is a consequence of poor PC security. At the end of this document we give some simple guidelines on how to protect against EKs.

In February 2016, the Hollywood Presbyterian Medical Center lost control of its computer systems due to a cyber-attack. The attackers managed to infect the systems with a variant of ransomware that blocked the hospital staff's access and would not release it until $17,000 in bitcoins was paid. The real attack path has not been identified, but it could well have been EK adversarial activity, since the observed chain of events is much the same as an EK's. Since the hospital could not afford to delay the crucial operations on which people's lives rely and could not wait for the backup restore process, the chief executive decided to pay the ransom. The outcome after the decision to pay off the criminals is unclear. Typically, the authorities that perform such investigations discourage victims from paying, out of fear that it encourages cyber criminals to launch more attacks and make more money from victims.

How do you get compromised

Exploit kits compromise victims via a process called a drive-by-download attack. In the common scenario the victim browses to a compromised website and is redirected to the EK gate without interacting with the website's content at all; simply navigating to the vulnerable website is enough. The redirection can happen invisibly through an IFRAME, unbeknownst to the victim. The victim's host, and especially the browser, is then probed for vulnerabilities. If it is vulnerable, the corresponding exploit is delivered to the host and executed, and it in turn downloads the real malware, which is written to disk or injected directly into memory. At that point the victim is fully compromised. The level of damage to the victim's host depends on the installed malware.
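As an added illustration (not part of the thesis and not its Chapter 4 script), the check below scans an HTML page for the kind of hidden IFRAME redirector described above, using only the Python standard library. An injected redirector is typically both invisible (zero or one pixel box, or hidden by style) and off-site (its src points to a host the site owner does not control); the check flags only IFRAMEs that satisfy both. The sample page, hostnames and URLs are constructed placeholders, not real indicators.

```python
"""Flag hidden, off-site IFRAME redirectors of the kind EKs inject into compromised pages.

Added example for this edit, not code from the thesis; standard library only.
The sample page below is constructed and its hostnames are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


# Inline styles that make an element invisible or push it off-screen.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:left|top)\s*:\s*-\d{3,}px|opacity\s*:\s*0(?:\.0+)?(?![\d.])",
    re.I,
)


def _dimension(value):
    """Parse '0', '1px' into an int pixel count; None for '100%' or absent."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None


def suspicious_iframes(html, page_url):
    """Return [(src, reasons)] for iframes that are both hidden and off-site.

    Hidden: width or height <= 1, or a hiding/off-screen inline style.
    Off-site: the src host differs from the host of the page being scanned.
    """
    collector = IframeCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname or ""
    hits = []
    for attrs in collector.iframes:
        reasons = []
        w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
        if w is not None and w <= 1:
            reasons.append("width<=1")
        if h is not None and h <= 1:
            reasons.append("height<=1")
        if _HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden-by-style")
        src = attrs.get("src", "")
        src_host = urlparse(src).hostname or ""
        if reasons and src_host and src_host != page_host:
            reasons.append("off-site")
            hits.append((src, reasons))
    return hits


# Constructed sample: one legitimate embedded video plus two injected redirectors.
SAMPLE_HTML = """
<html><body>
<iframe src="https://video.example.org/embed/42" width="560" height="315"></iframe>
<iframe src="http://gate.example.net/index.php?id=7" width="0" height="0"></iframe>
<div style="position:absolute;left:-5000px">
  <iframe src="http://landing.example.com/" style="display:none"></iframe>
</div>
</body></html>
"""

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML, "http://www.example.org/"):
        print(src, why)
```

The same-host exclusion matters in practice: sites legitimately embed hidden self-hosted IFRAMEs (trackers, form targets), so a zero-size IFRAME alone is a weak signal, whereas a zero-size IFRAME to a foreign host on a page that should not have one is worth an analyst's attention.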


Figure 2 - Infection chain

Most of the time, infection occurs without any interaction from the victim; there are no pop-ups or windows to click through. All it takes is browsing to a compromised website. However, it is possible for the infection to require the victim's interaction, for instance clicking on a malicious advertisement or on a link within a spam e-mail in order to trigger the whole process.

The malware delivered by the EK will not be apparent to the user, unless the payload happens to be ransomware, in which case the user is prompted to pay an amount of bitcoins to decrypt his sensitive documents.

Finally, the EK monitors its own health and its infection statistics, and publishes them to the EK administrator.

For the reader's convenience, we summarize the chain of infection as follows:


Step 1: The victim host navigates to a compromised website containing a malicious injected script.

Step 2: The injected script generates an HTTP request for an EK landing page.

Step 3: The EK landing page determines whether the computer has any vulnerable browser-based applications.

Step 4: The EK sends an exploit for any vulnerable application.

Step 5: If the exploit is successful, the EK sends a payload and executes it as a background process.

Step 6: The victim's host is infected by the malware payload.
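The six steps above, together with the file-type-transition idea of Shindo et al. from the related work, can be turned into a simple attack-path reconstruction over captured HTTP traffic. The Python below is an added example written for this edit, not the thesis's Chapter 4 script. It takes a list of HTTP transactions already extracted from a capture (constructed here; the hosts and URLs are placeholders), follows Referer headers backwards from the first binary download to the page the victim visited, attaches the exploit-stage objects (Flash/Java/Silverlight) fetched from that chain, and accepts the result only if the content types progress from HTML through script and exploit to binary and the chain crosses more than one host.

```python
"""Reconstruct a likely EK attack path from a list of HTTP transactions.

Added example for this edit, not the thesis's own Chapter 4 script. The input
is a list of transactions already extracted from a capture (e.g. with tshark);
the sample below is constructed and its hostnames/URLs are placeholders.
"""
from collections import namedtuple

# One request/response pair: timestamp, server host, full URL, the request's
# Referer header ("" if absent) and the response Content-Type.
Tx = namedtuple("Tx", "ts host url referer content_type")

# Content-Type families mapped to the chain stage they usually belong to.
STAGE_OF_TYPE = {
    "text/html": "html",
    "application/javascript": "script",
    "text/javascript": "script",
    "application/x-shockwave-flash": "exploit",   # Flash exploit object
    "application/java-archive": "exploit",        # Java exploit object
    "application/x-silverlight-app": "exploit",   # Silverlight exploit object
    "application/octet-stream": "payload",        # binary payload
    "application/x-msdownload": "payload",
    "application/x-msdos-program": "payload",
}
# Order in which an EK chain walks the stages; anything else is "other".
RANK = {"html": 0, "script": 1, "exploit": 2, "payload": 3}


def stage(tx):
    """Map a transaction to its chain stage from the response Content-Type."""
    base = tx.content_type.split(";")[0].strip().lower()
    return STAGE_OF_TYPE.get(base, "other")


def referer_chain(txs, start):
    """Follow Referer headers backwards from `start`; oldest request first."""
    by_url = {t.url: t for t in txs}
    chain, cur, seen = [start], start, {start.url}
    while cur.referer in by_url and cur.referer not in seen:
        cur = by_url[cur.referer]
        seen.add(cur.url)
        chain.append(cur)
    return list(reversed(chain))


def attack_path(txs):
    """Return the reconstructed chain ending at the first binary download.

    The chain is accepted only if (a) it starts at an HTML page, (b) its
    stages never go backwards (html -> script -> exploit -> payload) and
    (c) it spans at least two hosts, i.e. the page the victim visited is
    not the host that served the binary. Otherwise None is returned.
    """
    ordered = sorted(txs, key=lambda t: t.ts)
    for tx in ordered:
        if stage(tx) != "payload":
            continue
        chain = referer_chain(ordered, tx)
        chain_urls = {t.url for t in chain}
        # Exploit objects are fetched by the landing page and usually are not
        # in the payload's own Referer chain, so attach them explicitly.
        exploits = [t for t in ordered
                    if stage(t) == "exploit" and t.referer in chain_urls
                    and t.ts < tx.ts]
        path = sorted({t.url: t for t in chain + exploits}.values(),
                      key=lambda t: t.ts)
        ranks = [RANK.get(stage(t), -1) for t in path]
        monotonic = all(a <= b for a, b in zip(ranks, ranks[1:]))
        if (stage(path[0]) == "html" and monotonic
                and len({t.host for t in path}) >= 2):
            return path
    return None


# Constructed sample session (placeholders, not real indicators): a news page
# with an injected redirector, a gate, the EK landing page, a Flash exploit,
# the binary payload, and unrelated benign requests from the same page.
SAMPLE = [
    Tx(0.0, "www.example.org", "http://www.example.org/news.html",
       "", "text/html; charset=utf-8"),
    Tx(0.4, "www.example.org", "http://www.example.org/js/site.js",
       "http://www.example.org/news.html", "application/javascript"),
    Tx(1.1, "gate.example.net", "http://gate.example.net/go.php?id=3",
       "http://www.example.org/news.html", "text/html"),
    Tx(1.9, "landing.example.com", "http://landing.example.com/index.php?s=8",
       "http://gate.example.net/go.php?id=3", "text/html"),
    Tx(2.6, "landing.example.com", "http://landing.example.com/flash.swf",
       "http://landing.example.com/index.php?s=8", "application/x-shockwave-flash"),
    Tx(3.3, "landing.example.com", "http://landing.example.com/bin.php?k=1",
       "http://landing.example.com/index.php?s=8", "application/octet-stream"),
    Tx(4.0, "cdn.example.org", "http://cdn.example.org/img/logo.png",
       "http://www.example.org/news.html", "image/png"),
]

if __name__ == "__main__":
    for t in attack_path(SAMPLE) or []:
        print(f"{t.ts:4.1f}  {stage(t):8}  {t.url}")
```

Two caveats a practitioner should keep in mind. Real EKs strip or spoof the Referer (the "Hiding Referrer" self-defense characteristic listed in the table of contents), so when the chain breaks the timestamp order of requests to a host first seen just before the binary is the fallback. The Content-Type is also attacker-controlled: a payload served as text/html or an encrypted blob under a bogus type will not be classified here, which is why the thesis pairs this kind of heuristic with manual inspection of the actual response bodies.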

EK Infrastructure

Exploit kits are designed to support an underground business that nets money from unsuspecting victims. Obviously, an infrastructure that earns millions of dollars per year cannot be a simple network of one or two web servers. The infrastructure must be solid and functional and must ensure the availability of its operations at any time, since it serves thousands of connections per hour and any loss of availability due to bottlenecks or other system delays means loss of money. Below we depict the core infrastructure components of Angler EK, because its architecture is representative and applies more or less to other EKs too. We also describe how the core components talk to each other, to give a better notion of an EK's internal processes.


Figure 3 - EK indicative infrastructure

According to the depicted model, after the victim navigates to a compromised website controlled by an EK, he usually stumbles upon a rogue IFRAME that redirects him to a Proxy Server. The Proxy Server is the only component of the EK architecture that interacts directly with the victim; it redirects to the EK gate (landing page) and, in general, routes the traffic between all instances safely, hiding their malicious communication. Typically, EKs utilize more than one proxy server. The Proxy Server retrieves the landing pages, the exploits tailored to the browser's vulnerabilities and the payloads from the Exploit Server, which stores them centrally and delivers them to the victim, again through the proxies. The vast majority of EKs use a Linux distribution as the operating system of the Exploit Server and a version of NGINX as the underlying HTTP server. During all internal communications, a Status Server correlates logs from all instances in order to maintain the health status of the system. Specifically, acting as a monitoring interface, it periodically submits HTTP requests to the proxy servers and receives special responses from which it determines the health of each proxy and whether someone has compromised it or tampered with its contents. In addition to these checks, the Status Server collects all access logs and related information, e.g. victim IP addresses, User-Agents, etc., and pushes them to the Master Server. The Master Server aggregates and correlates the data retrieved from each Status Server, handles the trade with the customers who rent or buy the service and provides statistical information, such as compromise rate and transactions, to the EK owners.

The distributed management described above allows the overall operation to flow quickly without harming the availability of the service, neither towards the victims nor towards the customers. A single Exploit Server collaborates with a series of Proxy Servers in order to obscure the traffic, hinder traceability and in turn protect it from detection. The segregation of exploits allows the business to put newer exploits into production without interrupting the ongoing process at all, and to charge separately (usually more) for the newest exploits, such as zero-days.

Propagation

In this section we mention the ways EKs spread through the Internet and reach potential victims. A higher number of compromised hosts translates into higher revenues for cybercrime, which explains why EK masterminds invest many resources and much time in developing optimal techniques for delivering malware.

Security researchers have categorized EK campaigns according to their characteristics, attack vectors and the malware they usually drop. We discuss several campaigns, along with the main technical analysis, in a subsequent chapter for better understanding.

EK CAMPAIGNS

This kind of campaign aims to redirect the victim to the EK's landing page, either directly or through a gate before reaching the actual landing page. The means are IFRAME redirectors and scripts injected into popular but compromised websites, whose goal is to redirect the victim to the EK's landing page. Another way is a malicious web server module that inserts hidden IFRAMEs into certain responses; it was first seen on Apache (Linux) web servers and later on NGINX and some IIS versions. The malicious module was loaded through a LoadModule directive in the server's configuration file, compromising the server at the root level. This infection was difficult to detect because the malware was only active when neither the server nor the site administrators were logged in, and the IFRAME was only injected once a day (or once a week) per IP address. It is easy to see that such a server-level infection could not be reproduced on demand and was very difficult to reveal.

Popular campaigns are EITest, Darkleech, Pseudo-Darkleech, Afraidgate, 302 redirect, gonext, randphp, trk, vollumne, customredir, IPredir, IPredir variant, Malshadow and more.

SPAM CAMPAIGNS

One of the most effective ways EKs use to propagate themselves is the electronic mail service, via adversarial phishing campaigns. Attackers usually design an eye-catching message to raise the victim’s attention, within which a falsified link is embedded targeting the compromised web pages they control, or they use attachments within this message. The user can get compromised by following the links within an Adobe Acrobat document (.pdf format) or just by opening the attached document (most often a Microsoft Word document, .docx format) containing embedded macros that will be executed to start the infection process.

MALVERTISING

Furthermore, another way of delivering EKs to many victims is malvertising campaigns. We use the term malvertising to describe an online advertisement on a website that has been tampered with a falsified object or piece of code, so as to perform unintended redirections to the EK’s servers upon the visitor’s interaction. The foreground visualization is usually a text message, an animation, a video, a GIF, etc. that tends to raise the visitor’s attention to click on it, with the expectation of being redirected to the corresponding online store or offered service website. However, the underlying code is carefully designed to bypass common security filters and redirect the visitor to the EK’s gate in order to exploit his host. Usually, the advertisement network companies and operators themselves are the first victims of cyber criminals, because EKs launch their attacks via their compromised servers. This happens when the EK masterminds have already hacked, for example, the web hosting service and then have found a way to inject scripts into its websites.


EK & Underground Economy

In the context of Cyber Security, the EK phenomenon is nothing else than the business of its owners. The cyber criminals behind the most prevalent EKs take their business seriously in order to maximize their profit. That’s why they put so much effort into adopting new methods and technological trends, always acting from the bad side by bypassing the newest security policies and detection methods. The terms EK-as-a-Service (EKaaS) or Malware-as-a-Service (MaaS) are not new to the security community, which closely watches the underground economy growing fast, mostly routed through the so-called Dark Web, a.k.a. Deep Web.

In the Dark Web, which among other law-breaking territories counts a sheer amount of money stemming from outlaw activities, cyber criminals find a hospitable area to offer their services and trade anonymously. The price of renting one of the leading EKs is often a few hundred dollars per month; approximately $500/month. Some EKs can also be sold in their entirety for approximately $20-30k. The buyer can be anyone who wants to hide his criminal activities behind the anonymity that Tor and other encrypted networks offer, such as desperate individuals, enterprises, or governments. The EKs are typically sold via underground forums, which usually operate on an invitation-only basis to avoid infiltration by law enforcement and security researchers. The author cannot distinguish those who purchase EKs from the cyber criminals that designed them. Additionally, the EK owners provide the buyers with a management console to oversee the malicious activities of the employed EKs, as well as a full view of their effectiveness, status, and cost of renting the service. The buyer, for his part, must provide his own equipment and infrastructure for this service. Once the rent is paid, the buyer has full access to the monitoring interface and to the additional features that the EK may have been shipped with, to attack at will. The cyber security community has defined the term campaign as an attack or a series of attacks launched from a distinct infrastructure leveraging an EK.

On the other hand, buyers of crimeware do not differ from normal buyers, having their own demands and spending their money on products that deserve it. As a consequence, cyber criminals that want to increase their revenue tend to follow buyers’ preferences. We have summarized below what crimeware buyers demand from EK designers and what EK designers actually try to fix so as to offer a more attractive product:

§ Better hit-rate of the EK

because from the buyers’ aspect, the most important thing is to have as many infections as possible, and from the designers’ point of view, it means more money, especially if they charge by successful hits

§ Attractive pricing

The “pay-per-install” EKs are a significantly more attractive offer, as the buyer has to pay only for the successful malware installations and not for those that miss

§ Better marketing name

Indeed, EK “superstars”, which means famous EKs, tend to be more attractive to buyers.

§ Number of zero-days

Complementary to the marketing name, sales also depend on the amount of zero-day exploits the EKs claim to have in their possession.

§ Flow of traffic

EK designers that maintain a high rate and steady flow on their landing pages earn higher incomes.

§ User friendly

Besides technically confident buyers, EKs also address non-technical cyber criminals. For this reason, designers have developed nice user interfaces, web panels and functions that facilitate the adversarial activities.

§ Extra features

EK designers tend to include additional features such as combinations of different malware types, configuration options and add-on functions for skilled buyers who want to make the most of their purchase.

§ Incorporate undetectable droppers

In addition to extra features, buyers prefer the EKs that possess stealthier droppers, like Trojan droppers that evolve on a regular basis so as to effectively evade updated security products, over the ones not having this option.

§ Up-to-date EKs

The last feature that matters in terms of sales is whether the EK keeps up with the latest developments, integrating fresh vulnerabilities as soon as they are discovered and new exploits as soon as they are published.

That said, it is more than obvious now that EK-as-a-service is like a true business based on real business models, with owners that worry about and strive for increasing their sales, and with demanding customers as well. Cyber criminals are moving fast in adopting new techniques because, most of the time, their aim is to make money.

EKs’ success relies heavily on the popularity of the websites they compromise. The higher the profile and the number of visitors of the vulnerable website, the greater the volume of traffic towards the EK servers and the greater the probability for the EK to infect victim hosts.

By targeting adult sites or gambling sites, chances are it will probably not hit enterprise users, because enterprise networks constantly filter this type of website.

The following figure displays the annual revenue and its corresponding resources of the most dominant exploit kit of 2015, as cited in Cisco’s Annual Security Report (2016).

Figure 4 - Revenue and resources of Angler EK (2015)

According to these statistics, it was estimated that Angler on average targeted 90 thousand hosts per day via approximately 147 active redirection servers per month. From those hosts, 40% were finally compromised and about 62% of them were finally infected with variants of ransomware. By taking into consideration that on average 2.9% of the victims finally pay the ransom of about $300 per infection, Angler EK seems to reach the surprisingly large amount of 34 million dollars in 2015.


Background on Exploit Kits

EK’S ADVERSARIAL ACTIVITY

Recall that an EK is basically a web-based platform for compromising hosts via some kind of malware. The chain of infection in most cases is the following:

One or more redirections lead to the gate, with occasional probing of the system. If a vulnerability is identified, they deliver a landing page to probe the browser and determine the underlying technology of its plugins. If they find a match with a suitable exploit from their arsenal, they deliver a payload to the host, containing the dropper which is responsible for downloading and executing the malware.

The exploitation phase during the EK’s activity includes the execution of exploit code via installer scripts, the triggering of publicly available or zero-day exploit code, executing payloads to register the affected host as part of a botnet, storing Trojans and spyware, as well as performing several administration tasks that report their status to the EK administration panel.

Attack Characteristics

NATURE OF EK

The majority of EKs are mostly constructed from open-source components because they are free of cost. They are usually written in HTML and PHP and usually embody third-party code excerpts in JavaScript and CSS. EK authors usually rely on Apache and Nginx web servers for serving their landing pages. The sheer majority of droppers and launchers are Flash files, which are most probably supported by common web browsers. In case the EK is delivered via spam email containing a malicious attachment, usually that attachment, e.g. a Microsoft Word document, contains a VBScript script for downloading and launching the malware. Sometimes, the PowerShell language is used for executing shellcode and the downloaded specimen. Also, they usually employ MySQL databases for storing their arsenal of exploits within the Exploit Server.

As far as the malware delivered in the final phase of the infection is concerned, it is usually written in C/C++ to ensure interoperability with a range of target systems and because it is faster than other languages. For instance, a ransomware which is written in C, containing code excerpts in assembly, executes its encryption routines much faster. EK authors tend not to prefer the C# language for malware because it is slightly slower and because there are many free tools that help researchers perform reverse engineering on the specimen.

As we will discuss in a subsequent section, the JavaScript and other code excerpts used in EKs tend to be obfuscated to some extent in order to offer self-defense against the anti-malware installations that the victim’s host may have in place. In order to obfuscate their code, EK programmers are likely to purchase commercial obfuscators to do the job effectively and bypass detection products.

In the following two sections, we are going to describe the main characteristics of EKs, separated into two categories. The first category refers to the patterns and tricks they leverage in order to achieve their malicious intentions. The second category represents the mechanisms they leverage in order to stay stealthy against security products.

REDIRECTIONS

Recall that the first step of infection is for a user to accidentally visit the vulnerable web page leading to the landing page of the adversarial hosts that serve EKs. The chain of redirections is a crucial part of succeeding; otherwise the victim will never reach the EK’s landing page. Redirections can be performed server side or client side, as we will see in the following.

Redirections are utilized by the vast majority of EKs for the following reasons:

§ They are actually the starting point of the EK’s malicious activity because they facilitate the opening of a communication channel between the victim and the exploit servers. Without them it would be harder for the EK to reach the visitor’s host.

§ They obscure the network traffic so that the source website that has been compromised by the EK will be kept unnoticed for a long time.

§ They hinder the tracking process and automated analysis.

§ They prevent the malicious server from being flooded by multiple connections, which would render it unable to offer its service. They try to keep the Exploit Servers equally busy.

§ They direct the EK to specific regions according to their operators’ instructions.

Redirections towards the malicious gate can be achieved via injection into vulnerable web pages in several ways:

§ By simply using the JavaScript window.open(url) function targeting the malicious domain. This is a client side type of redirection.

§ By injecting invisible IFRAMEs (practically having zero height and width) or too large IFRAMEs (difficult for one to distinguish them from the legitimate page) embodying the redirection to the malicious domain. This is the most popular client side type of redirection.

§ By injecting specially crafted HTML code that leverages the normal server redirection of HTTP code 3XX and uses it to target the malicious domain (302 Cushioning), which is usually assigned to the “Location” header.

§ By invoking Java applets or APIs which perform remote connections, or by invoking an already infected JavaScript library.

§ By falsifying the .htaccess file, in case of an Apache server, by injecting redirection rules towards the landing page.

§ By using an HTML HREF attribute targeting the malicious domain.

§ By presenting a fake message or warning containing a script that performs the redirect when the visitor presses an option or closes it.

The overall process is totally invisible to the average user and very quick, so as not to raise suspicions. Even when the EK does not manage to exploit the victim browser, it will respond with an abstract or blank web page in order not to be noticed by the user. It is worth noting that it is possible to interact with a different EK every time you navigate to the same web page.
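The client side redirectors listed above (hidden or oversized IFRAMEs and window.open calls pointing off-site) can be spotted statically in a captured page. The following scanner is an added example written for this section, not code from the thesis; the HTML sample, the host names (reserved .test domains) and the size thresholds are constructed assumptions.

```python
"""Static scan of a captured HTML page for injected client side redirectors.

Added example for this section (not the thesis's own code). Flags IFRAMEs that are
invisible (zero width/height, display:none, visibility:hidden) or oversized, and
window.open() calls, when they point to a host other than the page's own host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate ad IFRAME and two injected redirectors.
# Host names are placeholders in the reserved .test TLD.
SAMPLE_HTML = """
<html><body>
<h1>Local news</h1>
<iframe src="https://ads.example-legit.test/widget" width="300" height="250"></iframe>
<iframe src="http://gate.placeholder-malicious.test/in.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<script>window.open('http://other-placeholder.test/landing');</script>
<a href="/about">About</a>
</body></html>
"""

WINDOW_OPEN = re.compile(r"""window\.open\(\s*['"]([^'"]+)['"]""")
OVERSIZED_PX = 5000  # assumption: anything this large is hiding in the page layout


class RedirectorScanner(HTMLParser):
    """Collects (kind, target_url) findings while the page is parsed."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script bodies arrive here as text; look for off-site window.open().
        if self._in_script:
            for url in WINDOW_OPEN.findall(data):
                if self._is_external(url):
                    self.findings.append(("window.open", url))

    def _is_external(self, url):
        host = urlparse(url).netloc.lower()
        return bool(host) and host != self.page_host

    def _check_iframe(self, a):
        src = a.get("src", "")
        dims = [self._px(a.get("width")), self._px(a.get("height"))]
        style = (a.get("style") or "").replace(" ", "").lower()
        invisible = 0 in dims or "display:none" in style or "visibility:hidden" in style
        huge = any(d is not None and d > OVERSIZED_PX for d in dims)
        if self._is_external(src) and (invisible or huge):
            kind = "hidden_iframe" if invisible else "oversized_iframe"
            self.findings.append((kind, src))

    @staticmethod
    def _px(value):
        """Parse a width/height attribute such as '0', '300px' or '100%' to an int."""
        if value is None:
            return None
        m = re.match(r"\d+", value.strip())
        return int(m.group()) if m else None


def scan_page(html, page_host):
    """Return the list of suspicious redirectors found in `html` served from `page_host`."""
    scanner = RedirectorScanner(page_host)
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for kind, target in scan_page(SAMPLE_HTML, "news.example.test"):
        print(f"{kind}: {target}")
```

The legitimately sized third-party ad IFRAME is not reported; only the zero-size frame and the off-site window.open call are.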

302 CUSHIONING

This is a server side method of redirecting the victim to the attacker’s web server by returning a fake “302 Found” server response status code and providing the URL pointing to the EK’s gate through the “Location” header. The term was coined by Cisco; the technique is also known as “Rogue 302 Redirectors”. Normally, the 302 redirection is legitimate and is constantly used by developers to navigate the visitors of a website to another web page. Many EKs take advantage of this typical feature of web applications to redirect visitors to their malicious websites.

Of course, the prerequisite for the attackers is to have already identified and exploited a vulnerability within the web application or the web application provider, in order to inject the malicious redirection.
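In traffic, 302 cushioning shows up as a chain of 3XX responses whose Location headers hop across unrelated domains before the final 200. The script below rebuilds such chains per client from proxy-style log lines and flags the cross-domain ones; it is an added example, not from the thesis, and the log format, hosts and the two-hop threshold are constructed assumptions.

```python
"""Rebuild HTTP redirect chains from log lines and flag 302-cushioning patterns.

Added example for this section (not the thesis's own code). The log format below is a
constructed, simplified one: timestamp, client IP, requested URL, status, Location ("-" if none).
Host names are placeholders in the reserved .test TLD.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: client 10.0.0.5 is bounced through two rogue 302s to a gate;
# client 10.0.0.9 follows an ordinary same-site 302 (cart -> login).
LOG_LINES = """
1 10.0.0.5 http://news.example.test/index.html 200 -
2 10.0.0.5 http://news.example.test/ads.js 200 -
3 10.0.0.5 http://cdn-one.placeholder.test/r.php 302 http://step-two.placeholder.test/go
4 10.0.0.5 http://step-two.placeholder.test/go 302 http://gate.placeholder.test/in.php?id=7
5 10.0.0.5 http://gate.placeholder.test/in.php?id=7 200 -
6 10.0.0.9 http://shop.example.test/cart 302 http://shop.example.test/login
7 10.0.0.9 http://shop.example.test/login 200 -
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, client, url, status, location = line.split()
        events.append({"ts": int(ts), "client": client, "url": url,
                       "status": int(status),
                       "location": None if location == "-" else location})
    return events


def host(url):
    return urlparse(url).netloc.lower()


def build_chains(events):
    """Follow each 3XX Location header to the same client's next request for that URL.

    Returns a list of (client, [url, url, ...]) chains, one per redirect sequence.
    """
    by_client = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_client[e["client"]].append(e)

    chains = []
    for client, evs in by_client.items():
        consumed = set()  # indices already absorbed into an earlier chain
        for i, e in enumerate(evs):
            if i in consumed or not (300 <= e["status"] < 400) or not e["location"]:
                continue
            chain = [e["url"]]
            cur, j = e, i
            while cur["location"]:
                nxt = next(((k, x) for k, x in enumerate(evs)
                            if k > j and x["url"] == cur["location"]), None)
                if nxt is None:
                    # Redirect target never requested (blocked, or chain cut): record it anyway.
                    chain.append(cur["location"])
                    break
                j, cur = nxt
                consumed.add(j)
                chain.append(cur["url"])
            chains.append((client, chain))
    return chains


def is_cushioning(chain, min_cross_domain_hops=2):
    """Heuristic: a chain that changes host at least twice looks like a redirect cushion."""
    hosts = [host(u) for u in chain]
    hops = sum(1 for a, b in zip(hosts, hosts[1:]) if a != b)
    return hops >= min_cross_domain_hops


def find_suspicious_chains(text):
    return [(c, chain) for c, chain in build_chains(parse_log(text)) if is_cushioning(chain)]


if __name__ == "__main__":
    for client, chain in find_suspicious_chains(LOG_LINES):
        print(client, " -> ".join(chain))
```

A natural extension is to join the first hop back to the Referer of the page that triggered it, which names the compromised site; the sample format above does not carry that header.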

DOMAIN SHADOWING

This technique involves compromising the parent domain and creating multiple sub-domains with a similar name that, upon clicking on them, redirect the visitor to the EK’s landing page. Victims cannot distinguish the real website or advertisement (e.g. legitdomain.com) from the fake one (e.g. ads.legitdomain.com) and are thereby lured into communicating with the malicious server. EK maintainers can generate fraudulent sub-domains, mostly by stealing the legitimate domain’s credentials, and delete them very quickly so as not to be captured by security systems and URL blocklists. For instance, if the attackers manage to steal the credentials of the victim’s account at his domain registrar, they would be able to generate the malicious sub-domains.

Domain shadowing campaigns prove to be a very effective technique, since they are very difficult to stop or detect. This is mostly because the malicious sub-domains usually have a very short lifespan. In addition to being active only for a few hours, they are also reached only a few times, decreasing the possibility of getting noticed. Blacklisting the falsified domains won’t help either, because not only the victims’ domains are being rotated but also their IP addresses. Furthermore, blacklisting the root domain poses a loss in the registrar’s profit.

VICTIM PROFILING

The EK’s primary concern is to gain as much knowledge as it can about the victim host, so as to proceed to the exploitation phase. The weakest link in this chain is the web browser, which is successfully probed by the attackers unbeknownst to the user.

In order to perform host fingerprinting, EKs at first gain several pieces of information regarding the visitor’s web browser by analyzing the User-Agent header, that is, the web browser technology the victim uses to communicate over the Internet. This information is transmitted in clear text over the network. Obviously, EKs will not just rely on User-Agent inspection, since one can easily use whatever User-Agent he wants and pretend to be navigating, for instance, via a smartphone device. They use JavaScript code especially designed to perform this kind of check when run in the victim’s browser.

They try to determine the version of the operating system and the browser, as well as the plugins installed in the browser and their versions. The most common checks target Adobe Flash Player, Microsoft’s Silverlight and Java technologies, which are usually installed as services in the browser of the average user in order for the browser to better display the modern web content of websites.

In the following, we are going to describe the most popular fingerprinting techniques leveraged by EKs in the wild, without diving into deep technical analysis.

FINGERPRINTING TACTICS

In this paragraph, we will attempt to describe the best known techniques and tricks EKs use to perform fingerprint checks on the victim’s host. It should be noted that, most of the time, the reason for leveraging the above mentioned tactics in order to gain as much knowledge as possible about the targeted system is twofold: Firstly, they will use this information to enumerate the victim’s system and subsequently launch a suitable attack for the specific host. Secondly, it is considered an act of self-defense for protecting themselves from security systems. A possible misunderstanding of the victim’s system could lead them into a trap, a honeypot as it is called, which would probably reveal their criminal activity, which in turn can be interpreted as financial loss for their underground business.

The fingerprinting phase takes place within the landing page and before the EK unleashes the suitable exploit for the host under attack and infects it with malware.

Some of the preliminary checks the EKs leverage to determine the nature of the victim host are relatively simple and are performed prior to reaching the gate. This category includes the IP address verification, so as to know whether it is registered to a security company such as Kaspersky or Malwarebytes or to a known honeypot server, as well as geolocation checks and, of course, checks of the browser technology. As far as the browser is concerned, the User-Agent header embodied in the request submitted towards the malicious server gives an indication of the browser’s and host’s underlying technology and will decide the result of the attack. For instance, if a browser is identified as being the latest version, which holds no vulnerabilities at all and thus no exploits, or does not hold any vulnerabilities available in the EK’s database, then the infection may terminate during the fingerprinting phase.

The above mentioned tactics refer to the beginning of the infection chain, where the victim triggers it by clicking on a malvertisement. Getting to the EK gate by visiting a compromised website includes these tactics but also triggers additional checks afterwards. Fingerprinting checks are also performed by the landing page itself, because other victims may reach the EK gate via other means, such as clicking on the malicious link embedded in a phishing email.

A common and simple check performed by several EKs, such as Angler EK and Magnitude EK, is collecting information about the dimensions and resolution of the user’s screen. By determining the resolution, as well as whether virtualization software is installed on the host, they can tell if it is a normal host, a virtual machine or a honeypot server. But how exactly are they able to scan the local system and verify whether a local file exists?

For many years, EKs were taking advantage of a vulnerability in Internet Explorer’s XMLDOM ActiveX object (CVE-2013-7331 - CVSS Base Score 5.8, Medium severity) which permitted host fingerprinting with a minimum need for user interaction. Specifically,

The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes, as demonstrated by a res:// URL, and exploited in the wild in February 2014. (NVD, CVE-2013-7331)2

More vulnerabilities capable of doing the same thing, that is, enumerating the remote machine’s filenames, are registered as “Information Disclosure” vulnerabilities with the identifiers CVE-2015-2413, CVE-2016-3351 and CVE-2016-3298.

The latter (CVE-2016-3298 3, CVSS Base Score 2.6 - Low severity) Internet Explorer vulnerability allows the attacker to determine whether a specific directory is present in the victim’s system by invoking the loadXML(string) method through an MS XML DOM object. The figure below depicts a simple example of how this technique can be effective:

Figure 5 - Fingerprinting via loadXML function

This method, after some other function calls, returns the error code 0x800c0015 if the directory we are looking for exists, or 0x800c005 if the directory does not exist. Via this error code, a simple EK routine can determine whether security-related directories have been installed on the system under attack. The aforementioned vulnerability was patched by Microsoft on Tuesday 11th of October (Patch Day) of that year.

Typically, all fingerprinting tactics try to gain knowledge of the underlying system related to the following concerns:

§ Scans for presence of AV or IDS/IPS software

§ Checks if a firewall is installed in the system

§ Determines if the browser is running in a sandbox

§ Determines if virtualization software is installed

§ Inspects the system for packet capture software

§ Proceeds in delivering the specimen if it confirms none are present in the system

2 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7331
3 https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3298

Later on, in the next chapter, we will dive more into the technical detail of the checks that EKs commonly perform when reaching the final phase of the compromise, when the exploit is downloaded and executed.

TRAFFIC DISTRIBUTION SYSTEMS

As we have already stated, EKs strive to increase the profit from their malicious activities, carefully propagating themselves to targets that have a good chance of being compromised in the end. For this reason, they take advantage of commercial Traffic Distribution/Direction Systems (TDS) by purchasing the service, by compromising the vendor, or even by designing their own TDS.

TDS systems filter the incoming traffic and route it to specific targets. They are actually web gates that redirect users to specific content depending on who they are. They usually include a filtering mechanism where the scripts run based on certain criteria, a database to store and retrieve data, as well as a panel for statistics and the control panel for administration purposes. The aim is to filter the incoming connections via scripts employing as criteria the “Referer” header of the request, the language via the “Accept-language” header and the browser version and operating system via the “User-Agent” header, as well as geolocation, in order to unleash the suitable exploit attack. In this way, the fine-grained traffic is distributed effectively to the correct receiver, without letting the irrelevant traffic consume the system resources, while also preventing detection through redundant requests. Known TDS brands that have occasionally been employed by famous EKs, such as Angler EK and others, are Keitaro TDS, Sutra TDS, Blackhat TDS, Boss TDS, etc.

Self-defense Characteristics

EK authors have developed their kits through the years so as to avoid unnecessary interaction with hosts that are known to be protected and most probably will not let them express their malicious intentions. In this way, they mitigate the risk of being trapped and analyzed by researchers. Unnecessary exposure or persistent attempts to exploit pose a risk for the EK to be captured, analyzed and revealed to the public. Possible analysis of the detected EK will directly affect its financial profit and reputation in the cybercrime industry.


We are going to describe below the main techniques EKs leverage in order to evade traditional signature-based IPS/IDS engines and to eliminate the chances of interacting with honeypots, thereby avoiding capture and analysis.

IP BLOCKING

EKs perform checks on the IP addresses they interact with in order not to attempt a malicious attack against hosts that serve some kind of honeypot. They also apply IP blocking to addresses assigned to known security vendors, hosting services, security research laboratories and addresses from Tor networks. Additionally, they try to avoid known addresses of enterprise environments, as these most likely implement complex security systems that prevent these kinds of attacks.

USER-AGENT EVASION

Another typical self-defense control against detection that EKs implement is checking the User-Agent of the inbound requests. Since the User-Agent header contains basic information about the underlying system that is trying to establish a connection with the EK server, they parse these headers and filter out the ones that are considered too risky to interact with. Researchers that constantly study EKs have identified that the technologies blacklisted by EKs are the user agents of known security products that likely do not have any publicly known vulnerability, as well as the user agents of game consoles, web vulnerability scanners and known honeypots. Some of the blacklisted User-Agents are: MRSPUTNIK, LSSRocketCrawler, CPython, SeaMonkey, NetcraftSurveyAgent, McAfee, fMcAfee Acunetix, massscan, BadaCrawler, facebookexternalhit, BIDUBrowser, and others. EK authors, at the time of writing, exclude the game consoles from their targets because of their low popularity (navigating the internet via the web browser shipped with a game console is not a popular way of browsing) and because they are technology-specific devices, so there is no high value in investing time and resources to break their technology; recall that EKs are built in a generic way so as to target widely used web technologies. However, in recent years, the exponential growth and usage of smart devices with the capability to connect to the Internet, like smart TVs, media players, smart domestic devices and others that almost everyone has at home, has raised the attention of cyber criminals, who have already started to compromise that kind of everyday-use device.


BLACKLIST LOOKUP

Many EKs perform checks on a regular basis in one or more public blacklisting repositories to identify whether their URLs are included. This is a common technique to identify whether their URLs remain secret and have not been analyzed by security tools and researchers. If they have indeed been blacklisted, they need to know that, in order to avoid spending resources on exploiting hosts that may have implemented some kind of protection against them, or stumbling upon honeypots that seek to analyze them further. Moreover, if they are included in public blacklists, the EK administrators immediately relocate and change the URLs to newer ones so as not to stop their operations, which would translate into money loss. The same procedure repeats until they are discovered and blacklisted again. A large number of security websites maintain databases that are updated frequently with blacklisted URLs; some of them are threatglass.com, virustotal.com, urlquery.net, and many others.

SIGNATURE EVASION

Complementary to URL blacklist lookup, EKs also check whether the signatures of their exploits and malware are included in public databases. Checking their own signatures against virus-scanning engines allows them to know which of their components is flagged by researchers and will probably not succeed in infecting the victim. In this case, they will not be confident enough to launch this attack, but will prefer another way to compromise the victim. The list of the most popular public virus engines includes virustotal.com, scan4you.net and others.

CLOAKING

Many EKs try to deceive the visitors of the compromised website, both when they have successfully exploited their hosts and when exploitation was not successful. Especially when the exploitation is not possible, EKs do not want to leave traces of their activities, to avoid being further investigated. Therefore, they redirect the user to a legitimate page that will not raise any suspicions. In both cases, it is also possible for the EK servers to respond with a not-found page, probably with HTTP response status code 404, or even with a blank page. The same applies to the case where an already infected host stumbles upon another web page that is trapped by another EK redirector. In this case, the EK does not start the exploitation process but just responds with a blank page to save its resources. Everyone who uses the Internet on a daily basis has most likely interacted with an EK that did not find any browser vulnerabilities and in turn displayed a random or blank web page.

It has been observed for several EKs, such as Sava, Fragus, Eleanore, 0x88, etc., that they place their last hope of compromising the victim on launching a random exploit before quitting the infection process, in case they are not able to find an exploitable vulnerability. They just want to take their chances before leaving the targeted host. There is also a good probability of doing the same if they have already compromised the victim and want to assess different or newer exploits for measuring success and benchmarking purposes. Thus, they serve a relevant exploit just to measure its effectiveness and report back to their C2 server for future development.

DOMAIN GENERATION ALGORITHM

The technique that leverages a Domain Generation Algorithm (DGA) allows the generation of multiple domain names with randomly shuffled characters or hashed names. Besides random alphanumeric strings, the concatenation of random words can also produce random domain names. The generation can take place on-the-fly during the victim-server communication, prior to fetching the exploit, or during the post-exploitation phase, when the malware has been installed and needs to communicate with the C&C server. Obviously, EK authors take advantage of this trick in order for their code to stand strong against detection by signature-based security programs, which could otherwise easily block them or their website’s DNS records, as well as to make the task of manual reverse engineering harder. The short life span of each domain increases its resilience against blacklisting. For instance, according to the security community’s observations, Blackhole EK generates unique second-level domains every 12 hours and Angler EK every 6 or 12 hours. The top-level domains can vary between several suffixes, such as .info, .biz, .ru, .top, .org, .com, etc.

The following figure depicts a DGA code excerpt that produces domain names based on the current date.

Figure 6 - DGA code sample

The above listing contains a function that generates domains based on the current date, giving a sense of randomness in the final date-based string “ejfodfmfxlkgifuf”, which could be used as a malicious domain name with a short lifespan.
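From the traffic analysis side, names like “ejfodfmfxlkgifuf” stand out from human-chosen labels by their character statistics. The scorer below is an added example (not the thesis's Figure 6 code): it rates DNS query names on entropy, consonant runs, vowel ratio and the less common suffixes from the list above (.info, .biz, .ru, .top; .com and .org are left out as an assumption, being too common to be a signal). The log lines and all domains other than the quoted string are constructed.

```python
"""Rate DNS query names for DGA-like randomness.

Added example for this section (not the thesis's own code). The DNS log format below is a
constructed one (timestamp, client IP, queried name); domains in .test/.placeholder style are
made up, and "ejfodfmfxlkgifuf" is the date-based string quoted in the text.
"""
import math
from collections import Counter

VOWELS = set("aeiou")
# Assumption: the rarer suffixes from the text's list; .com/.org omitted as too common to count.
RISKY_TLDS = {"info", "biz", "ru", "top"}

# Constructed sample DNS log: two ordinary names, one natural-language long label,
# the string quoted in the text, and a second random-looking label.
DNS_LOG = """
1 10.0.0.5 www.google.com
2 10.0.0.5 mail.example.org
3 10.0.0.5 ejfodfmfxlkgifuf.info
4 10.0.0.7 static-content-delivery.net
5 10.0.0.7 xq7k2mzp9fhw3ltq.top
"""


def registrable_label(qname):
    """Return (second-level label, TLD). Naive split without a public suffix list."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def shannon_entropy(s):
    """Bits of entropy per character over the label's own character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def longest_consonant_run(s):
    """Longest stretch of non-vowel characters (digits count as consonants)."""
    best = run = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def classify_domain(qname):
    """Return (is_suspicious, reasons). Two or more independent signals are required,
    because a single signal (e.g. entropy alone) also fires on long natural words."""
    label, tld = registrable_label(qname)
    core = label.replace("-", "")
    reasons = []
    if shannon_entropy(core) >= 3.0:
        reasons.append("high_entropy")
    if longest_consonant_run(core) >= 4:
        reasons.append("consonant_run")
    if len(core) >= 8 and sum(ch in VOWELS for ch in core) / len(core) < 0.3:
        reasons.append("low_vowel_ratio")
    if tld in RISKY_TLDS:
        reasons.append("risky_tld")
    return len(reasons) >= 2, reasons


def analyze_dns_log(text):
    """Return [(qname, reasons)] for every suspicious query in the constructed log format."""
    flagged = []
    for line in text.strip().splitlines():
        _ts, _client, qname = line.split()
        suspicious, reasons = classify_domain(qname)
        if suspicious:
            flagged.append((qname, reasons))
    return flagged


if __name__ == "__main__":
    for qname, reasons in analyze_dns_log(DNS_LOG):
        print(qname, reasons)
```

Note that "static-content-delivery.net" trips the entropy test alone and is therefore not flagged, which is why the rule requires at least two signals.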


HIDING REFERRER

Another way the EKs leverage in order to obfuscate their traces is routing their traffic over the encrypted HTTPS protocol. They usually utilize various HTTPS URL shorteners, such as bit.ly, goo.gl and others, to masquerade the malicious link that performs the redirection. In this way, they manage to break the referrer chain so as to perplex the detection process.

In late 2014, a security researcher discovered a vulnerability in Google’s DoubleClick.net that permitted redirections to rogue websites. The googleads.g.doubleclick.net domain was vulnerable to open redirect, meaning that one could be redirected to malicious domains via the vulnerable domain. As a consequence, such a security flaw could not be overlooked by cyber criminals, who quickly adopted it for launching malvertising campaigns and, of course, for redirecting victims to EKs’ landing pages. Besides the obvious advantage of redirection, this vulnerability also offered the EKs the opportunity to hide their malicious actions behind Google’s legitimate name and, furthermore, to harden detection due to the encrypted communication over the HTTPS protocol. For the sake of completeness, in 2016 the cm.g.double.net domain was also identified as suffering from the same vulnerability.

ENCRYPTION / ENCODING

A typical fact about EKs is that they use encoding on their source code and on the exploits in their inventory in order to keep them protected against analysis. In this manner, they obfuscate the source code and exploits so that it is difficult for researchers to parse them and understand the malicious activities and, of course, to prevent them from being redistributed by whoever has managed to capture them.

The powerful commercial PHP code encoder IonCube, as well as Zend Guard, were heavily used by famous EKs like CrimePack and Blackhole, and by less famous ones like Neon, Life and Firepack. For instance, the following figure depicts on the left side the malicious code without encoding and on the other side the code encoded with the IonCube encoder.


Figure 7 - IonCube encoded PHP code

In an attempt to avoid the expenses of commercial encoders, or to avoid the fact that their methods have probably been studied by security researchers, EK authors tend to design their own encoders and tools to apply on their precious code.

Researchers have discovered that several EKs use encryption in the communication between their core network components. EK authors usually prefer the XTEA (Tiny Encryption Algorithm) and RC4 encryption algorithms and the Diffie-Hellman (DH) algorithm for exchanging keys, as well as simple URL and Base64 encoding. However, in several cases, it has been determined that the encryption scheme is not precisely implemented and is significantly poor by default. This happens because it is not their first priority to be cryptographically correct. They only care to keep the core operations secret long enough, until the next dev-ops cycle includes changes.

OBFUSCATION

Typically, EKs implement various obfuscation techniques on the payloads served to the victim’s browser in order to avoid detection by network security products, as well as to make researchers’ lives harder. They implement obfuscation on their landing pages, payloads, exploits and anything that should be copyright protected. The aforementioned EK components constitute the assets of their business and need to be protected in order for their business to increase its revenue.

Basically, their primary goal is to deliver to the victim masqueraded code that is not easily understandable to human eyes and goes unnoticed by the majority of signature-based and emulation-based security products. They become even harder to detect when the page content is dynamically crafted in a unique way for each visitor, which is also a common weapon in their arsenal. They usually try to hide IFRAMEs, SWF files and JavaScript code, which constitute the core and most sensitive components for accomplishing their malicious activities.


Usually, the first step of the process and the first layer of obfuscation is applying simple Base64 encoding to the payload, so the last step for a researcher reversing the process will probably be Base64 decoding. The payload may also be a binary blob, shellcode, or a combination of the two. Obfuscation can also be applied to the JavaScript code that fingerprints the victim host, and anywhere else malicious data needs to remain undetectable.

From this point onwards it is up to the EK author's imagination how to obscure the code. Deobfuscation is consistently the most time-consuming part of the process, since a large number of combinations of obfuscation layers and techniques exist. Security experts have identified and categorized several common techniques used in the wild, usually obfuscation produced with known commercial or free tools and following already studied patterns, but deobfuscation remains uncharted territory because it relies heavily on the EK author's programming skills.

A common technique is string replacement, in which the encoded chunk of code is fragmented into strings that are assigned to multiple variables. Shuffling routines are then used to reassemble the true code listing. For instance, a set of routines decrypts key pieces of embedded variables and data, such as binary blobs, to assemble the landing page of the EK. The following figure illustrates multiple variables defined with pieces of code which are in turn concatenated to yield part of the EK's landing page.

Figure 8 - String replacement method

After assigning pieces of the encoded code to multiple variables, a function is usually used to concatenate all the variables together, crafting a large string that contains the code that will be decoded and executed.
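As an added example, not code from the thesis or from any kit, the following Python script reverses the string-replacement technique just described: it collects the string literals bound to junk-named variables, folds the concatenation expression that reassembles them, and strips the Base64 layer that sits underneath. The JavaScript sample is constructed inside the script; the variable names, the chunk size and the eval(atob(...)) sink are assumptions chosen to mirror the description above, and the iframe URL is a placeholder.

```python
import base64
import re

# Content the constructed sample hides: a one-pixel iframe pointing at an example
# landing-page URL (placeholder, not a real address).
HIDDEN_HTML = '<iframe src="http://landing.example/pathto/folder/" width="1" height="1"></iframe>'

LITERAL_RE = re.compile(r'var\s+(\w+)\s*=\s*"([^"]*)"\s*;')
CONCAT_RE = re.compile(r'var\s+(\w+)\s*=\s*((?:\w+\s*\+\s*)+\w+)\s*;')
SINK_RE = re.compile(r'eval\s*\(\s*atob\s*\(\s*(\w+)\s*\)\s*\)')


def build_sample_js(payload: str, chunk: int = 23) -> str:
    """Constructed JavaScript in the string-replacement style: the payload is Base64-encoded
    (first obfuscation layer), cut into fragments bound to junk-named variables, listed in
    shuffled order, then concatenated and handed to eval(atob(...))."""
    blob = base64.b64encode(payload.encode()).decode()
    parts = [blob[i:i + chunk] for i in range(0, len(blob), chunk)]
    names = ["v%dx" % i for i in range(len(parts))]
    lines = ['var %s = "%s";' % (n, p) for n, p in zip(names, parts)]
    lines.reverse()  # listing order no longer reveals the concatenation order
    lines.append("var zz = " + " + ".join(names) + ";")
    lines.append("eval(atob(zz));")
    return "\n".join(lines)


def resolve_strings(js: str) -> dict:
    """Collect string literals, then fold 'a + b + c' concatenations whose terms are known."""
    env = dict(LITERAL_RE.findall(js))
    for name, expr in CONCAT_RE.findall(js):
        terms = [t.strip() for t in expr.split("+")]
        if all(t in env for t in terms):
            env[name] = "".join(env[t] for t in terms)
    return env


def deobfuscate(js: str) -> str:
    """Locate the eval(atob(var)) sink, resolve its argument and strip the Base64 layer."""
    env = resolve_strings(js)
    sink = SINK_RE.search(js)
    if sink is None or sink.group(1) not in env:
        raise ValueError("no eval(atob(<var>)) sink with a resolvable argument")
    return base64.b64decode(env[sink.group(1)]).decode()


if __name__ == "__main__":
    sample = build_sample_js(HIDDEN_HTML)
    print(sample)
    print("--- recovered ---")
    print(deobfuscate(sample))
```

In practice the landing page body captured from the PCAP is passed to deobfuscate() directly. The two regular expressions only cover plain string literals and `a + b` concatenation; real kits add arithmetic on character codes, lookup tables and function-call indirection, so this handles the first layer only and the resolved string usually has to be fed back in for the next one.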

In an awkward sense of humor, several EK authors have used snippets of famous verses from literature, stories or fairy tales as the names of the functions, classes and variables that make up their malicious code.

Another technique that EKs leverage in order to craft SWF files is the array-based technique. Usually a ByteArray() is initialized inside a sub-function and filled from variables whose values come from function calls or other parameters, each invoking the next so as to assemble the SWF file as a whole. In this shape the SWF content is never present as ordinary code, rendering it undetectable by security products that cannot follow its construction and read its malicious behaviour.

Control-flow obfuscation concerns the order in which the instructions and function calls of a program are executed. EK authors manipulate at will the control flow of a function that contains parts of the malicious code, so that the full malicious code is only assembled when one function or instruction invokes the next.

In fact, the most effective action EK authors take in order to keep their kits undetected for weeks is to change their obfuscation. Once security researchers reveal an EK's characteristics through reverse engineering and malware analysis, the authors update the kit by modifying its obfuscation. This is actually the major update an EK demonstrates every time it comes back into play after days of absence from the cybercrime scene.

Nowadays EKs tend to apply multiple layers of code obfuscation in an attempt to stay protected against known deobfuscation techniques that can be performed manually and against known tools that transform blobs into human-readable code.

FILELESS INFECTION

EK authors cannot rely on traditional exploitation techniques for long, since security products keep evolving. Consequently, as a company would do to increase its revenue, they spent time on exploit development and on the design of another, more notorious and significantly stealthier solution: fileless infection.

As already discussed, traditional exploits following the normal procedure are downloaded to the victim's hard drive, raising the suspicion of anti-virus products, which immediately perform signature-based analysis and, if they find a match, block the infection chain. In this manner the chances of the malware getting caught are high.


The newer technique injects malware on the victim's host without ever touching the hard disk, so it is never analyzed by traditional anti-virus installations. Instead, the malicious code is injected directly into memory so as not to be detected by signature-based security products that scan files. Technically speaking, the infection process allocates a memory region for itself, usually within the address space of the process that the EK successfully exploited, e.g. iexplore.exe (the Internet Explorer process), from where it performs the malicious operations it was designed for.

This advanced technique is popular in the current cybercrime scene. However, modern security products can detect it and protect the host by employing techniques such as pattern matching on memory, behavioral analysis, sandboxing and others.

Final Phase

The final stage of exploitation, in which the exploit has already been downloaded to the victim's system, is not going to be discussed in this thesis. This is the domain of static malware analysis, which is widely covered by numerous books and researchers on the Internet.

Our work will only briefly mention the additional checks, complementary to the ones mentioned in the Victim Profiling paragraph, that the malware performs upon executing on the victim's host. In this phase the malware performs extra fingerprinting checks to determine the host's underlying technology before executing its core malicious activity. By performing several anti-virtualization and anti-sandbox techniques it tries to determine whether the system is a virtual environment or deploys a sandbox. This means that it checks for MAC addresses, registry keys, running processes, services and files that could indicate the presence of a virtualization environment or sandbox. Furthermore, it normally checks for running processes related to security products, such as anti-virus as well as integrity and data loss prevention tools. It will also check whether debugging tools like IDA, Immunity Debugger, OllyDbg and others are present on the system.

If it identifies any of them, it typically quits, because it does not want to risk being captured and analyzed by security-aware users. Thereby the malware process terminates the infection, quits or even deletes itself so as not to leave traces, and in turn reports its status to the Status Server.


Post-Infection Phase

Typically, after infecting the victim with malware, EKs move further on by beaconing out to the C2 server to report their status and, in the case of advanced EKs, to keep statistics and balance load. Prior to the callback, the kit may try dropping another piece of malware on the victim's host to infect another process of greater interest, or infect the victim with persistent malware in order to have continuous access and command it at will. There is also the possibility of dropping another, newer piece of malware for testing purposes, in order to determine how the victim responds and whether it would succeed on the next victim.

Landing Pages

The landing page is the starting point towards infection: the web page to which the visitor of the compromised (vulnerable) website is redirected after one or more sequential redirections, without anything being visible in the victim's web browser.

Typically it is comprised of HTML or PHP and JavaScript content that gathers information and performs the identification and validation of the victim's browser and host. Landing page URLs usually end with a ".php" or ".html" suffix, or even with no suffix at all, thus pointing to a folder, e.g. "http://landingpage.org/pathto/folder/".

The main functionality of landing pages is twofold: to retrieve and decode the obfuscated code upon loading in the victim's browser, and to fingerprint the browser technology. The latter is also called an anti-emulation technique, used to identify whether they are interacting with a normal computer or with an emulator set up for detection and analysis purposes. One of its priorities is to probe the installed browser plugins in order to identify their versions, and then request from the Exploit Server suitable exploits to initiate a drive-by download attack. The list of targeted plugins and web technologies consistently includes Adobe Flash Player, the Java Runtime Environment and Microsoft Silverlight.

Upon finding a security flaw in the targeted browser, the landing page is responsible for retrieving the suitable exploit from the Exploit Server and serving it to the browser. If the vulnerability is in the Flash, Java or Silverlight components, the server selects a suitable exploit and sends it as a file to be executed by the browser. If the exploit targets the browser version itself, it is embedded in the HTML rendered by the vulnerable browser. The payload delivered by those files is a sort of malware specially designed to infect the host, and most of the time it is sent as a binary encrypted with a simple XOR or RC4 key. Alternatively, the payload can be a file downloader, executed on the victim's host to retrieve the final malware that is going to infect it. Finally, the encrypted binary is decrypted and executed on the victim's host, with results, in terms of infection severity, that vary depending on its nature and intentions. More information about the exploitation phase, namely the phase that starts at the point of browser exploitation and continues afterwards, will be offered in the following sections.
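The XOR- or RC4-encrypted payload described here is the same weak-by-default scheme discussed under Encryption / Encoding: the key is a short string the landing page already carries. As an added example, not from the thesis, the Python below recovers such a payload from a captured response body. It implements RC4 and repeating-key XOR, validates every attempt with the check an analyst actually applies (an MZ header whose e_lfanew points at a PE signature), and tries a one-byte key derived from the known first byte before trying the candidate strings pulled from the landing-page script. The "executable" is a constructed header with filler, not a real binary, and the key strings are invented.

```python
def fake_pe() -> bytes:
    """Constructed stand-in for a Windows executable: a DOS header whose e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' signature, followed by filler. Not a runnable binary."""
    hdr = bytearray(b"MZ" + b"\x00" * 58)        # 60 bytes up to e_lfanew
    hdr += (64).to_bytes(4, "little")            # e_lfanew = 64
    hdr += b"PE\x00\x00" + b"\x4c\x01"           # signature + IMAGE_FILE_MACHINE_I386
    hdr += bytes(range(256)) * 2                 # filler standing in for the rest
    return bytes(hdr)


def looks_like_pe(blob: bytes) -> bool:
    """The check run on each decryption attempt: MZ magic and a PE signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    off = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[off:off + 4] == b"PE\x00\x00"


def xor(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; a one-byte key is the degenerate case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def recover_payload(blob: bytes, candidate_keys):
    """Try, in order: a one-byte XOR key derived from the known first plaintext byte 'M',
    then repeating XOR and RC4 under each key string pulled from the landing-page script.
    Returns (scheme, key, plaintext) or None when nothing yields a PE image."""
    if not blob:
        return None
    k = bytes([blob[0] ^ ord("M")])
    if looks_like_pe(xor(k, blob)):
        return "xor1", k, xor(k, blob)
    for key in candidate_keys:
        for scheme, fn in (("xor", xor), ("rc4", rc4)):
            pt = fn(key, blob)
            if looks_like_pe(pt):
                return scheme, key, pt
    return None


if __name__ == "__main__":
    pe = fake_pe()
    captured = rc4(b"s3cret", pe)              # what the PCAP would contain
    print(recover_payload(captured, [b"wrong", b"s3cret"])[:2])
```

The one-byte XOR case needs no key at all because the first plaintext byte of a PE file is known; for RC4 the key has to come from the deobfuscated script, which is why the landing page is deobfuscated before the payload is touched.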

At the dawn of EKs, landing pages could relatively easily be distinguished from legitimate web pages by traditional security products and researchers, as their URLs carried eye-catching characteristics, such as unique and awkward names, so that sooner or later they would be captured and analyzed. In other words, a landing page of the past embodied strange characteristics that made it look obviously malicious. Nowadays the same task is getting harder, because current landing pages with URLs such as maliciousdomain.com/index.php look totally benign in the chaos of web pages as use of the Internet grows. No security product can tell with high probability whether such a URL pattern is malicious or not, and any attempt yields many false positives because the pattern is so common.

At the same time, they drastically decreased the URL life span so as to stay undetected. They generate URLs on the fly so as not to get blacklisted, and retire them usually after a couple of infections so as not to be traced.

Furthermore, landing pages are also considered state of the art as far as their design is concerned. They usually include large chunks of junk code within which they hide the real malicious code, most of the time written in JavaScript. From the analysis perspective, the goal is to understand the real aim of the code. The research community has developed several JavaScript interpreters that help in this task; among others, the really effective JSDetox tool created by Sven Taute for statically analyzing and deobfuscating JavaScript code, the SpiderMonkey standalone command-line JavaScript interpreter by the Mozilla Foundation, Google's V8 JavaScript engine, and the Microsoft Internet Explorer Developer Tools.

Overall, it should be noted that EK authors put much effort into designing the landing pages, which are one of the core components of EKs, and it is publicly acknowledged that they have become more and more difficult to analyze over the years. They do not have obvious commonalities and they are released in drastically different versions.


Web Browsers

Recall that the browser is the gateway to the online world and a milestone in the EK infection process. In general, a web browser is the piece of software people use to conduct all their important affairs, from logging into their social networks to performing online banking transactions. Assuming that approximately one third of the global population uses the Internet, it is fairly safe to estimate that billions of people use a web browser to navigate it on a daily basis, without counting the web browsers of smartphones and other devices that are becoming part of our lives more and more each day.

Figure 9 - Web browser brands

Nowadays many web browser vendors exist, the most popular being Microsoft's Internet Explorer, Google Chrome, Mozilla Firefox, Opera and others, each having developed its own technology, characteristics and security features. Some of them consider web security a theme of high importance, develop and adopt security controls, mitigate security flaws faster and hence enjoy people's preference and a bigger market share than others that evolve at a slower rhythm. Most of them have followed the trend of developing and adopting useful plugins that make people's daily browsing and work easier. However, the usability and convenience of performing a simple task via a plugin or add-on we install in the browser may come with a security vulnerability in that plugin, being a piece of poorly tested software, that can be exploited by EKs. Browser plugins and add-ons come with a plethora of security issues and should be updated regularly, as we will discuss at the end of this document, where we give some recommendations on how to protect against EKs.

We will consult the NetMarketShare online report on desktop browser market share from January 2016 until February 2017, based on surveys, ISP data and other methods [4].

Figure 10 - Web browser statistics

According to this report the dominant web browser is Google Chrome with 49.05% of the market share; Microsoft's Internet Explorer follows with 29.71% and, together with its successor Microsoft Edge at 4.86%, Microsoft reaches a total of 34.57% of market share, while Mozilla Firefox comes in third place with 10.30%. These statistics do not come from a report with security-driven criteria but are based on people's preference. However, without stemming from security criteria, the ranking surprisingly matches more or less the order of the most secure web browsers, and indicates that people tend to become more security savvy and that their browser preference may reflect their security concerns too.

Specifically, according to other surveys on security-oriented technology forums [5], the majority of users trust Google Chrome because it gets security updates every 15 days, faster than any other browser, because discovered vulnerabilities are quickly fixed, and because it supports third-party advertisement blockers that defend against most of the advertisements that may hide EK redirectors. It seems that users rely upon ad blockers, which indeed block the majority of benign advertisements and several malicious ones that can lead to compromise of the browser by an EK.

4 https://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0&qpsp=2016&qpnp=2&qptimeframe=Y&qpct=2
5 http://sensorstechforum.com/which-is-the-most-secure-browser-for-2016-firefox-chrome-internet-explorer-safari-2/

In second place people have chosen Mozilla Firefox, which updates every 28 days, has several interesting software versions and supports third-party ad blockers and a large variety of plugins. The release of different browser versions dedicated to development attracts security-conscious users who want the opportunity to test the newest features on their own. Chances are they identify vulnerabilities and prevent a version containing a security flaw from being released to the public.

Microsoft's Internet Explorer is in third place, followed by the Opera and Safari web browsers. The last two browsers do not suffer from as many vulnerabilities as the others, get updates approximately every 54 days and have implemented some interesting security features like proprietary sandboxing and techniques for blocking harmful content.

The Microsoft Edge browser holds the last place in people's interest; it gets updates more frequently than Internet Explorer and also supports ad blockers. It will draw the security community's attention in the future, as the Microsoft Windows version it ships with grows its presence in the market. Of Microsoft's web browsers, Internet Explorer is the one that interests us more, due to its prevalence and characteristics.

Of course, we intentionally left Internet Explorer for the end, and we will focus on it more later on, because it typically attracts EKs' attention more than the others. On one hand this may be caused by its large presence in the market, as it ships pre-installed with the most popular operating system (Microsoft Windows). For sure, it is the favorite browser of EKs because it suffers from relatively more vulnerabilities than the other browser brands, which constantly invest in security research and release updates on a more regular basis; Internet Explorer itself receives updates every 54 days.

For the above reasons, namely the wide popularity and the variety of technology, it is easy to see why the web browser is the target of EKs, which try to find security weaknesses and opportunities for exploitation.

Droppers

Droppers are programs specially designed to help EKs run, download and install the malware on the victim's host. They are smaller programs compared to the malware executables, transferred from the malicious server to the victim and delivered to the host after the browser exploitation. We can consider droppers a kind of Trojan, because they often evade detection by disguising themselves as legitimate software.

Modern droppers evolve rapidly in order to evade anti-virus detection, which nowadays performs behavioral analysis, pattern matching and other advanced techniques to identify and capture their functionality. Since they are the first piece of malicious code stored on the victim's hard drive, they are likely to be captured and deactivated by the security products deployed on the host.

There are two kinds of droppers with regard to the way they deliver the malware: "two-stage" droppers, which are stored on the host and, once activated, request the malware from the malicious server, and "single-stage" droppers, which embed the malware itself. The latter kind is larger in size and is formed that way in order to bypass virus scanners. However, the difference between the two kinds is not drastically big in terms of detection by modern anti-virus.

They are also separated into two categories depending on whether they require user interaction. There are droppers that do not require user interaction in order to be activated, and droppers that prompt the user with a seemingly benign message and try to convince him to interact. Upon user interaction the dropper is activated and proceeds to download the real malware.

Other types of droppers are injectors, which inject the malicious code directly into the memory of a running process. This method is progressively adopted by modern droppers because it is really effective against anti-virus detection, since the malicious file never touches the hard disk where the anti-virus looks for known malicious signatures.

Bleeding-edge droppers are multi-staged, leveraging zero-day exploits to execute on the victim without any notice or user interaction and bypassing average anti-virus installations, which have difficulties blocking them. Sophisticated attacks arrive in pieces so as to stay undetected, each of them seemingly benign.

Malware families

In the final phase of the infection chain by an EK, the malware is downloaded to the victim's host as described in the previous section and is triggered to express its malicious intentions.

We will not dive deeper into each malware family in this thesis, as malware analysis constitutes a huge subject on its own. We are going to discuss the most known malware types that EKs are used to deliver to the hosts under attack, and their general characteristics. All of them are widely distributed via EKs, spam campaigns and malvertising techniques, as described in previous sections.

RANSOMWARE

Nowadays infection by ransomware (a.k.a. crypto-ransomware) is the most prevalent attack an EK can deliver to victims, being a very lucrative source of money. For sure, this family is the most damaging kind of malware and the most notorious payload an EK can deliver to a victim's host, for the reasons we describe in the following.

First of all, let's describe what ransomware is:

Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key [6].

In other words, it is the type of malware that, once executed on the victim's host, prevents users from accessing their system by encrypting their sensitive files and locking the host's screen, presenting a message that demands a ransom be paid in order for the host owner to decrypt his files. Modern ransomware families have become more sophisticated, encrypting only selected files worth paying money to get back, presenting elegant messages and offering alternative payment options to the victim. Cybercriminals are free to choose the price of their ransom at will, and most of the time they demand payment in bitcoin or via untraceable prepaid cards.

The victim has a specified time window in which to pay the ransom, usually within a few hours of the infection; otherwise the ransomware leaves the files encrypted, terminates its execution and the victim loses the chance to decrypt the files.

Typically, ransomware is propagated via social engineering attacks such as malicious spam campaigns, namely electronic mails to which malicious links or documents are attached. Another popular way to lure users is browsing to seemingly benign web pages that in fact have been trapped by EKs. For several years cybercriminals have employed ransomware to directly seize money from non security-savvy people. It is really easy for the average computer user who navigates the Internet or uses electronic mail on a daily basis to be deceived by ransomware.

6 https://github.com/mauri870/ransomware

The list of the most famous ransomware species served by EKs includes:

§ WannaCry
§ TeslaCrypt
§ CryptoWall (and variants)
§ CryptoLocker
§ Spora
§ Cerber [7]
§ Locky
§ TorrentLocker
§ PadCrypt
§ CryptMIC
§ CTB-Locker
§ PayCrypt
§ FAKBEN
§ Havoc
§ VxLock
§ Crypto1CoinBlocker
§ VirLock
§ and many others

Police highly recommend to victims, and it is also the author's advice, not to pay the ransom, because this encourages cybercriminals to launch more attacks. Also, in this way the victim directly contributes to the wellbeing of cybercriminality. However, it is totally understandable that the average computer user who does not keep any backups of his personal documents, pictures and other personal media will most probably take his chances and pay, hoping to restore his data. The majority of victims consider the payment method a difficult task. Specifically, most ransomware incidents require payment in bitcoin, so the victim has to open a bitcoin wallet in order to transfer the required amount of bitcoins to a specific bitcoin address. The following figure depicts the block screen the victim faces as a result of a Cerber ransomware infection.

7 This type of ransomware welcomes victims with a voice saying "Hi, I'm infected! Please, pay bitcoin".


However, nowadays cybercriminals offer detailed instructions on how to perform the payment or, even worse, have already started to facilitate transactions by accepting deposits through known anonymous e-payment methods, without the need to register a digital currency wallet. The following screenshot displays the extraordinary ransom block screen of the Spora ransomware, to compare it with the previous one of Cerber.


Figure 11 - Spora ransomware block screen

In a sense of irony, cybercriminals have designed a surprisingly helpful portal for anyone willing to pay, featuring a comprehensive dashboard with tooltips and live payment status, and multiple other options such as a decryption test that decrypts two files for free, buying immunity from future Spora infections, and others.

Statistically, approximately 3% of victims finally give in and pay the ransom. The percentage is low because of the aforementioned difficulty of payment, because victims may think it is futile as they will never be able to restore their files and will just spend their money for nothing, and, less often, because they have nothing precious among the files encrypted by the ransomware. This observation applies to home computer users. In a corporate environment, on the other hand, it is much more difficult to let this just happen. Enterprises that have been compromised by ransomware tend to pay the ransom for fear of losing corporate documents with client data or other sensitive information, and because this loss may result in regulatory consequences and reputational damage. In this case they have the undeniable argument of paying the ransom hoping that their files will be restored and that they will regain control of their computers, avoiding further disruption of their operations.

In more technical detail, ransomware usually targets Windows users and seeks out valuable files, such as financial spreadsheets, Office documents, photos, videos, configuration files, etc., to encrypt. But let's describe the process from the beginning, namely after the victim's host is infected and prior to performing this scan. In case the distribution method is a malicious attachment within a spam email, a method constantly employed by CryptoWall, there is a RAR archive attachment containing a CHM file (or an HTA or PDF file), which is actually an interactive HTML file capable of downloading the CryptoWall binary and copying it into the %temp% folder, where every user has permission to write. The binary itself contains a lot of abstract instructions that obfuscate the code to delude anti-virus and evade detection, as well as anti-virtualization/anti-emulation and anti-debugger checks in order to avoid executing on, e.g., a virtual machine built by a researcher for malware analysis, or under debugging tools. Then it spawns an explorer.exe process into which it injects its unpacked binary, gaining its own space to execute, while the original process terminates. It also injects itself into a newly created svchost.exe process, installs itself in several system locations and sets its key in the Windows Registry in order to start automatically on boot, thereby making itself a persistent process in the system. Upon executing, it bypasses User Account Control (UAC) and deletes volume shadow copies via the vssadmin.exe process, so as not to allow a potential system restore. It then tries to reach a live C&C server by connecting through an anonymizing network such as Tor, in order to report that it has been installed on a new system, to send system-related information about the victim's host and to request the public key from the server. Newer ransomware variants, by employing asymmetric key cryptography, ensure that the server's private key is never transmitted over the network. Once it receives the host-specific generated public key from the server, it starts encrypting the files of interest.

For instance, one of the most notorious kinds of ransomware, TeslaCrypt, besides valuable files also targets some well-known games such as Call of Duty, World of Warcraft and others, including the following file extensions.

Figure 12 - File extensions encrypted by TeslaCrypt
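The host-side chain described above (an executable run from the user's Temp folder, a Run key written for persistence, shadow copies deleted through vssadmin.exe) is what an incident responder looks for in process-creation telemetry. The following Python is an added example, not part of the thesis, that runs that detection over constructed events and correlates them per host: shadow-copy deletion shortly after a Temp-folder launch is reported as a ransomware-like chain, with the Run-key write listed as supporting evidence. The pipe-separated log format, host names, file paths, command lines and the five-minute window are all assumptions of the example; a real deployment would read Sysmon event ID 1 or the EDR's equivalent.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed process-creation events: timestamp|host|image path|command line.
# Invented for this example; the format only mimics a generic EDR/Sysmon export.
SAMPLE_EVENTS = r"""
2017-05-02T10:01:05|ws-17|C:\Windows\explorer.exe|explorer.exe
2017-05-02T10:01:09|ws-17|C:\Users\ann\AppData\Local\Temp\inv_2017.exe|"C:\Users\ann\AppData\Local\Temp\inv_2017.exe"
2017-05-02T10:01:11|ws-17|C:\Windows\System32\reg.exe|reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /t REG_SZ /d C:\Users\ann\AppData\Roaming\svc.exe
2017-05-02T10:01:14|ws-17|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2017-05-02T10:03:00|ws-22|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
2017-05-02T10:04:30|ws-22|C:\Program Files\Backup\agent.exe|agent.exe --snapshot
"""

# Command-line rules (regexes are this example's own choices, not a vendor signature).
RULES = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "run_key_persistence": re.compile(
        r"reg(\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.I),
}
# Image-path rule: an executable launched straight out of a Temp directory.
TEMP_EXEC = re.compile(r"\\Temp\\[^\\]+\.exe$", re.I)


def parse_events(text: str) -> list:
    """Parse the pipe-separated export into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image, cmd = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "image": image, "cmd": cmd})
    return events


def classify(event: dict) -> list:
    """Tags that apply to a single event, in rule order."""
    hits = [name for name, rx in RULES.items() if rx.search(event["cmd"])]
    if TEMP_EXEC.search(event["image"]):
        hits.append("exec_from_temp")
    return hits


def find_ransomware_chains(events: list, window_seconds: int = 300) -> dict:
    """Per host: shadow-copy deletion within the window after a Temp-folder launch.
    Returns {host: sorted list of all tags seen on that host}."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append((e, classify(e)))
    chains = {}
    for host, tagged in by_host.items():
        temp_times = [e["ts"] for e, tags in tagged if "exec_from_temp" in tags]
        for e, tags in tagged:
            if "shadow_copy_deletion" not in tags:
                continue
            if any(0 <= (e["ts"] - t).total_seconds() <= window_seconds for t in temp_times):
                chains[host] = sorted({tag for _, tgs in tagged for tag in tgs})
    return chains


if __name__ == "__main__":
    for host, evidence in find_ransomware_chains(parse_events(SAMPLE_EVENTS)).items():
        print(host, "->", ", ".join(evidence))
```

The second host runs `vssadmin list shadows` and a backup agent, which is exactly the benign activity a bare vssadmin rule would flag; requiring the Temp-folder launch first is what keeps that host out of the result.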

At this point the known ransom screen is displayed to the victim, translated into the language corresponding to the geolocation of the IP address, leaving the victim no control over the system other than reading the notes.

Depending on the ransomware variant, the public key is not used directly; instead a symmetric AES-256 key is generated and is in turn encrypted with the public key, so that it is not needlessly exposed. Usually multiple and different kinds of encryption methods and algorithms are combined to obstruct the reverse engineering process. The names of the encrypted files before the originals are deleted, and the encryption process applied, also depend on the ransomware variant. Most probably the encryption applied to the files is unbreakable, leading to permanent loss in case the ransom is not paid. Chances are that even the perpetrators do not possess the private key required for decryption, because the whole process is executed automatically and there is no need to spend resources storing so many keys, or because they are simply not interested in restoring the payers' files. The latter is another reason why it is recommended not to pay the ransom and instead to be proactive, following security best practices.

Typically, ransomware will not encrypt anything useful for its own operation. It needs core Windows components to remain functional in order to run correctly, so it avoids encrypting core Windows folders like "Windows", "Program Files", "Program Files (x86)", "ProgramData" and others. A small bit of good news is that it scans the hard drives and network drives but not storage accessed via the browser or some types of cloud storage and online backup. So this way of storing files may be a possible mitigation, at least for our very important files; note, however, that a cloud folder synchronized to a local directory is as exposed as any other local folder.

There are a number of free and commercial tools designed by known security vendors that are capable of removing the malware or partially decrypting several file types, depending on the type of ransomware. The security community tries to design decryptors after almost every major security incident involving this specimen. However, this is not a full solution and most likely they will not be effective, depending on the case. Where a decryptor does exist, it is usually because the variant mishandled its key management, for instance by leaving the symmetric key recoverable on the host, rather than because the cipher itself was broken.

It is worth mentioning the website nomoreransom.org, an initiative of Europol and partners, which informs people about this malware and helps victims recover their data without paying the ransom to cybercriminals.

BOTNETS

This paragraph is entitled with the term botnet to describe another malicious activity that EKs can perform on a targeted machine. They can deliver bot malware which, upon executing, enlists that machine in a botnet.

A botnet (a.k.a. zombie army) is a network of interconnected computers which have been remotely exploited and are now manipulated by the botmaster, who operates the command-and-control activities. The bot (short for robot) is the malicious piece of software that connects a computer to the botnet and has been designed to execute the automated tasks dictated by the botmaster. Botnets can be used for legitimate reasons, such as social, commercial or other non-harmful activities, but we will of course focus on malicious botnets. Cybercriminals organize compromised endpoints into botnets to combine their resources for launching Distributed Denial of Service attacks, spreading viruses and worms and, more importantly, launching large spam campaigns, unbeknownst to the victims whose computers are compromised.

The infection process is the same as for any other EK payload, but this time the victim has no idea that malicious code has been installed on his computer by an EK. The whole process does not demand any user interaction and does not raise any warnings or notifications for the victim. So, simply, his computer has joined a botnet without him noticing anything odd.

Bot families known to be delivered by EKs include:

§ Bedep
§ Andromeda Bot
§ SmokeBot
§ SoakSoak
§ and others

The following screenshot illustrates the panel of Andromeda Bot in live action:

Figure 13 – Andromeda Bot administration panel

We can observe the list of bot machines that are part of the botnet. One of them appears to be online, while two are not connected at the time. The Andromeda panel offers all the information one needs to know about one's botnet and the administration tools needed to operate it at will.


Technical Introduction to known Exploit Kits

In this section we are going to describe the most known EKs and give a short reference to their characteristics, their history and the timeline of their activity. We will not focus on each and every detail of their actions or characteristics, as we have already mentioned that their versatility is the key to their success. This means that they tend to change their idiosyncrasies approximately every two days, rendering a full examination of the phenomenon unfeasible in one thesis.

Fortunately, readers who want to focus on a specific EK after this analysis will have the chance to find useful resources by searching on the Internet, where pioneering researchers and labs have published great documentation on almost every EK and almost every expression of its malicious activity. Most of the best sites, which have also helped us in writing this thesis, can be found in the "References" section at the end of the document.

ANGLER EK

GENERAL CHARACTERISTICS

Researchers have characterized this EK as the "most sophisticated" exploit kit identified so far in the cybercrime industry. Besides its elegant design, which will be described in the following, it is considered the most notorious EK of the past few years due to its involvement in malvertising and hacktivism campaigns and mostly because of its unique effectiveness in spreading ransomware to victims.

Angler EK first appeared in late 2013 and seems to have disappeared from the cybercrime scene on June 7th of 2016, when its last version was recorded for the last time [8]; that is why we are going to use the past tense for our description. Before reaching its end of life, it went through serious propagation so as to increase its activity and dominate cyber-attacks from March 2015 onwards. The demise of the Blackhole EK because of its authors' arrest in October 2013 was certainly another reason for Angler's proliferation. To have a notion of Angler's increasing activity, we mention the following chart demonstrating its weekly growth related to the amount of detections from mid-2014 until mid-2015.

[8] http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html

Figure 14 - Angler EK weekly growth

Moreover, the following figure shows a snapshot of the activity of the most popular EKs for three different periods: September 2014, January 2015 and May 2015.

Figure 15 - Distribution of prevalent EK's activity

We can clearly notice that Angler increased its malicious activities step by step each month until May of 2015, when it became the dominant EK with the huge share of 82.2% in terms of presence in the global cybercrime scene. To have a notion of Angler's prevalence, we will mention a report on this exploit kit conducted by Palo Alto Networks in 2015 [9]. By scanning vulnerable websites, they discovered that 90,558 unique domains (29,531 IP addresses) had been compromised and directed by Angler EK to attack the victims that were visiting them. Only one of the IP addresses, 184.168.47.225, hosted a total of 422 websites compromised by the kit, which describes its wide attack surface. Until December 2015, only 2,850 of the compromised websites had been registered as malicious by security vendors, thus only 3% of the detected sites.

Angler EK inherited the most traditional characteristics of EKs and significantly developed them through years of action. One can distinguish Angler EK from other EKs by the highly obfuscated JavaScript and the pop-up message shown when this code is executed in the background, as well as by the multiple layers of encryption within its HTML code and a bunch of characteristic function names (e.g. getKolaio()). Additionally, the use of SWF files serving as droppers, usually for ransomware, and several post-exploitation activities form the shape of the most prevalent EK.

Before diving into technical detail about the Angler EK, we should outline the main factors that rendered the Angler EK prevalent in the cybercrime market:

§ Adopts rapidly the newest exploits

The team behind Angler EK is known for adopting the latest exploits as soon as their patches are released. For instance, almost every time Adobe announced the release of a new patch for Flash Player, EK researchers were noticing the corresponding exploit being used by Angler within the next few days. Additionally, a lot of effort was put into exploit development and zero-day production. Angler maintainers regularly keep up with the latest exploits released on hacker forums and the latest vulnerabilities discovered by researchers or published by vendors, so as to develop their existing exploits and design their own zero-day exploits which, of course, they do not publish.

§ Widely spread to attackers with limited technical background

It can be easily used by non-technical attackers who do not have knowledge of its functionality. Attackers without low-level knowledge of the kit, upon purchasing it as a service, can operate an easy-to-use web interface to launch their attacks, which also allows them to adjust additional features.

[9] http://researchcenter.paloaltonetworks.com/2016/01/angler-exploit-kit-continues-to-evade-detection-over-90000-websites-compromised/

§ Widely available for rent or purchase

The so-called cybercrime-as-a-service met remarkable growth in the days this EK was present. Each price was affordable for the average cybercriminal, which, in combination with its features, yielded an all-in-one exploit package.

§ Offers programmable features at will

As for its versatility, we should mention that adversaries were allowed to launch the following types of attacks:

§ Install malware on the compromised host, targeting financial profit or direct ransoming of sensitive documents

§ Dump confidential data from the compromised host, such as usernames, passwords, credit card numbers, certificates, etc., and store them locally on their host.

§ Tie the compromised host to a botnet to populate an "army of bots" that will be used for more massive attacks.

As we have already stated, Angler EK has disappeared since early June 2016, and some of the EITest gates that had been primarily redirecting to its landing pages have since begun redirecting to Neutrino EK and RIG EK landing pages.

ANGLER IN ACTION

Angler EK, especially at the start of its life, followed the common procedure in order to infect its victims, starting from the classic redirections via IFRAME (HTML injection) or JavaScript injections in vulnerable web pages, through standard identification and enumeration of the victim's browser, until dropping the malicious payloads.

However, Angler went far beyond the mainstream procedure through these years in order to survive within the competitive cybercrime environment.

As far as the redirection to its landing pages is concerned, a variant of Angler EK was found to utilize DIV and FORM JavaScript elements which, upon execution, prompt the user with an abstract message and a couple of options to select in response. For instance, the visitor may be prompted to answer the fake message displayed in the following figure.

Figure 16 - Angler EK's pop-up message

It is up to the EK author's imagination to design a message that will be believable and will deceive the visitor into interacting. No matter where he clicks, either the option "Yes" or the option "Cancel" (or the exit option "X"), he will be redirected to the EK's landing page. Sometimes the user interaction is mandatory for triggering the redirection to the landing page, while several EKs are able to achieve that without any user interaction.

Upon loading the landing page, the script embedded within it performs various fingerprinting checks in order to build the profile of the victim. At this point, a form is crafted including the necessary initial information the Exploit Server should know for selecting the correct exploit. Specifically, the sender's IP address, the browser's User-Agent and the target URL are encoded and submitted via the POST method to the malicious server. After several processes in the EK's back-end servers, a response will be sent containing the malicious JavaScript code with the redirection placed within an IFRAME.

Alternatively, vulnerable web pages may be injected with a malicious Flash file specially designed to collect the sender's information via ActionScript and submit it in the same way via the POST method.

Another trick, with a short lifetime, that Angler employed in 2014 for achieving better redirections while decreasing the list of hostnames it had to keep updated, was a simple algorithm for hostname generation that depended on the current date, the DGA algorithm mentioned in the previous chapter. The names that were given to the malicious domains were actually the hashed value of the current date, along with the suffixes .PW, .DE or .EU, followed by the typical URL suffixes. These names were changing every day with no need for the attackers to maintain a large dictionary of the hostnames they employed. However, once the trick of the domain generation algorithm was discovered, the prediction of the malicious hostnames was low-hanging fruit for researchers, and by including them in blocking lists, Angler's authors were soon forced to quit this idea and search for alternatives.
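The blocklist pre-computation that researchers used against this date-seeded DGA, as an added example that is not part of the thesis: the thesis only says the hostname was "the hashed value of the current date" with .pw/.de/.eu suffixes, so the hash function (MD5) and the date formats used below are assumptions chosen to show the technique, not the real Angler parameters.

```python
"""Pre-compute candidate hostnames of a date-seeded DGA and match them against
observed hostnames. Added example; MD5 and the date formats are ASSUMPTIONS,
the thesis does not state which hash or format Angler used."""
import hashlib
from datetime import date, timedelta

TLDS = (".pw", ".de", ".eu")                          # suffixes named in the thesis
DATE_FORMATS = ("%Y-%m-%d", "%d.%m.%Y", "%Y%m%d")     # assumed candidate seed formats


def candidate_hostnames(day, formats=DATE_FORMATS, tlds=TLDS):
    """All hostnames the assumed scheme could produce for one calendar day."""
    names = set()
    for fmt in formats:
        digest = hashlib.md5(day.strftime(fmt).encode()).hexdigest()
        for tld in tlds:
            names.add(digest + tld)
    return names


def blocklist_window(today, days_back=1, days_ahead=2):
    """Candidates for a window of days: past days catch late sightings, future
    days let the block list be in place before the domain is first used."""
    names = set()
    for delta in range(-days_back, days_ahead + 1):
        names |= candidate_hostnames(today + timedelta(days=delta))
    return names


def match_observed(hostnames, blocklist):
    """Return observed hostnames that fall in the pre-computed set.
    Case-insensitive; a leading 'www.' label is ignored."""
    hits = []
    for name in hostnames:
        norm = name.lower()
        if norm.startswith("www."):
            norm = norm[4:]
        if norm in blocklist:
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Constructed sample: one DGA-looking host built from the assumed scheme, one benign host.
    seen_day = date(2014, 8, 15)
    sample_hosts = [sorted(candidate_hostnames(seen_day))[0], "www.example.org"]
    print(match_observed(sample_hosts, blocklist_window(seen_day)))
```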

Angler EK also used the so-called 302 Cushioning for redirecting users to its landing pages. This can occur when the server has been compromised so as to respond to the browser with falsified HTTP 302 (or sometimes 301) responses. By submitting a simple GET request towards the compromised website, the browser gets an HTTP 302 "Found" server response with the "Location" response header assigned to a specially crafted URL. The aforementioned URL actually performs the redirection to the next step of the exploitation chain. In this manner, legitimate server responses, such as the HTTP 302 response, can turn into redirections to the EKs' servers, as displayed in the following figure.

Figure 17 - Angler EK leverages 302 cushioning

We can see that the GET request receives a "302 Moved Temporarily" server response in order to redirect the user to another web page. Normally, this action is totally benign, unless the redirection through the "Location" header is targeting a malicious website, which is the case in this example.

Additionally, Angler EK used the most effective methods for achieving redirections: the injection of IFRAMEs and JavaScript scripts within the website's code. The malicious code can be embedded in the main page of the compromised website or can be retrieved from other resources within the website's filesystem. For example, it can be embedded within a library already stored in the website's directory that is usually called during runtime for functionality reasons. The following figure displays an embedded JS script redirecting to a malicious URL, being part of the main website.

Figure 18 - JavaScript redirect embedded in legitimate website

The initial malicious script of the compromised host redirects the visitor to an intermediate server. The redirection request goes through an initial scan by the intermediate server and, if it meets the criteria, the browser receives an HTTP 200 status code and another redirect pointing to Angler's landing page. Otherwise, the intermediate server responds with an HTTP 404 "Not found" response.
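How an analyst reconstructs the chain described in the last two paragraphs (302 cushioning on the compromised site, an intermediate gate, then the landing page) from the request/response pairs of a capture, as an added example that is not from the thesis. The transactions and hostnames are constructed placeholders; the "registrable domain" helper is a deliberate simplification rather than a public-suffix lookup.

```python
"""Reconstruct an HTTP redirect chain from captured transactions and flag the
hops that behave like 302 cushioning (a 301/302 whose Location leaves the site).
Added example with CONSTRUCTED transactions; not the thesis's code."""
from urllib.parse import urlsplit

# Constructed capture: (request host, request path, response status, Location header or None)
CAPTURE = [
    ("www.legit-site.example", "/index.html", 302, "http://gate-1.example/in.php?id=7"),
    ("gate-1.example", "/in.php?id=7", 302, "http://landing.example/search.php?keywords=123"),
    ("landing.example", "/search.php?keywords=123", 200, None),
    ("www.legit-site.example", "/style.css", 200, None),   # unrelated noise
]


def registrable(host):
    """Crude site key: the last two labels. Fine for the demo, not a public-suffix lookup."""
    return ".".join(host.lower().split(".")[-2:])


def follow_chain(capture, start_host, start_path):
    """Walk Location headers from one request. Returns hops as (host, path, status).
    Stops at a non-redirect, at a Location the browser never requested, or on a loop."""
    index = {(h, p): (s, loc) for h, p, s, loc in capture}
    chain, key, seen = [], (start_host, start_path), set()
    while key in index and key not in seen:
        seen.add(key)
        status, loc = index[key]
        chain.append((key[0], key[1], status))
        if status not in (301, 302) or not loc:
            break
        parts = urlsplit(loc)
        path = parts.path + ("?" + parts.query if parts.query else "")
        key = (parts.netloc, path)
    return chain


def cushioning_hops(chain):
    """Indices of hops that 301/302-redirect to a different registrable domain,
    which is what the thesis calls 302 cushioning; same-site redirects are benign."""
    flagged = []
    for i in range(len(chain) - 1):
        host, _, status = chain[i]
        if status in (301, 302) and registrable(host) != registrable(chain[i + 1][0]):
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    chain = follow_chain(CAPTURE, "www.legit-site.example", "/index.html")
    for i, hop in enumerate(chain):
        mark = "  <- cross-site redirect" if i in cushioning_hops(chain) else ""
        print(f"{i}: {hop[0]}{hop[1]} -> {hop[2]}{mark}")
```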

It has also heavily used the so-called "EITest" redirection (campaign), coined by Malwarebytes researchers due to the value assigned to the variable "id" which is included in its malicious HTML code. The malicious redirection has been injected through a massive campaign into thousands of websites since October 2014 until the fall of Angler in 2016, but it effectively continued to redirect to other EKs. The following figure illustrates the injected script of the EITest campaign:

Figure 19 - Injected script of EITest redirection

The feature of the EITest gate is to perform an HTTP GET request to receive a Flash file that will perform the redirection of the visitor, also via another HTTP GET request, to Angler's landing page. The aforementioned requests are illustrated below:

Figure 20 - EITest request that downloads Flash file

Figure 21 - Flash request redirects to Angler EK’s landing page

Then, the landing page probes the victim's browser for vulnerabilities and, by sending this information to the Exploit Server, retrieves the corresponding exploit to compromise the victim.

OBFUSCATION OF ANGLER

A strong point of Angler EK was the sophisticated obfuscation used since the start of its life, which helped in evading detection by the majority of security products for years. The obfuscation of its main script, implemented on multiple layers, acted as a shield against detection since the very beginning.

As far as Angler's landing pages are concerned, they utilized a large variety of obfuscation techniques to evade detection, as described in the previous section. The main script of the page is comprised of a series of strings assigned to variables and stored altogether in the parent HTML. When the visitor navigates to the landing page, the script is loaded by the browser, thereby initiating the decoding process of the true content of the landing page.

HOST PROBING

Angler leverages various techniques in order to fingerprint the victim host. We are going to present here the most indicative fingerprinting phases so as to have a good overview of its malicious activity.

Several code snippets that are cited below have been published by well-known security researchers who managed to transform the heavy obfuscation applied to them into human-readable code. It is commonly admitted by stakeholders in the security community that Angler's authors fairly deserve attention due to their programming skills and the smart techniques they discover to obfuscate their code in order to evade security products. It is always a big challenge for the community to fight back.

Putting the reader into context: after a series of redirections, the visitor of the compromised website will stumble upon an unintended request (or an intended one, in case of clicking on a malicious advertisement) that will perform the fingerprinting of his browser and local host in general. In any case, upon reaching Angler's gate, some sort of fingerprinting will take place.

The following code snippet displays a function embedded in the request received from the malicious server that served a variant of Angler EK, which probes the browser to determine whether it is the Internet Explorer browser.

Following that, it checks whether the browser under attack is Mozilla Firefox (using the Gecko engine), Chrome, Safari or Opera.

Figure 22 - Angler fingerprinting non-IE browsers

In the following unobfuscated Angler landing page code, we can observe the routine that performs the fingerprinting of the victim's underlying host by searching for kernel-mode device drivers of Kaspersky and Trend Micro deployed on the system.

Figure 23 - Angler fingerprinting AVs

The routine consists of an IF statement which performs eight checks within the main Windows filesystem (System32), and specifically the directory where the system's drivers are installed, to identify whether core drivers related to security products are present. If there is a match, it is determined that some sort of security controls have been deployed on the victim host, hence it quits infecting the host.

Once the checks for determining the underlying security detection systems come back false, it will proceed with crafting the script that will communicate with the Exploit Server.

Angler is also an exploit kit known for its ability to perform the so-called fileless infection. This is a technique that bypasses traditional anti-virus products, since no file is stored on the hard drive during the infection. Instead, the malware is directly injected into a memory space of a legitimate process of the operating system, most likely the process whose plugin has already been exploited, e.g. iexplore.exe, the Internet Explorer process. In this way it conceals its malicious activity within another process, having also the capability to run persistently whenever the specific process starts again after rebooting the system. But how exactly does this technique work in Angler EK?

As usual, the victim visits a compromised site or clicks on a falsified link within a spam email, to get redirected to the EK's landing page. The big difference is that the payload is directly injected into memory segments instead of being stored on disk, which would raise alerts on the anti-virus.

The described technique is far more effective and powerful than the traditional infection chains, not only because it manages to evade the majority of anti-virus products, but also because grabbing the dropper is considered a difficult task. The researcher needs to dump the corresponding memory segments and then decode them so as to understand what has happened. Furthermore, it also allows the malware to perform more detailed fingerprinting of the host without raising attention, except when it has to write something to the hard disk, if it is necessary to do that.

The final phase of Angler's infection chain varied through its years of action among the kinds of malware Angler EK is known for, namely banking and backdoor Trojans, ransomware and rootkits.

The last variant of Angler used a very dangerous and effective ransomware, CryptoWall, which reached version 4.0 in October 2015.

This threat is an advanced ransomware which, besides the typical characteristics, pretends to be an anti-virus tool that, during scanning, is actually encrypting the files. Moreover, it encrypts the file names it identifies on the victim's host, so as to prevent users from recognizing their files.

MALVERTISING

One of the factors of Angler's fast proliferation was its ability to get involved in malvertising campaigns, serving malicious advertisements that eventually led to its landing page.

The malicious advertisements, besides being embedded in benign websites and thus increasing the attack surface, have also another advantage. They are able to conduct a preliminary host probing so as to pass fine-grained data to the landing page.

RIG EK

In this section, we will attempt to analyze another prevalent EK that evolved through the last years. RIG EK has filled the void left by the demise of Angler EK and has become the dominant actor in the crimeware underground marketplace over all other EKs. It is the most prolific EK in terms of infection incidents during the last several months.

RIG is among the older EKs in the crime scene, first detected in late 2012, formerly known as Goon and Infinity. It had disappeared for a period because part of its source code had been disclosed in 2015, apparently as a result of a dispute between a main developer and a reseller. The new RIG 3.0 came up after a while to claim a piece of the cybercrime market. In this chapter, we are going to describe the most important components and features of all RIG variants, focusing more on the latest ones.

RIG activities rely heavily on malvertising and ransomware. It is being distributed mostly via large campaigns like Afraidgate and EITest and usually drops CryptoWall, TeslaCrypt, Cerber, CryptoMix (a.k.a. CryptFile2) and Tofsee ransomware.

RIG INFRASTRUCTURE

The following figure depicts a typical RIG infrastructure, attached here in order to have a notion of the operations that take place in the back-end, and of how all components are connected and communicate with each other. The additional benefit of this flow graph is that it describes the sequence of connections that are made from the victim's and the customer's perspective.

Figure 24 - RIG EK infrastructure

According to this flow graph, following Angler's infrastructure, there are also the Admin Server, the Exploit Server where the exploits are stored and delivered to other components, and a Proxy Server (there may exist more than one).

One direct observation is the good segregation of servers, in which the victim never communicates directly with the customer. They are both connected to different parts of the system; the victim only communicates with the Proxy Server, and the customers or resellers work only with the Admin Server. RIG administrators, of course, are able to connect to any component.

All entities have been described in the previous chapter except for the VDS Server. It stands for Virtual Dedicated Server, which is actually the server that contains the exploits that are going to be delivered to the victims and acts like a tunnel between the Admin Server and the Proxy Server.

RIG IN ACTION

RIG masterminds have designed an exploit kit that combines the traditional attack patterns which all EKs employ more or less, but they have put extra effort into the final phase of infection.

As usual, an IFRAME redirect may be injected within a vulnerable website, malicious advertisement, or spam email to serve as a redirector:

Figure 25 - Injected IFRAME redirecting to RIG gate

Actually, IFRAME redirection is one of the many ways that RIG leverages to meet its victim. Before continuing with campaigns, we should give an example of RIG leveraging domain shadowing on the legitimate retradio.org against the rogue ads.retradio.org.

Figure 26 - RIG EK domain shadowing

Even today, large campaigns are alive that redirect unsuspecting users to RIG. Another popular campaign is the "gonext" campaign, which took its name from the malicious URLs' parameter usually involved in these attacks (http://biomasspelletplant7.top/lobo.phtml?gonext=<>). It uses specific TLDs such as ".top", with heavily obfuscated HTML files usually ending with ".phtml", and after a series of redirections drops a 302 response status code in order to redirect to the RIG landing page. The following figure illustrates the obfuscated code of the "gonext" campaign and the final 302 redirector through the compromised domain "artisticplaces.net":

Figure 27 - RIG's gonext campaign

Another redirector has the name "IPredir" because it uses a hardcoded IP address, 131.72.136.46, through which the victim is redirected to an IFRAME targeting RIG's landing page.

Figure 28 - RIG's IPredir campaign

Upon loading the aforementioned IFRAMEs, the visitor gets redirected, with one or more redirections, to the gate through the proxy. In fact, the victim interacts only with the EK's proxy. Through the proxy, the victim is redirected to the RIG landing page. For each new victim request, there is a different landing URL and a slightly different payload. The figure below shows the core function of a landing page of RIG, of course implementing all those characteristics that most EKs take advantage of in order not to be detected.

Figure 29 - RIG's landing page HTML

As usual, the payload is hashed into several pieces of code assigned to variables that in turn will be concatenated to craft the full payload. If we look more carefully at the last lines of code, we can find within the obfuscated code the instructions createElement and String.fromCharCode in several pieces.

The figure below depicts a code excerpt from a landing page, which includes the shellcode that will exploit the identified vulnerability, the URL that will fetch the payload in case the exploit is successful, and the RC4 key to decrypt the payload.

Figure 30 - RIG’s shellcode and payload

RIG's favorite malware type is ransomware. The following figure depicts the lock screen of Spora ransomware delivered by one of the latest and currently active variants, RIG-V.

Figure 31 - RIG-V delivering Spora ransomware

CUSTOMER'S PERSPECTIVE

At this point, we will try to describe the operations of RIG EK from the customer's perspective. The same operations exist, perhaps with minor variations, also on other EKs.

First of all, we make the assumptions that the EK has already established a remote connection (backdoor) with the vulnerable website, and that the customer has rented the EK and already has access to the admin panel. Current EKs offer a friendly graphical interface to the customer to orchestrate his attacks. The following figure depicts the login page of a recent RIG EK version:

Figure 32 - RIG EK 4.0 login screen

Then, the customer should select the payload he wants to pass on to the victims which, upon being uploaded, would redirect victims to the EK's landing pages. At this point, a unique URL is created combining the user's ID as well as other unique values for authorization and session management reasons. Modern EKs also offer API services, through which one can generate the malicious URLs on demand and use them just like every other API service. For instance, the API URL can have the following shape:

http://[EK-server]/index.php?apitoken=[API-TOKEN]

The apitoken value is calculated by the following code excerpt:

Figure 33 - API token generation code excerpt

The FlowID is a unique value that represents a single attack flow. The apitoken value is constructed from the UserID and FlowID values, goes through serialization and encryption with a private key generated by the EK administrator using the RC4 algorithm, so that every attack is unique and able to evade URL blacklisting.

The link value produced by the above code is the proxy URL that forms the infection page, having the following shape:

http://[proxy-server]/proxy.php?PHPSSESEID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4|OTMxOGYwMjdkZTMxOGFmN2M5OWZkMDNjODE0MmMyODM

Since the constant parameter PHPSSESEID was easy to detect by security products with a simple rule containing that string and flagging the URL, RIG authors decided to generate it randomly in the newer version of RIG. All customers that share the same EK server use a proxy URL similar to it, distinguished from each other by their personal token that is part of the random-looking URI. The content of the URI up to the character "|", when decrypted, reveals a link to the VDS server. The value after the character "|" ensures the freshness and the demise of the URL after a specific time period.

In this manner, the customer communicates with the EK. The most famous EKs offer a large variety of payloads to select, easily employed and configurable via extra plugins that facilitate the administration. The latest variants are user-friendly, are widely available in the market and have low cost, rendering them attractive to adversaries.

EK comparison

In this section, we are going to compare the aforementioned EKs, Angler EK and RIG EK, according to our observations and analysis of their characteristics and ecosystems.

One difference between the most sophisticated EKs is that RIG has proven really successful in infecting the targeted hosts, because it used multiple stages and methods to deliver the final malware. It often writes the same malware file and executes it multiple times on the victim's host, thereby increasing the chances of compromising it. Another difference is that it combines relatively more and different web technologies to achieve better attack obfuscation.

Angler EK, during its life, managed to incorporate newly released zero-day exploits much faster than all other EKs. Especially when a new Adobe Flash vulnerability was published, the security community was expecting Angler to come up with a zero-day exploit in the next few days. This was also an important factor for its success. RIG is not that good at adopting new exploits. Besides this, it was the kit which employed the fileless infection more than RIG and other kits, so as to evade security solutions more easily.

In the list of common characteristics between the most prevalent EKs, we can include their unique capability to effectively infect victims, meaning that from the exploitation phase onwards, most chances are that the exploit and the malware execution will succeed, thus the victim will be infected eventually. We should also notice their favorite method to propagate themselves, which is malvertising campaigns. Another commonality is that they are both tailored to ransomware, meaning that both like dropping ransomware to the compromised host, which besides allows direct financial profit.

CHAPTER 3 - MALWARE TRAFFIC ANALYSIS EXAMPLE

In this chapter, we will dive more into the technical detail of the techniques the EKs leverage to compromise a host. We are going to focus on network-level communications and then make a short introduction to malware analysis, because, as we have already stated, the basic intention of the EK is to deliver some kind of malware to the victim. Additionally, we will demonstrate the basic tools we usually use for performing the analysis.

Typically, security researchers identify EKs on the network level by capturing and analyzing malicious network traffic via PCAP (Packet Capture) files. There are multiple network tools capable of capturing and intercepting network traffic and analyzing network protocols, like tcpdump, netsniff-ng, Network Monitor, Intercepter-NG, etc., but the most powerful and comprehensive network sniffer is Wireshark, developed for both Windows and *nix operating systems. A researcher can either analyze malicious traffic manually, in the way we are going to describe below, or parse a capture with several rule-based tools, such as Yara, Bro and Snort. These are open-source and commercial tools of the Network Intrusion Detection & Prevention Systems class (NIDS, IPS), actually parsing network traffic to identify malicious characteristics and intrusion signs within it and, especially the commercial versions, updated frequently so as not to miss any new signature. A comprehensive Linux-based distribution that comes with all network analysis tools pre-installed is the Security Onion distribution. It is easy to deploy the distribution in a virtual machine and perform all tests inside it, which also has the advantage of being an isolated environment, serving also the necessity of handling malware with caution. It contains all the necessary tools needed to perform effective and nearly-professional analysis. Security Onion features:

§ Full-packet capture via netsniff-ng, for live traffic sniffing

§ Tcpreplay, for replaying malicious traffic to a socket for testing purposes

§ Sguil, a graphical interface for network security monitoring

§ Squert, the web application interface to Sguil's database

§ ELSA (Enterprise Log Search & Archive), a centralized syslog framework built on Syslog-NG, MySQL and Sphinx full-text search.

§ Snort and Snorby, the de facto standard open-source IDS

§ Bro and Suricata, powerful IDS systems

§ A large amount of rule-sets and signatures such as Snort Emerging Threats [10], ET PRO, Talos rule-sets, the community rule-set and the ability to build custom ones.

[10] https://rules.emergingthreats.net/

We are going to analyze a sample PCAP file [11] so as to better understand the process of discovering EKs in network traffic.

At first, we open the sample with Wireshark to see the packets in its nice visualization environment. It is always convenient to choose the columns most relevant to our analysis to be displayed in the Wireshark panel. Besides the source and destination IP addresses, we also prefer displaying the Host header of HTTP requests, so as to easily spot the transitions between hosts, as well as the "Content-Type" header, which helps us identify the potentially dangerous types of content delivered from the malicious server to the victim's host. It is also important to apply the filter "http" or "http.request" in Wireshark, in order to separate the HTTP requests that contain the interesting data. That said, we can start reviewing the sample.

Upon reviewing packet captures, security researchers will most probably have to deal with a lot of noise in terms of junk packets that obscure the packet analysis. Experience comes with time and with the number of exercises one solves.

By reading the packets carefully, we usually try to identify an awkward hostname which may deliver an EK. The randomness in the hostname, as already mentioned in the previous chapter, is one good reason to assume the presence of an EK and start the analysis from that hostname. In the following figure, we spotted the malicious domain not by the hostname, which looks normal, but because of the randomness of the URI following the GET HTTP method and a classic URI pattern. Before that, we applied a filter with the corresponding IP address in Wireshark to reduce the noise.

Figure 34 - Sample PCAP analysis: Spot malicious hostnames

Specifically, the pattern /<filepath>/search.php?keywords=<number> is pretty common, is contained in IDS rule-sets, and the experienced researcher can say with good probability which EK may be involved in this infection even though we are just at the beginning of the review. By viewing these signs, it is fairly safe to assume that this is a variant of Angler EK. The pattern /term.xbel?out=<random_string> constitutes an additional sign.

[11] http://www.malware-traffic-analysis.net/2015/07/24/index.html

We can clearly see that the victim has the IP address 192.168.137.85 and submits a GET request towards the malicious server kiralyi.arcadiumentertainment.com, which has the IP address 185.43.223.164.

Another way that helps us pinpoint the beginning of the infection is to observe the "Content-Type" header. As we have already described in previous chapters, usually there is a binary blob received by the victim, so as a first step we may try to identify the Content-Type "application/octet-stream" or something similar. Once we spot the binary, we can examine the previous conversations to identify the landing page and the redirection, if it is not detectable at first sight.

Figure 35 - Sample PCAP analysis: Spot malicious Content-Type

Somewhere near the binary there will probably exist an "application/x-shockwave-flash" SWF file that facilitates the malware download. We will then go backwards to find the root cause, namely the redirection. Right before the EK domain, the victim was served a "text/html" web page by the IP address 185.43.223.164 with domain www.twentyone-development.com. It is worth examining this HTML file. By following the HTTP stream, we can see, to our surprise, the malicious IFRAME redirection injected at the first line of the HTML document.

Figure 36 - Sample PCAP analysis: Spot redirection

We can be sure now that www.twentyone-development.com is the compromised website that redirects visitors to the EK landing page kiralyi.arcadiumentertainment.com. The following figure depicts the request of the EK landing page due to the redirection and the beginning of the rendered landing page.

Figure 37 - Sample PCAP analysis: Rendering the landing page

A preliminary fingerprinting of the browser and host has already been done upon submitting the above-mentioned request, via the User-Agent holding the value "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko", which represents the host and the underlying web technologies installed on the targeted host. This means that the browser that is trying to establish a connection with the landing page is Internet Explorer 11, installed on a Microsoft Windows 7 32-bit desktop (Windows NT 6.1 value).

Moreover, the landing page is hosted by an NGinX web server, which is the preferred web server of EKs. By extracting the full HTML landing page from the network traffic sample, we observe that it is comprised of large blocks of obfuscated code which, once rendered in the victim’s browser, perform the fingerprinting of the browser, seeking for vulnerabilities. Among the obfuscated code, which is visually limited to a couple of pixels so as not to be seen, the landing page also contains parts of Jane Austen’s novel “Sense and Sensibility”. As we can see, the important parts of the landing page are heavily encoded. If the researcher manages to decode these parts, he will be able to see the checks performed.


Moving on to the next request towards the EK server, we will notice what vulnerability was found and exploited. By looking at the request and server response once again, we can observe that the SWF file is requested for the detected version 18.0.0.203 of the Flash Player plugin.

Figure 38 - Sample PCAP analysis: Vulnerable Flash plugin version

The CWS represents the file signature (magic) of the SWF file.

The aforementioned version suffers from the “Adobe Flash opaqueBackground Use After Free” vulnerability, registered as CVE-2015-5122 [12] (CVSS Base Score 10.0, Critical severity), and has a publicly known exploit [13] from July 2015, close to the date the EK used it. Perhaps the attackers had already designed the exploit and used it in several infections, like in this case, before the security community discovered it; this is a common phenomenon that contributes to the EKs’ success. Specifically, the crafted SWF file leverages the improper handling of the opaqueBackground property of the DisplayObject class in Adobe’s ActionScript implementation to achieve execution of arbitrary code or cause memory corruption. The downloaded SWF files are heavily obfuscated using the commercial Flash obfuscator DoSWF, as revealed by the DoABC2() tag.

[12] https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-5122
[13] https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb

Figure 39 - Sample PCAP analysis: SWF obfuscated with DoSWF tool

Analyzing this SWF file can be quite easy if it is sent in clear text, but most probably it will be difficult to overcome the obfuscation. Finally, we review the real malware the EK drops onto the host, from which our analysis started. In our sample, this is the request for downloading the malware:


Figure 40 - Sample PCAP analysis: Dropped malware

At this time, the malware has already been dropped on the victim’s computer, it has been executed, and the host is fully compromised. It is possible to extract the binary object from the traffic and submit it to public malware repositories for analysis, or try to reverse engineer it. The malware may come in more than one phase and most probably will use the system’s resources to communicate with the EK’s Admin Server, other malicious servers or even several legitimate sites that will help it understand the network it has infected. For instance, in our case the EK performs a series of post-infection communications:

§ ip-addr.es - 188.165.164.184
§ biganddigital.com - 198.211.120.49
§ bibubracelets.ro - 85.204.50.99
§ ehsansurgical.com - 50.87.150.75
§ 100pour100unity.com - 91.216.107.226
§ hotfrance.ru - 95.85.4.87
§ hajuebo.de - 212.90.148.43
§ beybladeoyunlari.org - 213.238.166.230
§ 6i3cb6owitcouepv.ministryordas.com - 46.30.43.66

The first of these communications is towards the legitimate website ip-addr.es, which helps it identify the external IP address of the host. But how can we determine, or be sure about, the kind of EK and the type of malware? We can check the PCAP file against Snort rules or other rule-sets to find this information. We will use the Security Onion distribution to find it out. We replayed the PCAP traffic with the tcpreplay tool on the IDS engine, loaded with the Emerging Threats common and pro rule-sets, and got the results in the Sguil interface.

Figure 41 - Sample PCAP analysis: IDS analytic events

The IDS confirms what we saw in the first place by manual examination: the actor in this sample is the Angler EK. The IDS detected the URI that leads to Angler’s landing page, the landing page itself, as well as the Flash exploit against the victim’s web browser. In turn, it dropped the CryptoWall 3.0 ransomware within a binary blob encrypted with the Tiny Encryption Algorithm (XTEA).

It is worth noting, for the reader’s practice, some public PCAP repositories containing capture files of malicious and non-malicious traffic:

http://www.malware-traffic-analysis.net/
http://www.netresec.com/?page=PcapFiles
https://wiki.wireshark.org/SampleCaptures
http://www.tcpdump.org/


CHAPTER 4 - ATTACK PATH SCRIPT

The last part of this thesis is to design a simple command-line script that parses capture files containing malicious network traffic and indicates the potential attack path. The script is written in the Python language, which is a really powerful scripting language with a sheer amount of useful libraries for all needs.

The script takes advantage of the Scapy library, which is considered a top library for packet analysis and a powerful, interactive packet manipulation program in general. It is capable of parsing a large number of protocols, decoding packets, capturing them, crafting one layer on top of another, transmitting them, matching requests and responses, and many other features.

The logic behind the script (ekchain.py) was to design a simple script that would be able to analyze the given PCAP capture and respond with a potential attack path according to the IOCs (Indicators of Compromise) it identifies in packet headers. As we already described in the previous chapter, we based the identification of IOCs on a logical sequence of events. Thus, the analysis can start by identifying the binary executable which is eventually delivered to the victim. This is what the script searches for as a first step, and this constitutes our first IOC. Then, it searches the packet capture file backwards to identify the exploitation phase and hence the Flash file. In this manner, it continues in reverse order to identify the potential landing page and subsequently the redirector, if one exists. So, the script will search for the binary file at first, then the Flash file, the landing page and in turn the redirector, which is probably an IFRAME.

As for the script itself, it has the following features:

§ Takes as input a PCAP file
§ Parses each packet of the PCAP file
§ Separates the requests and responses
§ Collects the request headers that are interesting to our analysis
§ Collects the response headers that are interesting to our analysis
§ Identifies the redirections in response headers and response body
§ Decodes the response body that is encoded
§ Decompresses the response body in case its “Content-Type” is “gzip” or “deflate”
§ Analyses the packets to identify potential IOCs according to the above-mentioned rationale
§ Prints packet info
§ Prints the potential infection chain
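The backward search just described (binary first, then the Flash file, then the landing page, then the redirector), together with the Content-Type and magic-byte checks used in the manual analysis of the previous chapter, can be demonstrated on already reassembled HTTP transactions. The following is an added example written for this edit, not the thesis’s ekchain.py: it assumes the PCAP has already been reassembled into request/response pairs (the part ekchain.py does with Scapy) and uses constructed sample hostnames (news.example, compromised.example, ek-landing.example, ipcheck.example) instead of the thesis sample.

```python
import gzip
import re
import zlib
from dataclasses import dataclass
@dataclass
class HttpTx:  # one reassembled request/response pair: the headers we inspect
    host: str
    uri: str
    content_type: str
    body: bytes = b""
    content_encoding: str = ""

# Hostname in an IFRAME src, e.g. <iframe src="http://ek-landing.example/...">
IFRAME_HOST = re.compile(rb'<iframe[^>]*\bsrc=["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)

def decode_body(tx):
    # Undo gzip/deflate Content-Encoding so magic bytes and injected IFRAMEs are visible.
    enc = tx.content_encoding.lower()
    if enc == "gzip":
        return gzip.decompress(tx.body)
    return zlib.decompress(tx.body) if enc == "deflate" else tx.body

def classify(tx):
    # Body magic first, Content-Type second: a server may declare any type,
    # but the MZ (PE) and CWS/FWS/ZWS (SWF) signatures cannot be hidden.
    body, ct = decode_body(tx), tx.content_type.lower()
    if body.startswith(b"MZ") or "application/octet-stream" in ct:
        return "binary"
    if body[:3] in (b"CWS", b"FWS", b"ZWS") or "x-shockwave-flash" in ct:
        return "swf"
    return "html" if "text/html" in ct else "other"

def previous(txs, kinds, start, kind, host=None):
    # Nearest transaction before `start` of the wanted kind (and host, if given).
    for i in range(start - 1, -1, -1):
        if kinds[i] == kind and host in (None, txs[i].host):
            return i
    return None

def infection_chain(txs):
    # Walk backwards from the last dropped binary: binary -> SWF -> landing page
    # (HTML from the SWF host) -> redirector (earlier HTML on another host with an IFRAME to it).
    kinds = [classify(t) for t in txs]
    chain = {}
    b = previous(txs, kinds, len(txs), "binary")
    if b is None:
        return chain  # no binary: nothing to anchor the search on
    chain["binary"] = txs[b]
    swf = previous(txs, kinds, b, "swf")
    if swf is None:
        return chain
    chain["swf"] = txs[swf]
    ek_host = txs[swf].host
    land = previous(txs, kinds, swf, "html", ek_host)
    if land is None:
        return chain
    chain["landing"] = txs[land]
    for i in range(land - 1, -1, -1):
        if kinds[i] != "html" or txs[i].host == ek_host:
            continue
        m = IFRAME_HOST.search(decode_body(txs[i]))
        if m and m.group(1).decode(errors="ignore") == ek_host:
            chain["redirector"] = txs[i]
            break
    return chain

# Constructed sample traffic (not the thesis PCAP): a benign page, a compromised
# site with an injected 1x1 IFRAME served gzip-compressed, the EK landing page,
# the Flash exploit, the dropped PE, and a post-infection IP check-in to ignore.
SAMPLE = [
    HttpTx("news.example", "/", "text/html", b"<html><body>news</body></html>"),
    HttpTx("compromised.example", "/", "text/html", gzip.compress(
        b'<html><iframe src="http://ek-landing.example/landing.php" width="1"'
        b' height="1"></iframe><body>blog</body></html>'), "gzip"),
    HttpTx("ek-landing.example", "/landing.php", "text/html", b"<html>obfuscated</html>"),
    HttpTx("ek-landing.example", "/exploit.swf", "application/x-shockwave-flash", b"CWS\x0f\x00"),
    HttpTx("ek-landing.example", "/payload.bin", "application/octet-stream", b"MZ\x90\x00\x03"),
    HttpTx("ipcheck.example", "/", "text/plain", b"203.0.113.5"),
]
```

Calling infection_chain(SAMPLE) returns the four steps keyed as redirector, landing, swf and binary; the trailing check-in and the leading benign page are skipped because neither carries a binary, an SWF or an IFRAME pointing at the EK host.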

The script is very simple in usage:


Figure 42 - Ekchain script usage

Upon executing ekchain.py, supplied with a sample PCAP file sample1.pcap, we get the following output:

(Snipped output)

Figure 43 - Ekchain script output

We can observe that the script identified a potential infection attack path in the PCAP file, indicating a possible redirector, landing page, SWF file, and binary file.

The script performs a simple and preliminary analysis and is demonstrated here as a starting point for EK traffic analysis. For sure, it needs a lot of development to include all aspects and criteria of common IOCs.

CHAPTER 5 - RECOMMENDATIONS, FUTURE WORK & CONCLUSIONS

In this chapter, we will try to give some recommendations to the reader on how to prevent EK attacks. Our advice is based on common best practices and our professional experience. Furthermore, we are going to propose future work pertaining to EKs and share some thoughts on subjects related to them that can be studied in the future. Finally, we will present the results and final thoughts of our analysis.

Recommendations

The task of safeguarding an enterprise or a home network from EKs is not considered an easy one, due to the versatility and resilience the EKs have managed to demonstrate through the years of their activity. Most of our recommendations are simple to adopt by the average Internet user and sometimes are costless, while others involve implementing commercial products on which the user can rely. The following recommendations will reduce the risk of getting infected by EKs and their malware, such as ransomware or bots.

As a rule of thumb, users are recommended to update their browsers, browser plugins and related web services on a regular basis, since the browser is considered to be the weakest link towards infection by an EK. This means that the user who is prompted by his browser to install the next security update and just skips it does not mitigate at all the risk of being infected by, for instance, a new version of RIG EK serving a ransomware able to encrypt all his valuable computer documents. Additionally, you can allow and deny certain executions of the browser by selecting the right options in the browser’s configuration. For instance, you can block the execution of scripts in the browser by installing the corresponding plugins, or prevent the majority of advertisements by installing trusted ad-blockers. You can also deny the execution of IFRAMEs, or install a plugin that prompts the user with a message every time an IFRAME is about to be executed and gives him the opportunity to decide on its execution. Of course, all these plugins may not be innocent, so you should check for the trusted ones, keep them always updated and follow the community directions and news regarding their security issues.

Apart from the everyday maintenance of our computer, it is also recommended to deploy the best security products for preventing malware. Without downgrading the value of open-source products, we should advise the reader to deploy popular commercial anti-virus and anti-malware products on his computer, which include robust detection and prevention capabilities, have invested a lot of money and other resources in developing their features to an optimal level, and update their rule-sets and signatures frequently so as not to miss any threat. There are decent solutions that, even against zero-day exploits and even against the most sophisticated and polymorphic malware, manage to do the job and prevent the user from compromise.

The ISP (Internet Service Provider) plays a crucial role in terms of security. It is important for our network to reside within a well-established and security-conscious ISP network that implements strong security procedures and policies regarding anti-spam and anti-phishing filtering, as well as having deployed effective security products for the same reason. Ensure that your preferred ISP fulfills as many security prerequisites as possible and follows security best practices.

Finally, the advice that is constantly offered, because it is the most important and useful above anything else, is the systematic training of stakeholders, within either a limited domestic or a large enterprise network, on the dangers inherent in Internet browsing. The security awareness of the people that use the Internet on a daily basis most of the time plays the crucial role in preventing exposure to EKs, since a high percentage of EK activity is propagated via malvertising and spam campaigns. People should be ready to distinguish the benign from the fake advertisement or spam email, so as not to click on the malicious link that will transfer them to EK pages and harm their computer. Especially within a corporate network, employees should be aware of how to handle a phishing email or a rogue web page and report the security incident as soon as possible to the Incident Response Team. A delay in identifying such attacks may have devastating results on home network computers and personal files, as well as cause significant damage to corporate image, reputation loss, or regulatory issues.

To summarize the controls against computer infection, we recommend always using trusted anti-virus and anti-spyware software and keeping your operating system and installed software, especially the web browser and its plugins, up to date. Note that these are the minimum prerequisites in order to protect your computer from known threats to some extent, since no device plugged even once into the Internet is totally secure.

Future Work

As far as exploit kit research is concerned, we encourage the reader to try to keep up with the latest developments in this field, since it is a fast-moving area.

Nowadays, the growth of smartphone devices has become a new field in cyber security research. The increased usage of mobile devices also comes with a lot of security threats for the users. As these devices connect to the Internet, they inherit the security issues of the Internet. In the following chart, we can see the growing usage of the Internet via smartphone devices compared with the usage on desktop computers at a global level. The research was conducted between October 2009 and October 2016 by StatCounter Global Stats.

Figure 44 - Global statistics of Internet usage


We can see that 51.3% of users globally prefer to use their mobile and tablet device to navigate the Internet, in comparison with the 48.7% of users that prefer their desktop. It is a reasonable result if we consider the large number of smartphone devices purchased globally, how many hours of our days we spend using our device and how many everyday tasks we can do with it; the capabilities of smartphone devices and desktops are nowadays almost equal. Among smartphone capabilities, we can count web banking and everyday transactions, online purchases, chatting, and many others that involve the Internet, and thereby a potential attack can cost us in terms of financial loss, privacy concerns or other security issues.

We strongly encourage the reader, as a future researcher, to study the attack characteristics and patterns of EKs against smartphone devices and perform research in this growing field.

Following our script, we suggest to the researchers who are interested in PCAP analysis to contribute to this one or to many other existing scripts and programs, in making the packet analysis live. It would be a great idea if we were able to perform on-the-fly analysis, by delaying the normal packet transmission as much as it takes in order to perform packet inspection, aiming to spot malicious activity by exploit kits and, in turn, resume the traffic flow.

Conclusions

In this thesis, we attempted to cover the exploit kit phenomenon, which is considered the most notorious cyber threat of recent years. This study is based on our methodical research on the Internet, on scientific papers and books, on annual security publications and reports published by the most popular security vendors and research laboratories, on practical analysis of a large number of network capture files containing exploit kit traffic, and on other resources.

We tried to present the core components of the exploit kits’ ecosystem and the most important aspects of their malicious activities, and attempted to pinpoint their position in the growing cyber threat landscape. We covered their attack-centric and self-defense characteristics in general, and specifically for the two most prevalent exploit kits, the Angler EK and the RIG EK.

Moreover, we analyzed a sample PCAP containing malicious traffic produced by exploit kit activities, in order to describe the overall procedure and steps of PCAP analysis.


Finally, we constructed a basic script which can identify the potential attack path of an exploit kit by analyzing the network traffic captured during its activities. The script performs several checks according to criteria stemming from exploit kit research and manual analysis of many malicious traffic samples.

Our intention was to learn more about the top cyber threat that is evolving in our days and gain the necessary knowledge so as to be more proactive against exploit-kit-driven security incidents.


ABBREVIATIONS / ACRONYMS

AV - Anti-Virus
C2 or C&C - Command & Control (server)
CHM - Microsoft Compiled HTML
DDoS - Distributed Denial of Service (attack)
EK(s) - Exploit Kit(s)
ELSA - Enterprise Log Search & Archive
ETPRO - Emerging Threats PRO (rule-sets)
HTA - HTML Application
IOC - Indicator of Compromise
IPS - Intrusion Prevention Systems
NIDS - Network Intrusion Detection Systems
PCAP - Packet Capture (files)
PHP - Hypertext Preprocessor (language)
RAR - Archive, native format of the WinRAR archiver
RC4 - Rivest Cipher 4 (algorithm)
SWF - Shockwave Flash (file)
TDS - Traffic Detection Systems
TLD - Top-Level Domain
VDS - Virtual Dedicated Server
XTEA - Tiny Encryption Algorithm


TABLE OF FIGURES

Figure 1 - Greek Police Virus screen message ................................................................................... 8

Figure 2 - Infection chain ................................................................................................................. 10

Figure 3 - EK indicative infrastructure ............................................................................................. 12

Figure 4 - Revenue and resource of Angler EK (2015) ...................................................................... 17

Figure 5 - Fingerprinting via loadXML function ............................................................................... 23

Figure 6 - DGA code sample ............................................................................................................ 27

Figure 7 - IonCube encoded PHP code ............................................................................................ 29

Figure 8 - String replacement method ............................................................................................ 30

Figure 9 - Web browser brands ....................................................................................................... 35

Figure 10 - Web browser statistics .................................................................................................. 36

Figure 11 - Spora ransomware block screen ................................................................................... 42

Figure 12 - File extensions encrypted by TeslaCrypt ....................................................................... 43

Figure 13 – Andromeda Bot administration panel .......................................................................... 45

Figure 14 - Angler EK weekly growth .............................................................................................. 47

Figure 15 - Distribution of prevalent EK's activity ........................................................................... 47

Figure 16 - Angler EK's pop-up message ......................................................................................... 50

Figure 17 - Angler EK leverages 302 cushioning .............................................................................. 51

Figure 18 - JavaScript redirect embedded in legitimate website .................................................... 52

Figure 19 - Injected script of EITest redirection............................................................................... 52

Figure 20 - EITest request that downloads Flash file ....................................................................... 53

Figure 21 - Flash request redirects to Angler EK’s landing page ..................................................... 53

Figure 22 - Angler fingerprinting non-IE browsers ........................................................................... 55

Figure 23 - Angler fingerprinting AVs ............................................................................................... 55

Figure 24 - RIG EK infrastructure ..................................................................................................... 58

Figure 25 - Injected IFRAME redirecting to RIG gate ....................................................................... 59

Figure 26 - RIG EK domain shadowing ............................................................................................ 59

Figure 27 - RIG's gonext campaign .................................................................................................. 60

Figure 28 - RIG's IPredir campaign .................................................................................................. 61

Figure 29 - RIG's landing page HTML............................................................................................... 62

Figure 30 - RIG’s shellcode and payload .......................................................................................... 63

Figure 31 - RIG-V delivering Spora ransomware ............................................................................. 63

Figure 32 - RIG EK 4.0 login screen .................................................................................................. 64

Figure 33 - API token generation code excerpt ............................................................................... 64

Figure 34 - Sample PCAP analysis: Spot malicious hostnames........................................................ 68

Figure 35 - Sample PCAP analysis: Spot malicious Content-Type.................................................... 69

Figure 36 - Sample PCAP analysis: Spot redirection ........................................................................ 70

Figure 37 - Sample PCAP analysis: Rendering the landing page ..................................................... 71

Figure 38 - Sample PCAP analysis: Vulnerable Flash plugin version ................................................ 72


Figure 39 - Sample PCAP analysis: SWF obfuscated with DoSWF tool ............................................ 73

Figure 40 - Sample PCAP analysis: Dropped malware ..................................................................... 74

Figure 41 - Sample PCAP analysis: IDS analytic events ................................................................... 75

Figure 42 - Ekchain script usage ...................................................................................................... 78

Figure 43 - Ekchain script output .................................................................................................... 80

Figure 44 - Global statistics of Internet usage ................................................................................. 82




APPENDIX
