Since the major news of the last few weeks was the from-scratch update of BlackHole to version 2, I was waiting for a response from its rivals.
And after a week – the former RedKit Exploit Kit changed its mojo
But at that time I still had no full picture. Now the post is updated, as you may see.
And here – a detailed analysis of the recent anti-forensics features (for now) :)
Disclaimer: All links provided lead to lists of malicious or potentially malicious resources. Do not click any link there, and do not run any file, without proper knowledge, a prepared environment and trained skills.
So, everything begins, as usual, from a hacked website 🙂
Whois Data: Liquid Web, Inc. LIQUIDWEB-10
Ok, going there 🙂
Ok, again – the standard RedKit procedure: forward to a unique xxxxxxxx.html file placed on a legit hacked website. A per-IP weaponized page with the standard file names in it:
And response preview:
Full response on Pastebin
Till now – all ok. Quite regular. And then – we try to download any of the linked exploits?
HTTP/1.1 404 Not Found
I spent a lot of time and proxies, and always – 404.. Looks like a dead end… And all the online tools I use (a big list, believe me) return 404 as well.
But the test VM somehow got infected.. And I see a 200 response to the requests for both 33256.jar and 98765.pdf in the logs (in different configs and OSes).
And here is the first anti-forensics improvement of the former RedKit EK: the request to download the files must have specific fields in it. After changing a small tool to send a custom header like this:
I was finally able to download both present exploits.
According to my findings, both the Referer: and Content-Type: fields are required.
Referer should point to the MDS URL
Content-Type should be application/x-java-archive
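The gating described above is also a detection opportunity: a body-less GET for a .jar or .pdf should never carry a Content-Type request header, and when it does so together with a Referer pointing at an .html landing page, that is exactly what the infected VM's traffic looked like. The following is an added example (not code from the original post) that flags such requests in parsed proxy records; the hostnames, paths and record layout are constructed for the example.

```python
# Added example: flag proxy records that match the header-gated exploit download seen in
# the post. The server only answered 200 when the client sent a Referer to the landing
# page and a Content-Type of application/x-java-archive, so a GET carrying both is the
# signal. Hosts, paths and the record shape below are constructed, not from the post.
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"method": "GET", "host": "landing.example.invalid", "path": "/abcd1234.html",
     "referer": "", "content_type": ""},
    {"method": "GET", "host": "landing.example.invalid", "path": "/33256.jar",
     "referer": "http://landing.example.invalid/abcd1234.html",
     "content_type": "application/x-java-archive"},
    {"method": "GET", "host": "landing.example.invalid", "path": "/98765.pdf",
     "referer": "http://landing.example.invalid/abcd1234.html",
     "content_type": "application/x-java-archive"},
    # Legitimate jar fetch: no Content-Type on the GET, no landing-page Referer.
    {"method": "GET", "host": "cdn.example.invalid", "path": "/lib/app.jar",
     "referer": "", "content_type": ""},
    # Content-Type is normal on a POST that actually carries a body.
    {"method": "POST", "host": "api.example.invalid", "path": "/upload",
     "referer": "http://api.example.invalid/form.html",
     "content_type": "application/x-java-archive"},
]

EXPLOIT_EXTENSIONS = (".jar", ".pdf")


def classify_request(req: Dict[str, str]) -> Optional[str]:
    """Return the reason a request matches the gated-download pattern, or None."""
    method = req.get("method", "").upper()
    path = req.get("path", "").lower()
    ctype = req.get("content_type", "").lower()
    referer = req.get("referer", "").lower()
    if method != "GET" or not path.endswith(EXPLOIT_EXTENSIONS):
        return None
    reasons = []
    if ctype:
        # A Content-Type header describes a request body; a GET has none.
        reasons.append(f"Content-Type '{ctype}' on a body-less GET")
    if re.search(r"\.html?$", referer):
        reasons.append("Referer points at an .html landing page")
    # Both conditions together reproduce the kit's gate; either alone is only a hint.
    return "; ".join(reasons) if len(reasons) == 2 else None


def find_gated_downloads(requests: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """List (path, reason) for every request that matches the pattern."""
    hits = []
    for req in requests:
        reason = classify_request(req)
        if reason:
            hits.append((req["path"], reason))
    return hits


if __name__ == "__main__":
    for path, reason in find_gated_downloads(SAMPLE_REQUESTS):
        print(f"{path}: {reason}")
```

The same logic ports directly to a proxy or web-server log query: group on method, extension, presence of a request Content-Type and the Referer's extension.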
So – finally got the payloads:
File Size: 16.2 Kb
VirusTotal [0/43] https://www.virustotal.com/file/a029212e3a45911adae135288c07f2e3fee4df250977a4f5617566e2590c41fd/analysis/
File Size: 6.2 Kb
VirusTotal [3/43] https://www.virustotal.com/file/342829041d34abc48af0825981970e093e1e4919c6756111fc4e8ff032a010d7/analysis/
Ok 🙂 so, we got a malicious Jar payload that, when executed:
Ok, and here we have the second anti-forensics improvement, which was announced in BHEK2 too – no direct link to the file download. But here we can see how it is implemented:
If you come to the right webpage, with a correctly formed header, from the right IP – you get your payload. Otherwise – a 404 response.
Now, with this exe, I spent almost 2 hours trying to analyse it.
Here is the original data:
Size: 17.5 Kb
VirusTotal [7/42] https://www.virustotal.com/file/c20c6db061ce4d33d22d866724cf631007c4c330cda8cee344cf23d284dbc138/analysis/
It is packed with UPX
Size: 72 Kb
VirusTotal [8/42] https://www.virustotal.com/file/9610e35c02756a0e14ac8ecf9c24f854320c8ed66cbc468cff6c2fcbc00c68a2/analysis/
but it is also crypted!
Here are the results of PE-frame in case you want to help. It also has anti-debugging features that are beyond my knowledge of debugging (yet 🙂 )
And here is the result of the analysis of this exe by anubis.iseclab.org – as you may see, it injects some code into Explorer.exe during execution.
So here is the behaviour analysis:
1. The file is downloaded and placed in the user's temporary folder.
2. It is executed and performs some basic checks (see the Anubis report). For sure I can say that in VirtualBox VMs that are not prepared for malware analysis, it does not proceed.
3. Then – it connects to a remote host:
And here is the response:
and again – the same request:
Ok, 2 new files! 🙂
File Num1: windows-update-sp4-kb62451-setup.exe
Size: 293.5 Kb
VirusTotal [0/43] https://www.virustotal.com/file/d8565bbbe3800516e5cc87d075b7d132e172def88b84a813ebde66564c395975/analysis/
File Num2: windows-update-sp2-kb59844-setup.exe
Size: 368.5 Kb
VirusTotal [0/43] https://www.virustotal.com/file/ad0de0bd6328b7199850359c312e9be6e01bc510eaaff01ec6780424f2356317/analysis/
Both files seem to be exe files, but somehow encrypted/crypted:
If you look carefully, you'll see that the “This program cannot be run in DOS mode” message is partially present, but no valid PE header can be read. Looks like the initial setup.exe has some decrypt mechanism that modifies the initial code. Both files are encrypted the same way (as far as I can tell from a brief look at the hex).
4. The files are decrypted and placed in the user's Temp directory
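A quick triage script makes the "stub text present, headers broken" observation repeatable, and the same entropy measure flags the UPX-plus-cryptor layering of setup.exe. The following is an added example (not code from the original post or from any of the tools it mentions): it checks the MZ magic, e_lfanew and the PE signature, reports a blob that still contains a fragment of the DOS-stub message but no valid headers, and computes byte entropy. The sample buffers are constructed inside the script.

```python
# Added example: distinguish a well-formed PE file from a "crypted" blob that keeps a
# fragment of the DOS-stub message but whose MZ magic and PE signature are gone, which
# is what the two "windows-update" downloads looked like before setup.exe decrypted them.
# The PE buffers below are constructed for the example, not the samples from the post.
import math
import struct
from collections import Counter

DOS_STUB_MSG = b"This program cannot be run in DOS mode"
# Fragments that survive when the message is only partially readable.
STUB_FRAGMENTS = (DOS_STUB_MSG, b"cannot be run", b"DOS mode")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 over a whole file suggests packed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_pe(data: bytes) -> str:
    """Classify as 'valid_pe', 'stub_only' (stub text, broken headers) or 'not_pe'."""
    has_stub = any(frag in data for frag in STUB_FRAGMENTS)
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "stub_only" if has_stub else "not_pe"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "stub_only" if has_stub else "not_pe"
    return "valid_pe"


def make_minimal_pe() -> bytes:
    """Constructed header-only buffer: MZ header, DOS stub, PE signature at 0x80."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x80)  # e_lfanew -> offset 0x80
    stub_code = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    stub = (stub_code + DOS_STUB_MSG + b".\r\r\n$").ljust(0x40, b"\0")
    pe_header = b"PE\0\0" + b"\x4c\x01" + b"\0" * 18  # IMAGE_FILE_MACHINE_I386, rest zeroed
    return bytes(dos_header + stub + pe_header)


def make_crypted_sample() -> bytes:
    """Constructed 'crypted' blob: part of the stub text survives, both signatures are gone."""
    blob = bytearray(make_minimal_pe())
    blob[:2] = b"\x9a\x7f"                   # MZ magic destroyed
    msg_at = 0x40 + 14                        # stub message starts after 14 bytes of stub code
    blob[msg_at:msg_at + 8] = b"\xde\xad\xbe\xef\x01\x02\x03\x04"  # "This pro" overwritten
    blob[0x80:0x84] = b"\x11\x22\x33\x44"     # PE signature destroyed
    return bytes(blob)


def triage(data: bytes) -> dict:
    """One-shot summary a sandbox note could record for a dropped file."""
    return {"pe": check_pe(data), "entropy": round(shannon_entropy(data), 2)}


if __name__ == "__main__":
    print("valid   :", triage(make_minimal_pe()))
    print("crypted :", triage(make_crypted_sample()))
```

On real dropped files, run triage() over the whole file and again per section once the headers parse; a packed or crypted sample typically shows a small low-entropy stub and one large section near 8 bits per byte.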
File windows-update-sp4-kb62451-setup.exe > as ~!#2.tmp
Size: 293.5 Kb
VirusTotal [28/42] https://www.virustotal.com/file/161234e771d2f854cb96be505a72b3f58547e439ddfc854a1cf7793baa14080b/analysis/
File windows-update-sp2-kb59844-setup.exe > as ~!#3.tmp
Size: 368.5 Kb
VirusTotal [26/42] https://www.virustotal.com/file/9380eb8fe78023d14fb48d5a44889cd9479e5bb8de9c76f16aa0f21a3b3bc0bf/analysis/
5. The initial process setup.exe includes itself as part of itself, runs CMD.exe in the background and
Ok, looks like the bot reports that the files were received and decrypted. 🙂
C&C Server : thierry-lalet.fr (184.108.40.206)
6. Then the bot sends HTTP requests to the same host/page and receives responses with a very interesting Content-Length field
As you may see – Content-Length: 666. I monitored this server for a few days, and the packet stayed at size 666. The data varied, but the packet size – not.
7. After that – the bot begins to install software to continue its work:
– The bot checks all installed messaging systems, in this case Outlook, and tries to reach the Address Book
– replicates the file to user/AppData/Sowo/leela.exe
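A fixed 666-byte reply to a regularly repeated request is a strong beacon signature regardless of what the body contains. The following is an added example (not code from the original post) that groups proxy log lines by endpoint and reports those whose responses all share one Content-Length and arrive at a near-constant interval; the log lines, host names and the log format are constructed for the example.

```python
# Added example: find fixed-size, regular-cadence beacons in proxy logs. The bot in the
# post polled one host/page and every reply had Content-Length: 666 while the body
# changed, so identical response size plus a steady interval is the signal.
# The log format (timestamp client method url status response_length) and all hosts
# are constructed placeholders, not data from the post.
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) https?://(?P<host>[^/\s]+)(?P<path>\S*) "
    r"(?P<status>\d{3}) (?P<length>\d+)$"
)

SAMPLE_LOG = """\
2012-09-25T10:00:00 10.0.0.5 POST http://c2.example.invalid/gate.php 200 666
2012-09-25T10:05:01 10.0.0.5 POST http://c2.example.invalid/gate.php 200 666
2012-09-25T10:10:00 10.0.0.5 POST http://c2.example.invalid/gate.php 200 666
2012-09-25T10:15:02 10.0.0.5 POST http://c2.example.invalid/gate.php 200 666
2012-09-25T10:20:00 10.0.0.5 POST http://c2.example.invalid/gate.php 200 666
2012-09-25T10:01:00 10.0.0.5 GET http://news.example.invalid/index.html 200 48213
2012-09-25T10:07:00 10.0.0.5 GET http://news.example.invalid/index.html 200 48990
2012-09-25T10:30:00 10.0.0.5 GET http://news.example.invalid/index.html 200 47777
2012-09-25T10:31:00 10.0.0.5 GET http://news.example.invalid/index.html 200 48100
2012-09-25T10:32:00 10.0.0.5 GET http://news.example.invalid/index.html 200 48555
"""


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            row = m.groupdict()
            row["ts"] = datetime.fromisoformat(row["ts"])
            row["length"] = int(row["length"])
            rows.append(row)
    return rows


def find_fixed_size_beacons(rows: List[dict], min_hits: int = 4,
                            max_jitter: float = 0.2) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Map (host, path) -> (content_length, interval_seconds) for endpoints whose
    responses all share one length and whose request gaps vary by at most max_jitter."""
    by_endpoint: Dict[Tuple[str, str], List[dict]] = defaultdict(list)
    for r in rows:
        by_endpoint[(r["host"], r["path"])].append(r)
    hits = {}
    for key, reqs in by_endpoint.items():
        if len(reqs) < min_hits:
            continue
        lengths = {r["length"] for r in reqs}
        if len(lengths) != 1:
            continue  # body size changes: ordinary content, not a fixed-size beacon
        times = sorted(r["ts"] for r in reqs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = (lengths.pop(), round(avg))
    return hits


if __name__ == "__main__":
    for (host, path), (length, interval) in find_fixed_size_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{host}{path}: every ~{interval}s, always {length} bytes")
```

Tune min_hits and max_jitter to the retention window you have; a bot that randomises its sleep will need a looser jitter bound, but the constant Content-Length check alone already separates it from real web content.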
Size: 239.5 Kb
VirusTotal: [26/42] https://www.virustotal.com/file/acf52d54e3003a8dda2353e18ab9559303f0cf607c4a6538edead6f3f242fb04/analysis/1348604509/
and adds it to ~CurrentVersion\Run\Cuuru in the registry, with the value being the path to the file in Application Data (you can see it with MSCONFIG)
A few additional changes to the registry were made, still checking :)
So, it's been a long day, let's finish it 🙂
1. New anti-forensics features implemented in the RedKit Exploit Kit:
– Exploit delivery based on custom non-standard HTTP headers, which prevents researchers from downloading it by accessing the file directly.
– No links directly to exploits or malicious exe files – all done through various HTTP requests.
– Exploit files are not served as files anymore – it is a sort of request that the server computes, providing the victim with a randomly named jar file.
– The old anti-forensics features that we are familiar with from previous cases stay 🙂
2. The malicious payload (not necessarily related to RedKit EK itself, but to the “customer” that uses it) has additional anti-forensics 🙂
– The malicious bot has multiple parts; the initial part (setup.exe) has limited functionality, its purpose is:
– to check the system for possible traces of honeypots/researchers,
– to prepare the OS for the second-step infection (injection into Explorer.exe)
– to download, decrypt and attach additional modules of the malware
– Each part uses separate, multi-layer encryption (UPX + cryptor for setup.exe; an external decryptor for both “fake windows-update” files)
– In the network flow, the malware is hidden behind the mask of known Microsoft Update filenames. Since the detection ratio of both of them is 0 for now – it is rarely detectable by IDS/IPS
upd1: Thanks to @kafeine for recommendations and related links 🙂
That’s all for now!
In case you have suggestions or are willing to help in this or future cases – welcome 🙂 I will be glad to hear positive criticism and suggestions as well.
Stay safe and good night!