Redkit Exploit Kit: upgrades in anti-forensics.

2012.09.25

Since the major news of the last few weeks was the from-scratch update of BlackHole to version 2, I was waiting for a response from its rivals.

And a week later: Former RedKit Exploit Kit change the mojo

But at that time I still did not have the full picture. Now the post is updated, as you may see.

And here is a detailed analysis of the recent anti-forensics features (for now) :)

Disclaimer: All links provided lead to lists of malicious or potentially malicious resources. Do not click any link there, or run any file, without proper knowledge, a prepared environment and trained skills.

So, it all begins, as usual, from a hacked website 🙂

GET h00p://www.creativewriting-jobs.net

Heh, known JavaScript, no? As a result, it creates an iframe that forwards the visitor to

Site: h00p://yankeeyiddos.com/media/index.php

IP: 50.28.53.157

Whois Data: Liquid Web, Inc. LIQUIDWEB-10

Ok, going there 🙂

GET h00p://yankeeyiddos.com/media/index.php

Ok, again the standard RedKit procedure: forward to a unique xxxxxxxx.html file placed on a legitimate hacked website. A per-IP weaponized page, with the standard file names in it:

33256.jar

88770.jar

98765.pdf

Checking…

GET h00p://didi-sklep.home.pl/83054247.html

And response preview:

Full response on Pastebin

Till now, all ok. Quite regular. And then we try to download any of the linked exploits?

HTTP/1.1 404 Not Found

I spent a lot of time and proxies, and always got 404. Looks like a dead end… And all the online tools I use (a big list, believe me) return 404 as well.

But the test VM somehow got infected. And I see a 200 response to the requests for both 33256.jar and 98765.pdf in the logs (in different configs and OSes).

And here is the first anti-forensics improvement of the former RedKit EK: the request to download the files must have specific fields in it. After modifying a small tool to send custom headers like this:

I was finally able to download both present exploits.

According to my findings, both the Referer: and Content-Type: fields are required.

The Referer should point to the MDS URL

The Content-Type should be application/x-java-archive

So, finally got the payloads:

GET h00p://didi-sklep.home.pl/33256.jar

File size: 16.2 Kb

SHA256: a029212e3a45911adae135288c07f2e3fee4df250977a4f5617566e2590c41fd

VirusTotal [0/43] https://www.virustotal.com/file/a029212e3a45911adae135288c07f2e3fee4df250977a4f5617566e2590c41fd/analysis/

GET h00p://didi-sklep.home.pl/98765.pdf

File Size: 6.2 Kb

SHA256: 342829041d34abc48af0825981970e093e1e4919c6756111fc4e8ff032a010d7

VirusTotal [3/43] https://www.virustotal.com/file/342829041d34abc48af0825981970e093e1e4919c6756111fc4e8ff032a010d7/analysis/

Ok 🙂 so, we got the malicious Jar payload, which, when executed:

GET h00p://didi-sklep.home.pl/3.html

Ok, and here we have the second anti-forensics improvement, which was announced in BHEK2 too: no direct link to the file download. But here we can see how it is implemented:

If you come to the right webpage, with a well-formed header, from the right IP, you get your payload. Otherwise, a 404 response.

Now, with this exe I spent almost 2 hours trying to analyse it.

Here is the original data:

Size: 17.5 Kb

SHA256: c20c6db061ce4d33d22d866724cf631007c4c330cda8cee344cf23d284dbc138

VirusTotal [7/42] https://www.virustotal.com/file/c20c6db061ce4d33d22d866724cf631007c4c330cda8cee344cf23d284dbc138/analysis/

It is packed with UPX

ok, unpacking…

Size: 72 Kb

SHA256: 9610e35c02756a0e14ac8ecf9c24f854320c8ed66cbc468cff6c2fcbc00c68a2

VirusTotal [8/42] https://www.virustotal.com/file/9610e35c02756a0e14ac8ecf9c24f854320c8ed66cbc468cff6c2fcbc00c68a2/analysis/

but it is also crypted!

Here are the results of PE-frame, in case you want to help. It also has anti-debugging features that are beyond my knowledge in debugging (yet 🙂 )

And here is the result of the analysis of this exe by anubis.iseclab.org. As you may see, it injects some code into Explorer.exe during execution.

So here is the behaviour analysis:

1. File downloaded and placed in the user's temporary folder.

2. Executed and performs some basic checks (see the Anubis report). For sure I can say that in VirtualBox VMs that are not prepared for malware analysis, it does not proceed.

So, big credit to Mikael Keri for his blog and methods of preparing VirtualBox for malware analysis. Thx!

3. Then it connects to a remote host:

And here is the response:

and again, the same request:

and the response:

Ok, 2 new files! 🙂

File Num1: windows-update-sp4-kb62451-setup.exe

Size: 293.5 Kb

SHA256: d8565bbbe3800516e5cc87d075b7d132e172def88b84a813ebde66564c395975

VirusTotal [0/43] https://www.virustotal.com/file/d8565bbbe3800516e5cc87d075b7d132e172def88b84a813ebde66564c395975/analysis/

File Num2: windows-update-sp2-kb59844-setup.exe

Size: 368.5 Kb

SHA256: ad0de0bd6328b7199850359c312e9be6e01bc510eaaff01ec6780424f2356317

VirusTotal [0/43] https://www.virustotal.com/file/ad0de0bd6328b7199850359c312e9be6e01bc510eaaff01ec6780424f2356317/analysis/

Both files seem to be exe files, but somehow encrypted/crypted:

If you look carefully, you'll see that the “This program cannot be run in DOS mode” message is partially present, but no valid PE header can be read. Looks like the initial setup.exe has some decrypt mechanism that modifies the initial code. Both files are encrypted the same way (as far as I can say from a brief look at the hex).

4. Files decrypted and placed in the user's Temp directory

File windows-update-sp4-kb62451-setup.exe > as ~!#2.tmp

Size: 293.5 Kb

SHA256: 161234e771d2f854cb96be505a72b3f58547e439ddfc854a1cf7793baa14080b

VirusTotal [28/42] https://www.virustotal.com/file/161234e771d2f854cb96be505a72b3f58547e439ddfc854a1cf7793baa14080b/analysis/

File windows-update-sp2-kb59844-setup.exe > as ~!#3.tmp

Size: 368.5 Kb

SHA256: 9380eb8fe78023d14fb48d5a44889cd9479e5bb8de9c76f16aa0f21a3b3bc0bf

VirusTotal [26/42] https://www.virustotal.com/file/9380eb8fe78023d14fb48d5a44889cd9479e5bb8de9c76f16aa0f21a3b3bc0bf/analysis/

5. The initial process setup.exe includes itself as part of itself, runs CMD.exe in the background and

Ok, looks like the bot reports that the files were received and decrypted. 🙂

C&C Server : thierry-lalet.fr (188.165.37.138)

6. Then the bot sends HTTP requests to the same host/page and receives responses with a very interesting Content-Length field

As you may see, Content-Length: 666. I monitored this server for a few days, and the packet size stayed 666. The data varies, but the packet size does not.

7. After that, the bot begins to install software to continue its work:

– Bot checks all installed messaging systems, in this case Outlook, and tries to reach the Address Book

– replicates the file to user/AppData/Sowo/leela.exe

Size: 239.5 Kb

SHA256: acf52d54e3003a8dda2353e18ab9559303f0cf607c4a6538edead6f3f242fb04

VirusTotal: [26/42] https://www.virustotal.com/file/acf52d54e3003a8dda2353e18ab9559303f0cf607c4a6538edead6f3f242fb04/analysis/1348604509/

and adds it to ~CurrentVersion\Run\Cuuru in the registry, with the value being the path to the file in Application Data (you can see it with MSCONFIG)

A few additional changes to the registry are done, still checking :)
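As an added example (not from the original post), the two network-side observations above, the header-gated exploit download (Referer and Content-Type required, otherwise 404) and the fixed 666-byte C&C answers, turned into checks a defender can run over proxy logs. The log format, hostnames and digests are constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log (not from the original post). Fields:
# time|method|url|request Content-Type|Referer|status|response Content-Length|body digest
LOG = """\
10:00:02|GET|http://landing.example/33256.jar|-|-|404|0|-
10:00:03|GET|http://landing.example/33256.jar|application/x-java-archive|http://landing.example/83054247.html|200|16200|b7e0
10:05:00|POST|http://c2.example/gate.php|application/x-www-form-urlencoded|-|200|666|01aa
10:10:00|POST|http://c2.example/gate.php|application/x-www-form-urlencoded|-|200|666|02bb
10:15:00|POST|http://c2.example/gate.php|application/x-www-form-urlencoded|-|200|666|03cc
10:20:00|GET|http://cdn.example/logo.png|-|-|200|666|ffff
10:21:00|GET|http://cdn.example/logo.png|-|-|200|666|ffff
10:22:00|GET|http://cdn.example/logo.png|-|-|200|666|ffff
"""

def parse(log: str) -> list:
    rows = []
    for line in log.splitlines():
        ts, method, url, ctype, referer, status, length, digest = line.split("|")
        rows.append(dict(ts=ts, method=method, url=url, ctype=ctype, referer=referer,
                         status=int(status), length=int(length), digest=digest))
    return rows

def gated_exploit_fetches(rows) -> list:
    """Successful GETs for .jar/.pdf that carry a request Content-Type header.
    A GET has no body, so that header only exists to satisfy the server-side gate."""
    hits = []
    for r in rows:
        path = urlparse(r["url"]).path.lower()
        if (r["method"] == "GET" and path.endswith((".jar", ".pdf"))
                and r["ctype"] == "application/x-java-archive" and r["status"] == 200):
            hits.append(r["url"])
    return hits

def fixed_size_beacons(rows, min_hits: int = 3) -> dict:
    """URLs answered at least min_hits times with a single Content-Length but
    differing bodies: a fixed-size envelope with changing content, unlike static files."""
    by_url = defaultdict(list)
    for r in rows:
        by_url[r["url"]].append((r["length"], r["digest"]))
    flagged = {}
    for url, seen in by_url.items():
        sizes = {length for length, _ in seen}
        bodies = {digest for _, digest in seen}
        if len(seen) >= min_hits and len(sizes) == 1 and len(bodies) > 1:
            flagged[url] = sizes.pop()
    return flagged

if __name__ == "__main__":
    print(gated_exploit_fetches(parse(LOG)), fixed_size_beacons(parse(LOG)))
```

The static logo.png is answered with the same 666 bytes every time and is not flagged; only the gate.php traffic, same size with changing content, is.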

So, it has been a long day, let's finish it 🙂

Conclusion:

1. New anti-forensics features implemented in RedKit Exploit Kit:

– Exploit delivery depends on custom, non-standard HTTP headers, which prevents researchers from downloading it by accessing the file directly.

– No links directly to exploits or malicious exe files; all done through various HTTP requests.

– Exploit files are no longer served as plain files; it is a kind of request that the server computes and answers with a random-name jar file.

– Old anti-forensics features that we are familiar with from previous cases stay 🙂

2. The malicious payload (not necessarily related to RedKit EK itself, but to the “customer” that uses it) has additional anti-forensics 🙂

The malicious bot has multiple parts; the initial part (setup.exe) has limited functionality, its purpose being:

– to check the system for possible traces of honeypots/researchers,

– to prepare the OS for the second-step infection (injection into Explorer.exe)

– to download, decrypt and attach additional modules of the malware

– Each part uses separate, multi-layer encryption (UPX + cryptor for setup.exe; external decryptor for both “fake windows-update” files)

– In the network flow, the malware hides behind the mask of known Microsoft Update filenames. Since the detection ratio of both of them is 0 for now, it is rarely detectable by IDS/IPS

upd1: Thx to @kafeine for recommendations and related links 🙂

That’s all for now!

In case you have suggestions or are willing to help in this or future cases, welcome 🙂 Will be glad to hear positive criticism and suggestions as well.

Stay safe and good night!

D.L.

5 comments

  1. A Great & Challenger Research!
    Thank you very much!
    Good work!

    MalwareMustDie, 26/09/2012
  2. thx, my Friend 🙂

    Denis, 26/09/2012
  3. For the encrypted setup.exe files, the BFA70000 pattern doesn’t tell you anything?

    meow, 26/09/2012
  4. meow
    No, should it?
    it is UPX compressed, BTW.

    Denis, 26/09/2012
  5. […] the URL of the ‘infected’ website. A few hours later, I saw a blog post “Redkit Exploit Kit: upgrades in anti-forensics.” popping up from my RSS reader. Mystery […]