By: ThreatLabz

Anatomy Of An Ongoing Drive-by-Download Campaign

Exploit Kit

While doing a weekly review of our logs, we stumbled upon thousands of transactions that appear to be part of an ongoing malware campaign. We found compromised websites that redirect the browser to an exploit kit, which in turn leads to a drive-by-download dropper. The source was traced to blackhat SEO redirections (yandex[.]ru).
 
The attack can be dissected into two stages: an injected malicious script that redirects the browser to a domain, and a second stage in which that domain sends the browser through an HTTP 302 redirect that finally leads to the landing page. The 302 redirection domains resolved to the IP range 192[.]133[.]137[.]0/24. The landing page domains had a very low TTL and were hosted in the subnet 109[.]236[.]80[.]0/24 (AS49981); the server is hosted in NL. The campaign leveraged a DGA (Domain Generation Algorithm) along with Dynamic DNS to deliver the payload, and the domains that delivered the exploit ended with a [.info] TLD. The following snapshot shows some of the sample redirection and dynamically generated landing page domains.

[Snapshot: sample redirection domains and dynamically generated landing page domains]


The mechanism of the attack is as follows. First, a malicious redirection script is injected into the webpage:

[Snapshot: injected redirection script]

This is followed by a 302 redirect, which then leads to the exploit kit landing page.

[Snapshot: HTTP 302 redirect to the landing page]
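The two-stage chain described above (compromised page, 302 from the redirector range, short-lived .info landing domain in the landing range) is something a proxy or DNS log review can reconstruct per client. The following is an added example, not code from the ThreatLabz post: it parses an assumed whitespace-separated log format with constructed sample lines and uses the two network ranges and the .info TLD quoted in the post; the 300-second "low TTL" threshold is an assumption, since the post only says the TTL was very low.

```python
# Added example (not from the ThreatLabz post): rebuild the two-stage redirect
# chain from proxy logs and flag the indicators the post lists.
import ipaddress
from collections import namedtuple
from urllib.parse import urlparse

# Network indicators quoted in the post.
REDIRECT_NET = ipaddress.ip_network("192.133.137.0/24")  # 302 redirector range
LANDING_NET = ipaddress.ip_network("109.236.80.0/24")    # landing page range (AS49981)
LANDING_TLD = ".info"
LOW_TTL_SECONDS = 300  # assumed threshold; the post only says "very low TTL"

# Constructed sample log in an assumed whitespace-separated format:
#   ts client host dst_ip dns_ttl http_status location_header
# Hosts and the IPs outside the two ranges above are made up for the example.
SAMPLE_LOG = """\
1 10.0.0.5 compromised-blog.test 203.0.113.10 3600 200 -
2 10.0.0.5 redir.example.test 192.133.137.77 3600 302 http://abcxyz.example.info/index.php
3 10.0.0.5 abcxyz.example.info 109.236.80.23 60 200 -
4 10.0.0.9 www.normal-site.test 198.51.100.4 3600 200 -
5 10.0.0.9 cdn.normal-site.test 198.51.100.9 3600 302 http://www.normal-site.test/home
6 10.0.0.9 www.normal-site.test 198.51.100.4 3600 200 -
7 10.0.0.12 other.example.test 192.133.137.80 3600 302 http://zzz.example.info/
8 10.0.0.12 zzz.example.info 109.236.80.5 86400 200 -
"""

LogEntry = namedtuple("LogEntry", "ts client host dst_ip ttl status location")


def parse_log(text):
    """Parse the assumed log format into LogEntry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, dst_ip, ttl, status, location = line.split()
        entries.append(LogEntry(int(ts), client, host, ipaddress.ip_address(dst_ip),
                                int(ttl), int(status),
                                None if location == "-" else location))
    return entries


def find_chains(entries):
    """Return one alert per client whose traffic matches the full chain:
    any page -> 302 served from the redirector range -> .info landing host
    that resolves into the landing range with a low DNS TTL."""
    alerts = []
    by_client = {}
    for e in entries:
        by_client.setdefault(e.client, []).append(e)
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e.ts)
        for i, e in enumerate(evs):
            # Stage two: a 302 from the redirector range pointing at a .info host.
            if e.status != 302 or e.dst_ip not in REDIRECT_NET or not e.location:
                continue
            landing_host = urlparse(e.location).hostname or ""
            if not landing_host.endswith(LANDING_TLD):
                continue
            # Confirm the client actually followed it to a low-TTL landing host.
            for f in evs[i + 1:]:
                if (f.host == landing_host and f.dst_ip in LANDING_NET
                        and f.ttl <= LOW_TTL_SECONDS):
                    alerts.append({
                        "client": client,
                        "origin": evs[i - 1].host if i > 0 else None,
                        "redirector": e.host,
                        "landing": landing_host,
                        "landing_ip": str(f.dst_ip),
                        "ttl": f.ttl,
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```

The "origin" field of each alert is the request immediately before the 302, which is the candidate compromised site worth notifying; client 10.0.0.12 in the sample is deliberately not flagged because its landing record carries a normal TTL, showing why the TTL check is part of the signature rather than the IP range alone.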
The exploit kit in use is g01pack, which delivers a multistage exploit. It first detects the browser plugins and their versions and then serves the exploits accordingly. At the time of analysis, I was using Java v1.6 release 26. The landing page was as follows:

[Snapshot: g01pack landing page]
As seen, the landing page also tries to deliver a Flash exploit. Unfortunately, at the time of analysis I was getting a 404 response for the SWF payload. 
 
The applet is loaded with "applet_ssv_validated" passed as an undocumented parameter, which allows the attacker to carry out a JVM security bypass. The applet then makes the call to the malicious JAR file.

[Snapshot: applet tag carrying the applet_ssv_validated parameter]
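The landing page and applet paragraphs above give three things a captured page can be checked for: a plugin element loading a JAR, a Flash (SWF) embed, and the undocumented applet_ssv_validated parameter. The following is an added example, not the post's or the exploit kit's code: it uses Python's standard-library HTML parser over two constructed pages (one shaped like the landing page the post describes, one a harmless applet page) and matches the parameter name as a substring so that a leading-underscore spelling is also caught.

```python
# Added example (not from the ThreatLabz post): scan a captured landing page
# for the plugin-loading indicators the post describes. Sample HTML is constructed.
from html.parser import HTMLParser

SUSPICIOUS_PARAM = "applet_ssv_validated"  # undocumented applet parameter named in the post


class LandingPageScanner(HTMLParser):
    """Collect JAR and SWF references from applet/object/embed tags and note
    whether the undocumented applet_ssv_validated parameter is present."""

    def __init__(self):
        super().__init__()
        self.jar_urls = []
        self.swf_urls = []
        self.ssv_param = False

    def _note_url(self, value):
        # Record the reference by extension, ignoring any query string.
        if not value:
            return
        lowered = value.lower().split("?", 1)[0]
        if lowered.endswith(".jar"):
            self.jar_urls.append(value)
        elif lowered.endswith(".swf"):
            self.swf_urls.append(value)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases attribute names
        if tag in ("applet", "object", "embed"):
            for key in ("archive", "src", "data"):
                self._note_url(attrs.get(key))
        elif tag == "param":
            name = (attrs.get("name") or "").lower()
            if SUSPICIOUS_PARAM in name:
                self.ssv_param = True
            self._note_url(attrs.get("value"))


def scan_landing_page(html):
    """Return the indicators found plus a verdict: the undocumented parameter
    alone is enough to flag the page; a page serving both a JAR and a SWF is
    a weaker signal worth a closer look."""
    scanner = LandingPageScanner()
    scanner.feed(html)
    return {
        "jar_urls": scanner.jar_urls,
        "swf_urls": scanner.swf_urls,
        "ssv_param": scanner.ssv_param,
        "flag": scanner.ssv_param or (bool(scanner.jar_urls) and bool(scanner.swf_urls)),
    }


# Constructed samples (not the campaign's real landing page).
EK_LIKE_PAGE = """
<html><body>
<object type="application/x-shockwave-flash" data="/files/ex.swf" width="1" height="1"></object>
<applet archive="/files/loader.jar" code="Main.class" width="1" height="1">
  <param name="__applet_ssv_validated" value="true">
</applet>
</body></html>
"""

BENIGN_PAGE = """
<html><body>
<applet archive="/games/chess.jar" code="Chess.class" width="400" height="400">
  <param name="level" value="3">
</applet>
</body></html>
"""

if __name__ == "__main__":
    print(scan_landing_page(EK_LIKE_PAGE))
    print(scan_landing_page(BENIGN_PAGE))
```

A scanner like this is meant for triage of pages already captured by a proxy or sandbox, not for fetching them; the parameter check is the decisive signal because no legitimate applet has a reason to set it, whereas the JAR-plus-SWF combination only narrows the pile of pages an analyst looks at first.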
The JAR file tries to exploit CVE-2012-0507 and drops the malicious executable. The snapshot summarizes the code that carries this out. Only two anti-virus vendors detected this JAR file, as seen in this VirusTotal report.

[Snapshot: JAR code targeting CVE-2012-0507 and its VirusTotal report]
The dropped EXE files are Ransomware/Fake AV/ZeroAccess Trojans, depending upon the payload delivered. Our Behavioral Analysis Engine flagged these files as malicious, and the VirusTotal report shows that 10/46 anti-virus vendors detected this at the time of analysis. Also shown are some screenshots of the Ransomware/Fake AV after successful infection.

[Screenshots: Ransomware/Fake AV after successful infection]
Given its rocky history with security, there has always been, and will always be, some buzz about new exploits against Java plugins. Attackers will continue to own browsers as long as the plugin is enabled and vulnerable. Refer to this post to learn how to stay protected from exploit kits. Wishing you happy and safe browsing!
 
