Rise In Red Kit Exploit Kit Activity

THREATLABZ
June 01, 2013 - 3 min read
This week, we observed a malicious pattern of activity in which compromised websites redirected visitors to a Red Kit exploit kit (EK) landing page. Some of the infected websites seen:
  • neptunebenson[dot]com
  • route66marathon[dot]com
  • whitesteeple[dot]com
(Warning! These sites may still be infected.)

Two different mechanisms were used to infect the websites. The first is a standard iframe injection, which leads to the Red Kit EK landing page through a chain of URL redirections. The other leverages SEO-based techniques to carry out HTTP 302 redirections that lead to the Red Kit EK landing page.

The snapshot below shows some of the sample URLs and SEO redirections that were seen. Please refer to this URLQuery search to identify other URLs exhibiting the same redirection patterns.
When a user visits the infected webpage, it sends the browser through a malicious redirection (HTTP 302). The actual exploit code, shown below, is then delivered.
The first landing page uses a typical RedKit Exploit, which contains the obfuscated URL that is used to fetch the payload as shown in the highlighted box below. 
The Java sandbox bypass exploit is carried out using an unsigned applet that is passed the suspicious parameter "__applet_ssv_validated"; it targets the following vulnerabilities: CVE-2013-1493 / CVE-2013-2423 / CVE-2012-1723.
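As an added illustration (not code from the original post or from Zscaler), the following Go program scans page HTML for the two constructs described above: an injected iframe sized or styled to be invisible, and an applet or object block that carries the "__applet_ssv_validated" parameter. The sample page it scans is constructed for the example and is not content from any of the sites named in the post; the iframe source and jar name in it are placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one suspicious construct located in a page body.
type Finding struct {
	Kind    string // "hidden-iframe" or "applet-ssv-param"
	Snippet string
}

var (
	// Any <iframe ...> opening tag, case-insensitive, attributes in any order.
	iframeRe = regexp.MustCompile(`(?is)<iframe\b[^>]*>`)
	// A width or height of exactly 0 or 1, the usual way an injected iframe is kept out of sight.
	tinyDimRe = regexp.MustCompile(`(?i)\b(?:width|height)\s*=\s*["']?\s*[01]\b`)
	// Inline CSS that hides the element outright.
	hiddenRe = regexp.MustCompile(`(?i)(?:display\s*:\s*none|visibility\s*:\s*hidden)`)
	// A whole <applet>...</applet> or <object>...</object> block, including its <param> children.
	appletRe = regexp.MustCompile(`(?is)<(applet|object)\b[^>]*>.*?</(?:applet|object)\s*>`)
	// The parameter name the post identifies as a marker of the Java sandbox bypass.
	ssvParamRe = regexp.MustCompile(`(?i)__applet_ssv_validated`)
)

// ScanHTML returns every hidden iframe and every applet/object block that
// carries the __applet_ssv_validated parameter, in document order per kind.
func ScanHTML(html string) []Finding {
	var out []Finding
	for _, tag := range iframeRe.FindAllString(html, -1) {
		if tinyDimRe.MatchString(tag) || hiddenRe.MatchString(tag) {
			out = append(out, Finding{Kind: "hidden-iframe", Snippet: strings.TrimSpace(tag)})
		}
	}
	for _, block := range appletRe.FindAllString(html, -1) {
		if ssvParamRe.MatchString(block) {
			out = append(out, Finding{Kind: "applet-ssv-param", Snippet: strings.TrimSpace(block)})
		}
	}
	return out
}

// samplePage is a constructed page body resembling the two injection patterns
// the post describes; it is not captured from a real site.
const samplePage = `<html><body>
<h1>Example site</h1>
<iframe src="http://redirector.invalid/go.php" width="1" height="1" style="border:0"></iframe>
<iframe src="https://www.example.com/embed" width="640" height="360"></iframe>
<applet archive="placeholder.jar" code="Applet.class">
  <param name="__applet_ssv_validated" value="true" />
  <param name="name" value="aGVsbG8" />
</applet>
</body></html>`

func main() {
	for _, f := range ScanHTML(samplePage) {
		fmt.Printf("%-17s %s\n", f.Kind, f.Snippet)
	}
}
```

Run against the constructed page, the scanner reports the 1x1 iframe and the applet block and ignores the normally sized embed; the regular-expression approach is deliberately tolerant of the attribute ordering and casing that injected markup varies, at the cost of not parsing the HTML fully.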
The jar applet reads the obfuscated URL from the parameter "name", which is passed by the JNLP as shown above. It is then decoded into the final URL through the following code:
This URL serves the encrypted binary payload. The applet opens a URLConnection stream to download the encrypted bytes, which are then decrypted with AES-128 in CBC (cipher block chaining) mode. The IV (initialization vector) and the decryption key are stored inside the applet. After decryption, it writes the binary to the temporary directory named by the java.io.tmpdir system property under a random filename. The snapshot below summarizes some of the important routines involved in the decryption process.
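The decryption step described above is easy to reproduce once the key and IV have been lifted from the applet, which is how an analyst recovers the dropped binary from a captured download without running the applet. The Go program below is an added example and is not the applet's code or anything from the original post: the key and IV are constructed placeholders, the "captured" stream is generated locally by the encryptForDemo helper so the example runs offline, and DropPath only computes the equivalent of the java.io.tmpdir drop location without writing anything.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Constructed 16-byte key and IV standing in for the values an analyst
// would extract from the applet's class files (placeholders, not real ones).
var (
	demoKey = []byte("0123456789abcdef")
	demoIV  = []byte("fedcba9876543210")
)

// DecryptPayload reverses the applet's AES-128-CBC step: decrypt the captured
// stream with the embedded key and IV, then strip PKCS#7 padding.
func DecryptPayload(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, errors.New("iv must be exactly one AES block")
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks (truncated capture?)")
	}
	plain := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ciphertext)
	return unpadPKCS7(plain)
}

// unpadPKCS7 validates and removes PKCS#7 padding; a padding error usually
// means the wrong key or IV was used.
func unpadPKCS7(buf []byte) ([]byte, error) {
	n := int(buf[len(buf)-1])
	if n == 0 || n > aes.BlockSize || n > len(buf) {
		return nil, errors.New("bad padding")
	}
	if !bytes.Equal(buf[len(buf)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return buf[:len(buf)-n], nil
}

// encryptForDemo builds a sample encrypted stream so the example is
// self-contained; in a real case the bytes come from the captured download.
func encryptForDemo(key, iv, plain []byte) []byte {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// DropPath mirrors where the applet writes the decrypted file: the directory
// named by java.io.tmpdir (os.TempDir() here) plus a random name. Nothing is written.
func DropPath() string {
	var r [8]byte
	rand.Read(r[:])
	return filepath.Join(os.TempDir(), hex.EncodeToString(r[:]))
}

// IsPE reports whether recovered bytes begin with the "MZ" DOS header, a quick
// sanity check that decryption produced a Windows executable rather than noise.
func IsPE(b []byte) bool { return len(b) >= 2 && b[0] == 'M' && b[1] == 'Z' }

func main() {
	// Constructed stub standing in for the packed binary; not a real executable.
	stub := []byte("MZ\x90\x00constructed stub, not a real binary")
	captured := encryptForDemo(demoKey, demoIV, stub)
	plain, err := DecryptPayload(demoKey, demoIV, captured)
	if err != nil {
		fmt.Println("decrypt failed:", err)
		return
	}
	fmt.Printf("recovered %d bytes, PE header: %v, applet would drop to %s\n", len(plain), IsPE(plain), DropPath())
}
```

The length check matters in practice: a proxy log or packet capture that was cut short yields a stream that is not block-aligned, and it is better to report that than to decrypt garbage; the MZ check is the cheap confirmation that the key and IV pulled from the applet were the right ones before the file goes to an unpacker.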
The binary file is packed with UPX and contains anti-VM/anti-debugging routines. It is a keylogger Trojan that steals credentials such as credit card numbers and passwords and sends them to a remote location. Currently, the binary is detected as malicious by only three AV vendors.

Binary Reports:

Jar File Report:
It is always good practice to keep commonly targeted browser plugins such as Adobe and Java constantly updated. This protects the end user from malicious EKs leveraging known vulnerabilities. For more specific information about Java plugins and how to disable them, please refer to this blog post from my colleague Julien Sobrier.