Zscaler to Expand Zero Trust Exchange Platform's AI Cloud with Data Fabric Purpose-built for Security

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Anatomy Of An Ongoing Drive-by-Download Campaign

image
THREATLABZ
August 16, 2013 - 3 min read
While doing a weekly review of our logs, we stumbled upon thousands of transactions that seem to be a part of an ongoing malware campaign. We found compromised websites that redirect the browser to an exploit kit, further leading to a drive-by-download dropper. The source was traced to originate from blackhat SEO redirections (yandex[.]ru). 
 
The attack can be dissected into two stages, an injected malicious script which redirects to a domain and a second stage in which the domain sends the browser through an HTTP 302 redirect that finally leads to the landing page. The 302 redirection domains resolved to an IP range 192[.]133[.]137[.]0/24. The landing page domains were having a very low TTL and were hosted in sub-net 109[.]236[.]80[.]0/24 (AS49981). The server is hosted in NL. The campaign leveraged a DGA (Domain Generation Algorithm) along with Dynamic DNS to deliver the payload and the domains which delivered the exploit were ending with a [.info] TLD. The following snapshot shows some of the sample redirection and dynamically generated landing page domains. 
Image
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


The mechanism of the attack is as follows. Firstly, a malicious redirection script is injected into the webpage: 
 
 
Image
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 





This is followed by a 302 redirect, which then leads to the exploit kit landing page. 
 
Image
 
 
 
The exploit kit favors the g01pack, which delivers a multistage exploit. Initially, it detects the browser plugins and versions thereof and then serves the exploits accordingly. At the time of analysis, I was using Java v1.6 release 26. The landing page was as follows: 
 
Image
 
As seen, the landing page also tries to deliver a Flash exploit. Unfortunately, at the time of analysis I was getting a 404 response for the SWF payload. 
 
The applet is loaded with the "applet_ssv_validated" passed as an undocumented parameter to the applet, which allows the attacker to carry out a JVM security bypass. The applet then makes the call to the malicious JAR file. 
 
Image
 
The JAR file tries to exploit CVE-2012-0507 and drops the malicious executable. The snapshot summaries the code which carries this out.  Only two anti-virus vendors detected this JAR file as seen in this VirusTotal Report
 
Image
 
 
The dropped EXE files are Ransomware/Fake AV/ZeroAccess Trojans, depending upon the payload delivered. Our Behavioral Analysis Engine flagged these files as malicious and the VirusTotal Report shows that 10/46 Anti-virus vendors detected this at the time of analysis. Also shown are some screen shots of the Ransomware/Fake AV after successful infection. 
Image
 
Image
 
Given it's rocky history with security, there has and will always be some buzz about new exploits against Java Plugins. Attackers will continue to own browsers as long as the Plugin is enabled and vulnerable. Refer to this post to learn how to stay protected from exploit kits. Wishing you happy & safe browsing ! 
 
form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.