Overview
This is the ninth edition of our Quarterly Exploit Kit activity roundup series, in which we share our analysis of recent exploit kit activity. Exploit kits (EKs) are rapidly deployable software packages designed to exploit vulnerabilities in web browsers and deliver a malicious payload to a victim's computer. EK authors offer their services for a fee, distributing malware on behalf of other malicious actors. Although EK activity has been declining overall, there is still plenty of it, and EK operators continue to adopt new techniques for monetizing infected machines.
Due to the increasing popularity and value of cryptocurrency, we are seeing EK operators shift their focus from ransomware to cryptominers; in many of the instances we observed, the final payload was a miner that generates revenue directly for the attacker. All the exploit kits mentioned in this roundup were seen infecting users with cryptominer malware. We have also seen increased use of malvertising campaigns to direct users to exploit kits. What follows are highlights from the EK activity we observed during the last quarter.
RIG Exploit Kit
RIG EK has been active for some time now. Although many other EKs enter and exit the threat landscape, RIG has remained persistently on the scene and has adopted changes over time. Recent changes include the addition of an exploit for CVE-2018-8174 and the use of cryptominer payloads to monetize infected machines. The hits we saw came mainly from malvertising campaigns running on pirated movie streaming or adult websites.
The RIG EK activity hits are shown below.
Figure 1: RIG EK hits from May 1, 2018, to August 5, 2018
The geographical distribution of the hits can be seen below.
Figure 2: RIG EK hits geo distribution
RIG EK redirects were mainly seen from malvertising campaigns. The hits were not restricted to any specific geographical location. A recent RIG EK cycle can be seen below.
Figure 3: RIG EK Fiddler capture
The malvertising page redirect can be seen below.
Figure 4: Malvertising redirect
This loads an obfuscated JavaScript, shown below.
Figure 5: Malvertising redirect obfuscated (popunder)
The deobfuscated script is shown below.
Figure 6: Malvertising redirect deobfuscated (popunder)
This redirect loads a fingerprinting page with two parts: a JavaScript block that collects browser information, and an obfuscated JavaScript block that relays that information to the RIG EK landing page server. A snippet of the fingerprinting script is shown below.
Figure 7: Browser fingerprinting
A snippet of the obfuscated JavaScript responsible for relaying information is shown below.
Figure 8: Obfuscated JavaScript redirect on the fingerprinting page
The deobfuscated code for this redirect is shown below.
Figure 9: Deobfuscated redirect on fingerprinting page
The landing page contains exploit code for the VBScript memory corruption vulnerability CVE-2018-8174 and for CVE-2016-0189. There are three scripts on the landing page: the first exploits the recent CVE-2018-8174 vulnerability, the second exploits CVE-2016-0189, and the third is a Flash-based exploit. The CVE-2018-8174 exploit is shown below.
Figure 10: CVE-2018-8174 on the RIG EK landing page
By deobfuscating the code, we can see the VBScript exploit code, which is the same as the PoC for CVE-2018-8174 released on GitHub, with minor modifications to weaponize it.
Figure 11: CVE-2018-8174 code comparison
The snippet below shows the part of the landing page exploiting CVE-2016-0189.
Figure 12: CVE-2016-0189 exploit code on RIG EK landing page
The third script, which loads the Flash exploit, is shown below.
Figure 13: RIG EK landing page Flash exploit call
When we deobfuscate the script, we can observe the call that downloads the Flash file, as shown below.
Figure 14: RIG EK landing page Flash exploit call (deobfuscated)
The payload seen for this cycle was a trojan. We also saw cryptominers and GandCrab ransomware payloads being downloaded by RIG EK this quarter.
GrandSoft Exploit Kit
GrandSoft is an exploit kit that resurfaced earlier this year, when it was found serving GandCrab ransomware. We have also seen instances of cryptomining payloads being served by the GrandSoft EK in the past quarter.
The GrandSoft EK activity hits are shown below.
Figure 15: GrandSoft EK hits from May 1, 2018, to August 5, 2018
The geographical distribution of the hits can be seen below.
Figure 16: GrandSoft EK heat map
GrandSoft EK redirects were mainly seen from malvertising campaigns. We often see threat actors utilizing the same resources to trigger different attack chains depending on the user session information. One such instance can be seen below, where “freedatingvideo[.]info” was redirecting users to RIG EK or GrandSoft EK gates or a web-based cryptomining site as part of the same malvertising campaign.
Figure 17: GrandSoft EK cycle
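The session-dependent fan-out described above (one malvertising referrer steering different visitors to RIG EK, GrandSoft EK or a web miner) is something a defender can surface from proxy logs. The following is an added example, not tooling from the roundup: it runs simple detection logic over a constructed proxy log and flags any referrer host that led to two or more distinct attack chains. The referrer host is the one named in the roundup; the gate and miner hostnames (ek-gate-a.example, ek-gate-b.example, miner.example) and the patterns that classify them are placeholders standing in for a real EK-gate watchlist.

```python
"""Flag a referrer that fans out to several different attack chains.

Added example (not code from the roundup): runs detection logic over a
constructed proxy log. The referrer host is the one named in the roundup;
the gate and miner hostnames and the patterns matching them are placeholders
standing in for a real EK-gate watchlist.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log: timestamp client referrer requested_url user_agent
SAMPLE_LOG = """\
2018-07-02T10:01:03Z 10.0.0.11 http://freedatingvideo.info/ http://ek-gate-a.example/?ct=rig Mozilla/5.0 (Windows NT 6.1; Trident/7.0)
2018-07-02T10:01:09Z 10.0.0.12 http://freedatingvideo.info/ http://ek-gate-b.example/land?id=7 Mozilla/5.0 (Windows NT 6.1; Trident/7.0)
2018-07-02T10:02:15Z 10.0.0.13 http://freedatingvideo.info/ https://miner.example/lib/miner.min.js Mozilla/5.0 (X11; Linux x86_64)
2018-07-02T10:02:40Z 10.0.0.13 http://freedatingvideo.info/ https://miner.example/lib/miner.min.js Mozilla/5.0 (X11; Linux x86_64)
2018-07-02T10:03:40Z 10.0.0.14 http://news.example/story http://cdn.example/jquery.js Mozilla/5.0 (Windows NT 10.0)
"""

# Placeholder destination patterns; a real deployment would load gate/miner IoCs here
CHAIN_PATTERNS = {
    "rig_gate": re.compile(r"^https?://ek-gate-a\.example/"),
    "grandsoft_gate": re.compile(r"^https?://ek-gate-b\.example/"),
    "web_miner": re.compile(r"^https?://miner\.example/"),
}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")


def parse_line(line):
    """Split one log line into its fields; returns None for malformed lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, referrer, url, ua = m.groups()
    return {"ts": ts, "client": client, "referrer": referrer, "url": url, "ua": ua}


def classify(url):
    """Name the attack chain a requested URL belongs to, or None if unknown."""
    for name, pattern in CHAIN_PATTERNS.items():
        if pattern.search(url):
            return name
    return None


def fanout_by_referrer(log_text):
    """Map each referrer host to the chains it led to and the clients sent down each."""
    fanout = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        chain = classify(rec["url"])
        if chain is None:
            continue
        host = urlparse(rec["referrer"]).hostname
        fanout[host][chain].add(rec["client"])
    return {host: {c: sorted(v) for c, v in chains.items()} for host, chains in fanout.items()}


def suspicious_gates(log_text, min_chains=2):
    """Referrer hosts that steered visitors into at least `min_chains` distinct chains."""
    return {host: sorted(chains) for host, chains in fanout_by_referrer(log_text).items()
            if len(chains) >= min_chains}


if __name__ == "__main__":
    for host, chains in suspicious_gates(SAMPLE_LOG).items():
        print(f"{host}: fans out to {', '.join(chains)}")
```

Grouping by referrer rather than by destination is what makes the shared gate visible: each individual destination may already be on a blocklist, but the referrer that feeds all of them is the resource the campaign actually depends on.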
GrandSoft EK authors have also added an exploit for the CVE-2018-8174 VBScript memory corruption vulnerability to the landing page. Below is a snippet from the landing page using the CVE-2018-8174 exploit.
Figure 18: CVE-2018-8174 exploit code on the GrandSoft EK landing page
The payload seen with this cycle was GandCrab ransomware.
KaiXin Exploit Kit
The KaiXin EK was active in the last quarter of 2017, and we have not observed many hits for KaiXin EK since then. But recently, we were able to capture an instance of KaiXin EK in the wild. A recent addition to this EK is the use of the CVE-2018-8174 exploit derived from a PoC published on GitHub. The Fiddler capture for the KaiXin exploit kit cycle is shown below.
Figure 19: KaiXin exploit kit Fiddler capture
The landing page consists of two JavaScript blocks: one loads the exploit web page and the other redirects to a fingerprinting site, which relays the victim's system information back to the server. We can see that the attacker is using car brands as variable names on the landing page, consistent with behavior seen in the past.
Figure 20: KaiXin exploit kit landing page
The landing page loads a plugin-detection JavaScript file named "jquery.js". A snippet of this code can be seen below.
Figure 21: KaiXin EK jquery
The LeNnDv.html file downloaded contains the CVE-2018-8174 exploit code derived from the PoC shared on GitHub. A snippet of this code is shown below.
Figure 22: CVE-2018-8174 in KaiXin exploit kit
The page is heavily obfuscated; the call to the payload download is shown below.
Figure 23: Obfuscated JavaScript for payload download
Figure 24: First layer JavaScript deobfuscation
Figure 25: Second layer JavaScript deobfuscation
During deobfuscation, we see that the VBScript loaded is similar to the PoC available on GitHub, and KaiXin has adopted it, as did the GrandSoft EK and RIG EK.
Figure 26: CVE-2018-8174 in KaiXin exploit kit
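The two-layer deobfuscation walked through above, and the obfuscated malvertising and fingerprinting redirects earlier in this roundup, all come down to peeling encoding layers off a script until the underlying call is readable. The following is an added example, not tooling from the roundup, of doing that statically in Python. The exact layers used by the landing pages in the roundup are not reproduced here, so it handles a generic set commonly seen across EK pages: eval() of a string literal, "a" + "b" concatenation, atob(), unescape(), String.fromCharCode() and split("").reverse().join(""). The two samples it runs on are constructed inside the block, and the final stage they unwrap to (location.href pointing at landing.example) is a harmless stand-in.

```python
"""Peel common JavaScript obfuscation layers statically, one layer at a time.

Added example, not the roundup's own tooling. The exact layers used by the
landing pages in the roundup are not reproduced here, so this handles a
generic set seen across EK pages: eval() of a string literal, "a" + "b"
concatenation, atob(), unescape(), String.fromCharCode() and
split("").reverse().join(""). Substitution is textual, so eval unwrapping is
tried first; that keeps a decoded stage intact until it is unwrapped.
"""
import base64
import json
import re
from urllib.parse import unquote

# A double-quoted literal with backslash escapes (JSON-compatible), captured as one group
LIT = r'("(?:[^"\\]|\\.)*")'
# A literal in either quote style; group 1 is the quote, group 2 the raw body
QUOTED = r"""(['"])((?:(?!\1)[^\\]|\\.)*)\1"""

EVAL_RE = re.compile(r"\beval\(\s*" + LIT + r"\s*\)")
CONCAT_RE = re.compile(LIT + r"\s*\+\s*" + LIT)
ATOB_RE = re.compile(r"\batob\(\s*" + QUOTED + r"\s*\)")
UNESCAPE_RE = re.compile(r"\bunescape\(\s*" + QUOTED + r"\s*\)")
FROMCC_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")
REVERSE_RE = re.compile(QUOTED + r"""\.split\(\s*(['"])\3\s*\)\.reverse\(\)\.join\(\s*(['"])\4\s*\)""")


def _unwrap_eval(m):
    # eval("code") -> code; the literal becomes live script text
    return json.loads(m.group(1), strict=False)


def _fold_concat(m):
    # "a" + "b" -> "ab"
    return json.dumps(json.loads(m.group(1), strict=False) + json.loads(m.group(2), strict=False))


def _decode_atob(m):
    return json.dumps(base64.b64decode(m.group(2)).decode("utf-8", "replace"))


def _decode_unescape(m):
    return json.dumps(unquote(m.group(2)))


def _decode_fromcc(m):
    return json.dumps("".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()))


def _decode_reverse(m):
    return json.dumps(m.group(2)[::-1])


# Priority order: unwrap code first, fold strings second, decode innermost calls last
LAYERS = [
    ("eval", EVAL_RE, _unwrap_eval),
    ("concat", CONCAT_RE, _fold_concat),
    ("atob", ATOB_RE, _decode_atob),
    ("unescape", UNESCAPE_RE, _decode_unescape),
    ("fromCharCode", FROMCC_RE, _decode_fromcc),
    ("reverse", REVERSE_RE, _decode_reverse),
]


def peel_once(code):
    """Apply the first transformation that matches, once. Returns (layer_name, new_code)."""
    for name, pattern, handler in LAYERS:
        new_code, count = pattern.subn(handler, code, count=1)
        if count:
            return name, new_code
    return None, code


def deobfuscate(code, max_layers=50):
    """Peel layers until nothing matches; returns (final_code, list_of_layers_peeled)."""
    peeled = []
    for _ in range(max_layers):
        name, code = peel_once(code)
        if name is None:
            break
        peeled.append(name)
    return code, peeled


# Constructed samples, built here so the example runs offline; FINAL_STAGE is a harmless stand-in
FINAL_STAGE = "location.href='http://landing.example/?id=7';"
_STAGE2 = "eval(String.fromCharCode(%s))" % ",".join(str(ord(c)) for c in FINAL_STAGE)
SAMPLE_LAYERED = 'eval("" + atob("%s"))' % base64.b64encode(_STAGE2.encode()).decode()
SAMPLE_GATE = 'var g = "elpmaxe.etag//:ptth".split("").reverse().join("") + unescape("%2Fgate%3Fid%3D7");'

if __name__ == "__main__":
    for sample in (SAMPLE_LAYERED, SAMPLE_GATE):
        final, layers = deobfuscate(sample)
        print(" -> ".join(layers), "=>", final)
```

Recording the sequence of layers peeled, not just the final script, is useful for tracking: the order and kind of layers an EK wraps around the same PoC is a behavioral trait that survives the routine renaming of variables and hostnames.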
The payload seen for this cycle was a Trojan (MD5:e28d993fd4ae1fb71d645159f726f570).
Other Exploit Kits
Terror EK, which was active at the end of 2017, has shown reduced activity since the start of 2018, and we have not seen any activity for Terror EK this quarter. Magnitude EK, though active, is operating in a very restricted geographic region and is served through malvertising campaigns. We have not seen direct hits for Magnitude EK landing pages or gates this quarter, but we continue to see hits for the malvertisements that were directing users to the Magnitude EK gates.
Conclusion
Exploit kits are effective for infecting victim machines without users' knowledge. The earlier trend was to infect users with ransomware in the expectation that a few of them would pay to regain access to their data; the trend has now shifted to cryptominers and Trojans, which steal users' data and use their system resources to mine cryptocurrency for the attackers. Attackers frequently change their techniques by obfuscating the source code or injecting new exploit code into their EKs, and security researchers analyze and block the new threats by tracking changes in EK behavior.
To help avoid infections from exploit kits, users should always block untrusted third-party scripts and resources, and avoid clicking on suspicious advertisements. Keeping web browsers and browser plugins up to date with the latest patches helps to protect against the common vulnerabilities targeted by exploit kits. The Zscaler ThreatLabZ research team has confirmed coverage for these exploit kits and their subsequent payloads, ensuring protection for organizations using the Zscaler Cloud Security Platform.