Exploit Kits for Drive-by Download Attacks

MARCH 17, 2016 | PATRICK BEDWELL
Exploit Kits (EKs) are malicious code embedded in a website. They are commercially available and many are easy to use (even by those cybercriminals with little coding experience). They contain pre-packaged code that seeks to exploit out-of-date browsers, insecure applications, or vulnerable services.
They are used in ‘Drive-by Download’ attacks that target the visitors of a website. When a visitor browses to a site hosting an EK, the Kit uses all of its exploits to attempt to compromise the visitor’s system and install malware, including ransomware. Cybercriminals constantly update their malware to evade detection. Palo Alto Networks’ threat research team recently documented over 90,000 websites compromised by the continuously evolving Angler EK.
Unfortunately, the presence of these Kits is undetectable by most users. They can reside on a legitimate site that has been compromised, or on a malicious site masquerading as a legitimate website. EKs have been around for several years, yet continue to be a tool of choice for cybercriminals because end-users continue to run vulnerable software.
How AlienVault Helps
There are three absolutes in life: Death, Taxes, and End-Users’ Systems Being Owned. We can’t help with death and taxes, but we can help with detecting system compromise. You can’t rely on endpoint protection systems to prevent system compromise, because there will always be bad actors looking to exploit your users’ vulnerable systems.
You need the ability to detect indicators of compromise (IoCs) in your network quickly, to be able to minimize the damage that compromised systems can cause. To this end, the AlienVault Labs team continues to research and update the ability of the USM platform to detect new EKs, or new variations on existing Kits.
The Labs team recently updated the USM platform’s ability to detect EK activity by adding IDS signatures to detect the malicious traffic on your network and correlation directives to link events from across your network that indicate systems compromised by this type of malware.
These updates are included in the latest AlienVault Threat Intelligence update available now:
  • Updated Detection Technique - Exploit Kits
Exploit kits are used in what are called "Drive-by Downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attacks to compromise the user and install malware on their machine. This approach is a common attack vector and a major source of infections for end users.
Cybercriminals constantly change the patterns they use within their code to evade detection.
We added IDS signatures and updated correlation rules to enhance exploit kit detection:
  • Exploitation & Installation, Malicious website - Exploit Kit, Angler EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
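The two directives above describe an ordered chain: a malicious redirection is a delivery event, a landing-page hit is an exploitation event, and a correlation rule links them per host so that a single alarm is raised instead of a scatter of IDS alerts. The following is an added example, not AlienVault USM code, that shows the shape of such a correlation over constructed IDS events: the event tuple format, the signature strings, the stage matchers and the ten-minute window are all assumptions made for illustration; only the two stage labels mirror the directive names quoted above. A later stage counts only when the earlier ones were already seen for that host within the window, so an isolated executable download or a landing-page hit hours after a redirect does not complete the chain.

```python
"""Correlate per-host IDS events into an exploit-kit attack chain.

Added example (not AlienVault/USM code). Event format, signature text,
stage matchers and window are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IDS events: (UTC timestamp, client IP, signature text).
SAMPLE_EVENTS = [
    ("2018-06-01T10:00:01", "10.0.0.5", "ET CURRENT_EVENTS Malicious redirection to EK gate"),
    ("2018-06-01T10:00:03", "10.0.0.5", "ET CURRENT_EVENTS Angler EK landing page"),
    ("2018-06-01T10:00:09", "10.0.0.5", "ET POLICY Executable download via EK"),
    ("2018-06-01T10:05:00", "10.0.0.7", "ET CURRENT_EVENTS Malicious redirection to EK gate"),
    ("2018-06-01T12:30:00", "10.0.0.7", "ET CURRENT_EVENTS Angler EK landing page"),
    ("2018-06-01T10:07:00", "10.0.0.9", "ET POLICY Executable download via EK"),
]

# Ordered chain; each stage is matched by a (constructed) substring of the signature.
STAGE_ORDER = ["redirection", "landing", "payload"]
STAGE_MATCHERS = [
    ("redirection", "malicious redirection"),
    ("landing", "ek landing page"),
    ("payload", "executable download"),
]
# Stage labels modelled on the two correlation directives quoted in the post;
# the third is a constructed continuation of the chain.
STAGE_LABELS = {
    "redirection": "Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection",
    "landing": "Exploitation & Installation, Malicious website - Exploit Kit, Angler EK",
    "payload": "Exploitation & Installation, Malicious website - Exploit Kit, payload download (constructed)",
}


def classify(signature):
    """Map a raw IDS signature to a chain stage, or None if it is unrelated."""
    lowered = signature.lower()
    for stage, needle in STAGE_MATCHERS:
        if needle in lowered:
            return stage
    return None


def verdict(stages):
    """Turn the stages reached by one host into an analyst-facing verdict."""
    if stages == STAGE_ORDER:
        return "ALARM: exploit-kit compromise likely (full delivery-to-payload chain)"
    if stages:
        return "suspicious: partial chain, last stage " + STAGE_LABELS[stages[-1]]
    return "clean: no ordered exploit-kit chain"


def correlate(events, window=timedelta(minutes=10)):
    """Group events by client host and advance the chain strictly in order.

    A stage is accepted only if it is the next expected stage for that host
    and occurs within `window` of the previously accepted stage; anything
    else is ignored, so out-of-order or stale events never complete a chain.
    """
    by_host = defaultdict(list)
    for ts, host, sig in sorted(events):  # ISO timestamps sort lexicographically
        stage = classify(sig)
        if stage is not None:
            by_host[host].append((datetime.fromisoformat(ts), stage))

    results = {}
    for host, seq in by_host.items():
        reached, last_ts = [], None
        for ts, stage in seq:
            if len(reached) == len(STAGE_ORDER) or stage != STAGE_ORDER[len(reached)]:
                continue  # not the next expected stage for this host
            if last_ts is not None and ts - last_ts > window:
                continue  # too long after the previous stage; treat as unrelated
            reached.append(stage)
            last_ts = ts
        results[host] = {"stages": reached, "verdict": verdict(reached)}
    return results


if __name__ == "__main__":
    for host, result in correlate(SAMPLE_EVENTS).items():
        print(host, result["stages"], result["verdict"])
```

In the constructed data, 10.0.0.5 completes the chain within seconds and produces the alarm, 10.0.0.7 only reaches the redirection stage because its landing-page hit arrives hours later, and 10.0.0.9 stays clean because an executable download with no preceding delivery stage is not an exploit-kit chain by this rule.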
For more information on recent Angler EK activity, visit the AlienVault Open Threat Exchange (OTX) to see the research the OTX community has contributed.
About the Author: Patrick Bedwell
Patrick has been working in information security for over 17 years, creating and executing marketing strategies for both startups and public companies.
TAGS: exploit kits

Exploit kits go cryptomining – Summer 2018 edition

Exploit Kit Summer 2018 roundup

By: Rohit Hegde


Overview

This is the ninth edition of our Quarterly Exploit Kit activity roundup series, in which we share our analysis of recent exploit kit activity. Exploit kits (EKs) are rapidly deployable software packages designed to leverage vulnerabilities in web browsers and deliver a malicious payload to a victim’s computer. Authors of EKs offer their services for a fee, distributing malware for other malicious actors. Though it's been declining, there is still plenty of EK activity, and EK operators continue to adopt new techniques for monetizing infected machines.
Due to the increase in popularity and value of cryptocurrency, we are seeing EK operators shifting their focus from ransomware to cryptominers, with the end payload generating revenue in multiple instances. All the exploit kits mentioned in this roundup were seen infecting users with cryptominer malware. We have also seen an increased use of malvertising campaigns to direct users to exploit kits. What follows are highlights from the EK activity we observed during the last quarter.
RIG Exploit Kit
RIG EK has been active for some time now. Though there are many other EKs that enter and exit the threat landscape, RIG has been persistently on the scene and adopting changes over time. Recent changes were the inclusion of CVE-2018-8174 and the use of cryptominer payloads to monetize infected resources. The hits that we saw were mainly from malvertising campaigns running on pirated movie streaming or adult websites.
The RIG EK activity hits are shown below.
Figure 1: RIG EK hits from May 1, 2018, to August 5, 2018
The geographical distribution of the hits can be seen below.
Figure 2: RIG EK hits geo distribution
RIG EK redirects were mainly seen from malvertising campaigns. The hits were not restricted to any specific geographical location. A recent RIG EK cycle can be seen below.
Figure 3: RIG EK Fiddler capture
The malvertising page redirect can be seen below.
Figure 4: Malvertising redirect
This loads an obfuscated JavaScript, shown below.
Figure 5: Malvertising redirect obfuscated (popunder)
The deobfuscated script is shown below.
Figure 6: Malvertising redirect deobfuscated (popunder)
This redirect loads a fingerprinting page that contains two parts: one part is JavaScript, which collects browser information, and the other part is obfuscated JavaScript, responsible for relaying the information to the RIG EK landing page server. A snippet of the fingerprinting script is shown below.
Figure 7: Browser fingerprinting
A snippet of the obfuscated JavaScript responsible for relaying information is shown below.
Figure 8: Obfuscated JavaScript redirect on the fingerprinting page
The deobfuscated code for this redirect is shown below.
Figure 9: Deobfuscated redirect on fingerprinting page
The landing page contains exploit code for the VBScript memory corruption vulnerabilities CVE-2018-8174 and CVE-2016-0189. There are three scripts on the landing page. The first exploits the recent CVE-2018-8174 vulnerability, the second exploits CVE-2016-0189, and the third is a Flash-based exploit. The CVE-2018-8174 script is shown below.
Figure 10: CVE-2018-8174 on the RIG EK landing page
By deobfuscating the code, we can see the VBScript exploit code, which is the same as the PoC for CVE-2018-8174 released on GitHub with minor modifications to weaponize the PoC.
Figure 11: CVE-2018-8174 code comparison
The snippet below shows the part of the landing page exploiting CVE-2016-0189.
Figure 12: CVE-2016-0189 exploit code on RIG EK landing page
The third script targeting the Flash exploit is shown below.
Figure 13: RIG EK landing page Flash exploit call
When we deobfuscate the script, we can observe the calls that download the Flash file, as shown below.
Figure 13: RIG EK landing page Flash exploit call
The payload seen for this cycle was a trojan. We also saw cryptominers and GandCrab ransomware payloads being downloaded by RIG EK this quarter.
GrandSoft Exploit Kit
GrandSoft is an exploit kit that resurfaced earlier this year, when it was found serving GandCrab ransomware. We have also seen instances of cryptomining payloads being served by the GrandSoft EK in the past quarter.
The GrandSoft EK activity hits are shown below.
Figure 15: GrandSoft EK hits from May 1, 2018, to August 5, 2018
The geographical distribution of the hits can be seen below.
Figure 16: GrandSoft EK heat map
GrandSoft EK redirects were mainly seen from malvertising campaigns. We often see threat actors utilizing the same resources to trigger different attack chains depending on the user session information. One such instance can be seen below, where “freedatingvideo[.]info” was redirecting users to RIG EK or GrandSoft EK gates or a web-based cryptomining site as part of the same malvertising campaign.
Figure 17: GrandSoft EK cycle
GrandSoft EK authors have also added an exploit for the CVE-2018-8174 VBScript memory corruption vulnerability to the landing page. Below is a snippet from the landing page using the CVE-2018-8174 exploit.
Figure 18: CVE-2018-8174 exploit code on the GrandSoft EK landing page
The payload seen with this cycle was GandCrab ransomware.

KaiXin Exploit Kit

The KaiXin EK was active in the last quarter of 2017, and we have not observed many hits for KaiXin EK since then. But recently, we were able to capture an instance of KaiXin EK in the wild. A recent addition to this EK is the use of the CVE-2018-8174 exploit derived from a PoC published on GitHub. The Fiddler capture for the KaiXin exploit kit cycle is shown below.
Figure 19: KaiXin exploit kit Fiddler capture
The landing page consists of two JavaScripts: one loads the calls to the exploit webpage and the other is a redirect to a fingerprinting site, which relays the victim’s system information back to the server. We can see that the attacker is using car brands as variable names on the landing page, consistent with behavior seen in the past.
Figure 20: KaiXin exploit kit landing page
The landing page loads a JavaScript file named “jquery.js” for plugin detection. A snippet of this code can be seen below.
Figure 21: KaiXin EK jquery
The LeNnDv.html file downloaded contains the CVE-2018-8174 exploit code derived from the PoC shared on GitHub. A snippet of this code is shown below.
Figure 22: CVE-2018-8174 in KaiXin exploit kit
The page is heavily obfuscated; the call to the payload download is shown below.
Figure 23: Obfuscated JavaScript for payload download
Figure 24: First layer JavaScript deobfuscation
Figure 25: Second layer JavaScript deobfuscation
During deobfuscation, we see that the VBScript loaded is similar to the PoC available on GitHub, and KaiXin has adopted it, as did the GrandSoft EK and RIG EK.
Figure 26: CVE-2018-8174 in KaiXin exploit kit
The payload seen for this cycle was a Trojan (MD5: e28d993fd4ae1fb71d645159f726f570).

Other Exploit Kits

Terror EK, which was active at the end of 2017, has shown reduced activity since the start of 2018, and we have not seen any activity for Terror EK this quarter. Magnitude EK, though active, is operating in a very restricted geographic region and is served through malvertising campaigns. We have not seen direct hits for Magnitude EK landing pages or gates this quarter, but we continue to see hits for the malvertisements that were directing users to the Magnitude EK gates.

Conclusion

Exploit kits are effective for infecting victim machines without users’ knowledge. Whereas the earlier trend was to infect users with ransomware, in the expectation that a few users would pay to regain access to their data, the focus has shifted to cryptominers and Trojans that steal users’ data and use their system resources to mine cryptocurrency for the attackers. Attackers frequently change their techniques by obfuscating the source code or injecting new exploit code into their EKs, and security researchers analyze and block the new threats by tracking changes in EK behavior.
To help avoid infections from exploit kits, users should always block untrusted third-party scripts and resources, and avoid clicking on suspicious advertisements. Keeping web browsers and browser plugins up to date with the latest patches helps to protect against the common vulnerabilities targeted by exploit kits. The Zscaler ThreatLabZ research team has confirmed coverage for these exploit kits and subsequent payloads, ensuring protection for organizations using the Zscaler Cloud Security Platform.
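The mitigation above, blocking untrusted third-party scripts and resources, is something a site owner can check for and enforce rather than leave to each visitor. The following is an added example, not Zscaler code, that audits a page's active content (script, iframe, embed and object sources) against an allowlist of first-party and trusted hosts, counts inline scripts, and derives a matching Content-Security-Policy `script-src` directive with `object-src 'none'` to keep plugin content such as Flash from loading at all. The sample page, the hostnames (all under the reserved `.test` domain) and the allowlist are constructed for illustration.

```python
"""Audit an HTML page's active-content sources against an allowlist.

Added example (not Zscaler code). The sample page, hostnames and
allowlist are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose attribute pulls executable or plugin content from a URL.
ACTIVE_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

# Constructed page: one trusted CDN script, a relative first-party script,
# one inline script, and three resources from an unrelated ad host.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.net/jquery.js"></script>
<script src="//thirdparty-ads.test/popunder.js"></script>
<script>var a = 1;</script>
</head><body>
<iframe src="https://gate.thirdparty-ads.test/fp.html"></iframe>
<script src="/static/app.js"></script>
<object data="https://flash.thirdparty-ads.test/movie.swf"></object>
</body></html>"""


class ActiveContentParser(HTMLParser):
    """Collect remote active-content URLs and count inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.sources = []        # (tag, url) for each remote active resource
        self.inline_scripts = 0  # <script> elements without a src attribute

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_ATTRS.get(tag)  # html.parser lowercases tag names
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url:
            self.sources.append((tag, url))
        elif tag == "script":
            self.inline_scripts += 1


def audit_page(html, page_host, allowed_hosts):
    """Return third-party active sources, inline-script count and a CSP suggestion.

    Relative URLs have no host and are treated as first party. Protocol-relative
    URLs (//host/...) are resolved by urlparse and checked like absolute ones.
    """
    parser = ActiveContentParser()
    parser.feed(html)
    allowed = {page_host, *allowed_hosts}
    third_party = []
    for tag, url in parser.sources:
        host = urlparse(url).hostname
        if host and host not in allowed:
            third_party.append((tag, host))
    # script-src limits JavaScript to self plus the allowlist; object-src 'none'
    # blocks plugin content (Flash and similar) regardless of origin.
    csp = ("script-src 'self' "
           + " ".join(f"https://{h}" for h in sorted(allowed_hosts))
           + "; object-src 'none'")
    return {"third_party": third_party,
            "inline_scripts": parser.inline_scripts,
            "csp": csp}


if __name__ == "__main__":
    report = audit_page(SAMPLE_PAGE, "www.example.com", ["cdn.example.net"])
    for tag, host in report["third_party"]:
        print(f"third-party {tag} from {host}")
    print("inline scripts:", report["inline_scripts"])
    print("Content-Security-Policy:", report["csp"])
```

Run against the constructed page, the audit flags the popunder script, the fingerprinting iframe and the Flash object as third-party, leaves the CDN and relative scripts alone, and proposes a policy that would block those three sources if served as a response header. Inline scripts are reported separately because a strict `script-src` without `'unsafe-inline'` also blocks them, so a site needs to know how many it has before tightening the policy.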