Introduction
Every now and then I like to poke around on the internet and find malware samples, packet captures, challenges, etc. to mess around and have fun with. The following packet capture was obtained from http://www.malware-traffic-analysis.net. My objective in these posts is to solve them myself in my own style and post my analysis in the hope of helping and entertaining other security professionals.
Exploit Kit Overview
There are many different types of exploit kits out there. At the time of this blog post, perhaps four of the more famous ones are named Angler, Rig, Nuclear, and Neutrino. Although they have different names, they fundamentally operate in the same way. This section gives a brief overview of how exploit kits work. Shown below are five components of an exploit kit to think about during an investigation.
- Initial delivery
  - Legitimate compromised site, malicious email link, malvertising, etc.
- Gateway (optional)
  - A gateway is essentially an initial screening mechanism.
  - Ex: Only try to exploit Windows machines.
- Landing Page
  - The landing page is where the magic happens. Here, the landing page gathers information about the victim and chooses an exploit based on its results.
- Exploit
  - Exploit kits generally target applications such as Adobe Flash Player, Silverlight, Java, and web browsers, but are not limited to these. If the landing page finds a vulnerable application, it delivers the corresponding exploit for that vulnerability.
- Payload
  - Exploit kits can drop whatever they wish as their payload. In this example, I will be investigating a case where the payload is Spora ransomware.
Investigation
This particular investigation is composed of the following:
- Initial delivery = compromised website
- Gateway (optional) = There is no gateway in this example
- Landing Page = Rig Exploit Kit
- Exploit = Shockwave Flash
- Payload = Spora Ransomware
While investigating the compromised website I ran across an interesting snippet of JavaScript that had been injected at the bottom of the webpage. In short, this section of the JavaScript is creating an inline frame (iframe) to load the Rig-V exploit kit landing page. From here the exploit kit will try to determine if the victim is vulnerable to any of its exploits. If so, it will attempt to compromise the victim's machine with its chosen exploit. All of this is happening in the background without the end user knowing. All the end user did was browse to a completely legitimate website.
In this case, the exploit kit determined that the victim was running a vulnerable version of Adobe Shockwave Flash. You can determine this by looking at the packet capture and seeing the "CWS" file header at the start of the server response body. When looking at this type of material it's a good idea to look at the file headers and footers and not rely on the Content-Type HTTP header. The only part of the server response that is required is the status line with its response code. Every other header is optional and can be set to anything the server wishes.
After carving the Shockwave Flash file out of the packet capture, I submitted the SHA1 hash of the file to VirusTotal and got the results shown below. The objective of this Shockwave Flash file is to act as a downloader and install other malware (in this case, the Spora ransomware). I was going to include a host-based analysis of this ransomware, but I figured this post was already getting lengthy and thought it might be good for another day.
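The header check and carving step described above, as an added example that is not from the original post: a small triage helper that splits a raw (non-chunked, unencoded) HTTP response, identifies a Flash file by its FWS/CWS/ZWS signature instead of trusting the Content-Type header, and hashes the carved body for a VirusTotal lookup. The sample response is constructed here for illustration and is not from the capture.

```python
import hashlib

# SWF signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGIC = {b"FWS": "swf-uncompressed", b"CWS": "swf-zlib", b"ZWS": "swf-lzma"}


def split_http_response(raw: bytes):
    """Split a raw, non-chunked HTTP response into (status line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def identify_swf(body: bytes):
    """Parse the 8-byte SWF header: 3-byte signature, version, little-endian length."""
    kind = SWF_MAGIC.get(body[:3])
    if kind is None or len(body) < 8:
        return None
    return {"kind": kind, "version": body[3],
            "declared_length": int.from_bytes(body[4:8], "little")}


def triage_response(raw: bytes):
    """Compare the declared Content-Type with what the body's magic bytes say."""
    status, headers, body = split_http_response(raw)
    swf = identify_swf(body)
    declared = headers.get("content-type", "<missing>")
    return {
        "status": status,
        "declared_content_type": declared,
        "carved_type": swf["kind"] if swf else "unknown",
        # A Flash body served under a non-Flash Content-Type is worth a closer look.
        "content_type_mismatch": swf is not None and "shockwave-flash" not in declared.lower(),
        "sha1": hashlib.sha1(body).hexdigest(),  # hash of the carved file, for VirusTotal
        "swf": swf,
    }


# Constructed sample: a response claiming text/html whose body is a zlib-compressed SWF
# (version 13, declared uncompressed length 4096, followed by filler bytes).
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                   b"CWS" + bytes([13]) + (4096).to_bytes(4, "little") + b"\x78\x9c" + b"\x00" * 16)

if __name__ == "__main__":
    for key, value in triage_response(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```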