Counter Infiltration Future-Proof Counter Attacks Against Exploit Kit Infrastructure

blackhat PPT 20170316... API Server, Database Server, Landing Server, Update Server, Exploits, Fingerprint Server. Take-away: Inner Workings, Choke Points, Weaknesses, How to Counter Attack


  • Counter Infiltration: Future-Proof Counter Attacks Against Exploit Kit Infrastructure

  • About Us

    Hiroshi Kumagai, Senior Researcher, Cyber Security Laboratory, PwC, Japan

    Masaki Kamizono, Head of Laboratory, Cyber Security Laboratory, PwC, Japan

    Yin Minn Pa Pa, Ph.D., Researcher, Cyber Security Laboratory, PwC, Japan

    Takahiro Kasama, Ph.D., Senior Researcher, Cyber Security Laboratory, NICT, Japan

  • Introduction

    Exploit Kit Operator

    Traffic Direction System

    Proxies

    Panel Server

    API Server

    Database Server

    Landing Server

    Update Server

    Exploits

    Fingerprint Server

  • Take-away

    Inner Workings

    Choke Points

    Weaknesses

    How to Counter Attack

  • What Exploit Kits?

    [Timeline, 2015 to 2018, of the exploit kits covered: RIG 2.0, RIG 3.0, RIG 4.0, Nebula, Disdain, Sundown, Pirate, Hunter, Neptune, BEPS/Sundown]

    • YES, it works
    • YES YES YES, even more…..
    • RICH
    • Current customers?
    • IoC

  • Outline

    • Inner Workings

    • Potential Attacks

    • Demonstrate Attack

    • Future Possibilities

  • RIG 2.0

  • Attack Infrastructure (diagram labels)

    Components: Victim (Browser), compromised site, TDS, Proxy (proxy.php), VDS (core.php), Panel Server (api.php, download.php, MySQL), Payloads

    Victim flow: Access compromised site, Redirect to TDS (2: Redirected to TDS Server), Redirected to Proxy Server, Malicious Site, Fingerprinted, Exploited, Payload

    TDS: • Get proxy url with API • Redirect Victim to Proxy

    proxy.php: • Decrypt VDS domain • Proxy traffic

    api.php: • Proxy Info • VDS Info (proxies update their proxy info using the API)

    core.php: • Fingerprint Victim • Send Victim info • Exploit Victim • Receive Payload from Panel server • Send payload to victim

    Fingerprint data: • OS • Browser • Location • Hash

    download.php: • Parse Fingerprint data from core.php • Get appropriate payload • Update statistics • Update Victim Info

  • Panel Server (Admin)

  • Panel Server (Admin)

  • Panel Server (User)

  • API for Proxy

    “http://panel_server_domain/api.php?apitoken=l3SKfPrFJx_ESYjDJunDTaNXPBbaHE3SzYuckOM”

  • Inside the Leaked DB

    Table name | Table structure | Sample data | No. rows
    exploits | id, name, fault | - | -
    files | id, user_id, file, filename, file size, avcheck | exe files | 2
    flows | id, user_id, file_id, last_token | 39,127,2,1496975943 | 14
    options | id, option_name, option_value | 2, real_path, /var/www/html/hitfm | 7
    proxy | id, url, description, last_check | 494, http://tree.changesomelives.com,,0 | 23
    tarif | id, user_id, len | 400,131,1514753999 | 62
    traff | id, ip, os, br, cc, us, referer, exp, user_id, flow_id, hash | '20756','94.156.115.146','Windows 7','MSIE 11.0','BG','Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko','oxprxt.tk','flash','133','51','390cc1ddfbdf70c5ff79d5d63c565b1b' | 6882
    userrights | id, name, rights | 1, admin, admin | 2
    users | id, user_login, user_pass, rights, color, first_time, last_time, description, sid | 134, ferdigstudios, a3a5823e48cccf107cf1eba5f2cdaa2d, user, 0000FF, 1423277805, 1496974143,, a1a6557378ea20856aac56fa4229113 | 8
    vds | id, ip, description | 1, http://94.23.207.221/core_hit.php, , | 1

  • Exploit | Count
    unknown | 5662
    ie10 | 793
    flash | 263
    msie | 135
    silver | 21

    Browser | Count
    MSIE 11.0 | 2988
    MSIE 8.0 | 1198
    Unknown | 795
    MSIE 9.0 | 766
    MSIE 7.0 | 656
    MSIE 10.0 | 430
    MSIE 6.0 | 40
    Firefox EB11 | 90
    Firefox D7F5 | 20

    OS | Count
    Windows 7 | 2729
    Windows 8.1 | 1483
    Unknown | 891
    Windows XP | 857
    Windows Vista | 549
    Windows 8 | 169
    Windows Server 2003 | 93
    Windows 2000 | 90
    Windows 98 | 20
    Mac OS | 1

    Referrer domain | Status of Domain (June 2017)
    kouidri.com | 217.23.6.139
    hitrigenter.com | NXDomain
    oxprxt.tk | NXDomain
    www.attentive.pl | 58.128.170.129
    www.freesafeip.com | 104.18.46.32, 104.18.47.32
    - | 104.25.229.53

    Proxy Server Domains | Status of Domain (June 2017)

    Inside the Leaked DB

    • Total 75 countries

    • Italy (3849)

    • US (2118)

    • Singapore (131)


  • Decoying Proxies

    API link: “http://panel_server_domain/api.php?apitoken=l3SKfPrFJx_ESYjDJunDTaNXPBbaHE3SzYuckOM”

    Proxy link: “http://proxydomain/proxy.php?PHPSSESID=njrMNruDMh7GCJzBKvPcT7tEMU7PSRnMmdLGyvrPVsbu|ZDA0ZTUyNDA1OWMzN2EwZTEzMTM5ZWZiOGRmNjBhYTk”

  • RIG 4.0

  • Message

  • 7.8 Million US$

    The Rich?

  • [Chart: Bitcoin Received per month, September 2014 to February 2018; y-axis Bitcoin Amount, 0 to 12; periods marked Till RIG 2.0, RIG 3.0, RIG 4.0]

    The Rich?

  • Attack Infrastructure (diagram labels)

    Components: Victim (Browser), compromised site, TDS Server, Fingerprint Server, Landing Server, Proxy Server, API Server (23.php), Panel Server (Web Application, MySQL), Payload Server; hosting locations marked Singapore!!! and Russia (three servers)

    Victim flow: Access compromised site, Redirect to TDS (2: Redirected to TDS), Redirected to Fingerprint Server, Fingerprinted, Redirected to Proxy Server, Malicious Site, Exploited, Payload (steps 1 to 4)

    TDS Server: • Get proxy url with API • Redirect to fingerprint & proxy servers

    Fingerprint Info?: • OS • Browser • Location • Referrer

    Proxy Server: Proxying Traffic (index.php); Update proxy information using API

    API Server, 23.php: • Proxy Info • VDS Info? (Update Info)

    Landing Server, core.php?: • Process fingerprint info • Exploit victim • Get appropriate payload (Payload Exploit?)

    Payload Server: Check updates on payload; Connect every 10 minutes; Get Payload

  • Panel Server (User)

  • API Link

  • Decoying Proxies

  • [Chart: Proxy Server unique IP count per day, 22-Feb to 5-Mar; y-axis 0 to 20; two series: Link 1, Link 2]

    Decoying Proxies

  • Decoying Proxies

    • Other users are also using same proxy

    • Change Proxy Randomly

    • Total IP - 108 Proxies (5th March 2018)

    • Location - Russia

    • Hosting - timeweb hosting Russia, telecom.uk

  • Reveal the Hidden IP

  • More and More Proxies

    • Insufficient Authentication at API Server

    • Get Proxy IP even after subscription period

    • Updated Proxy List Till Today is XXXX

  • Directory Listing

  • Peeking Attackers

    • 400 Customers till 2018/02

    • 21 Customers Data …..

  • No | Flow ID | Top Country | Hits | Exploits | % | Top Browser | Top OS | Referrer Domains | Exploit Types
    1 | 874 (mxmxmx) | Mexico | 9 | 2 | 22.2 | MSIE 11.0 | Windows 10 | 1 | 2
    2 | 975 (mx) | Mexico | 5437 | 378 | 7 | MSIE 11.0 | Windows 7 | 9 | 6
    3 | 880 | Brazil | 714451 | 94351 | 13.2 | MSIE 11.0 | Windows 7 | 10 | 6
    4 | 884 (TRAFF) | United Kingdom | 1 | 0 | 0 | MSIE 8.0 | Windows Vista | 0 | 0
    5 | 887 | US | 14982 | 418 | 2.8 | MSIE 11.0 | Windows 7 | 10 | 5
    6 | 890 | United Kingdom | 1 | 0 | 0 | MSIE 11.0 | Windows 7 | 0 | 0
    7 | 898 (col) | US | 213 | 6 | 2.8 | MSIE 11.0 | Windows 10 | 4 | 2
    8 | 899 (korsaisback) | Netherlands | 190 | 4 | 2.1 | MSIE 11.0 | Windows 7 | 10 | 2
    9 | 902 | Turkey | 58560 | 7874 | 13.4 | MSIE 11.0 | Windows 7 | 10 | 6
    10 | 906 | Turkey | 794 | 96 | 12.1 | MSIE 11.0 | Windows 7 | 1 | 3
    11 | 907 | Mexico | 2 | 0 | 0 | MSIE 11.0 | Windows 7 | 1 | 0
    12 | 908 (Nutrino) | US | 11 | 0 | 0 | MSIE 11.0 | Windows 10 | 0 | 0
    13 | 910 | US | 788 | 28 | 3.6 | MSIE 11.0 | Windows 7 | 1 | 5
    14 | 912 (First Server) | US | 2860 | 41 | 1.4 | MSIE 11.0 | Windows 7 | 10 | 3
    15 | 913 (Second Server) | US | 3241 | 47 | 1.5 | MSIE 11.0 | Windows 7 | 10 | 3
    16 | 914 | Egypt | 140 | 10 | 7.1 | MSIE 11.0 | Windows 7 | 1 | 2
    17 | 920 (first) | Brazil | 83293 | 7261 | 8.7 | MSIE 11.0 | Windows 7 | 10 | 6
    18 | 921 (Maaa) | Germany | 1 | 1 | 100 | MSIE 8.0 | Windows 7 | 0 | 1
    19 | 923 (test) | Taiwan | 5530 | 691 | 12.5 | MSIE 11.0 | Windows 7 | 10 | 6
    20 | 927 (test) | US | 110 | 32 | 29.1 | MSIE 7.0 | Windows XP | 10 | 5
    21 | 929 | US | 417 | 15 | 3.6 | MSIE 11.0 | Windows 7 | 0 | 2
    Total | | | 891,031 | 111,255 | 12.4 | | | 108 | 65

  • RIG 4.0 – Attack Summary

    • Decoying Proxy IP with Customer Privilege

    • Reveal Hidden IP of Panel Server

    • List Directories

    • Get More Proxies

    • Peeking Attackers

  • BEPS/ Sundown

  • Attack Infrastructure (diagram labels)

    Components: Victim (Browser), compromised site, TDS, Proxy (index.php), VDS Server (landing_$flowid.php, Exploit), Panel Server (api.php, statistics.php, dga.php, sub.php, z.php, MySQL), namecheap DNS server, cloudns DNS server

    Victim flow: Access Compromised Site, Redirect to TDS (Redirected to TDS), Redirected to Proxy, Malicious Site, Fingerprinted, Exploited, Payload (steps 1 to 3)

    TDS: Get proxy url using API

    api.php: Proxy Info (proxies update proxy information using API)

    statistics.php: Statistics

    dga.php, sub.php: Proxy Domain Control; namecheap DNS server: Register Domain, Manage A records, Master proxy domains; cloudns DNS server: Proxy domains

    index.php: • Fingerprint victim • Update Victim info • Self Protection from crawlers • Call landing_$flowid.php

    Fingerprinted: OS, Browser, Location; Update Victim Info (hits); Update Victim Info (exploited hits)

    z.php: • Update hits table • Get appropriate payload

  • Panel Server (Admin)

  • Panel Server (User)

    API Link

  • Data in the Leaked DB

    Table Name | Table Structure | Sample Data | Rows
    domains | id, name | 622, wallstreetsradar.org | 30
    file_scans | id, file, owner, name, hash, rate, result | 217, 750, 59, accelerate.exe, ba3f78935efde883e1c07a890fb71adf5a3ab9a3, 1/35, AVDFree:OK Avast:OK | 218
    files | id, owner, name, file, hash, description, timestamp, url | 676, 60, tihjyuu.exe, exe_file, fa35b9cf029d867ee509a3891a1ce643e38ea22, ' ', 1473195774, NULL | 24
    flows | id, user_id, file_id, last_token | 126, 60, 738, 1473246262 | 126
    hits | id, owner, flow, ip, agent, referrer, country, city, browser, exploited, timestamp, os | 889961, 22, 44, '221.40.158.156', 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko', 'http://nikefukuoka.jp/m/banner.php', 'JP', 'Unknown', 'MSIE 11.0', 0, 1465996320, 'Windows 8.1' | 404,905
    proxy | id, url, description, last_check | 10880, http://rig.mexicanvoter.info/index.php, autogenerated, 1473246001 | 9
    tokens | token, flow_id, timestamp | 5stcclXg49RSo, 126, 1473246262 | 103
    users | id, name, pwd, registered, last_login, last_ip, expiration, uid, comment, token | 40, firebender, $2y$10$dJ6IkN4JMxzqX87SNxQ0oe4rnBCzufIjDV1TZFLpYesd8QZkxPrQm, 1469572046, 1473225147, 185.93.185.229, 1473552000, 1a80cc68, , 95RJctOWpJv0 | 9
    vds | id, ip, description | 9, http://109.236.92.187/index.php | 1

  • Data in Hits Table

    No | Browser | Count
    1 | MSIE 11.0 | 92,425
    2 | MSIE 8.0 | 42,115
    3 | MSIE 7.0 | 28,195
    4 | MSIE 10.0 | 27,125
    5 | MSIE 9.0 | 24,215
    6 | Chrome 50.0.2661.102 | 5,440
    7 | MSIE 6.0 | 4,177
    8 | Firefox 46.0 | 1,966
    9 | Chrome 46.0.2486.0 | 1,790
    10 | Chrome 49.0.2623.112 | 1,071

    No | OS | Count
    1 | Windows 7 | 136,059
    2 | Windows 8 | 22,935
    3 | Windows XP | 22,155
    4 | Windows 8.1 | 20,443
    5 | Windows 10 | 16,862
    6 | Windows Vista | 9,703
    7 | Unknown | 2,628
    8 | Mac OS | 1,591
    9 | Linux | 1,442

    No | Country | Count
    1 | RU (Russia) | 38145
    2 | GB (United Kingdom) | 32083
    3 | US (United States) | 15316
    4 | BR (Brazil) | 14485
    5 | JP (Japan) | 14039
    6 | IN (India) | 12298
    7 | DE (Germany) | 10093
    8 | ES (Spain) | 9778
    9 | FR (France) | 8357
    10 | IT (Italy) | 6389
    11 | VN (Vietnam) | 5290

    Total victim IP count is 224,727; Referrer URLs 51,826; Domains 1,390

  • Attackers List in Database

    No | User | Hits | Exploited | Threads (exploit type) | Rate of infection
    1 | admin | 223298 | 77588 | - | -
    2 | stalin | 10379 | 620 | 3 | 6%
    3 | firebender | 13066 | 7644 | 4 | 59%
    4 | rfrswefg | 24 | 8 | 2 | 33%
    5 | mycucu | 22 | 33 | 2 | 150%
    6 | bullxx2 | 24 | 7 | 4 | 29%
    7 | djaro | 31 | 15 | 2 | 48%
    8 | synkox | 12313 | 2549 | 1 | 21%
    9 | Andsdig | 343 | 40 | 1 | 12%
    10 | goldendragon | 28294 | 8307 | 3 | 29%

  • Decoy Proxies

    Proxy link: http://ablt.mexicanvoter.info/index.php?zX3kA02R2cBabnur=tie3YDn12KddRG32N1kce8FmnhMZmrxBhrlf6mlQwcgmmksnik7V3FDJB

    API link: http://panelserver_IP/api.php?sid=9Hbrbjv_nfRcSSPd0al

  • Fake API Access

    Same attack infrastructure diagram as above; additional label: NOT Whitelisted

  • Hunter

  • Attack Infrastructure

  • Panel Server

  • Potential Attacks

    • Detect Panel Server

    • Find Landing Server

    • Related Servers on Internet

  • Neptune

  • Attack Infrastructure

  • Panel Server

  • Potential Attacks

    • Fake API Access

    • Related Servers on Internet

  • Future Possibilities

  • Leaked Exploit Kits

    • RIG, SAKURA, BEPS/Sundown, Hunter, 0x88, Neptune, Siberia, Sava, Elenore, Elenore Exp, Fragus, Demon Hunter, Impassion Frameshit

    • adpack-1, adpack-2, Armitage, fiesta, firepack, g-pack, ice-pack, infector, mpack, multisploit, my-poly-sploit, RDS, SmartPack

    • Target Exploit, Tor, Mushroom, Bleeding Life, Crimepack, DCpp, Phoenix, Blackhole, Ddos

  • Future Possibilities

    • Similarity in Attack Infrastructure

    • Code Reuse

  • Old Days vs New Days

    Old days: Exploits, Database, Landing Server

    New days: Proxies, Panel Server, API Server, Database Server, Landing Server, Update Server, Exploits, Fingerprint Server, Exploit Kit Operator

  • Code Reuse

  • Exploit kits | Shared code
    RIG, Hunter, Neptune (Blaze), BEPS/Sundown | дебаг
    Demon Hunter, Bleeding Life | CVisitors
    Sakura, Armitage | detect_country
    0x88, multisploit, RDS, infector | CultureToCountryCode
    Mushroom, Elenore | crypt_with_key
    ice-pack, Tor | x1.php

    Other kits examined: adpack, blackhole, crimepack, cry217, dcpp, fiesta, firepack, fragus, g-pack, impassioned FrameShit, mpack, my-poly-spolit, phoenix_2.5, sava, siberia, smartpack, target-exploit

    [Chart: Code Reuse, shares per family: RIG, Demon Hunter, Sakura, 0x88, Mushroom, Ice-pack, Others]

  • Conclusion

    Analyze Leaked Exploit Kits, Know Inner Workings, Potential Attacks, Prove Attacks, Future Possibilities

    RIG 4.0, RIG 2.0, BEPS/Sundown, Hunter, Neptune

  • Final Take-away

    Complex, Vulnerable, Take Down, Future-Proof