blackhat ppt 20170316...api server database server landing server update server exploits fingerprint...
-
Counter Infiltration: Future-Proof Counter Attacks Against Exploit Kit Infrastructure
-
About Us
Hiroshi Kumagai, Senior Researcher, Cyber Security Laboratory, PwC, Japan
Masaki Kamizono, Head of Laboratory, Cyber Security Laboratory, PwC, Japan
Yin Minn Pa Pa, Ph.D., Researcher, Cyber Security Laboratory, PwC, Japan
Takahiro Kasama, Ph.D., Senior Researcher, Cyber Security Laboratory, NICT, Japan
-
Introduction
Exploit Kit Operator
Traffic Direction System
Proxies
Panel Server
API Server
Database Server
Landing Server
Update Server
Exploits
Fingerprint Server
-
Take-away
Inner Workings
Choke Points
Weaknesses
How to Counter Attack
-
What Exploit Kits?
[Timeline, 2015 to 2018, of the exploit kits analysed: RIG 2.0, RIG 3.0, RIG 4.0, Nebula, Disdain, Sundown, Pirate, Hunter, Neptune, BEPS/Sundown]
• YES, it works
• YES YES YES, even more…..
• RICH
• Current customers?
• IoC
-
Outline
• Inner Workings
• Potential Attacks
• Demonstrate Attack
• Future Possibilities
-
RIG 2.0
-
Attack Infrastructure (diagram)
Components: Victim (Browser), Malicious Site, TDS, Proxy, VDS, Panel Server (MySQL)
• Victim: Access compromised site → Redirect to TDS → Redirected to TDS Server → Redirected to Proxy Server → Fingerprinted → Exploited → Payload
• TDS: Get proxy url with API; Redirect Victim to Proxy
• Proxy (proxy.php): Update proxy info using API; Decrypt VDS domain; Proxy traffic
• VDS (core.php): Fingerprint Victim (OS, Browser, Location, Hash); Send Victim info; Exploit Victim; Receive Payload from Panel server; Send payload to victim
• Panel Server (api.php): Proxy Info; VDS Info
• Panel Server (download.php): Parse Fingerprint data from core.php; Get appropriate payload; Update statistics; Update Victim Info
-
Panel Server (Admin)
-
Panel Server (Admin)
-
Panel Server (User)
-
API for Proxy
“http://panel_server_domain/api.php?apitoken=l3SKfPrFJx_ESYjDJunDTaNXPBbaHE3SzYuckOM”
-
Inside the Leaked DB
Table name | Table structure | Sample data | No. of rows
exploits | id, name, fault | - | -
files | id, user_id, file, filename, file size, avcheck | exe files | 2
flows | id, user_id, file_id, last_token | 39, 127, 2, 1496975943 | 14
options | id, option_name, option_value | 2, real_path, /var/www/html/hitfm | 7
proxy | id, url, description, last_check | 494, http://tree.changesomelives.com, , 0 | 23
tarif | id, user_id, len | 400, 131, 1514753999 | 62
traff | id, ip, os, br, cc, us, referer, exp, user_id, flow_id, hash | '20756', '94.156.115.146', 'Windows 7', 'MSIE 11.0', 'BG', 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko', 'oxprxt.tk', 'flash', '133', '51', '390cc1ddfbdf70c5ff79d5d63c565b1b' | 6882
userrights | id, name, rights | 1, admin, admin | 2
users | id, user_login, user_pass, rights, color, first_time, last_time, description, sid | 134, ferdigstudios, a3a5823e48cccf107cf1eba5f2cdaa2d, user, 0000FF, 1423277805, 1496974143, , a1a6557378ea20856aac56fa4229113 | 8
vds | id, ip, description | 1, http://94.23.207.221/core_hit.php, | 1
-
Inside the Leaked DB
Exploit | Count
unknown | 5662
ie10 | 793
flash | 263
msie | 135
silver | 21

Browser | Count
MSIE 11.0 | 2988
MSIE 8.0 | 1198
Unknown | 795
MSIE 9.0 | 766
MSIE 7.0 | 656
MSIE 10.0 | 430
MSIE 6.0 | 40
Firefox EB11 | 90
Firefox D7F5 | 20

OS | Count
Windows 7 | 2729
Windows 8.1 | 1483
Unknown | 891
Windows XP | 857
Windows Vista | 549
Windows 8 | 169
Windows Server 2003 | 93
Windows 2000 | 90
Windows 98 | 20
Mac OS | 1

Referrer domain | Status of Domain (June 2017)
kouidri.com | 217.23.6.139
hitrigenter.com | NXDomain
oxprxt.tk | NXDomain
www.attentive.pl | 58.128.170.129
www.freesafeip.com | 104.18.46.32, 104.18.47.32
- | 104.25.229.53

Proxy Server Domains | Status of Domain (June 2017)
auto.challenge-this.com | NXDomain
batton.changesomelives.com | 46.182.30.163
blank.challenge-this.com | NXDomain
blog.challenge-this.com | NXDomain
change.changesomelives.com | 46.182.30.163
filter.changesomelives.com | 46.182.30.163
land.recondentalimplants.org | NXDomain
live.captionthephoto.com | NXDomain
log.challenge-this.com | NXDomain
music.captionthephoto.com | NXDomain
one.changesomelives.com | 46.182.30.163
one.recondentalimplants.org | NXDomain
out.challenge-this.com | NXDomain
photo.captionthephoto.com | NXDomain
some.changesomelives.com | 46.182.30.163
tank.captionthephoto.com | NXDomain
ticket.recondentalimplants.org | NXDomain
tree.changesomelives.com | 46.182.30.163
trip.recondentalimplants.org | NXDomain
two.recondentalimplants.org | NXDomain
video.captionthephoto.com | NXDomain
was.captionthephoto.com | NXDomain

Victims by country:
• Total 75 countries
• Italy (3849)
• US (2118)
• Singapore (131)
-
Decoying Proxies
[Same RIG 2.0 attack infrastructure diagram as above, annotated with the panel API URL and the proxy URLs below]
“http://panel_server_domain/api.php?apitoken=l3SKfPrFJx_ESYjDJunDTaNXPBbaHE3SzYuckOM”
“http://proxydomain/proxy.php?PHPSSESID=njrMNruDMh7GCJzBKvPcT7tEMU7PSRnMmdLGyvrPVsbu|ZDA0ZTUyNDA1OWMzN2EwZTEzMTM5ZWZiOGRmNjBhYTk”
-
RIG 4.0
-
Message
-
The Rich?
7.8 Million US$
-
The Rich?
[Chart: Bitcoin Received per month, September 2014 to February 2018; y-axis Bitcoin Amount (0 to 12); periods marked Till RIG 2.0, RIG 3.0, RIG 4.0]
-
Attack Infrastructure (diagram)
Components: Victim (Browser), Malicious Site, TDS Server, Fingerprint Server, Proxy Server, API Server, Landing Server, Panel Server (Web Application, MySQL), Payload Server
• Victim: Access compromised site → Redirect to TDS → Redirected to TDS → Redirected to Fingerprint Server → Fingerprinted → Redirected to Proxy Server → Exploited → Payload
• TDS Server: Get proxy url with API; Redirect to fingerprint & proxy servers
• Fingerprint Server: OS, Browser, Location, Referrer → Fingerprint Info?
• Proxy Server (index.php): Proxying Traffic; Update proxy information using API
• API Server (23.php): Proxy Info; VDS Info?; Update Info
• Landing Server (core.php?): Process fingerprint info; Exploit victim; Get appropriate payload; Payload Exploit?
• Payload Server: Check updates on payload; Connect every 10 minutes; Get Payload
• Hosting locations noted on the diagram: Singapore!!!, Russia (three servers)
-
Panel Server (User)
-
API Link
-
Decoying Proxies
[Same RIG 4.0 attack infrastructure diagram as above]
-
Decoying Proxies
[Chart: Proxy Server IP count; unique IP count (0 to 20) per day from 22-Feb to 5-Mar, plotted for Link 1 and Link 2]
-
Decoying Proxies
• Other users are also using the same proxy
• Change Proxy Randomly
• Total IP - 108 Proxies (5th March 2018)
• Location - Russia
• Hosting - timeweb hosting Russia, telecom.uk
-
Reveal the Hidden IP
-
More and More Proxies
• Insufficient Authentication at API Server
• Get Proxy IP even after subscription period
• Updated Proxy List Till Today is XXXX
-
Directory Listing
-
Peeking at Attackers
• 400 Customers till 2018/02
• 21 Customers Data …..
-
No | Flow ID | Top Country | Hits | Exploits | % | Top Browser | Top OS | Referrer Domains | Exploit Types
1 | 874 (mxmxmx) | Mexico | 9 | 2 | 22.2 | MSIE 11.0 | Windows 10 | 1 | 2
2 | 975 (mx) | Mexico | 5437 | 378 | 7 | MSIE 11.0 | Windows 7 | 9 | 6
3 | 880 | Brazil | 714451 | 94351 | 13.2 | MSIE 11.0 | Windows 7 | 10 | 6
4 | 884 (TRAFF) | United Kingdom | 1 | 0 | 0 | MSIE 8.0 | Windows Vista | 0 | 0
5 | 887 | US | 14982 | 418 | 2.8 | MSIE 11.0 | Windows 7 | 10 | 5
6 | 890 | United Kingdom | 1 | 0 | 0 | MSIE 11.0 | Windows 7 | 0 | 0
7 | 898 (col) | US | 213 | 6 | 2.8 | MSIE 11.0 | Windows 10 | 4 | 2
8 | 899 (korsaisback) | Netherlands | 190 | 4 | 2.1 | MSIE 11.0 | Windows 7 | 10 | 2
9 | 902 | Turkey | 58560 | 7874 | 13.4 | MSIE 11.0 | Windows 7 | 10 | 6
10 | 906 | Turkey | 794 | 96 | 12.1 | MSIE 11.0 | Windows 7 | 1 | 3
11 | 907 | Mexico | 2 | 0 | 0 | MSIE 11.0 | Windows 7 | 1 | 0
12 | 908 (Nutrino) | US | 11 | 0 | 0 | MSIE 11.0 | Windows 10 | 0 | 0
13 | 910 | US | 788 | 28 | 3.6 | MSIE 11.0 | Windows 7 | 1 | 5
14 | 912 (First Server) | US | 2860 | 41 | 1.4 | MSIE 11.0 | Windows 7 | 10 | 3
15 | 913 (Second Server) | US | 3241 | 47 | 1.5 | MSIE 11.0 | Windows 7 | 10 | 3
16 | 914 | Egypt | 140 | 10 | 7.1 | MSIE 11.0 | Windows 7 | 1 | 2
17 | 920 (first) | Brazil | 83293 | 7261 | 8.7 | MSIE 11.0 | Windows 7 | 10 | 6
18 | 921 (Maaa) | Germany | 1 | 1 | 100 | MSIE 8.0 | Windows 7 | 0 | 1
19 | 923 (test) | Taiwan | 5530 | 691 | 12.5 | MSIE 11.0 | Windows 7 | 10 | 6
20 | 927 (test) | US | 110 | 32 | 29.1 | MSIE 7.0 | Windows XP | 10 | 5
21 | 929 | US | 417 | 15 | 3.6 | MSIE 11.0 | Windows 7 | 0 | 2
Total | | | 891,031 | 111,255 | 12.4 | | | 108 | 65
-
RIG 4.0 – Attack Summary
• Decoying Proxy IP with Customer Privilege
• Reveal Hidden IP of Panel Server
• List Directories
• Get More Proxies
• Peeking at Attackers
-
BEPS/ Sundown
-
Attack Infrastructure (diagram)
Components: Victim (Browser), Malicious Site, TDS, Proxy, VDS Server, Panel Server (MySQL), namecheap DNS server, cloudns DNS server
• Victim: Access Compromised Site → Redirect to TDS → Redirected to TDS → Redirected to Proxy → Fingerprinted → Exploited → Payload
• TDS: Get proxy url using API
• Proxy (index.php): Update proxy information using API
• VDS Server (statistics.php, Statistics): Fingerprint victim (OS, Browser, Location); Update Victim info (hits); Self Protection from crawlers; Call landing_$flowid.php
• VDS Server (landing_$flowid.php): Exploit; Update Victim Info (exploited hits)
• VDS Server (z.php): Update hits table; Get appropriate payload
• Panel Server (api.php): Proxy Info
• Panel Server (dga.php, sub.php): Proxy Domain Control → namecheap DNS server (Register Domain, Manage A records, Master proxy domains); cloudns DNS server (Proxy domains)
-
Panel Server (Admin)
-
Panel Server (User)
API Link
-
Data in the Leaked DB
Table Name | Table Structure | Sample Data | Rows
domains | id, name | 622, wallstreetsradar.org | 30
file_scans | id, file, owner, name, hash, rate, result | 217, 750, 59, accelerate.exe, ba3f78935efde883e1c07a890fb71adf5a3ab9a3, 1/35, AVDFree:OK Avast:OK | 218
files | id, owner, name, file, hash, description, timestamp, url | 676, 60, tihjyuu.exe, exe_file, fa35b9cf029d867ee509a3891a1ce643e38ea22, ' ', 1473195774, NULL | 24
flows | id, user_id, file_id, last_token | 126, 60, 738, 1473246262 | 126
hits | id, owner, flow, ip, agent, referrer, country, city, browser, exploited, timestamp, os | 889961, 22, 44, '221.40.158.156', 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko', 'http://nikefukuoka.jp/m/banner.php', 'JP', 'Unknown', 'MSIE 11.0', 0, 1465996320, 'Windows 8.1' | 404,905
proxy | id, url, description, last_check | 10880, http://rig.mexicanvoter.info/index.php, autogenerated, 1473246001 | 9
tokens | token, flow_id, timestamp | 5stcclXg49RSo, 126, 1473246262 | 103
users | id, name, pwd, registered, last_login, last_ip, expiration, uid, comment, token | 40, firebender, $2y$10$dJ6IkN4JMxzqX87SNxQ0oe4rnBCzufIjDV1TZFLpYesd8QZkxPrQm, 1469572046, 1473225147, 185.93.185.229, 1473552000, 1a80cc68, , 95RJctOWpJv0 | 9
vds | id, ip, description | 9, http://109.236.92.187/index.php | 1
-
Data in Hits Table
No | Browser | Count
1 | MSIE 11.0 | 92,425
2 | MSIE 8.0 | 42,115
3 | MSIE 7.0 | 28,195
4 | MSIE 10.0 | 27,125
5 | MSIE 9.0 | 24,215
6 | Chrome 50.0.2661.102 | 5,440
7 | MSIE 6.0 | 4,177
8 | Firefox 46.0 | 1,966
9 | Chrome 46.0.2486.0 | 1,790
10 | Chrome 49.0.2623.112 | 1,071

No | OS | Count
1 | Windows 7 | 136,059
2 | Windows 8 | 22,935
3 | Windows XP | 22,155
4 | Windows 8.1 | 20,443
5 | Windows 10 | 16,862
6 | Windows Vista | 9,703
7 | Unknown | 2,628
8 | Mac OS | 1,591
9 | Linux | 1,442

No | Country | Count
1 | RU (Russia) | 38145
2 | GB (United Kingdom) | 32083
3 | US (United States) | 15316
4 | BR (Brazil) | 14485
5 | JP (Japan) | 14039
6 | IN (India) | 12298
7 | DE (Germany) | 10093
8 | ES (Spain) | 9778
9 | FR (France) | 8357
10 | IT (Italy) | 6389
11 | VN (Vietnam) | 5290

Total victim IP count: 224,727; Referrer URLs: 51,826; Domains: 1,390
-
Attackers List in Database
No | User | Hits | Exploited | Threads (exploit type) | Rate of infection
1 | admin | 223298 | 77588 | - | -
2 | stalin | 10379 | 620 | 3 | 6%
3 | firebender | 13066 | 7644 | 4 | 59%
4 | rfrswefg | 24 | 8 | 2 | 33%
5 | mycucu | 22 | 33 | 2 | 150%
6 | bullxx2 | 24 | 7 | 4 | 29%
7 | djaro | 31 | 15 | 2 | 48%
8 | synkox | 12313 | 2549 | 1 | 21%
9 | Andsdig | 343 | 40 | 1 | 12%
10 | goldendragon | 28294 | 8307 | 3 | 29%
-
Decoy Proxies
http://ablt.mexicanvoter.info/index.php?zX3kA02R2cBabnur=tie3YDn12KddRG32N1kce8FmnhMZmrxBhrlf6mlQwcgmmksnik7V3FDJB
http://panelserver_IP/api.php?sid=9Hbrbjv_nfRcSSPd0al
-
Fake API Access
[Same BEPS/Sundown attack infrastructure diagram as above]
NOT Whitelisted
-
Hunter
-
Attack Infrastructure
-
Panel Server
-
Potential Attacks
• Detect Panel Server
• Find Landing Server
• Related Servers on Internet
-
Neptune
-
Attack Infrastructure
-
Panel Server
-
Potential Attacks
• Fake API Access
• Related Servers on Internet
-
Future Possibilities
-
Leaked Exploit Kits
• RIG
• SAKURA
• BEPS/Sundown
• Hunter
• 0x88
• Neptune
• Siberia
• Sava
• Elenore
• Elenore Exp
• Fragus
• Demon Hunter
• Impassion Frameshit
• adpack-1
• adpack-2
• Armitage
• fiesta
• firepack
• g-pack
• ice-pack
• infector
• mpack
• multisploit
• my-poly-sploit
• RDS
• SmartPack
• Target Exploit
• Tor
• Mushroom
• Bleeding Life
• Crimepack
• DCpp
• Phoenix
• Blackhole
• Ddos
-
Future Possibilities
• Similarity in Attack Infrastructure
• Code Reuse
-
Old Days vs New Days
• Old days: Exploits, Database, Landing Server
• New days: Exploit Kit Operator, Proxies, Panel Server, API Server, Database Server, Landing Server, Update Server, Exploits, Fingerprint Server
-
Code Reuse
-
Exploit kits | Shared code artifact
RIG, Hunter, Neptune (Blaze), BEPS/Sundown | дебаг (Russian: debug)
Demon Hunter, Bleeding Life | CVisitors
Sakura, Armitage | detect_country
0x88, multisploit, RDS, infector | CultureToCountryCode
Mushroom, Elenore | crypt_with_key
ice-pack, Tor | x1.php
Others | adpack, blackhole, crimepack, cry217, dcpp, fiesta, firepack, fragus, g-pack, impassioned FrameShit, mpack, my-poly-sploit, phoenix_2.5, sava, siberia, smartpack, target-exploit
[Chart: Code Reuse, grouped as RIG, Demon Hunter, Sakura, 0x88, Mushroom, Ice-pack, Others]
-
Conclusion
Analyze Leaked Exploit Kits (RIG 2.0, RIG 4.0, BEPS/Sundown, Hunter, Neptune) → Know Inner Workings → Potential Attacks → Prove Attacks → Future Possibilities
-
Final Take-away
Complex, Vulnerable, Take Down
Future-Proof