Analyzing KaiXin Exploit Kit
First
Yesterday, the activity of KaiXin Exploit Kit was reported by Brad.
I began learning about EKs in February 2017. Therefore, I didn't know about KaiXin EK, so I tried to analyze it.
What is KaiXin Exploit Kit
According to "Recent example of KaiXin exploit kit", KaiXin EK has been observed since August 2012. It is mainly used in attack campaigns targeting China, and in recent years almost no activity has been reported. What kind of mechanism does it use to attack?
Traffic Chain
First, I will briefly introduce the chain of traffic generated by KaiXin EK. Please look at the images.
When KaiXin EK's landing page is accessed, multiple attack codes are loaded. The attack code branches depending on the user's environment (IE, JRE, Flash Player version, etc.). Ultimately, if the user is an attack target, malware (an exe file) is downloaded and executed.
The next stage branches on the version information of JRE or IE.
For example, if the JRE version is between 17006 and 17011, the Java applet "EyDsJd.jar" is loaded. At that time, the URL of the malware ("11.7.exe") is passed as an argument, and the jar downloads and executes that malware by exploiting a vulnerability in JRE.
The vulnerabilities used by each jar file are these.
After that, the EK uses vulnerabilities in software other than JRE.
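As an added example (not part of the original analysis or of any tool mentioned in it), the chain described above can be hunted for in proxy logs: an HTML page, then a jar or swf from the same host, then an exe downloaded by the same client shortly afterwards. The log format, host names, client addresses and the 60-second window are assumptions; the file names are the ones seen in this post.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy records: time, client IP, URL. Hosts and IPs are
# placeholders; records are assumed to be sorted by time.
SAMPLE_LOG = """\
2017-08-01T10:00:00 10.0.0.5 http://landing.example.test/index.html
2017-08-01T10:00:01 10.0.0.5 http://landing.example.test/RfVvPx.html
2017-08-01T10:00:02 10.0.0.5 http://landing.example.test/EyDsJd.jar
2017-08-01T10:00:05 10.0.0.5 http://files.example.test/11.7.exe
2017-08-01T10:03:00 10.0.0.9 http://vendor.example.test/setup.exe
2017-08-01T10:04:00 10.0.0.7 http://intranet.example.test/tool.jar
"""

WINDOW = timedelta(seconds=60)   # assumed correlation window
PLUGIN_EXT = (".jar", ".swf")    # content handed to the JRE / Flash Player


def parse(log):
    """Yield (time, client, host, lowercased path, url) per record."""
    for line in log.splitlines():
        ts, client, url = line.split()
        parts = urlsplit(url)
        yield datetime.fromisoformat(ts), client, parts.hostname, parts.path.lower(), url


def find_chains(log, window=WINDOW):
    """Return (client, plugin_url, exe_url) for each html -> jar/swf -> exe run."""
    html_seen = {}    # (client, host) -> time of the last HTML page
    plugin_seen = {}  # client -> (time, url) of jar/swf loaded right after a page
    hits = []
    for ts, client, host, path, url in parse(log):
        if path.endswith((".html", ".htm")):
            html_seen[(client, host)] = ts
        elif path.endswith(PLUGIN_EXT):
            page = html_seen.get((client, host))
            if page is not None and ts - page <= window:
                plugin_seen[client] = (ts, url)
        elif path.endswith(".exe"):
            # The exe may be served from another host, so match on client only.
            prev = plugin_seen.get(client)
            if prev is not None and ts - prev[0] <= window:
                hits.append((client, prev[1], url))
    return hits


if __name__ == "__main__":
    for client, plugin_url, exe_url in find_chains(SAMPLE_LOG):
        print(f"{client}: {plugin_url} -> {exe_url}")
```

The lone exe download and the jar fetched without a preceding page on the same host are not flagged; only the full three-step sequence is.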
Let's look at each of the html files that are being loaded.
RfVvPx.html
"RfVvPx.html" is always loaded. It attacks Adobe Flash Player vulnerabilities.
It uses the version information of Flash Player and IE to change the swf file to be loaded. I don't know swf, but the EK downloads and executes malware using some Adobe Flash Player vulnerability.
XsSgBz.html
"XsSgBz.html" is loaded when the user is using Edge on Windows 10. This html attacks CVE-2016-7200 and CVE-2016-7201. These vulnerabilities were used in multiple EKs. Details are described on Kafeine's blog.
The first part contains the code to decode the URL of the download destination and the shellcode to download and execute the malware.
The shellcode is published on GitHub below.
The second part is an exploit for Microsoft Edge (CVE-2016-7200 and CVE-2016-7201). It almost matches the code published on the following GitHub page, with just the comments etc. deleted.
OvTiFx.html and HiFyUd.html
"OvTiFx.html" and "HiFyUd.html" use CVE-2016-0189. This vulnerability is also used in RigEK and others. For details, please see here.
Malware
This malware is used by KaiXin EK. I cannot identify it. Please tell me if you can analyze it.
MD5 : 1a1929f525a710c81dfb7873ddad9d33
SHA256 : f710f3c77276e7082d68d365413a658d80b6cac66c8b0c9a67b20426259a2035
Finally
KaiXin EK didn't have a very complicated mechanism, but its logic was interesting. The vulnerabilities used by the EK are old and not very strong, but I enjoyed the analysis ;)
Zip archive of the IOC files is here