Analyzing GrandSoft Exploit Kit
First
I didn't know GrandSoft EK several weeks ago. Because GrandSoft EK was active around 2012~13, but I started studying web security since 2017. I thought he was the same as a lot of EKs that was not active. However, as Kafeine tweeted on January 30, they resumed their activities.Hello again GrandSoft EK. Dropping ... GandCrab pic.twitter.com/yfjzju16KG— Kafeine (@kafeine) 2018年1月30日
Looking at this tweet, I immediately investigated GrandSoft EK. Even if I search "GrandSoft Exploit Kit" on Google, I didn't get much info (only Kafeine's awesome blogs were found). But these were written in 2012~13 (a little old).
http://malware.dontneedcoffee.com/2012/10/neosploit-now-showing-bh-ek-20-like.html
http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft.html
When you look at MISP Galaxy, you get info about it.
https://github.com/MISP/misp-galaxy/blob/master/clusters/exploit-kit.json#L323-L338
According to this, GrandSoft EK was active around 2012~13. It seems that it has not been observed since March 2014. This info is old. When you search on Twitter, there are records that were observed in September 2017.
Whaaat ?! GrandSoft Exploit Kit used to spread zloader in ESP/ITA with CVE-2016-0189.— Kafeine (@kafeine) 2017年9月22日
cc/tx @malc0de @EKwatcher @jspchc pic.twitter.com/TwOB0lm3jM
After this, for the time being a blank, events of the other day occur. In January 2018, it was observed that GrandSoft EK is sending GandCrab.
https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
https://zerophagemalware.com/2018/02/10/grandsoft-ek-via-slots-drops-leviarcoin-miner/
Jerome and Zerophage wrote wonderful articles. Just reading these can get a lot of info about attacks. But I knew a little about what is not written in these. So, I write some of the info I got here.
Traffic Analysis
I analyze this traffic this time. Please refer my saz file if necessary.https://traffic.moe/2018/02/09/index.html
The beginning is the ad network. When you browse legitimate websites, you reach the Gate of attack campaign (some people call this "Slots Campaign") from certain ad networks.
Please see this for "Slots Campaign".
Check out my blogpost - A new #RigEK campaign #Slots dropping #XMRig minerhttps://t.co/byEJOmA551https://t.co/jAmlTsq2e9@CheckPointSW— Aviran Hazum (@MrHazum) 2018年2月8日
CC: @nao_sec @VK_Intel @malware_traffic
In Slots Campaign's Gate, redirect is done by HTTP Location Header. This will reach the Landing Page of GrandSoft EK.
The Landing Page checks the user's environment. He gets the info as URL strings and sends attack codes.
GrandSoft EK only uses CVE-2016-0189. CVE-2016-0189 is frequently used in other EK. It's no longer fun itself. However, GrandSoft EK code is a little different from other EK. Let's see the GrandSoft EK code.
https://gist.github.com/anonymous/3dfd73cb212ecfe4c100bd356e429403
GrandSoft EK is mixing unnecessary code. Deleting all of them will result in a familiar code. For example, these codes are not necessary.
z9TmaQnrKIX = "Set t7BdKL = New Q6dZEWZ End Function End Function "
Dim Q0GzfxxyDx2
GrandSoft EK is different from the current code around January 30th. There was another obfuscation in the past. This is the previous code. This was a bit annoying...
https://gist.github.com/anonymous/089810f4581b86edf27827a0a4ebeff4
Well, you deobfuscate this, basically it's the same code as other EK. What is different is the process of generating a URL for downloading malware and the process of decrypting the downloaded file by it.
A value called "keyRand" is generated and becomes part of the URL. "keyRand" is also used to decrypt files. Like RIG, GrandSoft EK downloads RC4 encoded malware.
"arcnsave" is also in RIG. Such a code.
For this reason, encryption key is not hard-coded. In order to know the key, it's necessary to obtain the URL from the traffic.