CVE-2018-8174 exploit code published in 2018-05-21.
GrandSoft Exploit Kit used to be CVE-2016-0189 before. Now, it's using CVE-2018-8174. It's almost the same as PoC, except that some obfuscation has been added. However shellcode is unique. Previously VBScript (CVE-2016-0189) code generated cryptographic keys and decoded the payload. It was changed to doing in shellcode.
Previously flow is as follows: Random Number Generation -> Generate key Using Random Number -> Add the key to the End of URL -> Download Encrypted Malware -> Decode by the key
new flow is as follows: Random key Generation -> Add the key to the End of URL -> Download Encrypted Malware -> Decode by the key
* in shellcode
TrafficFirst let's see the recent GrandSoft traffic. The link of saz file is introduced in Kafeine's blog.
Looking at this saz file, it looks like the following.
The flow of traffic is the same. It consists of Landing Page, Exploit and Malware. CVE-2018-8174 is used for exploit, which downloads and executes malware. Malware payload is encrypted. Therefore, the shellcode decrypts the malware using some numerical values of the URL.
CVE-2018-8174For technical explanation of CVE-2018-8174 please refer to other articles.
Actually the code used in GrandSoft is like this.
Dead code is included, but it is basically the same as PoC. What is different is PoC with GetShellcode part. GrandSoft's GetShellcode function has been renamed to the c111111 function, and it is such a function.
Shellcode calls API using hash, however this hash differs from well-known one.
Shellcode Hash Algorithm is ror14AddHash32.
pseudocode is as follows:
Shellcode uses GetTickCount function to generate keys.
Decoding algorithm was not changed as of vbs.
pseudocode is as follows:
GrandSoft got CVE-2018-8174. This may be a bit more powerful. Shellcode is a little characteristic. Enjoy analysis of shellcode!
FirstI didn't know GrandSoft EK several weeks ago. Because GrandSoft EK was active around 2012~13, but I started studying web security since 2017. I thought he was the same as a lot of EKs that was not active. However, as Kafeine tweeted on January 30, they resumed their activities.
Looking at this tweet, I immediately investigated GrandSoft EK. Even if I search "GrandSoft Exploit Kit" on Google, I didn't get much info (only Kafeine's awesome blogs were found). But these were written in 2012~13 (a little old).
When you look at MISP Galaxy, you get info about it.
According to this, GrandSoft EK was active around 2012~13. It seems that it has not been observed since March 2014. This info is old. When you search on Twitter, there are records that were observed in September 2017.
After this, for the time being a blank, events of the other day occur. In January 2018, it was observed that GrandSoft EK is sending GandCrab.
Jerome and Zerophage wrote wonderful articles. Just reading these can get a lot of info about attacks. But I knew a little about what is not written in these. So, I write some of the info I got here.
Traffic AnalysisI analyze this traffic this time. Please refer my saz file if necessary.
The beginning is the ad network. When you browse legitimate websites, you reach the Gate of attack campaign (some people call this "Slots Campaign") from certain ad networks.
Please see this for "Slots Campaign".
In Slots Campaign's Gate, redirect is done by HTTP Location Header. This will reach the Landing Page of GrandSoft EK.
The Landing Page checks the user's environment. He gets the info as URL strings and sends attack codes.
GrandSoft EK only uses CVE-2016-0189. CVE-2016-0189 is frequently used in other EK. It's no longer fun itself. However, GrandSoft EK code is a little different from other EK. Let's see the GrandSoft EK code.
GrandSoft EK is mixing unnecessary code. Deleting all of them will result in a familiar code. For example, these codes are not necessary.
z9TmaQnrKIX = "Set t7BdKL = New Q6dZEWZ End Function End Function "
GrandSoft EK is different from the current code around January 30th. There was another obfuscation in the past. This is the previous code. This was a bit annoying...
Well, you deobfuscate this, basically it's the same code as other EK. What is different is the process of generating a URL for downloading malware and the process of decrypting the downloaded file by it.
A value called "keyRand" is generated and becomes part of the URL. "keyRand" is also used to decrypt files. Like RIG, GrandSoft EK downloads RC4 encoded malware.
"arcnsave" is also in RIG. Such a code.
For this reason, encryption key is not hard-coded. In order to know the key, it's necessary to obtain the URL from the traffic.
GrandSoft EK is not an advanced EK. But there was a little fun feature. I want to follow up on future updates😊