Analyzing Shellcode of GrandSoft's CVE-2018-8174

First

CVE-2018-8174 exploit code published in 2018-05-21.
https://www.exploit-db.com/exploits/44741/

GrandSoft Exploit Kit used to be CVE-2016-0189 before. Now, it's using CVE-2018-8174. It's almost the same as PoC, except that some obfuscation has been added. However shellcode is unique. Previously VBScript (CVE-2016-0189) code generated cryptographic keys and decoded the payload. It was changed to doing in shellcode.

Previously flow is as follows:
    Random Number Generation -> Generate key Using Random Number -> 
    Add the key to the End of URL -> Download Encrypted Malware -> 
    Decode by the key

new flow is as follows:
    Random key Generation ->  Add the key to the End of URL -> 
    Download Encrypted Malware -> Decode by the key

      in shellcode

Traffic

First let's see the recent GrandSoft traffic. The link of saz file is introduced in Kafeine's blog.
https://malware.dontneedcoffee.com/2018/05/CVE-2018-8174.html

Looking at this saz file, it looks like the following.


The flow of traffic is the same. It consists of Landing Page, Exploit and Malware. CVE-2018-8174 is used for exploit, which downloads and executes malware. Malware payload is encrypted. Therefore, the shellcode decrypts the malware using some numerical values of the URL.

CVE-2018-8174

For technical explanation of CVE-2018-8174 please refer to other articles.
https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/

Actually the code used in GrandSoft is like this.

Dead code is included, but it is basically the same as PoC. What is different is PoC with GetShellcode part. GrandSoft's GetShellcode function has been renamed to the c111111 function, and it is such a function.


Shellcode

Shellcode calls API using hash, however this hash differs from well-known one.




Shellcode Hash Algorithm is ror14AddHash32.
pseudocode is as follows:



Shellcode uses GetTickCount function to generate keys.


Decoding algorithm was not changed as of vbs.


pseudocode is as follows:


Conclusion

GrandSoft got CVE-2018-8174. This may be a bit more powerful. Shellcode is a little characteristic. Enjoy analysis of shellcode!

Analyzing GrandSoft Exploit Kit

First

I didn't know GrandSoft EK several weeks ago. Because GrandSoft EK was active around 2012~13, but I started studying web security since 2017. I thought he was the same as a lot of EKs that was not active. However, as Kafeine tweeted on January 30, they resumed their activities.

Hello again GrandSoft EK. Dropping ... GandCrab pic.twitter.com/yfjzju16KG
— Kafeine (@kafeine) 2018年1月30日

Looking at this tweet, I immediately investigated GrandSoft EK. Even if I search "GrandSoft Exploit Kit" on Google, I didn't get much info (only Kafeine's awesome blogs were found). But these were written in 2012~13 (a little old).

http://malware.dontneedcoffee.com/2012/10/neosploit-now-showing-bh-ek-20-like.html
http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft.html

When you look at MISP Galaxy, you get info about it.


https://github.com/MISP/misp-galaxy/blob/master/clusters/exploit-kit.json#L323-L338

According to this, GrandSoft EK was active around 2012~13. It seems that it has not been observed since March 2014. This info is old. When you search on Twitter, there are records that were observed in September 2017.

Whaaat ?! GrandSoft Exploit Kit used to spread zloader in ESP/ITA with CVE-2016-0189.
cc/tx @malc0de @EKwatcher @jspchc pic.twitter.com/TwOB0lm3jM
— Kafeine (@kafeine) 2017年9月22日

After this, for the time being a blank, events of the other day occur. In January 2018, it was observed that GrandSoft EK is sending GandCrab.

https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
https://zerophagemalware.com/2018/02/10/grandsoft-ek-via-slots-drops-leviarcoin-miner/

Jerome and Zerophage wrote wonderful articles. Just reading these can get a lot of info about attacks. But I knew a little about what is not written in these. So, I write some of the info I got here.

Traffic Analysis

I analyze this traffic this time. Please refer my saz file if necessary.

https://traffic.moe/2018/02/09/index.html

The beginning is the ad network. When you browse legitimate websites, you reach the Gate of attack campaign (some people call this "Slots Campaign") from certain ad networks.

Please see this for "Slots Campaign".

Check out my blogpost - A new #RigEK campaign #Slots dropping #XMRig minerhttps://t.co/byEJOmA551https://t.co/jAmlTsq2e9@CheckPointSW
CC: @nao_sec @VK_Intel @malware_traffic
— Aviran Hazum (@MrHazum) 2018年2月8日

In Slots Campaign's Gate, redirect is done by HTTP Location Header. This will reach the Landing Page of GrandSoft EK.


The Landing Page checks the user's environment. He gets the info as URL strings and sends attack codes.


GrandSoft EK only uses CVE-2016-0189. CVE-2016-0189 is frequently used in other EK. It's no longer fun itself. However, GrandSoft EK code is a little different from other EK. Let's see the GrandSoft EK code.

https://gist.github.com/anonymous/3dfd73cb212ecfe4c100bd356e429403

GrandSoft EK is mixing unnecessary code. Deleting all of them will result in a familiar code. For example, these codes are not necessary.

z9TmaQnrKIX = "Set t7BdKL = New Q6dZEWZ End Function End Function "

Dim Q0GzfxxyDx2

GrandSoft EK is different from the current code around January 30th. There was another obfuscation in the past. This is the previous code. This was a bit annoying...


https://gist.github.com/anonymous/089810f4581b86edf27827a0a4ebeff4

Well, you deobfuscate this, basically it's the same code as other EK. What is different is the process of generating a URL for downloading malware and the process of decrypting the downloaded file by it.


A value called "keyRand" is generated and becomes part of the URL. "keyRand" is also used to decrypt files. Like RIG, GrandSoft EK downloads RC4 encoded malware.


"arcnsave" is also in RIG. Such a code.


For this reason, encryption key is not hard-coded. In order to know the key, it's necessary to obtain the URL from the traffic.


Finally

GrandSoft EK is not an advanced EK. But there was a little fun feature. I want to follow up on future updates😊