Analyzing GrandSoft Exploit Kit

First

I didn't know GrandSoft EK several weeks ago. Because GrandSoft EK was active around 2012~13, but I started studying web security since 2017. I thought he was the same as a lot of EKs that was not active. However, as Kafeine tweeted on January 30, they resumed their activities.

Hello again GrandSoft EK. Dropping ... GandCrab pic.twitter.com/yfjzju16KG
— Kafeine (@kafeine) 2018年1月30日

Looking at this tweet, I immediately investigated GrandSoft EK. Even if I search "GrandSoft Exploit Kit" on Google, I didn't get much info (only Kafeine's awesome blogs were found). But these were written in 2012~13 (a little old).

http://malware.dontneedcoffee.com/2012/10/neosploit-now-showing-bh-ek-20-like.html
http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft.html

When you look at MISP Galaxy, you get info about it.


https://github.com/MISP/misp-galaxy/blob/master/clusters/exploit-kit.json#L323-L338

According to this, GrandSoft EK was active around 2012~13. It seems that it has not been observed since March 2014. This info is old. When you search on Twitter, there are records that were observed in September 2017.

Whaaat ?! GrandSoft Exploit Kit used to spread zloader in ESP/ITA with CVE-2016-0189.
cc/tx @malc0de @EKwatcher @jspchc pic.twitter.com/TwOB0lm3jM
— Kafeine (@kafeine) 2017年9月22日

After this, for the time being a blank, events of the other day occur. In January 2018, it was observed that GrandSoft EK is sending GandCrab.

https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
https://zerophagemalware.com/2018/02/10/grandsoft-ek-via-slots-drops-leviarcoin-miner/

Jerome and Zerophage wrote wonderful articles. Just reading these can get a lot of info about attacks. But I knew a little about what is not written in these. So, I write some of the info I got here.

Traffic Analysis

I analyze this traffic this time. Please refer my saz file if necessary.

https://traffic.moe/2018/02/09/index.html

The beginning is the ad network. When you browse legitimate websites, you reach the Gate of attack campaign (some people call this "Slots Campaign") from certain ad networks.

Please see this for "Slots Campaign".

Check out my blogpost - A new #RigEK campaign #Slots dropping #XMRig minerhttps://t.co/byEJOmA551https://t.co/jAmlTsq2e9@CheckPointSW
CC: @nao_sec @VK_Intel @malware_traffic
— Aviran Hazum (@MrHazum) 2018年2月8日

In Slots Campaign's Gate, redirect is done by HTTP Location Header. This will reach the Landing Page of GrandSoft EK.


The Landing Page checks the user's environment. He gets the info as URL strings and sends attack codes.


GrandSoft EK only uses CVE-2016-0189. CVE-2016-0189 is frequently used in other EK. It's no longer fun itself. However, GrandSoft EK code is a little different from other EK. Let's see the GrandSoft EK code.

https://gist.github.com/anonymous/3dfd73cb212ecfe4c100bd356e429403

GrandSoft EK is mixing unnecessary code. Deleting all of them will result in a familiar code. For example, these codes are not necessary.

z9TmaQnrKIX = "Set t7BdKL = New Q6dZEWZ End Function End Function "

Dim Q0GzfxxyDx2

GrandSoft EK is different from the current code around January 30th. There was another obfuscation in the past. This is the previous code. This was a bit annoying...


https://gist.github.com/anonymous/089810f4581b86edf27827a0a4ebeff4

Well, you deobfuscate this, basically it's the same code as other EK. What is different is the process of generating a URL for downloading malware and the process of decrypting the downloaded file by it.


A value called "keyRand" is generated and becomes part of the URL. "keyRand" is also used to decrypt files. Like RIG, GrandSoft EK downloads RC4 encoded malware.


"arcnsave" is also in RIG. Such a code.


For this reason, encryption key is not hard-coded. In order to know the key, it's necessary to obtain the URL from the traffic.


Finally

GrandSoft EK is not an advanced EK. But there was a little fun feature. I want to follow up on future updates😊

Analyzing Ramnit used in Seamless campaign

First

Seamless campaign which is a Drive-by Download attack campaign uses Ramnit banking trojan. Many articles about Seamless campaign are published. For example, Cisco Umbrella, Malware-Traffic-Analysis and traffic.moe. Seamless has been using Ramnit since it began to be observed. Once run, Ramnit injects code into the web page to steal information such as credit cards. Ramnit is a previously reported banking trojan, but since I didn't know much about it, so I investigated about it.

Seamless Campaign Traffic

First, about Seamless campaign. Seamless campaign consists of the following traffic.


When reaching Seamless's Pre-Gate from the ad network, Pre-Gate gets the user's time zone information and sends it to the server. If the user belongs to the target time zone, Pre-Gate redirects the user to Gate via several redirectors. The user reads the landing page of the RIG Exploit Kit at Gate, which attacks and sends Ramnit.


Seamless is sensitive to the user's geolocation. Pre-Gate exists for each target country. For example, Pre-Gate for USA redirect to Gate for USA and Ramnit for USA is sent.

Ramnit Traffic

Ramnit uses the original protocol when communicating with C2. Following this protocol, I try to extract the configs and modules from the traffic of Ramnit and C2.

This protocol uses port 443. But, not https. A simple mechanism is on tcp. Packet consists of multiple commands and data. The structure is as follows.



magic number is a fixed value. Packets start with this bytes. length is the length of command and data. In other words, strlen(command + data). command is 1 byte. There are various kinds of this.



Data has three structures.



The encryption key of RC4 seems to be stable. In my environment `fenquyidh` is the key.

Let's look at the data using actual traffic. If you have Ramnit traffic, use it. If you do not have it, look for Ramnit and move it, or look for pcap etc. For example, if you look at the #Ramnit tag on Twitter, you will find many Tweets. You will surely get Ramnit or its traffic.

Ramnit is banking trojan. It depends on the target country/region. For example, Ramnit used in attack campaign targeting Japan doesn't work with IP addresses of countries other than Japan. The configs and modules that Ramnit acquires from C2 also change. This time, let's see the traffic of Ramnit for Japan. If you are not able to get the traffic of Ramnit for Japan, please refer to this link. It seems that someone kindly released pcap ;)

https://gist.github.com/anonymous/2d7eef0c0ffba19338afd74823d7a8c9

Let's open pcap and look at the first packet.



When parsing this according to the protocol, it becomes as follows.



This data is encoded with RC4. So I decode it. RC 4 is a simple algorithm, write the code.



The results are as follows. Ramnit is sending two MD5 values to C2. Registration is done to bot by this.

string(32) "d5ad437b032fd239616c1d0d97a6b6eb"
string(32) "e4b7a6323fab5960363d771a124b6079"

This is what automates these processes.

https://github.com/nao-sec/ramnit_traffic_parser

This script uses tshark. If not installed, please install and set environment variables. Now, let's run the script.



Files are created in the output directory. Let's look at `064_21.bin`.

This file says "Antivirus Trusted Module v2.0 (AVG, Avast, Nod32, Norton, Bitdefender)". You can see that there is MZ header below 0x120 and it is a PE file. Cutting out 0x120 or later result in the following.



It is unpacked because packed by UPX.



Looking at this DLL with IDA, you can see that it is a program that interferes with Anti-Virus software.

Several DLL modules (067_21.bin, 070_21.bin, 073_21.bin) are downloaded like this.

Next, let's see 106_15.bin. This file seems to be zip. Looking inside it was IE's cookies. There was a DLL module that zipped the cookie, so it might be related.



Finally, look at 139_13.bin. This is the config of the injecting code for the web page.



Looking at this configuration, URLs of many credit card companies and related companies exist. It was localized for Japan.

Ramnit Modules

I analyzed the modules that Ramnit downloads. All modules had data added at the beginning of the PE format.


Also, its PE file is a DLL, packed with UPX.


At the beginning of the module there is a comment like a description of the role. Most of them are similar to the information already analyzed by analysts.




For Japan

[module 1]



Add to antivirus software exception list

[module 2]



Compress and send cookies of browsers (firefox, chorome, opera, IE) to zip.

[module 3]



[module 4]
Browser communication hook




I think it is similar to this code.
https://github.com/gbrindisi/malware/blob/master/windows/gozi-isfb/AcDll/activdll.c

[module 5]



For USA

module 1~4 is the same. module5 had the following functions instead.




And In US IP, AZORult has been downloaded.

https://www.hybrid-analysis.com/sample/37b66f9117a2140fa11badad967c09142860d04af9a3564bfe58527d7d7e9270

IOCs

https://github.com/nao-sec/ioc/blob/master/nao_sec/5a34bc94-1eb8-4213-9ab8-34dbc0a8010a.json

Finally

The Ramnit has not changed very much for a long time. It was consistent with Symantec's contents published in 2014.

https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf

The configuration changes depending on the IP address, but the same module was downloaded.

Ramnit traffic is interesting ;)