A Peek Into the Lion's Den – The Magnitude [aka PopAds] Exploit Kit

Recently we managed to get an unusual peek into the content that is used on the servers of the prevalent exploit kit, Magnitude. In this blog post we'll review its most up-to-date administration panel and capabilities, as well as review some infection statistics provided by Magnitude over the course of several weeks. (Check out a second article in this blog series here.)

These days, after the arrest of Paunch, the Blackhole exploit kit creator, exploit kit developers and sellers have learned their lesson about doing business in the underground. Unlike the "last generation" exploit kits, today's leading exploit kits cost customers much more than before due to an "additional risk fee", and exploit kit vendors no longer advertise in the underground forums the way they used to. If one wishes to rent an exploit kit instance, they must know a guy who knows a guy who knows someone (etc.) who can connect the buyer with the actual seller. It's all based on trust among these forums.

The Magnitude exploit kit is one of the most prevalent exploit kits these days and holds 31% of the exploit kit market share, as described in Trustwave's 2014 Global Security Report. Magnitude is notorious for being used in infections of several high profile websites such as the Yahoo Ad Network and the php.net site, both of which were compromised to redirect users to instances of that exploit kit. Several researchers have published great write-ups about Magnitude, yet because these exploit kits have become so sneaky, it's hard to find more information about the inner workings of the exploit kit itself.

Magnitude's Administration Panel

Here is a screen shot of Magnitude's admin panel:

Magnitude1

Magnitude's admin panel is written almost entirely in Russian. We include translations of the main parts below. This admin panel is quite minimalistic in terms of design, but make no mistake about it: this panel contains every bit of information and statistics a campaign manager needs to keep track of: infection rates, exploits' AV detection rates, domain blacklisting, etc.

By its nature, Magnitude cannot be rented for weekly or monthly use. Instead, every potential customer can redirect traffic to the exploit kit and enjoy the robust infrastructure of new and unknown rotating domains, exploits that bypass many leading AV products, a statistics panel, etc. In return, 5-20% of the victims are allocated to the exploit kit's author, who infects those victims with his own malware of choice. Customers who generate more traffic have to allocate a lower percentage of victims. You can call that "a volume discount".

This model may not sound very profitable for the Magnitude author, but in reality it is. For example, over the course of a few weeks the author distributed Cryptowall Defense, a well-known ransomware, to these victims' computers. This malware encrypts files and forces the user to pay the attacker a decent price, normally around $500 USD, for decrypting them. Users had to pay in Bitcoins to a virtual wallet that was specified in the malware. We found that in a single week Bitcoins worth $60,000 USD were deposited to the cybercriminal's wallet, making this model more profitable than the traditional rental business. In addition, it makes it easier for new customers to start working with him, since they don't need to pay money upfront in order to use the system and instead just "donate" part of their own traffic.

Admin Panel in Detail

Let's have a look now at each section of the admin panel. Infection statistics from the past few days are shown in the expanding view in the top left corner:

Magnitude2

What can we learn from the statistics above?

  • The malicious campaign manager redirected 19,833 victims to Magnitude instances on 12.05.2014. About 12,710 of those were unique.
  • Of the 12,710 unique victims, a whopping 5,174 hosts were infected by Magnitude. That is 40.7% of all victims' computers that day!
  • 642 of the victims were blocked due to IP geo-location restrictions (more about that later).
  • The most successful exploit that day was the Internet Explorer VML exploit (CVE-2013-2551). This is due to the fact that many of the victims redirected by that Magnitude campaign used old or not fully patched versions of Internet Explorer.

The Magnitude admin panel also allows campaign managers to upload an executable as the payload for infection or, alternatively, to provide a URL for the executable. Executables are pulled by the exploit kit every couple of hours.

Let's have a look at the daily update board. See the translation below for each section.

Magnitude3

The Magnitude administration keeps its users updated on the latest news about the exploit kit. Since most of our blog readers aren't fluent in Russian, we provide below the translation and some commentary:

1. 11.05.2014: For security reasons, it was decided to reset the statistics every Monday and Thursday at 00:00.

"Security" in the criminal context is obviously the opposite of the normal meaning: The cybercriminals are concerned about the Info-security community and industry blacklisting Magnitude domains, payloads, etc.

2. 10.01.2014: Statistics data were reset and the delivery mechanism was improved. Exploit rate is expected to increase.

This means the author has improved the exploits' stability. It is not an easy task to make sure the exploits work successfully on a variety of systems (various browsers, plugins, operating systems, etc.)

3. 06.12.2013: We added the possibility to refresh the executable file automatically without contacting tech support.

This shows how the service has evolved with automation similar to legitimate software products.

4. 22.11.2013: Increased infection rates by 30% due to the cardinal change in the way we serve the payloads, hurry up and send your traffic!

5. 10.10.2013: We are no longer accepting traffic from the following countries (Former USSR countries, small countries from Asia, the Middle East, Africa and South America):
A1 A2 O1 SU RU UA BY UZ KZ GE AZ LT MD LV KG TJ AM TM JP JA CN TH VN ID MY TZ PH RO SG TT YE LK PK SA BG UY RS OM IQ KW DO SV TN KE EU NP BD MN SK CR JO LU BB MU NI AP BS MQ NG CY BO AO PY MK GU BH SI NA LB BA BN GD LA BZ PG ZM SY LY SD HT MO PS UG GF RE AF SN LR NC KH GP BW HN AW PF CW VI IS KN AG BM GY DM MT BT MZ EE GL CI MG MV MC GA CD LI GQ ZW CM SR JE DJ CV SZ ME FJ LC KY GH SB VU ET RW MW ER LS EG AE TW ZA

This illustrates a common practice among malware distributors. There are several reasons why they use this geographical blacklisting:

  • Many countries on this list have extradition policies with Russia, thus posing an actual legal threat for the exploit kit author (who is believed to be of Russian origin) and for their customers.
  • Some countries have low ROI for the malware distributors. Normally these are undeveloped or developing countries.
  • In order to avoid detection of exploits by security products and blacklisting of the domains, exploits will not be served unless the criteria defined have been met (geo-location, OS, browser, etc.)

6. FAQ:
6.1. The link in "UPDATE URL FROM" is valid for 5 minutes after the update.

A common practice to avoid detection by products that blacklist URLs is to frequently change the domain. The "link" mentioned above is an API for retrieving the URL for the landing page of the Magnitude exploit kit. Customers are expected to automate the retrieval of the new URL in order to update their traffic redirection schemes.

6.2. Automatically checks files and domains once every 30 minutes, starting from 00:00.

"Checks" here means scanning the malware with various AV/security products in order to make sure that the malware sample distributed by Magnitude will go undetected.

6.3. Stats will be reset at 00:00 Moscow Time.
6.4. Clicking the domain on the right side displays a detailed list of unique hits, OS, referrals, etc.
6.5. Accounts inactive for more than 2 days are removed :)
6.6. In order to use the API that provides the landing page URL, you must first provide the support team with the origin IP for your automation.

The bad guys restrict access to their API similar to what legitimate cloud service providers do.

6.7. Our exploit kit will exploit only Internet Explorer – all other browsers will be automatically filtered out. If you believe that some other browser can be exploited – talk to support.

7. Advertising from partners ("Реклама от партнеров")

Magnitude advertises the Podmena2014 [a.k.a. Simda] affiliate program. You can read more about it here. We can also notice the Cashalot affiliate program, a new one that aims to infect victims with malware that covertly clicks on advertisements, replacing advertisements on the fly. This malware helps generate revenue through both ad networks and SEO schemes. Moreover, this malware is conveniently integrated with a cryptocurrency miner.

The next section provides detailed statistics:

Magnitude4

  1. SHOW DIRECT LINKS: clicking the button will show a detailed view of each redirected victim (including date, IP, Country, referrer, user-agent etc.)
  2. FAQ for serving fake pages for traffic exchanges: This FAQ reveals a creative solution for Magnitude customers who plan to deliver traffic from various traffic exchange networks. Criminals face a "problem" when buying traffic from such services (traffic exchanges): once an account is set up with a traffic broker, the admin of that service will want to make sure that the "receiving end" of the traffic isn't malicious. In such cases, the Magnitude interface allows the customer to define a "fake site". The customer can simply turn on this option, and from then on the content served from the malicious domain will be a replica of some legitimate site, effectively disguising the malicious site with the content of a legitimate website. Once the traffic exchange admin has verified the legitimacy of the "fake website", the Magnitude customer can turn off that option, and from that point on his domain will serve Magnitude's landing page. Simple, yet very effective.
  3. Redirects: This is the status of the current URL (censored) that serves Magnitude landing page. A click on the URL opens an AV and URL blacklisting status provided by scan4you – a shady, anonymous, multi-engine malware and URL scanner service used mainly for malicious purposes. Simply put, it is an underground VirusTotal alternative (see more here):

Magnitude5

Do you even infect, bro??

Now let's talk numbers and see some of Magnitude's overall statistics:

  • This Magnitude instance made use of only three exploits:
    • CVE-2013-2551 (VML) for IE 6 - 10, which infected 85% of victims
    • CVE-2013-2463 (Java Raster) for Java <= 7.21 and <=6.45, which includes JNLP click-to-play bypass and infected 9% of victims
    • CVE-2012-0507 (Java Atomic) for Java <= 7.2 and <=6.30, which infected 6% of victims

Magnitude Pie Chart

  • Every successful Magnitude infection "rewards" the victim with up to seven pieces of malware (previously mentioned here). The rationale is simple: the exploit kit admin is trying to increase the infection rate for each of his customers and infect machines with his own malware.
  • Over the course of one month, the Magnitude exploit kit attempted to exploit 1.1 million unique machines and managed to infect about 210,000 unique machines, yielding a decent infection rate of nearly 20%. As written in the above bulletin, every infection installed about 7 different malware variants on each PC, resulting in a huge volume of distributed malware.
  • The infected machines belong both to consumers and business workers. A few hundred of the machines that Magnitude attempted to infect were from government agencies in the US, Canada, UK and several other countries. We also recorded computers from several universities in Australia, Hong Kong, the US and elsewhere.
  • In terms of attempted infections, USA, France, Iran and the UK are at the top of the list. Below is a chart of the overall exploitation attempts by country:

Magnitude7

Note: Countries with less than 5,000 attempted infections are not shown in the chart.

Successful exploit statistics (a complete list is available here):

Magnitude8

Note: Countries with less than 500 infections are not shown in the chart.

Although the number of infected machines is highest in the US, the infection rate in the US (as well as France and other European countries) is much lower than it was in other countries such as Iran, Vietnam and India. This likely reflects the difference in level of security awareness and security product deployment between these groups of countries.

Magnitude9

Let's talk Malware

One of the most important steps in configuring any malicious campaign is choosing the malware which will be distributed to victims. Let's have a look at the malware variants that were selected by Magnitude customers:

  • Overall, 211 unique malware samples were distributed by Magnitude over the course of a few weeks. Each successful infection resulted in the victim receiving 5-6 of them. Some of the variants belonged to the same malware family.
  • Only 85 of the samples were uploaded to VirusTotal by the time we checked. The other 126 samples were never previously scanned by VirusTotal.
  • A List of all the malware hashes (MD5) can be found here.
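One way a defender can turn the pattern described above (a single infection drops five to seven executables within minutes, and only Internet Explorer clients are exploited) into a proxy-log detection. This is an added example, not Trustwave's code or tooling; the log format, field separator and sample lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log (not real traffic), pipe-separated:
# time | client | user agent | url | content type
SAMPLE_LOG = """\
2014-05-12T10:01:05|10.0.0.5|Mozilla/4.0 (compatible; MSIE 8.0)|http://land.example/x.html|text/html
2014-05-12T10:01:09|10.0.0.5|Mozilla/4.0 (compatible; MSIE 8.0)|http://drop.example/a.exe|application/x-msdownload
2014-05-12T10:01:40|10.0.0.5|Mozilla/4.0 (compatible; MSIE 8.0)|http://drop.example/b.exe|application/x-msdownload
2014-05-12T10:02:12|10.0.0.5|Mozilla/4.0 (compatible; MSIE 8.0)|http://drop.example/c.exe|application/x-msdownload
2014-05-12T10:02:50|10.0.0.5|Mozilla/4.0 (compatible; MSIE 8.0)|http://drop.example/d.exe|application/x-msdownload
2014-05-12T10:03:30|10.0.0.5|Mozilla/4.0 (compatible; MSIE 8.0)|http://drop.example/e.exe|application/x-msdownload
2014-05-12T10:03:31|10.0.0.5|Mozilla/4.0 (compatible; MSIE 8.0)|http://drop.example/e.exe|application/x-msdownload
2014-05-12T10:05:00|10.0.0.9|Mozilla/4.0 (compatible; MSIE 8.0)|http://vendor.example/setup.exe|application/x-msdownload
2014-05-12T10:06:00|10.0.0.9|Mozilla/4.0 (compatible; MSIE 8.0)|http://vendor.example/patch.exe|application/x-msdownload
"""

EXE_TYPES = {"application/x-msdownload", "application/octet-stream"}


def parse_log(text):
    """Yield (time, client, user_agent, url, ctype) tuples from the log text."""
    for line in text.splitlines():
        if line.strip():
            ts, client, ua, url, ctype = line.split("|")
            yield datetime.fromisoformat(ts), client, ua, url, ctype


def find_multi_payload_clients(text, min_payloads=5, window=timedelta(minutes=10)):
    """Return {client: [urls]} for Internet Explorer clients that fetched at
    least `min_payloads` distinct executables inside any `window`-long span."""
    downloads = defaultdict(list)   # client -> [(time, url)] of executable fetches
    ie_clients = set()
    for ts, client, ua, url, ctype in parse_log(text):
        if "MSIE" in ua:
            ie_clients.add(client)
        if ctype in EXE_TYPES or url.lower().endswith(".exe"):
            downloads[client].append((ts, url))
    flagged = {}
    for client in ie_clients & set(downloads):
        events = sorted(downloads[client])
        for i, (start, _) in enumerate(events):
            # Distinct executables fetched within `window` of this download;
            # repeated fetches of the same URL count once.
            urls = {u for t, u in events[i:] if t - start <= window}
            if len(urls) >= min_payloads:
                flagged[client] = sorted(urls)
                break
    return flagged
```

A legitimate software update (client 10.0.0.9) stays under the threshold, while the burst of five distinct executables from 10.0.0.5 is flagged; tune `min_payloads` and `window` to the environment's baseline.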

The following is a breakdown of malware used in the recent Magnitude campaign:

Magnitude10

Alureon - Info stealer family. These Trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information from your computer such as user names, passwords, and credit card data.

CryptoWall - Ransomware that encrypts files using RSA-2048. Requires victims to pay the attacker via BitCoin for the decryption key.

Necurs - Backdoor. Necurs is a Trojan that opens a backdoor on the compromised machine. The Trojan may also disable antivirus products as well as download and install additional malware.

Nymaim – Essentially a backdoor: It injects into a running process and connects to a remote web server to receive commands.

Simda - A backdoor. Injects into a common running process. Attempts to kill security/reversing/analysis software. Hooks common Windows API calls. Accesses a remote C&C server.

Tepfer - An info stealer. Grabs usernames/passwords from common applications on the victim machine.

Vawtrak - Another backdoor family. Injects into a browser executable or explorer.exe. It provides control to a remote attacker, and may steal credentials to popular banking sites.

Trustwave contacted law enforcement agencies with the details of this research prior to posting this blog.

Customers of Trustwave Secure Web Gateway (SWG) are protected against Magnitude and other exploit kits without any further updates.

Magnitude11
