Q: What does it take to create a simple, yet fully functioning exploit kit?
A: Just a little bit of determination.
A few weeks ago a website popped up on our radar: www[.]***empowernetwork[.]com
This web site, like many others in our telemetry, is launching an infection campaign but its naïve and direct approach made it stand out among the others:
- Attackers usually host exploits on subdomains (domain shadowing) that point to their own servers and are unrelated to the main domain. However, in this case all the exploits are hosted on the main domain.
- Experienced attackers don't allow direct request to their landing page. They use several evasion and detection techniques, such as referrer checks, before serving any exploits. In this case however a direct request to the landing page will return a bunch of unconditional exploits (also known as "Carpet Bombing" – previously seen with Sundown EK and other mediocre exploit kits).
Taking a quick look at it revealed something interesting yet worrying: a full-blown exploit kit was deployed on this web site. There were 8 different operational exploits in this kit when we first observed it:
CVE-2014-6332 - Internet Explorer
CVE-2016-0189 - Internet Explorer
CVE-2015-5119 - Adobe Flash
CVE-2015-5122 - Adobe Flash
CVE-2013-1670/CVE-2013-1710 - Firefox
CVE-2014-1510/CVE-2014-1511 - Firefox
CVE-2014-8636 - Firefox
CVE-2015-4495 - Firefox
Here's a quick look at the landing page as it looked at the time of our analysis:
Figure 1: Terror Landing page from 06-Dec-2016
ie1.html => publicly available CVE-2014-6332 IE Exploit
ie2.html => publicly available CVE-2016-0189 IE Exploit
ie3.html => publicly available CVE-2014-6332 IE Exploit, again
firefox1.js => CVE-2013-1670/CVE-2013-1710 from metasploit + obfuscation
firefox2.js => CVE-2014-1510/CVE-2014-1511 from metasploit + obfuscation
firefox3.js => CVE-2014-8636 from metasploit + obfuscation
firefox4.html => CVE-2015-4495 from metasploit
mozilla.html => CVE-2013-1670/CVE-2013-1710 from metasploit
flash1.swf => CVE-2015-5122 from hacking team
flash2.swf => CVE-2015-5119 from hacking team
Additionally, there were 8 exploits which were commented out:
adobe1.html => sadjhg12390.swf (md5: 4984c607b8f40c3dce221f4d9c849530) => CVE-2015-3105 from metasploit. In fact, the md5 is an exact match for the Hunter EK sample.
adobe2.html => 123kappa123.swf (md5: 6b2befdd397c9032fcc01b73e6797126) => CVE-2015-5122 From Sundown/Hunter which is the exploit from metasploit obfuscated with secureSWF
adobe3.html => aakj1678jasdhbgty.swf (md5: ddf6fcbc721eab9bb220e862995f087b) => poc2.flv => CVE-2015-3113 from metasploit, although the md5 is exactly as in Hunter EK
adobe4.html => 360a296ea1e0abb38f1080f5e802fb4b => CVE-2014-0515 same md5 as sundown, this is the metasploit exploit obfuscated with Leawo SWF Encrypt and SWF Defender
adobe5.html => 1493f0e60aca5bcc753405d96c739bb4 => CVE-2015-3090 from metasploit, although the md5 is exactly as in Hunter EK
adobe6.html => 3930b19ce86a4a5545c8deb0c94990b5 => CVE-2015-0359 from metasploit, although the md5 is exactly as in Hunter EK
adobe7.html => d11a10ea60a2b8c01e7a2b620723471a => CVE-2015-0311 from Hunter EK
m3.class => CVE-2013-2465 from Hunter EK
Since this kit is a work in progress, we can assume that they have commented out the exploits either due to the fact that they haven't been fully tested yet, or because they are outdated and the author found the 8 current exploits to be sufficient.
Over the past year the exploit kit market has suffered a big blow due to the disappearance of some big players like Angler, Neutrino and Nuclear. In this context it makes sense that we see small initiatives of cyber criminals who try to fill the vacuum by orchestrating DIY exploit kits using Metasploit's ready-to-use exploits.
As we were examining the exploits we found them to be a little too familiar. This is because all the exploits are a nice combination of Metasploit exploits and exploits stolen from other kits. The stolen exploits are from either Sundown or Hunter EK's during their early stages when the two kits were almost identical and stole exploits from each other. We also saw the publicly available Hacking Team's flash exploit and the publicly available IE CVE-2016-0189 exploit as part of the kit.
After starting our investigation we realized that this website is not compromised, but rather is a clone of a real site (http://www.empowernetwork.com/) and that the author simply added the "kit" to the domain name.
Further investigation of this IP revealed older traces that we followed back to an IP (18.104.22.168) which was once tied to a domain by the name: terrorexploitkit[.]hopto[.]org. Are we witnessing the formation of a new exploit kit - "Terror Exploit Kit"?
When we first encountered the kit the landing page URL was:
However, this page doesn't exist anymore.
The current landing page URL is:
Even more surprising, is the fact we have found that there are two URL's that redirect to Sundown landing page:
empowernetworkpackage[.]com/test/test.php & empowernetworkpackage[.]com/test2/test.php
Figure 2: PHP page redirecting to Sundown
We don't know why the author did this. However, we can speculate that they might have used that as a "backup" mechanism for victims they couldn't exploit successfully. Sort of "I'll try on my own first, and if not successful I'll hand it off to more experienced criminals" approach.
As for the payloads, the payload that we observed from the kit in the first encounter was a dropper that would download ccminer. ccminer gets its configuration from pastebin & github.
The payload from Sundown was another dropper with a different md5, perhaps crypted to avoid detection, but the end results was the same - the dropper would connect to either github/pastebin to get the url of the miner to download and execute it.
Side note: the droppers and the miners are 64bit only executables.
Figure 3: URL info stored on pastebin for the dropper to download
Figure 4: Miner configuration hosted on GitHub
Figure 5: Miner configuration hosted on PasteBin
Figure 6: Miners hosted on 22.214.171.124
The miner is set to mine the "Monero" cryptocurrency, which recently increased in value due to its adoption in several underground black markets.
The IP address of kitempowernetwork[.]com is 126.96.36.199, we have noticed more domains being registered under this IP. Daily changes in GitHub suggest that this kit or whatever it is, is under continuous development, so it is likely will see some more changes in the near future.
Figure 7: Domains registered under the same IP
Figure 8: Near daily commits to configuration on GitHub
But wait, there's more! Just as we were about to publish the blog we noticed some new changes in Terror EK. A New Year's resolution to improve, perhaps?
The landing page has been totally rewritten and it is sort of an un-obfuscated Sundown, an observation also made by several other researchers who have thus far been calling it a Sundown variant:
Figure 9: A tweet from @HenriNurmi about un-obfuscated Sundown (Terror EK)
Malwarebytes has also written a nice blog about the payload being dropped by this latest variant of Terror EK. However the payload request from Sundown (hnt[.]e27[.]biz/z[.]php?id=215), which caused some of the confusion about this kit, appears to be simply bad copy & paste work from the Terror EK author. It fails to fetch the payload from the Sundown server. The actual payload of Terror EK is "oq2.data" as seen in Malwarebytes fiddler image.
This new landing page has all the exploits in it, instead of making iframes to individual exploits, however the number of exploits is much more limited:
Figure 10: Terror Landing page from 04-Jan-2017
In fact, it looks like the author stole Sundown exploits after trying out the kit for a few weeks. This can be seen by the "style" of the exploit code and the fact that the exploit for CVE-2016-4117 is exactly the same one we described in our post about Sundown a while back. The only difference is that the exploit in Terror EK had another layer of obfuscation added by dcomsoft SWF Protector.
After tracking this kit for over a month, we strongly suspect that this is a one-man operation. Crypto mining is not that profitable, however for a one-man operation this is a good solution. Once the host is infected and as long as it keeps running the miner, you profit. No hassle whatsoever.
At the moment the attacker's subscription to Sundown has ended and they haven't made changes in github for the last two weeks, though they do continue to register new domains. Given that there is a lot of chatter in the underground from people looking to buy client side exploits and the creation of new exploit kits, there is clearly high demand and scarce supply for these in the market. Given this, we might see this kit continue to evolve or similar DIY kits popping up at any time.
Figure 11: A tweet about a new DIY EK
Trustwave customers are protected against the Terror Exploit Kit and other exploit kits.
This blog post was co-authored by Simon Kenin and Arseny Levin.
Thanks to Rami Kogan and Anat Davidi for their contribution to the research described in this post.
300f81780c1b583014092cba8ea765bb (from Sundown)