Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Endless Evasion Racing Game

In the past year we have been exploring the Magnitude Exploit Kit - one of the major actors in the cybercriminal scene. Like most of the modern exploit kits Magnitude is comprised of several layers in order to decrease the chances of getting exposed by security vendors. In this blog we will show a recent development in Magnitude Exploit Kit which adds another layer of evasion.

11568_bf8566da-2f8b-4a38-8aee-c855e62ad966
Figure 1: Magnitude architecture

 

In a previous blog post which dealt with Magnitude, we described the architecture of Magnitude exploit kit. Even though the architecture of the exploit kit is complex and fairly solid, Magnitude didn't put much effort into hiding its landing page, which could be easily detected by most of the security vendors (especially given the unique URL patterns Magnitude uses). Recently, we have noticed that the author of the Magnitude Exploit Kit has added an additional layer of evasion.

Following is a screenshot from the exploitation flow of Magnitude:

11961_d2432b42-5465-403a-96ab-de2dd2fcc400
Figure 2: Magnitude flow

 

The referrer of the Magnitude exploit kit here was 1deposit[dot]com.

When browsing directly to the website, the user gets to a High-Yield Investment Program (HIYP) Ponzi scheme website.

This is the content you see when browsing directly to the site without a referrer:

10803_9a687e8b-b4ee-44c4-8fc4-e77bc9e65065
Figure 3: Direct access to 1deposit.com

 

At first glance the website looks legit but when we started digging a bit more we found that it's just a mirror of the original HYIP website 9deposit.com. By having a legitimate-looking interface (although the HYIP content), it reduces the chances of being marked as malicious.

When browsing with any random referrer the user is redirected to "bing.com", once more hiding the true nature of this site.

Only when browsing with the original "referer" we are redirected to the landing page of Magnitude: It appears that the "Gateway server" of Magnitude redirects a filtered traffic to the landing page, and accepting traffic only from its malvertising campaigns driven by smytrafficfilter[dot]com

Unlike the previous "Gateway server" of Magnitude, the developer added additional functionality to prevent unnecessary exposure of his landing page servers.

11814_cad121b9-c508-4b87-8278-737f96cf4ca0
Figure 4: 1deposit.com hidden content

 

After analyzing the obfuscated code above (on "1deposit[dot]com" a.k.a Gateway server) we found the following checks:

8265_1f9f2a07-004e-4a0b-9e01-3d1b8d950a53
Figure 5: De-obfuscated code

 

The code above performs 2 types of checks to ensure that the machine is indeed a potential victim.

The checks are using CVE-2013-7331 in two stages:

The first check uses an Image object to test whether a certain application exists by calling the local path of the application using the "src" attribute. In case the "onload" event fires it means that the path to the file exists and that the application is installed locally, thus the redirection to the landing page will not take place.

The script looks for for the following large number of paths (applications):

res://\Program%20Files\Fiddler2\Fiddler.exe/#3/#32512

res://\Program%20Files%20(x86)\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#26567

res://\Program%20Files\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#26567

res://\Program%20Files%20(x86)\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#30996

res://\Program%20Files\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#30996

res://\Program%20Files%20(x86)\ESET\ESET Smart Security\mfc120u.dll/#2/#16129

res://\Program%20Files\ESET\ESET Smart Security\mfc120u.dll/#2/#16129

res://\Program%20Files%20(x86)\Oracle\VirtualBox Guest Additions\uninst.exe/#2/#110

res://\Program%20Files\Oracle\VirtualBox Guest Additions\uninst.exe/#2/#110

res://\Program%20Files%20(x86)\Parallels\Parallels Tools\Applications\setup_nativelook.exe/#2/#204

res://\Program%20Files\Parallels\Parallels Tools\Applications\setup_nativelook.exe/#2/#204

res://\Program%20Files%20(x86)\Malwarebytes Anti-Malware\mbamext.dll/#2/202

res://\Program%20Files\Malwarebytes Anti-Malware\mbamext.dll/#2/202

res://\Program%20Files%20(x86)\Malwarebytes Anti-Malware\unins000.exe/#2/DISKIMAGE

res://\Program%20Files\Malwarebytes Anti-Malware\unins000.exe/#2/DISKIMAGE

res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\mbae.exe/#2/200

res://\Program%20Files\Malwarebytes Anti-Exploit\mbae.exe/#2/200

res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\mbae.exe/#2/201

res://\Program%20Files\Malwarebytes Anti-Exploit\mbae.exe/#2/201

res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\unins000.exe/#2/DISKIMAGE

res://\Program%20Files\Malwarebytes Anti-Exploit\unins000.exe/#2/DISKIMAGE

res://\Program%20Files%20(x86)\Trend Micro\Titanium\TmConfig.dll/#2/#30994

res://\Program%20Files\Trend Micro\Titanium\TmConfig.dll/#2/#30994

res://\Program%20Files%20(x86)\Trend Micro\Titanium\TmSystemChecking.dll/#2/#30994

res://\Program%20Files\Trend Micro\Titanium\TmSystemChecking.dll/#2/#30994

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\shellex.dll/#2/#102

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\shellex.dll/#2/#102

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll/#2/#102

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll/#2/#102

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\shellex.dll/#2/#102

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\shellex.dll/#2/#102

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2009\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avzkrnl.dll/#2/BBALL

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avzkrnl.dll/#2/BBALL

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.1\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.1\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.2\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.2\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll/#2/#102

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll/#2/#102

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 7.0\shellex.dll/#2/#102

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 7.0\shellex.dll/#2/#102

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2009\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2009\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2010\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2010\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avzkrnl.dll/#2/BBALL

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2011\avzkrnl.dll/#2/BBALL

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2012\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2013\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 14.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 14.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.1\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.1\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 16.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 16.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE 2.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky PURE 2.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE 3.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky PURE 3.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky CRYSTAL 3.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky CRYSTAL 3.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky PURE\mfc42.dll/#2/#26567

Looking at the list one can clearly see that some of these checks are meant to avoid users with security products that will likely block exploitation attempts, while others are meant to avoid security researchers by looking for virtualization solutions and applications commonly used in their research process.

The second check looks for the existence of various Kaspersky ActiveX's as a sign of a local installation of that AV:

Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi

Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi.1

Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi.4_5_0.1

This technique is used by most of the exploit kits to keep low profile and avoid detection. However, what makes this variant unique is that unlike other EKs, which integrate the filtering tests inside their landing pages, Magnitude decided to put the tests one step earlier, so that if the target machine fails any of these tests you will never get to any of Magnitude's real servers or exploits.

It's interesting to see the different ways in which exploit kit developers choose to cope with security mechanisms. While most exploit kits are making efforts to look more like legitimate web applications, Magnitude's heavy use of its URL structure is probably at least part of the reason why they chose to take a different approach and try to avoid exposing such URLs when possible.

Looking back at our telemetry we found a few more domains that were similarly leading to Magnitude:

1deposit[dot]info, 1stdeposit[dot]org, 1stdeposit[dot]me

This blog post was co-authored by Daniel Chechik and Rami Kogan.

Trustwave Secure Web Gateway protects customers against the Magnitude Exploit Kit including from this most recent version.

 

Latest SpiderLabs Blogs

Hunting For Integer Overflows In Web Servers

Allow me to set the scene and start proceedings off with a definition of an integer overflow, according to Wikipedia:

Read More

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More