SpiderLabs Blog

Endless Evasion Racing Game

Written by Rami Kogan | Dec 27, 2015 8:40:00 AM

In the past year we have been exploring the Magnitude Exploit Kit - one of the major actors in the cybercriminal scene. Like most of the modern exploit kits Magnitude is comprised of several layers in order to decrease the chances of getting exposed by security vendors. In this blog we will show a recent development in Magnitude Exploit Kit which adds another layer of evasion.

Figure 1: Magnitude architecture

 

In a previous blog post which dealt with Magnitude, we described the architecture of Magnitude exploit kit. Even though the architecture of the exploit kit is complex and fairly solid, Magnitude didn't put much effort into hiding its landing page, which could be easily detected by most of the security vendors (especially given the unique URL patterns Magnitude uses). Recently, we have noticed that the author of the Magnitude Exploit Kit has added an additional layer of evasion.

Following is a screenshot from the exploitation flow of Magnitude:

Figure 2: Magnitude flow

 

The referrer of the Magnitude exploit kit here was 1deposit[dot]com.

When browsing directly to the website, the user gets to a High-Yield Investment Program (HIYP) Ponzi scheme website.

This is the content you see when browsing directly to the site without a referrer:

Figure 3: Direct access to 1deposit.com

 

At first glance the website looks legit but when we started digging a bit more we found that it's just a mirror of the original HYIP website 9deposit.com. By having a legitimate-looking interface (although the HYIP content), it reduces the chances of being marked as malicious.

When browsing with any random referrer the user is redirected to "bing.com", once more hiding the true nature of this site.

Only when browsing with the original "referer" we are redirected to the landing page of Magnitude: It appears that the "Gateway server" of Magnitude redirects a filtered traffic to the landing page, and accepting traffic only from its malvertising campaigns driven by smytrafficfilter[dot]com

Unlike the previous "Gateway server" of Magnitude, the developer added additional functionality to prevent unnecessary exposure of his landing page servers.

Figure 4: 1deposit.com hidden content

 

After analyzing the obfuscated code above (on "1deposit[dot]com" a.k.a Gateway server) we found the following checks:

Figure 5: De-obfuscated code

 

The code above performs 2 types of checks to ensure that the machine is indeed a potential victim.

The checks are using CVE-2013-7331 in two stages:

The first check uses an Image object to test whether a certain application exists by calling the local path of the application using the "src" attribute. In case the "onload" event fires it means that the path to the file exists and that the application is installed locally, thus the redirection to the landing page will not take place.

The script looks for for the following large number of paths (applications):

res://\Program%20Files\Fiddler2\Fiddler.exe/#3/#32512

res://\Program%20Files%20(x86)\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#26567

res://\Program%20Files\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#26567

res://\Program%20Files%20(x86)\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#30996

res://\Program%20Files\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#30996

res://\Program%20Files%20(x86)\ESET\ESET Smart Security\mfc120u.dll/#2/#16129

res://\Program%20Files\ESET\ESET Smart Security\mfc120u.dll/#2/#16129

res://\Program%20Files%20(x86)\Oracle\VirtualBox Guest Additions\uninst.exe/#2/#110

res://\Program%20Files\Oracle\VirtualBox Guest Additions\uninst.exe/#2/#110

res://\Program%20Files%20(x86)\Parallels\Parallels Tools\Applications\setup_nativelook.exe/#2/#204

res://\Program%20Files\Parallels\Parallels Tools\Applications\setup_nativelook.exe/#2/#204

res://\Program%20Files%20(x86)\Malwarebytes Anti-Malware\mbamext.dll/#2/202

res://\Program%20Files\Malwarebytes Anti-Malware\mbamext.dll/#2/202

res://\Program%20Files%20(x86)\Malwarebytes Anti-Malware\unins000.exe/#2/DISKIMAGE

res://\Program%20Files\Malwarebytes Anti-Malware\unins000.exe/#2/DISKIMAGE

res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\mbae.exe/#2/200

res://\Program%20Files\Malwarebytes Anti-Exploit\mbae.exe/#2/200

res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\mbae.exe/#2/201

res://\Program%20Files\Malwarebytes Anti-Exploit\mbae.exe/#2/201

res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\unins000.exe/#2/DISKIMAGE

res://\Program%20Files\Malwarebytes Anti-Exploit\unins000.exe/#2/DISKIMAGE

res://\Program%20Files%20(x86)\Trend Micro\Titanium\TmConfig.dll/#2/#30994

res://\Program%20Files\Trend Micro\Titanium\TmConfig.dll/#2/#30994

res://\Program%20Files%20(x86)\Trend Micro\Titanium\TmSystemChecking.dll/#2/#30994

res://\Program%20Files\Trend Micro\Titanium\TmSystemChecking.dll/#2/#30994

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\shellex.dll/#2/#102

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\shellex.dll/#2/#102

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll/#2/#102

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll/#2/#102

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\shellex.dll/#2/#102

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\shellex.dll/#2/#102

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2009\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avzkrnl.dll/#2/BBALL

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avzkrnl.dll/#2/BBALL

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.1\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.1\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.2\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.2\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll/#2/#102

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll/#2/#102

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 7.0\shellex.dll/#2/#102

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 7.0\shellex.dll/#2/#102

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2009\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2009\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2010\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2010\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avzkrnl.dll/#2/BBALL

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2011\avzkrnl.dll/#2/BBALL

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2012\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2013\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 14.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 14.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.1\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.1\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 16.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 16.0.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE 2.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky PURE 2.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE 3.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky PURE 3.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky CRYSTAL 3.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky CRYSTAL 3.0\x86\mfc42.dll/#2/#26567

res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE\mfc42.dll/#2/#26567

res://\Program%20Files\Kaspersky Lab\Kaspersky PURE\mfc42.dll/#2/#26567

Looking at the list one can clearly see that some of these checks are meant to avoid users with security products that will likely block exploitation attempts, while others are meant to avoid security researchers by looking for virtualization solutions and applications commonly used in their research process.

The second check looks for the existence of various Kaspersky ActiveX's as a sign of a local installation of that AV:

Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi

Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi.1

Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi.4_5_0.1

This technique is used by most of the exploit kits to keep low profile and avoid detection. However, what makes this variant unique is that unlike other EKs, which integrate the filtering tests inside their landing pages, Magnitude decided to put the tests one step earlier, so that if the target machine fails any of these tests you will never get to any of Magnitude's real servers or exploits.

It's interesting to see the different ways in which exploit kit developers choose to cope with security mechanisms. While most exploit kits are making efforts to look more like legitimate web applications, Magnitude's heavy use of its URL structure is probably at least part of the reason why they chose to take a different approach and try to avoid exposing such URLs when possible.

Looking back at our telemetry we found a few more domains that were similarly leading to Magnitude:

1deposit[dot]info, 1stdeposit[dot]org, 1stdeposit[dot]me

This blog post was co-authored by Daniel Chechik and Rami Kogan.

Trustwave Secure Web Gateway protects customers against the Magnitude Exploit Kit including from this most recent version.