Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Exploit Kit Roundup: Best of Obfuscation Techniques

The world of exploit kits is an ever-changing one, if you happen to look away even just for one month, you'll come back to find that most everything has changed around you. Because of this, people like us, who work on a secure web gateway product, are continuously immersed in the world of exploit kits. Every once in a while it's a good idea to stop, take a look around us, and review what's changed. We would like to share some of the more interesting obfuscation techniques we're seeing utilized by exploit kits. We'll focus on techniques used to obfuscate exploits for Internet Explorer (since obfuscation methods differ for Java, Flash and other web content.)


Flash Exploits vs. Flash: The New Exploit Delivery Method

Flash exploits reached their peak a few years ago when exploit writers realized that most client machines had Adobe's Flash Player installed and vulnerabilities were still in abundance, but as time progressed Adobe rolled out a few key features such as sandboxing and silent patching, that made writing exploits for Flash Player a bit of a pain (and so exploit writers moved on to Java). This is not to say that Flash exploits have disappeared entirely- we still have the odd exploit such as CVE-2014-0502 and CVE-2014-0497 popping up, not to mention LadyBoyle who's still around. It seems, however, that attackers found a way to use the fact that Adobe Flash Player is installed on pretty much every client machine while avoiding the need to exploit Flash Player itself with all its hurdles: Flash Player is now used as more of a delivery platform to de-obfuscate the shellcode, call JavaScript methods in the original page that are otherwise completely unreferenced in the page itself, issue requests to additional URLs for more data, and other uses that don't involve an actual vulnerability in Flash Player.

Infinity Exploit Kit is a good example of such use of Flash: The Flash file defines a method and exposes it to the external page, then calls a method in the external page that prepares parts of the attack and calls the previously exposed method inside the Flash file, resulting in three transitions, or "hops" between the HTML page and the Flash file. These hops back and forth make it hard to follow the flow of (and thus detect) the attack:

Hop 1 - The HTML page loads the Flash file with "allowScriptAccess" set to "always", which allows the Flash file to, amongst other things, call methods in the HTML page:


Hop 2 - ActionScript code from the aforementioned Flash file. The first marked line shows the Flash file exposing the "wombt" method to the HTML page, and the second method calls a method by the name of "grask2" in the HTML page:


Hop 3 - A quick look at the "grask2" method in the HTML page shows us that this method indeed calls the "wombt" method exposed by the Flash file:


Taunts Us with AJAX

The Neutrino exploit kit took more of a whitehat path to obfuscation and fetches the code, in parts, using AJAX. Not only does it use AJAX requests to pull (and then deobfuscate) some of the shellcode, but it also issues some completely random requests to drown the obfuscated nonsense-looking data in other genuinely nonsensical data. It also uses the (real) JQuery library, as most web developers do:


In the image above you can see that the page issues a request to a page with a seemingly random name. The third argument sent to the get() method is a callback to execute upon success, in our case, the method "z" right below it. This method appends the code to the body of the page, but not before performing additional de-obfuscation with the help of the "i" method, turning the returned data into HTML code which, in turn, loads the exploit that the machine is most likely to be vulnerable to.

In addition to these requests that bring in more code, the page also issues some completely randomized requests in a method called "f_query" that looks like this: 10411_87cda14c-55c6-4c05-b665-5af4952eea65

As you can see, the arguments, as well as the HTTP method to use, are all generated with the help of randomization methods and the responses to these requests are never examined; This means that although the page issues multiple GET and POST requests, only the returned data from the request issued in the "query" method is really used to generate further code for the page to execute.

Mixing unnecessary data into legitimate data is a common approach used by many malware developers in an attempt to evade security products and measures.

Anglers Phish (Even When They're Using Exploits)

Angler Exploit Kit indeed lives up to its name, and though an exploit kit works in a drive-by method, where the user should not even be aware that they are receiving any unwanted content (let alone an exploit), various security engines still look at the static source code of a page to help determine whether a website is legitimate or malicious. Angler attempts to cover its track by hiding the malicious code within code stolen from a legitimate website, so as not to raise suspicion.

It doesn't look like much to the human eye, but the source code could easily pass for a legitimate website:


But behind this innocent-looking code hides our not-at-all-innocent exploit kit:



While some of these tricks are more sophisticated than others, they were all put in place because they work against some technology used by security products. Trustwave's Secure Web Gateway is constantly updated and tested against these types of threats to ensure protection to our customers. It's certainly always interesting!

Think we skipped an interesting obfuscation technique? Tell us about it in the comments!


This blog post was co-authored by Daniel Chechik and Anat Davidi.

Latest SpiderLabs Blogs

Search & Spoof: Abuse of Windows Search to Redirect to Malware

Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware. We found the threat actors utilizing a...

Read More

The Sentinel’s Watch: Building a Security Reporting Framework

Imagine being on shift as the guard of a fortress. Your job is to identify threats as they approach the perimeter. The more methods you have for detecting those threats, the better your chances of...

Read More

Fake Advanced IP Scanner Installer Delivers Dangerous CobaltStrike Backdoor

During a recent client investigation, Trustwave SpiderLabs found a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. Our client had been searching for...

Read More