Tracking Exploit Kits
John Bambenek, Manager of Threat Systems, Fidelis Cybersecurity

Introduction
• Manager of Threat Systems with Fidelis Cybersecurity
• Part-time faculty in Computer Science at the University of Illinois
• Provider of open-source intelligence feeds
• Run several takedown-oriented groups and surveil threats
• Email: john.bambenek@fidelissecurity.com

Why track exploit kits?
• After investigating and occasionally getting malware operators prosecuted, new malware always shows up to take its place.
• Operation Tovar ended Gameover Zeus and CryptoLocker; now we have Vawtrak and Locky.

Why track exploit kits?
• Law enforcement operations against cybercrime take months or years and only pursue a limited number of threats.
• However, almost all criminal malware arrives via one of two methods: spam botnets or exploit kits.
• What if you could smash the entire malware delivery ecosystem instead?

Why track exploit kits?
• Earlier this year, Russian authorities arrested the Lurk group, which had direct connections to Angler Exploit Kit (EK) operations.
• Angler EK went away overnight.

Intelligence Priorities
• Priority 1: Ensure current products detect new malware and changes in EKs to protect customers.
• Priority 2: Develop intelligence to track EK operators and customers, ultimately to disrupt an entire ecosystem instead of one small crime group.

What is an Exploit Kit?
• A set of tools (predominantly web-based) that exploit vulnerabilities in software (browser, Adobe, Java, etc.) to spread malware.
• Each kit uses a relatively static list of exploits, and the lists vary from kit to kit.
• They rarely (but sometimes) use 0-days.
• They operate as a criminal service and "sell infections" of whatever malware the customer provides.
• Primary defense: patch your OS and applications.

Exploit Kits
• RIG
• Nuclear
• Neutrino
• Magnitude
• Angler
• Many more…

Campaign IDs
• Many, but not all, malware operators use multiple means of delivery and compartmentalize them using campaign IDs.
• Sometimes the campaign ID refers to an affiliate.
• Sometimes it is just for a specific run of their malware.
• Correlating affiliates across malware delivery mechanisms can provide interesting insights into the marketplace behind malware delivery.

Locky Example

Data-mining malware
• Taking data derived from malware, you can rip configs and get information.
• Spoke about this here last year.
• Cross-correlate on delivery method and you now have insight into who is buying service from whom.
• Now you have the raw building blocks for an operation similar to what Russia did to the Lurk group, which ended Angler.

Basic EK Process
• Victim clicks on a (usually compromised) webpage.
• There is validation of suitability:
  • Geo-blacklisting
  • Likely vulnerable browser
  • Blacklisting of suspected sandboxes and security researchers
• Victim is directed to the actual exploit.
• Victim downloads and installs malware.

Magnitude to Cerber example
• From malware-traffic-analysis.net, which has great blog posts on EK traffic.

Exploit Kit URLs often have patterns
• Some older Nuclear EK URL patterns in PCRE:
• \.(su|ru)\/mod\_articles-auth.*\d\/(ajax|jquery)\/\/b\/shoe\/[0-9]{4,10}
• ^[^\/\n]{1,99}?\/url\?([\w]+=([\w\.]+)?&){5,10}url=https:\/\/[\w]+\.[a-z]{2,3}&([\w]+=([\w\.]+)?&){2,6}[\w]+=[\w\.]+$
• ^[^\/\n]{1,99}?\/search\?(?=.*[a-z]+=utf8&)(?=.*ei=.*(\p{Ll}\p{Lu}|\p{Lu}\p{Ll}))(?=.*ei=.{20,})(?!=\/)([a-z_]{1,8}=[\w\+\.\x20]+&?){2,5}$
• ^[^\/\n]{1,99}?\/(?-i)([a-z0-9]+\/){0,3}\d{2,3}(_|-)[a-z]+(_|-)\d+\.[a-z]{3,6}$
• ^[^\/\n]{1,99}?\/(?-i)([a-z0-9]+\/){0,3}[a-z-]+\?(([a-z_-]|[0-9]){3,}=([a-z_-]|[0-9]){3,}&){1,5}[a-z0-9_-]{2,}=[a-z0-9]{8,}$
• Note the leading ^[^\/\n]{1,99}?\/ in the last four: it consumes the host, so these patterns are applied to host/path (no scheme), not to the path alone.

Non-Attributable Networks
• EKs do have a tendency to block obvious security researchers and security company netblocks.
• They don't do a good job of blocking commodity VPN services.
• You can pick what country you want to appear to come from.
• There are still limits to what you can retrieve using a VPN.
• VPN inside or outside the Cuckoo VM?

Non-Attributable Network
• At present, there is no easy central way to manage multiple Cuckoo instances that reach out to multiple geographies from the same instance.
• Solution: run multiple physical Cuckoo instances with the VPN outside the VM, and rotate IPs within a geography on each batch run.

Exploit hunting
• Each exploit kit has a partially overlapping but unique set of exploits it uses.
• To get Cuckoo to execute the exploit, some care needs to be spent in choosing
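As an added example (not code from the deck or from the speaker), here are the five Nuclear EK URL patterns from the "Exploit Kit URLs often have patterns" slide applied to a handful of constructed proxy-log lines. Ruby is used because its Onigmo regex engine accepts the PCRE syntax on the slide unchanged (\p{Ll} classes, lookaheads, the inline (?-i) flag), which Python's re module does not. The rule labels, the log-line format and every host name and URL below are invented for this example; the patterns themselves are the slide's, with the underscore in the first written unescaped and the [a-z] and [0-9] classes spelled with their hyphens.

```ruby
# Added example: run the slide's Nuclear EK URL patterns over constructed
# proxy-log lines and report which rule each URL hits. Not the speaker's code.

# The five PCRE patterns from the slide. The labels are assumptions made for
# this example, not rule names from the deck. Single quotes keep the
# backslashes literal so the PCRE text is handed to Onigmo as written.
NUCLEAR_EK_PCRE = {
  'nuclear_mod_articles'  => '\.(su|ru)\/mod_articles-auth.*\d\/(ajax|jquery)\/\/b\/shoe\/[0-9]{4,10}',
  'nuclear_fake_url'      => '^[^\/\n]{1,99}?\/url\?([\w]+=([\w\.]+)?&){5,10}url=https:\/\/[\w]+\.[a-z]{2,3}&([\w]+=([\w\.]+)?&){2,6}[\w]+=[\w\.]+$',
  'nuclear_fake_search'   => '^[^\/\n]{1,99}?\/search\?(?=.*[a-z]+=utf8&)(?=.*ei=.*(\p{Ll}\p{Lu}|\p{Lu}\p{Ll}))(?=.*ei=.{20,})(?!=\/)([a-z_]{1,8}=[\w\+\.\x20]+&?){2,5}$',
  'nuclear_numbered_file' => '^[^\/\n]{1,99}?\/(?-i)([a-z0-9]+\/){0,3}\d{2,3}(_|-)[a-z]+(_|-)\d+\.[a-z]{3,6}$',
  'nuclear_query_token'   => '^[^\/\n]{1,99}?\/(?-i)([a-z0-9]+\/){0,3}[a-z-]+\?(([a-z_-]|[0-9]){3,}=([a-z_-]|[0-9]){3,}&){1,5}[a-z0-9_-]{2,}=[a-z0-9]{8,}$',
}.freeze

NUCLEAR_EK_RULES = NUCLEAR_EK_PCRE.transform_values { |pcre| Regexp.new(pcre) }.freeze

# Four of the five patterns start with ^[^\/\n]{1,99}?\/ which consumes the
# host, so they expect "host/path?query" without a scheme. Strip it first.
def ek_match_target(url)
  url.sub(%r{\Ahttps?://}i, '')
end

# Labels of every Nuclear pattern the URL matches; empty for a benign URL.
def classify_url(url)
  target = ek_match_target(url)
  NUCLEAR_EK_RULES.select { |_label, re| re.match?(target) }.keys
end

# Constructed proxy log, one request per line as "<epoch> <client_ip> <url>".
# None of these hosts or URLs are real observations.
SAMPLE_PROXY_LOG = <<~LOG.lines.map(&:chomp).freeze
  1470000001.100 10.0.0.5 http://www.example.com/index.html
  1470000002.200 10.0.0.5 http://www.example.com/search?q=cats&ie=utf8
  1470000003.300 10.0.0.7 http://fake-host.su/mod_articles-auth/123/ajax//b/shoe/48271
  1470000004.400 10.0.0.7 http://fake-host.example/url?a=1&b=2&c=3&d=4&e=5&url=https://something.com&f=6&g=7&h=8.1
  1470000005.500 10.0.0.9 http://fake-host.example/search?q=free+flash+update&ie=utf8&ei=aBcDeFgHiJkLmNoPqRsTuVwXyZ
  1470000006.600 10.0.0.9 http://fake-host.example/files/12_report_7.swf
  1470000007.700 10.0.0.11 http://fake-host.example/viewtopic?user_id=abc123&session=deadbeef01
LOG

# Walk the log and emit one hit per (line, matching rule) pair.
def scan_proxy_log(lines)
  lines.each_with_object([]) do |line, hits|
    ts, client, url = line.split(' ', 3)
    next if url.nil?
    classify_url(url).each do |label|
      hits << { time: ts, client: client, url: url, rule: label }
    end
  end
end

if $PROGRAM_NAME == __FILE__
  scan_proxy_log(SAMPLE_PROXY_LOG).each do |h|
    puts "#{h[:time]} #{h[:client]} #{h[:rule]} #{h[:url]}"
  end
end
```

Run as a script it prints five hits, one per pattern, for the three "fake-host" clients and nothing for the two www.example.com requests. The first pattern is deliberately unanchored (it keys on the .su/.ru TLD and the mod_articles-auth path), while the other four anchor on the host prefix; feeding them a full URL with scheme would silently miss everything, which is the most common mistake when lifting IDS pcre content into a log-search tool.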
2016: "John Bambenek - Tracking Exploit Kits"