Recently we managed to get an unusual peek into the content that is used on the servers of the prevalent exploit kit, Magnitude. In this blog post we'll review its most up-to-date administration panel and capabilities, as well as review some infection statistics provided by Magnitude over the course of several weeks. (Check out a second article in this blog series here.)
These days, after the arrest of Paunch, the Blackhole exploit kit creator, exploit kit developers and sellers have learned their lesson regarding doing business in the underground. Unlike the "last generation" exploit kits, today's leading exploit kits cost customers much more than before due to an "additional risk fee", and exploit kit vendors no longer advertise in the underground forums the way they used to. If one wishes to rent an exploit kit instance, they must know a guy who knows a guy who knows someone (etc.) who can connect the buyer with the actual seller. It's all based on trust among these forums.
The Magnitude exploit kit is one of the most prevalent exploit kits these days and holds 31% of the exploit kit market share, as described in Trustwave's 2014 Global Security Report. Magnitude is notorious for being used in infections of several high profile websites such as the Yahoo Ad Network and the php.net site, both of which were compromised to redirect users to instances of that exploit kit. Several researchers have published great write-ups about Magnitude, yet because these exploit kits have become so sneaky, it's hard to find more information about the inner workings of the exploit kit itself.
Magnitude's Administration Panel
Here is a screen shot of Magnitude's admin panel:
Magnitude's admin panel is written almost entirely in Russian. We included a translation of the main parts below. This admin panel is quite minimalistic in terms of design, but make no mistake about it: this panel contains every bit of information and statistics a campaign manager needs to keep track of: infection rates, the exploits' AV detection rates, domain blacklisting, etc.
By its nature, Magnitude cannot be rented for weekly or monthly use. Instead, every potential customer can redirect traffic to the exploit kit and enjoy the robust infrastructure of new and unknown rotating domains, exploits that bypass many leading AV products, a statistics panel, etc. In return, 5-20% of the victims are allocated to the exploit kit's writer, who infects those victims with his own malware of choice. Customers who generate more traffic have to allocate a lower percentage of victims. You can call that "a volume discount".
This model may not sound very profitable for the Magnitude author, but in reality it is. For example, over the course of a few weeks the author distributed Cryptowall Defense, a well-known ransomware, to these victims' computers. This malware encrypts files and forces the user to pay the attacker a decent price, normally around $500 USD, to decrypt them. Users had to pay in Bitcoins to a virtual wallet that was specified in the malware. We found that in a single week Bitcoins worth $60,000 USD were deposited to the cybercriminal's wallet, making this model more profitable than the traditional rental business. In addition, it makes it easier for new customers to start working with him, since they don't need to pay money upfront in order to use the system and instead just "donate" part of their own traffic.
Admin Panel in Detail
Let's have a look now at each section of the admin panel. Infection statistics from the past few days are shown in the expandable view in the top left corner:
What can we learn from the statistics above?
The Magnitude admin panel also allows campaign managers to upload an executable as the payload for infection or, alternatively, to provide a URL for the executable. Executables are pulled by the exploit kit every couple of hours.
Let's have a look at the daily update board. See the translation below for each section.
The Magnitude administration keeps its users updated on the latest news about the exploit kit. Since most of our blog readers aren't fluent in Russian, we provide below the translation and some commentary:
1. 11.05.2014: For security reasons, it was decided to reset the statistics every Monday and Thursday at 00:00.
"Security" in the criminal context is obviously the opposite of the normal meaning: the cybercriminals are concerned about the information security community and industry blacklisting Magnitude domains, payloads, etc.
2. 10.01.2014: Statistics data were reset and the delivery mechanism was improved. The exploit rate is expected to increase.
This means the author has improved the exploits' stability. It is not an easy task to make sure the exploits work successfully on a variety of systems (various browsers, plugins, operating systems, etc.)
3. 06.12.2013: We added the possibility to refresh the executable file automatically without contacting tech support.
This shows how the service has evolved with automation similar to legitimate software products.
4. 22.11.2013: Increased infection rates by 30% due to the cardinal change in the way we serve the payloads, hurry up and send your traffic!
5. 10.10.2013: We are no longer accepting traffic from the following countries (Former USSR countries, small countries from Asia, the Middle East, Africa and South America):
A1 A2 O1 SU RU UA BY UZ KZ GE AZ LT MD LV KG TJ AM TM JP JA CN TH VN ID MY TZ PH RO SG TT YE LK PK SA BG UY RS OM IQ KW DO SV TN KE EU NP BD MN SK CR JO LU BB MU NI AP BS MQ NG CY BO AO PY MK GU BH SI NA LB BA BN GD LA BZ PG ZM SY LY SD HT MO PS UG GF RE AF SN LR NC KH GP BW HN AW PF CW VI IS KN AG BM GY DM MT BT MZ EE GL CI MG MV MC GA CD LI GQ ZW CM SR JE DJ CV SZ ME FJ LC KY GH SB VU ET RW MW ER LS EG AE TW ZA
This illustrates a common practice among malware distributors. There are several reasons why they use this geographical blacklisting:
6. FAQ:
6.1. The link in "UPDATE URL FROM" is valid for 5 minutes after the update.
A common practice to avoid detection by products that blacklist URLs is to frequently change the domain. The "link" mentioned above is an API for retrieving the URL for the landing page of the Magnitude exploit kit. Customers are expected to automate the retrieval of the new URL in order to update their traffic redirection schemes.
6.2. Automatically checks files and domains once every 30 minutes, starting from 00:00.
"Checks" here means scanning the malware with various AV/security products in order to make sure that the malware sample distributed by Magnitude will go undetected.
6.3. Stats will be reset at 00:00 Moscow Time.
6.3. Clicking the domain on the right side displays a detailed list of unique hits, OS, referrals, etc.
6.3. Accounts inactive for more than 2 days are removed :)
6.4. In order to use the API that provides the landing page URL, you must first provide the support team with the origin IP for your automation.
The bad guys restrict access to their API by source IP, similar to what legitimate cloud service providers do.
6.5. Our exploit kit will exploit only Internet Explorer – all other browsers will be automatically filtered out. If you believe that some other browser can be exploited – talk to support.
7. Advertising from partners ("Реклама от партнеров")
Magnitude advertises the Podmena2014 [a.k.a. Simda] affiliation. You can read more about it here. We can also notice the Cashalot affiliation, a new affiliation that aims to infect victims with malware that covertly clicks on advertisements, replacing advertisements on the fly. This malware helps generate revenue through both ad networks and SEO schemes. Moreover, this malware is conveniently integrated with a cryptocurrency miner.
The next section provides detailed statistics:
Do you even infect, bro??
Now let's talk numbers and see some of Magnitude's overall statistics:
Note: Countries with less than 5,000 attempted infections are not shown in the chart.
Successful exploit statistics (a complete list is available here):
Note: Countries with less than 500 infections are not shown in the chart.
Although the number of infected machines is highest in the US, the infection rate in the US (as well as in France and other European countries) is much lower than in other countries such as Iran, Vietnam and India. This likely reflects the difference in the level of security awareness and security product deployment between these groups of countries.
Let's talk Malware
One of the most important steps in configuring any malicious campaign is choosing the malware which will be distributed to victims. Let's have a look at the malware variants that were selected by Magnitude customers:
The following is a breakdown of malware used in the recent Magnitude campaign:
Alureon - Info stealer family. These Trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information from the infected computer, such as user names, passwords, and credit card data.
CryptoWall - Ransomware that encrypts files using RSA-2048. Requires victims to pay the attacker via Bitcoin for the decryption key.
Necurs - Backdoor. Necurs is a Trojan that opens a backdoor on the compromised machine. The Trojan may also disable antivirus products as well as download and install additional malware.
Nymaim - Essentially a backdoor: it injects into a running process and connects to a remote web server to receive commands.
Simda - A backdoor. Injects into a common running process. Attempts to kill security/reversing/analysis software. Hooks common Windows API calls. Accesses a remote C&C server.
Tepfer - An info stealer. Grabs usernames/passwords from common applications on the victim machine.
Vawtrak - Another backdoor family. Injects into a browser executable or explorer.exe. It provides control to a remote attacker, and may steal credentials to popular banking sites.
Trustwave contacted law enforcement agencies with the details of this research prior to posting this blog.
Customers of Trustwave Secure Web Gateway (SWG) are protected against Magnitude and other exploit kits without any further updates.