In the past year we have been exploring the Magnitude Exploit Kit, one of the major actors in the cybercriminal scene. Like most modern exploit kits, Magnitude is built from several layers in order to decrease the chances of being exposed by security vendors. In this blog we will show a recent development in the Magnitude Exploit Kit which adds another layer of evasion.
In a previous blog post which dealt with Magnitude, we described the architecture of Magnitude exploit kit. Even though the architecture of the exploit kit is complex and fairly solid, Magnitude didn't put much effort into hiding its landing page, which could be easily detected by most of the security vendors (especially given the unique URL patterns Magnitude uses). Recently, we have noticed that the author of the Magnitude Exploit Kit has added an additional layer of evasion.
The following is a screenshot of the exploitation flow of Magnitude:
The referrer of the Magnitude exploit kit here was 1deposit[dot]com.
When browsing directly to the website, the user lands on a High-Yield Investment Program (HYIP) Ponzi scheme website.
This is the content you see when browsing directly to the site without a referrer:
At first glance the website looks legit, but when we started digging a bit more we found that it's just a mirror of the original HYIP website 9deposit.com. Having a legitimate-looking interface (even if the content is HYIP material) reduces the chances of being marked as malicious.
When browsing with any random referrer, the user is redirected to "bing.com", once more hiding the true nature of this site.
Only when browsing with the original referrer are we redirected to the landing page of Magnitude. It appears that the "Gateway server" of Magnitude redirects only filtered traffic to the landing page, accepting traffic solely from its malvertising campaigns driven by smytrafficfilter[dot]com.
Unlike in the previous "Gateway server" of Magnitude, the developer has added functionality to prevent unnecessary exposure of the landing page servers.
After analyzing the obfuscated code above (on "1deposit[dot]com" a.k.a Gateway server) we found the following checks:
The code above performs two types of checks to ensure that the machine is indeed a potential victim.
The checks use CVE-2013-7331 in two stages:
The first check uses an Image object to test whether a given application exists by pointing the "src" attribute at a local res:// path of that application. If the "onload" event fires, the path exists and the application is installed locally, so the redirection to the landing page does not take place.
The script probes the following large number of paths (applications):
Looking at the list one can clearly see that some of these checks are meant to avoid users with security products that will likely block exploitation attempts, while others are meant to avoid security researchers by looking for virtualization solutions and applications commonly used in their research process.
The second check looks for the existence of various Kaspersky ActiveX controls (by ProgID) as a sign of a local installation of that AV:
Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi
Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi.1
Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi.4_5_0.1
This technique is used by most exploit kits to keep a low profile and avoid detection. However, what makes this variant unique is that, unlike other EKs, which integrate the filtering tests inside their landing pages, Magnitude puts the tests one step earlier: a machine that fails any of these tests never reaches any of Magnitude's real servers or exploits.
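As an added example (not code from this post or from Magnitude), the following Python scanner flags the two probes described above in captured page script: Image sources pointing at res:// Program Files paths, and ActiveXObject checks for vendor ProgIDs. The sample script, the vendor keyword table and the function names are constructed here for illustration.

```python
import re
from typing import List, NamedTuple
from urllib.parse import unquote

# Constructed sample of a gateway-style fingerprinting script (assumed shape,
# not the real Magnitude code): Image objects whose src is a res:// URI and
# an ActiveXObject probe for a Kaspersky ProgID.
SAMPLE_SCRIPT = r'''
var a = new Image(); a.onload = function () { hit = 1; };
a.src = "res://\\Program%20Files\\Fiddler2\\Fiddler.exe/#3/#32512";
var b = new Image(); b.onload = function () { hit = 1; };
b.src = "res://\\Program%20Files%20(x86)\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#26567";
try { new ActiveXObject("Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi"); hit = 1; } catch (e) {}
'''

# Vendor keywords taken from the probed paths, grouped by what the gateway
# is trying to avoid (constructed table, extend as needed).
CATEGORIES = {
    "analysis tool": ("fiddler",),
    "virtualization": ("vmware", "virtualbox", "parallels"),
    "security product": ("eset", "malwarebytes", "trend micro", "kaspersky"),
}

RES_URI = re.compile(r'res://([^"\'\s]+)')
ACTIVEX = re.compile(r'ActiveXObject\(\s*["\']([^"\']+)["\']')


class Finding(NamedTuple):
    kind: str      # "res_probe" or "activex_probe"
    target: str    # decoded local path or ProgID
    category: str  # one of CATEGORIES or "unknown"


def classify(target: str) -> str:
    t = target.lower()
    for category, keywords in CATEGORIES.items():
        if any(k in t for k in keywords):
            return category
    return "unknown"


def scan(script: str) -> List[Finding]:
    """Extract res:// and ActiveXObject probes from page script text."""
    findings = []
    for m in RES_URI.finditer(script):
        # Undo JS string escaping and URL encoding so paths read naturally.
        path = unquote(m.group(1).replace("\\\\", "\\"))
        findings.append(Finding("res_probe", path, classify(path)))
    for m in ACTIVEX.finditer(script):
        findings.append(Finding("activex_probe", m.group(1), classify(m.group(1))))
    return findings


def is_fingerprinting(findings: List[Finding]) -> bool:
    """A legitimate page has no reason to load res:// Program Files paths."""
    return any(f.kind == "res_probe" and "program files" in f.target.lower()
               for f in findings)
```

Run over a proxy log or sandbox capture of the gateway page, any res_probe hit is a strong signal that the page is filtering victims rather than serving content.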
It's interesting to see the different ways in which exploit kit developers choose to cope with security mechanisms. While most exploit kits make an effort to look more like legitimate web applications, Magnitude's heavy reliance on its distinctive URL structure is probably at least part of the reason why its developers chose a different approach and try to avoid exposing such URLs whenever possible.
Looking back at our telemetry we found a few more domains that similarly led to Magnitude:
1deposit[dot]info, 1stdeposit[dot]org, 1stdeposit[dot]me
This blog post was co-authored by Daniel Chechik and Rami Kogan.
Trustwave Secure Web Gateway protects customers against the Magnitude Exploit Kit including from this most recent version.