Around the middle of August many infection chains transitioned to RIG with more geo-focused bankers and less CryptXXX (CryptMic) Ransomware.
Picture 1: Select Drive-by landscape - Middle of August 2016 vs Middle of July 2016
RIG += internal TDS :
Trying to understand that move, I suspected and confirmed the presence of an internal TDS (Traffic Distribution System) inside RIG Exploit Kit [Edit 2016-10-08 : It seems this functionality is limited to Empire Pack version of RIG]I believe this feature appeared in the EK market with Blackhole (if you are aware of a TDS integrated earlier directly in an EK please tell me)
Picture2: Blackhole - 2012 - Internal TDS illustration
but disappeared from the market with the end of Nuclear Pack
Picture3: Nuclear Pack - 2016-03-09 - Internal TDS illustration
and Angler EK
Picture 4 : Angler EK - Internal TDS illustration
This is a key feature for load seller. It is making their day to day work with traffic provider far easier .
It allows Exploit Kit operator to attach multiple payloads to a unique thread. The drop will be conditioned by Geo (and/or OS settings) of the victim.
Obviously you can achieve the same result with any other exploit kit…but things are a little more difficult. You have to create one Exploit Kit thread per payload, use an external TDS (like Keitaro/Sutra/BlackHat TDS/SimpleTDS/BossTDS, etc…) and from that TDS, point the traffic to the correct Exploit Kit thread (or, if you buy traffic, tell your traffic provider where to send traffic for each targeted country).
Picture 5: A Sutra TDS in action in 2012 - cf The path to infection
RIG += RC4 encryption, dll drop and CVE-2016-0189:
Around 2016-09-12 a variation of RIG (which i flag as RIG-v in my systems) appeared.A slightly different landing obfuscation, RC4 encoding, Neutrino-ish behavioral and added CVE-2016-0189
Picture 6: RIG-v Neutrino-ish behavioral captured by Brad Spengler’s modified cuckoo
Picture 7: CVE-2016-0189 from RIG-v after 3 step de-obfuscation pass.
Neutrino waves goodbye ?
On 2016-09-09 on underground it has been reported a message on Jabber from the Neutrino seller account :This explains a lot. Here are some of my last Neutrino pass for past month.“we are closed. no new rents, no extends more”
Picture 8: Some Neutrino passes for past month and associated taxonomy tags in Misp
As you can see several actors were still using it…Now here is what i get for the past days :
Picture 9: Past days in DriveBy land
Not shown here, Magnitude is still around, mostly striking in Asia
Day after day, each of them transitioned to RIG or “RIG-v”. Around the 22nd of September 2016 the Neutrino advert and banner disappeared from underground.
Picture 10: Last banner for Neutrino as of 2016-09-16
Are we witnessing the end of Neutrino Exploit Kit ? To some degree. In fact it looks more like Neutrino is going in full “Private” mode “a la” Magnitude.
Side reminder : Neutrino disappeared from march 2014 till november 2014
A Neutrino Variant
Several weeks ago, Trendmicro (Thanks!!) made me aware of a malvertising chain they spotted in Korea and Taiwan involving Neutrino.Picture 11: Neutrino-v pass on the 2016-09-21
Upon replay I noticed that this Neutrino was somewhat different. Smoother CVE-2016-4117, more randomization in the landing, slightly modified flash bundle of exploits
Picture 12: Neutrino-v flash ran into Maciej‘s Neutrino decoder
Note the pnw26 with no associated binary data, the rubbish and additionalInfo
A Sample : 607f6c3795f6e0dedaa93a2df73e7e1192dcc7d73992cff337b895da3cba5523
Picture 13: Neutrino-v behavioral is a little different : drops name are not generated via the GetTempName api
functionk2(k) {
var y = a(e + "." + e + "Request.5.1");
y.setProxy(n);
y.open("GET", k(1), n);
y.Option(n) = k(2);
y.send();
if (200 == y.status) return Rf(y.responseText, k(n))
};
Neutrino-v ensuring Wscript will use the default proxy (most often when a proxy is configured it’s only for WinINet , WinHTTP proxy is not set and Wscript will try to connect directly and fail)I believe this Neutrino variant is in action in only one infection chain (If you think this is inaccurate, i’d love to hear about it)
Picture 14: Neutrino-v seems to be used by only one actor to spread Cerber 0079x
The actor behind this chain is the same as the one featured in the Malwarebytes Neutrino EK: more Flash trickery post.
Empire Pack:
Coincidentally a new Exploit Kit is being talked about underground : Empire Pack. Private, not advertised.Picture 15: King of Loads - Empire Pack Panel
Some might feel this interface quite familiar…A look a the favicon will give you a hint
Picture 16: RIG EK favicon on Empire Pack panel
Picture 17: RIG Panel
It seems Empire Pack project was thought upon Angler EK disappearance and launched around the 14th of August 2016.
[Speculation]RIG-v is a “vip” version of RIG. Now how exactly those three elements (RIG, RIG-v, Empire Pack) are overlapping,
I think this launch could be related to the first wave of switch to RIG that occurred around that time. I think, Empire Pack is a RIG instance managed by a Reseller/Load Seller with strong underground connections.
[/Speculation]
- api.php : historical RIG
- api3.php : RIG with internal TDS [ 2016-10-08 : This is Empire Pack. Appears to be using also remote_api after this post went live. I flag it as RIG-E ]
- remote_api.php : RIG-v
By the way RIG has also (as Nuclear and Angler endup doing) added IP Whitelisting on API calls to avoid easy EK tracking from there. :-" (Only whitelisted IP - from declared redirector or external TDS - can query the API to get the current landing)
Conclusion
Let’s just conclude this post with statistics pages of two Neutrino threadsPicture 18: Neutrino stats - Aus focused thread - 2016-07-15
Picture 19: Neutrino stats on 1 Million traffic - 2016-06-09
“We will be known forever by the tracks we leave”
Santee Sioux Tribe
Some IOCs
Date | Domain | IP | Comment |
---|---|---|---|
2016-10-01 | szsiul.bluekill[.]top | 137.74.55.6 | Neutrino-v |
2016-10-01 | twqivrisa.pinkargue[.]top | 137.74.55.7 | Neutrino-v |
2016-10-01 | u0e1.wzpub4q7q[.]top | 185.117.73.80 | RIG-E (Empire Pack) |
2016-10-01 | adspixel[.]site | 45.63.100.224 | NeutrAds Redirector |
2016-09-30 | re.flighteducationfinancecompany[.]com | 109.234.37.218 | RIG-v |
2016-09-28 | add.alislameyah[.]org | 193.124.117.13 | RIG-v |
2016-09-28 | lovesdeals[.]ml | 198.199.124.116 | RIG-v |
2016-09-27 | dns.helicopterdog[.]com | 195.133.201.23 | RIG |
2016-09-26 | sv.flickscoop[.]net | 195.133.201.41 | RIG |
2016-09-26 | red.truewestcarpetcare[.]com | 195.133.201.11 | RIG-v |
2016-09-26 | oitutn.yellowcarry[.]top | 78.46.167.130 | Neutrino |
Acknowledgements
Thanks Malc0de, Joseph C Chen(Trendmicro), Will Metcalf( EmergingThreat/Proofpoint) for their inputs and help on multiple aspect of this post.Edits
2016-10-03 :Removed limitation to KOR and TWN for Neutrino-v use by NeutrAds as Trendmicro informed me they are now seeing them in other Geos.
Added explanation about the IP whitelisting on RIG API (it was not clear)
2016-10-08 :
Updated with gained information on Empire Pack
2016-11-01 :
RIG standard is now also using the pattern introduces past week by RIG-v. It's now in version 4.
https://twitter.com/kafeine/status/790482708870864896
RIG panel |
2016-11-18 : Empire (RIG-E) is now using RC4 encoding as well. (still on old pattern and landing)
RIG-E Behavioral |
Read More
RIG’s Facelift - 2016-09-30 - SpiderLabsIs it the End of Angler ? - 2016-06-11
Neutrino : The come back ! (or Job314 the Alter EK) - 2014-11-01
Hello Neutrino ! - 2013-06-07
The path to infection - Eye glance at the first line of “Russian Underground” - 2012-12-05