Tuesday, 5 March 2013

RedKit: General information

RedKit Exploit Kit made its public appearance at the beginning of 2012. The discovery was reported by Arseny Levin, a specialist at Trustwave SpiderLabs. I couldn't find any solid information pointing at the origins of the exploit kit, but I strongly believe it was most likely developed by Russian cyber criminals, or at least Russian-speaking ones. This assumption is based on the fact that the RedKit customer control panel and its FAQ are written in Russian.

The original RedKit was armed only with CVE-2010-0188 and CVE-2012-0507, but that didn't prevent the exploit kit from becoming a popular choice among cyber crooks. The addition of CVE-2012-4681 and CVE-2012-1723 in August 2012 further boosted its popularity.

Further exploit additions:

RedKit is no different from the majority of exploit kits with regard to its distribution mechanism. It has a landing page, exploit files (JAR/PDF) and an initial payload. The way these components fit together has been changing since the original release of the exploit pack and will most likely continue to do so. As an example, RedKit used to apply the very popular technique of JavaScript obfuscation to its landing page in order to 'hide' the GET requests for the JAR files and the script that checks which version of Adobe Reader or Acrobat is installed on the machine. Now, most of the time, the GET requests and the script are in plain text. A similar change happened to the Java bytecode files: the original Java class files were protected by a commercial product called Allatori, and now they are obfuscated by something else that, in my opinion, is easier to reverse-engineer. It is not clear from the original report whether RedKit used a TDS (Traffic Distribution System) at the time. The samples I have come across were all utilizing some sort of TDS.

In September 2012, the authors introduced a new payment option: 5% of the traffic. 'Customers' willing to use this option were required to have traffic from US, CA, GB or AU, though. Some treated this move as an indication that the project was losing revenue and speculated about its end. A further lack of activity from the authors strengthened the speculation, but in November 2012 RedKit made a big new entry. The event was premeditated and well planned. Denis Laskov described it in detail in his blog.

Below are known indicators of RedKit components. The list is not comprehensive.


A number of different TDSs were seen paired with RedKit. The most 'popular' ones are SimpleTDS and SutraTDS.

Landing page:

September 2012 - http://website_name/8digits_number.html
November 2012 - http://website_name/4random_letters.htm

Malicious JAR file requests:

April 2012 - http://website_name/images.php?t=6digits_number
May 2012 - http://website_name/24824.jar
June 2012 - http://website_name/55993.jar
September 2012 - http://website_name/88770.jar
September 2012 - http://website_name/33256.jar
November 2012 - http://website_name/887.jar
November 2012 - http://website_name/332.jar
March 2013 - http://website_name/3random_characters.jar

Malicious JNLP file requests:

April 2013 - http://website_name/3random_characters.jnlp

Malicious PDF file requests:

September 2012 - http://website_name/58765.pdf
September 2012 - http://website_name/98765.pdf
November 2012 - http://website_name/987.pdf

Initial payload URL and filename:

May 2012 - http://website_name/1.html
September 2012 - http://website_name/4.html
November 2012 - http://website_name/33.html - (setup.exe)
November 2012 - http://website_name/41.html - (setup.exe)
November 2012 - http://website_name/62.html - (setup.exe)
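The URL patterns listed above are coarse but still useful for triage in proxy logs. The following is an added example (my own construction, not code from the blog or from the kit) that turns the indicator list into regexes and correlates hits per host: a host that served a landing page plus an exploit file or payload is flagged as a probable RedKit chain, which cuts down on the false positives a lone 4-letter .htm or 5-digit .pdf would produce. The log format and host names are assumed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Path patterns derived from the indicator list above (constructed for this
# example; the "kind" label groups them by RedKit component type).
PATH_PATTERNS = [
    ("landing", re.compile(r"^/\d{8}\.html$")),                        # Sep 2012
    ("landing", re.compile(r"^/[a-z]{4}\.htm$", re.I)),                # Nov 2012
    ("jar",     re.compile(r"^/\d{5}\.jar$")),                         # May-Sep 2012
    ("jar",     re.compile(r"^/\d{3}\.jar$")),                         # Nov 2012
    ("jar",     re.compile(r"^/[a-z0-9]{3}\.(?:jar|jnlp)$", re.I)),    # Mar/Apr 2013
    ("pdf",     re.compile(r"^/\d{5}\.pdf$")),                         # Sep 2012
    ("pdf",     re.compile(r"^/\d{3}\.pdf$")),                         # Nov 2012
    ("payload", re.compile(r"^/\d{1,2}\.html$")),                      # 1.html, 4.html, 33.html ...
]

def classify(url):
    """Return the RedKit component type a URL resembles, or None."""
    parts = urlsplit(url)
    # April 2012 JAR request: /images.php?t=<6 digits>
    if parts.path == "/images.php":
        t = parse_qs(parts.query).get("t", [""])[0]
        return "jar" if re.fullmatch(r"\d{6}", t) else None
    for kind, rx in PATH_PATTERNS:
        if rx.match(parts.path):
            return kind
    return None

def scan_log(lines):
    """Scan 'client method url' log lines; return {host: (kinds, probable_chain)}.
    probable_chain is True when the host served a landing page and at least one
    other component type (JAR/PDF/payload)."""
    hits = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        kind = classify(fields[2])
        if kind:
            hits[urlsplit(fields[2]).hostname].add(kind)
    return {h: (k, "landing" in k and len(k) > 1) for h, k in hits.items()}

# Constructed sample log lines (placeholder hosts, not real traffic).
SAMPLE_LOG = [
    "10.0.0.5 GET http://example-site.test/qwer.htm",
    "10.0.0.5 GET http://example-site.test/887.jar",
    "10.0.0.5 GET http://example-site.test/33.html",
    "10.0.0.7 GET http://news.test/index.html",
    "10.0.0.7 GET http://cdn.test/images.php?t=123456",
]

if __name__ == "__main__":
    for host, (kinds, chain) in scan_log(SAMPLE_LOG).items():
        print(host, sorted(kinds), "PROBABLE REDKIT CHAIN" if chain else "")
```

Single hits (the cdn.test line above) are worth a look but are not conclusive on their own; the per-host chain is the stronger signal.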
