RedKit: Lights! Camera! Action --- Part 2

Part 1 covered the analysis of a landing page and a malicious PDF file. Part 2 focuses on RedKit Java code. Roughly, the entire code can be broken into the following parts:

• Exploit
• String conversion code
• Initial payload fetcher
• AES decryption code
• Filename generator
• Storing and Execution code

NOTE: Code obfuscation changes variable, function, class file names as well as code execution flow. Names and code execution flow analyzed in this sample is different from other instances of RedKit, though the basics stay the same.

"I'm a... Splo-o-o-it for you..."

The idea behind any exploit is to elevate the execution privileges. This particular RedKit sample attempts to exploit CVE-2012-1723. Vulnerability exists in some HotSpot bytecode verifier versions that allow a condition called "type confusion". There are two types of variables involved here - 'class variable' (static field) and 'instance variable' (non-static field). It is possible to craft a method that takes a static field and returns a non-static field. JIT will get 'confused' about the field type if this method is called a lot of times. Further, combining this method with 'ClassLoader' class will allow for RCE. Michael 'mihi' Schierl put together an article describing this vulnerability in great details.

Core code of the exploit:

Combining the exploit with ClassLoader:

Once 'strkks' object is called it will load "Lotos.class"

The next step is to instantiate the class

And finally 'drop' the restrictions

These are the key steps involved in the exploit. The best indicator for CVE-2012-1723 is the 'Core code' illustrated above.

epo123roi123eiu123huu kyt123ctr123ire123lew123cwq

There is a small piece of code that is called after a successful exploit. It takes a parameter value(string of characters) from the landing page and converts it into URL. The link leads to the initial payload location. The decoding algorithm is relatively simple. Short list of operations performed on the string:

• The order of the characters is reversed (last --> first, 2nd last --> 2nd, etc.)
• 'Padding pattern' is removed from the string
• Every 3rd character is taken and stored in a new string

Part of the string passed from the landing page

By the time of writing this post, the algorithm for decoding the string has changed. More details can be found here.

Fetch it boy!

The fetcher code is almost as the one you'll find in many Java tutorials. These are the steps it follows:

• Creates ByteArrayOutputStream
• Opens InputStream
• Writes stream data into ByteArrayOutputStream
• Closes ByteArrayOutputStream
• Closes InputStream
• Returns ByteArrayOutputStream as a byte array

The execution flow is not as straight forward as described above though. The obfuscation tool used on the code split it across different methods and class files.

Fetcher's core code:

To be able to grab the initial payload with tools, like, 'wget', certain conditions have to be met. Specific header, referrer and IP are required to get it. Denis Laskov covered this anti-forensic feature in one of his blog posts.

These zeros and ones look familiar...

The byte array received via decoded URL is passed to AES decryptor. Java code used here for working with crypto cipher is quite 'standard' and can be broken into following steps:

• Assigning 'Secret Key' and 'Initialization Vector' values
• Instantiating an AES cipher
• Creating 'Secret Key' and 'IvParameterSpec'
• Creating the cipher
• Decrypting the byte array

'Secret Key' and 'Initialization Vector' values used in RedKit seem to stay the same for quite a long time now. The kit undergone many changes in March 2013, but still using the same values for SK and IV.

The method that decrypts the initial payload also has some 'preparation' code for storing the file. It detects Java Temp folder location and calls a method to generate a random filename.

"Name me, master!..."

5 to 10 character long filename is generated using random capital letters and numbers.

"Let's do some damage..."

Initial payload delivered by this RedKit sample will be stored in the folder specified in 'java.io.tmpdir' system property. However, before decrypted byte array is stored it's checked for the presence of some pattern. The pattern is serving as a splitter for the data in the array. 2 payloads can be delivered in a single encrypted data stream.

The array is splitted if the pattern is found.  Another random filename will be generated for the second payload and both arrays are passed to the method that will save them to the disk and execute.

The very last step

In most of the cases, the initial payload is a 'dropper' that pulls down other malware.

Summary

The key points of this particular RedKit sample:

• Initial payload location is stored encoded on the landing page
• Exploits CVE-2012-1723 and CVE-2010-0188
• Anti-forensic measures prevent direct payload download
• Initial payload is delivered as a data-stream and encrypted with AES
• 2 payloads can be delivered in a single data-stream
• Initial payload is stored in the folder specified in 'java.io.tmpdir'

RedKit is updated regularly. Some of the information in this analysis might not be valid for RedKit strains roaming in the wild after January 2013.

Update May 2013

Fraser Howard put together similar article:
http://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/

RedKit: Lights! Camera! Action! --- Part 1

I got my hands on a RedKit sample that was roaming around in January 2013. For the ease of referencing different samples I tag them based on the name of the class file specified in the <applet> tag of the kit's landing page. I have a suspicion the names might have some relation to RedKit code updates or campaigns as I've seen the class names being pretty consistent over some period of time. So far, I've seen the following names used: Ini, Runs, Gobon, Vlast and Application. So, the sample i was working on goes under a tag - 'Gobon'.

Where does it all begin?

It all starts with a landing page that has an injected <applet> tag with a location for the malicious JAR file, name of the .class file to start the execution with and a parameter that holds what looks like a set of random letters at first, but is actually an encoded URL for the initial payload.

Here is the break down:

'archive' - location of malicious JAR file
'code' - name of the class file to start the execution with
'name' - parameter name that will be passed with the JAR file to JVM
'value' - the value of the parameter passed

There were two <applet> sections in this particular sample and each of them had a set of individual items. The number of malicious <applet> tags on a landing page may vary. Possibly depends on the number of times the website has been compromised.

As seen in the snapshot above, the landing page has references to two JAR files - '332.jar' and '887.jar'. The names of the files have been changing since the first appearance of RedKit, but what seems to be consistent is that 1 of them carries exploits for Java 6 and the other for Java 7. In this particular case '332.jar' exploits Java 6 and '887.jar' Java 7 respectively. I've only encountered it once when both JAR files would be available on a compromised website. Generally, GET request for one of them receives 404 response.

Right after the malicious applet tags goes PluginDetect JavaScript(called 'Ganni' in this sample).

The script is not malicious, but it's wrapped up by the code that uses it to detect the version of Adobe Reader and depending on the result will pull a malicious PDF down.

So, there are two attack vectors on the landing page targeted at Java and Adobe Reader.

Update May 2013

Good inside look into RedKit server side operations covered by Fraser Howard / Sofos Labs.

Even more detailed analysis of RedKit server infrastructure by Kahu Security http://www.kahusecurity.com/2013/digging-deeper-into-redkit/


2010!? Seriously!?

Some exploits have a really long life span. For example, CVE-2006-0003 is still being used in Cool, BH, SweetOrange and CritXPack exploit kits. Keeping this in mind, appearance of CVE-2010-0188 in RedKit doesn't come as a big surprise. Specially crafted PDF file contains a JavaScript code that downloads an initial payload and execute it. For a better understanding on how JS fits into a PDF file and how PDFs are structured in general I'd recommend this article written by Didier Stevens.

The sample I used for this analysis was not the part of the RedKit instance mentioned above. This PDF file was a part of another RedKit captured in February 2013.

As with the JAR files, the names of the malicious PDFs have been changing too. This particular file is called '987.pdf'. Full analysis of it is available here. Object 2.0 contains a script that assembles and executes the exploit.

Variable/function names, 'padding' code and the way the code is being assembled changes from sample to sample. This particular code uses 'Title' field of the PDF document to build a JS expression. I used pdf-parser.py script to safely check the the 'Title' of the malicious document.

Function called 'ciiirsa' deletes every occurrence of 'XteTYS' in the 'Title' and returns what's left of it back. The result of this execution is the following code:

(eval(unescape(maallo.replace(/syt3tuir4 /g, gicyw.charAt(2))));)

When this expression is executed it will replace every occurrence of 'syt3tuir4' in 'maallo' string with a '%' sign. The end result is a string of characters that assemble the exploit code. Using 'Data Converter' tool from Kahu Security the string can be saved into a file. The resulting file is another JavaScript that contains some strings with hex code.

Using the same 'Data Converter' tool this hex code can be saved. The resulting file is the code that is executed upon successful vulnerability exploit. At the very bottom of the code is the URL where initial payload is fetched from.

Summary

This RedKit sample targets Oracle Java and Adobe Reader products. Exploits are delivered through a compromised website hosting pages with injected code. Attempt to exploit Java will be performed regardless of its version. Malicious PDF will be downloaded only after Adobe Reader version check is performed using PluginDetect script. JS exploit embedded into PDF file is obfuscated to avoid signature based detection.

RedKit: General information

RedKit Exploit Kit made its public appearance in the beginning of 2012. The discovery was reported by Arseny Levin - a specialist at Trustwave SpiderLabs. I couldn't find any solid information pointing at the origins of the exploit kit, but i strongly believe it was more likely developed by Russian cyber criminals or at least Russian speaking ones. This assumption is based on the fact that RedKit Customer Control Panel and its FAQ are written in Russian.

Original RedKit was armed only with CVE-2010-0188 and CVE-2012-0507, but it didn't prevent the exploit kit to become a popular choice among cyber crooks. Addition of CVE-2012-4681 and CVE-2012-1723 in August 2012 further boosted its popularity.

Further exploit additions:

• CVE-2012-5076 - added November 2012
• CVE2013-0422 - added January 2013
• CVE-2013-2423 - added April 2013

RedKit is no different to the majority of Exploit Kits in regards to distribution mechanism. It has a landing page, exploit files (JAR/PDF) and an initial payload. The way these components stick together has been changing since the original release of the exploit pack and more likely will continue to do so. As an example, RedKit used to use a very popular technique of applying JavaScript obfuscation for its landing page to 'hide' GET requests for the JAR files and the script for checking version of Adobe Reader or Acrobat installed on a machine. Now, most of the time the GET requests and the script are plain text. Similar change happened to the Java byte-code files, where original Java class files were protected by a commercial product called Allatori and now they are obfuscated by something else that in my opinion is easier to reverse-engineer. It is not clear from the original report if RedKit used TDS(Traffic Distribution System) at the time. Samples I have come across of were all utilizing some sort of TDS.

In September 2012, authors introduced a new payment option - 5% of the traffic. 'Customers' willing to use this option required to have traffic from US, CA, GB or AU though. Some treated this move as an indication of the project loosing revs and opened speculations of its end. Further lack of activity from the authors strengthened the speculations, but in November 2012 RedKit made a new big entry. The event was premeditated and well planned. Denis Laskov described it in details in his blog.

The below are known indicators of RedKit components. The list is not comprehensive.

TDS:

Number of different TDS were seen paired with RedKit. The most 'popular' ones are SimpleTDS and SutraTDS.

Landing page:

September 2012 - http://website_name/8digits_number.html
November 2012 - http://website_name/4random_letters.htm

Malicious JAR file requests:

April 2012 - http://website_name/images.php?t=6digits_number
May 2012 - http://website_name/24824.jar
June 2012 - http://website_name/55993.jar
September 2012 - http://website_name/88770.jar
September 2012 - http://website_name/33256.jar
November 2012 - http://website_name/887.jar
November 2012 - http://website_name/332.jar
March 2013 - http://website_name/3random_characters.jar

Malicious JNLP file requests:

April 2013 - http://website_name/3random_characters.jnlp

Malicious PDF file requests:

September 2012 - http://website_name/58765.pdf
September 2012 - http://website_name/98765.pdf
November 2012 - http://website_name/987.pdf

Initial payload URL and filename:

May 2012 - http://website_name/1.html
September 2012 - http://website_name/4.html
November 2012 - http://website_name/33.html - (setup.exe)
November 2012 - http://website_name/41.html - (setup.exe)
November 2012 - http://website_name/62.html - (setup.exe)