Tired of playing exploit kit whack-a-mole? Let's automate

Post on 21-Feb-2017


Transcript

TIRED OF PLAYING EXPLOIT KIT WHACK-A-MOLE? LET’S AUTOMATE

BSidesSF 2017

SYN

Anjum Ahuja (@jack8daniels2)
Threat Researcher at Endgame
Background in network security and large-scale data analysis


ACK

Joe Desimone (https://github.com/endgameinc/Maxwell)
Chris Donaher & Chan Kim
Brad (@malware_traffic)
Kafeine (@kafeine)


ATTACK STAGES

REDIRECT → EXPLOIT → INFECT

Redirect: Malvertising / Compromised
Exploit: Discover & exploit vulnerabilities
Infect: Drop payload


ATTACK CHAIN

Malvertising / Compromised → One or more Gates → EK landing page


EXISTING APPROACHES

Sandbox based solution
• Cost of VM management

JavaScript debugging & DOM inspection
• Manual

Can we do better?


AUTOMATE THE BREAKPOINTS(?)

Headless browsers
• PhantomJS (WebKit, Qt 5.5)
• SlimerJS (Firefox 50)

page.injectJs(filename)
page.onResourceRequested(requestData, networkRequest)
page.onResourceReceived(response)
page.settings.userAgent = "whatever"


JS FUNCTION HOOKING


REDIRECT

• Injected iframe
• 302 redirect
• window.location redirect

Malicious Ad

Compromised


GATE

• Filter out unwanted traffic
• Hosted at throw-away domains: link shortener, dynamic DNS
• Client side checks: browser/OS fingerprint, detect AV, sandbox, headless browsers(!)
• Server side checks: Geo, IP, cookies
• Obfuscated and/or encrypted code

One or more Gates


GATE


BROWSER FINGERPRINTING


DECRYPTION


BROWSER FINGERPRINTING (RIG-V)


DON’T PANIC

• Replicate IE's window object
• Expand function hooking to Function prototype, DOM manipulation, String manipulation, Event handlers
• Override the navigator, navigator.plugins & navigator.mimeTypes


ATTRIBUTE ACCESS HOOKS


CALLSTACK


PLUGINS

CVE-2013-7331: The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes


PROXY OBJECTS

The Proxy object is used to define custom behavior for fundamental operations (e.g. property lookup, assignment, enumeration, function invocation, etc.).

target = new Proxy(target, handler);


ACTIVEX USING PROXY OBJECTS
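The Proxy-based instrumentation the slides describe, as an added example that is not code from the talk or from Endgame's Maxwell project: a spoofed navigator and a fake ActiveXObject constructor are wrapped in Proxy traps so that every property read, method call and requested ProgID made by page script lands in a log the analyst can inspect. All values, the hooked object names and the sample script are constructed for illustration.

```javascript
// Added example (not the talk's code): Proxy-based attribute access and
// function-call hooks for a headless, low-interaction exploit kit honeypot.
const accessLog = [];
function hookObject(name, target) {
  return new Proxy(target, {
    get(obj, prop, receiver) {
      if (typeof prop !== 'string') return Reflect.get(obj, prop, receiver);
      const path = `${name}.${prop}`;
      accessLog.push({ type: 'get', path });            // attribute access hook
      const value = Reflect.get(obj, prop, receiver);
      if (typeof value !== 'function') return value;
      return new Proxy(value, {                         // function hook: log args
        apply(fn, thisArg, args) {
          accessLog.push({ type: 'call', path, args: args.map(String) });
          return Reflect.apply(fn, obj, args);
        },
      });
    },
  });
}
// Spoofed Internet Explorer-style navigator (every value is constructed).
const fakeNavigator = hookObject('navigator', {
  userAgent: 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko',
  plugins: hookObject('navigator.plugins', { length: 0 }),
  mimeTypes: hookObject('navigator.mimeTypes', { length: 0 }),
});
// Fake ActiveXObject: records the requested ProgID and hands back an inert,
// hooked stand-in instead of a real control.
function FakeActiveXObject(progId) {
  accessLog.push({ type: 'activex', path: progId });
  return hookObject(`ActiveXObject(${progId})`, {
    loadXML() { return true; },
    parseError: { errorCode: 0 },
  });
}
// Run page script against the hooked globals; return a copy of the log.
function runHooked(script) {
  accessLog.length = 0;
  const fn = new Function('navigator', 'ActiveXObject', script);
  try { fn(fakeNavigator, FakeActiveXObject); }
  catch (e) { accessLog.push({ type: 'error', path: String(e) }); }
  return accessLog.slice();
}
// Constructed sample of the kind of probing a gate performs (not real EK code).
const SAMPLE_SCRIPT = "var p = navigator.plugins.length;" +
  " var x = new ActiveXObject('Microsoft.XMLDOM');" +
  " x.loadXML('<a/>'); var c = x.parseError.errorCode;";
console.log(JSON.stringify(runHooked(SAMPLE_SCRIPT), null, 1));
```

The returned log is the raw material for the signatures discussed later in the deck: which plugins were enumerated, which ProgIDs were requested and what arguments were passed.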


FOR GOOD MEASURE

Inject mouse events: page.sendEvent(mouseEventType[, mouseX, mouseY, button='left'])

Inject keyboard events: page.sendEvent(keyboardEventType, keyOrKeys, [null, null, modifier])


FINAL OUTPUT

• Call stack with function calls, arguments and responses
• Attribute access
• Plugins and ActiveX interaction
• Cookies
• Contents of DOM (iframes, objects)
• Navigation requests


POST PROCESSING: SIGNATURES

• Navigation requests
• DOM objects
• Arguments to document.write and function prototypes
• Decryption keys (?)

But we can do better


POST PROCESSING

• Invisible/off-screen text blocks with weird entropy data
• Alternate calls to string.charCodeAt() and string.fromCharCode()
• Function constructors!
• ActiveX objects looking for AVs
• XMLDOM ActiveX objects looking for file paths
• Bigram analysis on JS code to detect obfuscation
• Convolutional neural nets should work even better


SUMMARY

• Fast, low interaction honeypot
• Ability to spoof its way through gates
• Understand Exploit Kit TTPs
• Gather exploit artifacts
• Match signatures for known EKs


FIN/RST

Questions?
