TIRED OF PLAYING EXPLOIT KIT WHACK-A-MOLE? LET’S AUTOMATE
BSidesSF 2017
SYN
Anjum Ahuja (@jack8daniels2)
Threat Researcher at Endgame
Background in network security and large-scale data analysis
ACK
Joe Desimone (https://github.com/endgameinc/Maxwell)
Chris Donaher & Chan Kim
Brad (@malware_traffic)
Kafeine (@kafeine)
ATTACK STAGES
REDIRECT → EXPLOIT → INFECT
• Redirect: malvertising or a compromised site
• Exploit: discover & exploit vulnerabilities
• Infect: drop payload
ATTACK CHAIN
Malvertising or compromised site → one or more Gates → EK landing page
EXISTING APPROACHES
• Sandbox based solution: cost of VM management
• JavaScript debugging & DOM inspection: manual
Can we do better?
AUTOMATE THE BREAKPOINTS(?)
Headless browsers
• PhantomJS (WebKit, Qt 5.5)
• SlimerJS (Firefox 50)
WebPage API used to inject the hooks and observe the page:
page.injectJs(filename)
page.onResourceRequested(requestData, networkRequest)
page.onResourceReceived(response)
page.settings.userAgent = "whatever"
JS FUNCTION HOOKING
REDIRECT
• Injected iframe
• 302 redirect
• window.location redirect
Entry points: malicious ad, compromised site
GATE
Filter out unwanted traffic
• Hosted at throw-away domains: link shorteners, dynamic DNS
• Client side checks: browser/OS fingerprint, detect AV, sandbox, headless browsers(!)
• Server side checks: Geo, IP, cookies
• Obfuscated and/or encrypted code
GATE
BROWSER FINGERPRINTING
DECRYPTION
BROWSER FINGERPRINTING (RIG-V)
DON’T PANIC
Replicate IE's window object
• Expand function hooking to the Function prototype, DOM manipulation, String manipulation, event handlers
• Override navigator, navigator.plugins & navigator.mimeTypes
ATTRIBUTE ACCESS HOOKS
CALLSTACK
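The hook layer behind the JS FUNCTION HOOKING, DON'T PANIC, ATTRIBUTE ACCESS HOOKS and CALLSTACK slides, as an added example rather than code from the talk or from Maxwell. It runs in plain Node against a constructed fake window and a constructed gate snippet; in the honeypot the same hooks would be injected with page.injectJs() ahead of the page's own scripts, against the real window, document and navigator. The spoofed IE 11 user agent and the hooked function set are this example's choices.

```javascript
// Added example, not the talk's or Maxwell's code. A minimal hook layer of
// the kind a headless-browser honeypot injects before the page's own
// scripts run: functions are wrapped to log arguments, return values and
// nesting depth (the call-stack view); attribute reads are wrapped to log
// the probe and hand back a spoofed value. The window object and the gate
// snippet below are constructed for the demo.

const callLog = [];   // one record per hooked call or attribute read
let depth = 0;        // nesting depth of the hooked call currently running

// Wrap obj[name]: record label, depth, stringified arguments and return
// value, then forward to the original. Reflect.apply is used so the wrapper
// does not depend on Function.prototype.apply, which may itself be hooked.
function hookFunction(obj, name, label) {
  const original = obj[name];
  obj[name] = function (...args) {
    const rec = { type: 'call', fn: label, depth, args: args.map(String) };
    callLog.push(rec);
    depth += 1;
    try {
      const ret = Reflect.apply(original, this, args);
      if (ret !== undefined) rec.ret = String(ret);
      return ret;
    } finally {
      depth -= 1;
    }
  };
}

// Replace obj[prop] with an accessor that logs each read and returns the
// spoofed value (here an IE 11 user agent) instead of the real one.
function hookAttribute(obj, prop, spoofed) {
  Object.defineProperty(obj, prop, {
    configurable: true,
    enumerable: true,
    get() {
      callLog.push({ type: 'get', attr: prop, depth, value: String(spoofed) });
      return spoofed;
    },
  });
}

// Constructed stand-in for the browser globals. Assumption: a real
// deployment hooks the actual window/document/navigator objects.
function makeFakeWindow() {
  const win = {
    document: { written: [], write(s) { this.written.push(s); } },
    navigator: { userAgent: 'PhantomJS/2.1' },
    String: { fromCharCode: String.fromCharCode },  // copy, global String stays untouched
  };
  // Page-scope eval: runs source with `window` bound to this fake window.
  win.eval = (src) => new Function('window', src)(win);
  return win;
}

function installHooks(win) {
  hookFunction(win.document, 'write', 'document.write');
  hookFunction(win.String, 'fromCharCode', 'String.fromCharCode');
  hookFunction(win, 'eval', 'eval');
  hookAttribute(win.navigator, 'userAgent',
    'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko');
}

// Constructed gate snippet in the fingerprint, decode, eval shape the slides
// describe (not code from any real kit): bail unless the UA looks like IE,
// otherwise rebuild an iframe tag from char codes and eval a document.write.
const sampleGateSource = `
  if (window.navigator.userAgent.indexOf('Trident') === -1) return 'bail';
  var codes = [60,105,102,114,97,109,101,32,115,114,99,61,34,103,97,116,101,34,62];
  var html = '';
  for (var i = 0; i < codes.length; i++) html += window.String.fromCharCode(codes[i]);
  window.eval('window.document.write(' + JSON.stringify(html) + ')');
  return 'served';
`;

// Run the gate against a hooked fake window; return what it did plus the log.
function runSample() {
  callLog.length = 0;
  const win = makeFakeWindow();
  installHooks(win);
  const result = new Function('window', sampleGateSource)(win);
  return { result, written: win.document.written, log: callLog.slice() };
}

// Render the log as an indented call stack, one line per record.
function formatCallStack(log) {
  return log.map((r) => {
    const pad = '  '.repeat(r.depth);
    if (r.type === 'get') return `${pad}get ${r.attr} -> ${r.value}`;
    return `${pad}${r.fn}(${r.args.join(', ')})` + (r.ret !== undefined ? ` -> ${r.ret}` : '');
  }).join('\n');
}

console.log(formatCallStack(runSample().log));
```

The rendered stack shows the navigator probe first, nineteen single-character fromCharCode calls, then eval at depth 0 with the document.write it triggered indented one level below it; the decoded iframe tag is captured from the write argument without anyone having to step through the decoder by hand.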
PLUGINS
CVE-2013-7331: The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes, as demonstrated by a res:// URL.
PROXY OBJECTS
The Proxy object is used to define custom behavior for fundamental operations (e.g. property lookup, assignment, enumeration, function invocation, etc.).
target = new Proxy(target, handler);
ACTIVEX USING PROXY OBJECTS
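An ActiveXObject stand-in built on Proxy objects, as an added example (not the talk's code) of the approach on this slide and the PLUGINS slide before it. It runs in plain Node; in the honeypot the page's ActiveXObject would be bound to this constructor. The set of progids the fake IE claims to have, the constant it returns for the XMLDOM parseError probe, and the gate snippet are all constructed for the demo.

```javascript
// Added example, not the talk's code: an ActiveXObject stand-in built from
// ES6 Proxy objects. Every construction, property read, assignment and
// method call a gate makes on an "ActiveX control" is recorded, and the
// Microsoft.XMLDOM file-existence probe (CVE-2013-7331 style) is answered
// with a constant that reads as "file absent". Runs in plain Node.

const activexLog = [];   // one record per observed ActiveX interaction

// HRESULT 0x80070002 (ERROR_FILE_NOT_FOUND) as the signed 32-bit value seen
// in parseError.errorCode. Assumption: the gate treats it as "file absent";
// which codes a given kit keys on is exactly what the log is there to show.
const FILE_NOT_FOUND = -2147024894;

// Progids the fake IE claims to have. Assumption for the demo; a live
// honeypot would carry the set a stock Windows/IE install exposes.
const KNOWN_PROGIDS = new Set(['Microsoft.XMLDOM', 'Msxml2.XMLHTTP', 'ShockwaveFlash.ShockwaveFlash']);

// Proxy for one ActiveX instance: assignments are stored and logged, reads
// of stored properties are returned, parseError answers the XMLDOM probe,
// and any other property behaves as a method that logs its call.
function fakeActiveX(progid) {
  const state = Object.create(null);
  const proxy = new Proxy({}, {
    get(target, prop) {
      if (typeof prop === 'symbol') return undefined;
      if (prop in state) {
        activexLog.push({ progid, op: 'get', prop });
        return state[prop];
      }
      if (prop === 'parseError') {
        activexLog.push({ progid, op: 'get', prop });
        return { errorCode: FILE_NOT_FOUND, reason: '' };
      }
      return (...args) => {
        activexLog.push({ progid, op: 'call', prop, args: args.map(String) });
        if (prop === 'loadXML') {
          // Pull the res:// path out of the DOCTYPE the gate is probing with.
          const m = /SYSTEM\s+"res:\/\/([^"]+)"/i.exec(args[0] || '');
          if (m) activexLog.push({ progid, op: 'probe', path: m[1] });
        }
        return proxy;   // chained calls keep working and keep logging
      };
    },
    set(target, prop, value) {
      activexLog.push({ progid, op: 'set', prop, value: String(value) });
      state[prop] = value;
      return true;
    },
  });
  return proxy;
}

// What the page sees as ActiveXObject. Unknown progids throw, as IE does
// for a control that is not installed, so an AV probe comes back negative.
function ActiveXObject(progid) {
  const known = KNOWN_PROGIDS.has(progid);
  activexLog.push({ progid, op: 'new', known });
  if (!known) throw new Error("Automation server can't create object");
  return fakeActiveX(progid);
}

// Constructed gate logic (not from any real kit): probe for AV/sandbox
// controls by progid, then for a file on disk through XMLDOM, and serve
// only when nothing is found. Progids and path are made up for the demo.
function sampleGate(ActiveX) {
  for (const p of ['AV.Scanner', 'Sandbox.Agent']) {
    try { new ActiveX(p); return 'bail: ' + p; } catch (e) { /* not installed */ }
  }
  const x = new ActiveX('Microsoft.XMLDOM');
  x.async = false;
  x.loadXML('<?xml version="1.0"?><!DOCTYPE anything SYSTEM "res://C:\\Program Files\\AV\\av.dll">');
  if (x.parseError.errorCode !== FILE_NOT_FOUND) return 'bail: file present';
  return 'served';
}

function runSample() {
  activexLog.length = 0;
  const result = sampleGate(ActiveXObject);
  return { result, log: activexLog.slice() };
}

console.log(runSample());
```

The log ends up holding the two AV progids the gate asked for (both answered as not installed), the async assignment, the full loadXML argument, the extracted res:// path and the parseError read, which is the "Plugins and ActiveX interaction" part of the final output without the kit ever seeing a real control.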
FOR GOOD MEASURE
Inject mouse events: page.sendEvent(mouseEventType[, mouseX, mouseY, button='left'])
Inject keyboard events: page.sendEvent(keyboardEventType, keyOrKeys, [null, null, modifier])
FINAL OUTPUT
• Call stack: function calls with arguments and responses
• Attribute access
• Plugins and ActiveX interaction
• Cookies
• Contents of DOM (iframes, objects)
• Navigation requests
POST PROCESSING
Signatures
• Navigation requests
• DOM objects
• Arguments to document.write and function prototypes
• Decryption keys (?)
But we can do better
POST PROCESSING
• Invisible/off-screen text blocks with weird-entropy data
• Alternating calls to string.charCodeAt() and String.fromCharCode()
• Function constructors!
• ActiveX objects looking for AVs
• XMLDOM ActiveX objects looking for file paths
• Bigram analysis on JS code to detect obfuscation
• Convolutional neural nets should work even better
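The post-processing heuristics from this slide run over collected JavaScript, as an added example (not the talk's tooling). Each function follows one bullet; the baseline corpus used for the bigram check, the two samples and the 0.25 novelty threshold are constructed for the demo, and the hidden-DOM-block check is not covered. It runs in plain Node on the embedded samples.

```javascript
// Added example, not the talk's tooling: post-processing heuristics over
// JavaScript the honeypot collected (page source, eval'd strings,
// document.write arguments). Baseline, samples and threshold are constructed.

// charCodeAt/fromCharCode: how many calls, and how often the two alternate
// (the decode-loop signature).
function charCodeChurn(src) {
  const calls = src.match(/\b(charCodeAt|fromCharCode)\b/g) || [];
  let alternations = 0;
  for (let i = 1; i < calls.length; i++) if (calls[i] !== calls[i - 1]) alternations += 1;
  return { calls: calls.length, alternations };
}

// Function constructors: `Function(` covers both `Function(` and `new Function(`.
function functionConstructors(src) {
  return (src.match(/\bFunction\s*\(/g) || []).length;
}

// Progids passed to ActiveXObject with a literal string argument.
function activeXProgids(src) {
  const out = [];
  const re = /ActiveXObject\s*\(\s*["']([^"']+)["']\s*\)/g;
  let m;
  while ((m = re.exec(src)) !== null) out.push(m[1]);
  return out;
}

// res:// targets, the XMLDOM file-existence probe. Only literal paths are
// caught here; concatenated ones surface in the ActiveX hook log instead.
function resPathProbes(src) {
  const out = [];
  const re = /res:\/\/([^"'>]+)/g;
  let m;
  while ((m = re.exec(src)) !== null) out.push(m[1]);
  return out;
}

// Bigram novelty: share of a script's character bigrams never seen in a
// baseline of ordinary page JS. Hex escapes, _0x-style identifiers and
// packed strings are made of bigrams ordinary code lacks.
function bigrams(s) {
  const out = [];
  for (let i = 0; i + 1 < s.length; i++) out.push(s.slice(i, i + 2));
  return out;
}

// Constructed baseline; a deployment would build this from a real corpus
// of benign scripts rather than a dozen lines.
const baselineJs = `
function addClass(el, name) { if (!el.classList.contains(name)) { el.classList.add(name); } }
function show(el) { el.style.display = 'block'; }
function hide(el) { el.style.display = 'none'; }
document.addEventListener('DOMContentLoaded', function () {
  var nav = document.getElementById('nav');
  var items = document.querySelectorAll('.item');
  for (var i = 0; i < items.length; i++) {
    if (items[i].style.display === 'none') { show(items[i]); } else { hide(items[i]); }
  }
  addClass(nav, 'ready');
});
`;
const baselineBigrams = new Set(bigrams(baselineJs));

function bigramNovelty(src) {
  const bg = bigrams(src);
  if (bg.length === 0) return 0;
  let novel = 0;
  for (const b of bg) if (!baselineBigrams.has(b)) novel += 1;
  return novel / bg.length;
}

const NOVELTY_THRESHOLD = 0.25;  // assumption for the demo, not a tuned value

function analyze(src) {
  const report = {
    charCodes: charCodeChurn(src),
    functionConstructors: functionConstructors(src),
    progids: activeXProgids(src),
    resPaths: resPathProbes(src),
    bigramNovelty: bigramNovelty(src),
  };
  report.suspicious = report.bigramNovelty > NOVELTY_THRESHOLD
    || report.functionConstructors > 0
    || report.resPaths.length > 0
    || report.charCodes.alternations > 0;
  return report;
}

// Constructed samples: one ordinary page script, one in the gate style
// (backslashes doubled as they appear in JS source).
const cleanSample = `
function toggleNav() {
  var nav = document.getElementById('nav');
  if (nav.style.display === 'none') { show(nav); } else { hide(nav); }
}
`;
const obfuscatedSample = `
var _0x3fa1 = ["\\x6C\\x6F\\x61\\x64\\x58\\x4D\\x4C", "\\x70\\x61\\x72\\x73\\x65\\x45\\x72\\x72\\x6F\\x72"];
function _0x21c4(_0x4b) { var _0x9e = ""; for (var _0x7 = 0; _0x7 < _0x4b.length; _0x7++) { _0x9e += String.fromCharCode(_0x4b.charCodeAt(_0x7) ^ 0x2b); } return _0x9e; }
var q = new ActiveXObject("Microsoft.XMLDOM"); q.async = false;
q[_0x3fa1[0]]('<?xml version="1.0"?><!DOCTYPE x SYSTEM "res://C:\\\\Program Files\\\\AV\\\\av.dll">');
try { new ActiveXObject("AV.Scanner"); } catch (e) {}
(new Function(_0x21c4("\\x4C\\x4E\\x45")))();
`;

console.log(analyze(cleanSample));
console.log(analyze(obfuscatedSample));
```

The clean sample shares nearly all its bigrams with the baseline and trips none of the other checks; the gate-style sample is flagged on every axis at once, which is the point of keeping the checks separate: each one is a usable signature on its own when a kit drops the others.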
SUMMARY
• Fast, low interaction honeypot
• Ability to spoof its way through gates
• Understand Exploit Kit TTPs
• Gather exploit artifacts
• Match signatures for known EKs
FIN/RST
Questions?