February 18, 2014

Cyber Criminals Ramp Up Use of Exploit Kits in Fake Skype, Evernote Themed Attacks

Ran Mosessco Principal Security Researcher

Data from the Websense® ThreatSeeker® Intelligence Cloud indicates that over the last few weeks, cyber criminals leveraging the "Angler" and "Goon" Exploit Kits to deliver malware via email-borne attacks have ramped up their efforts.

These recent campaigns were themed around fake Skype voicemail notifications (Feb 19, 2014), and fake Evernote image notifications (Feb 7, 17-18, 2014).

The emails try to lure the victim into clicking a link that redirects, through an intermediate site, to pages hosting the Angler Exploit Kit (later switched to the "Goon" Exploit Kit). The kits exploit Java, Flash or Silverlight vulnerabilities and then try to load an encrypted executable, the encryption helping it evade detection.

Although the attacks are large scale (Websense Cloud Email Security has detected and blocked a few hundred thousand of these messages per campaign burst), our telemetry shows a heavier focus on UK targets in the lure stage.

These campaigns might be attributed to the "ru:8080" (a.k.a. "/news/") gang, which has been a prominent user of the BlackHole Exploit Kit and later the Magnitude Exploit Kit, as described in our previous blog.

The related campaigns we have observed so far start with these lures:

Fake Skype messages

With subjects such as:

  • You received a new message from Skype voicemail service

Fake Evernote Messages

With subjects such as:

  • "Image has been sent"
  • "Image has been sent <user@domain.tld>"


They carry URLs such as:

hxxp://itsrobinhoodd .com/1.html

These pages contain a simple JavaScript redirect to the next stage.


The next stage is where the switch from the Angler Exploit Kit to the Goon Exploit Kit can be seen.

hxxp://merdekapalace .com/1.txt

This redirects to the Angler Exploit Kit page, on the typical .ru:8080 hosts:

Angler Exploit Kit

hxxp://opheevipshoopsimemu .ru:8080/dp2w4dvhe2

The page contains obfuscated code that checks browser and plug-in versions, serves a corresponding exploit, and then loads an executable encrypted with a 64-bit XOR key.


On the other hand, an attack leading to the Goon Exploit Kit shows different code in the redirect stage:

The same URL as before:

hxxp://merdekapalace .com/1.txt

Exploit Kit

hxxp://nedapardaz .com/theme/it/browser/_lzf_.php?source_pid=38896815737B1F0316DB020740&swap_src=7D&theme-lid=1

This loads Java or Silverlight exploits.

Goon EK Loader

This ultimately downloads an encrypted executable disguised as an mp3, such as:

hxxp://nedapardaz .com/9536.mp3

A Visual Basic script (named papa.vbs) is downloaded into the browser's temporary file directory. When executed, the VBScript decrypts the "mp3" file into an executable:

Visual Basic script

The executable decrypted from the "mp3" file has the following details (the name and hash are likely different in each attack):


SHA1: 577156efc37ef50cefa72db31e7c94a7e6d415db
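As an added example (not code from this post or from Websense), the following Python shows how an analyst can recover a repeating 64-bit XOR key from a payload like the "mp3" above, using the standard Microsoft DOS-stub string as known plaintext, and then verify that the result is a PE file. The stub offset (0x4E), the fixed 8-byte key length and the sample key are assumptions; the sample buffer is constructed here.

```python
import struct

# Known plaintext in the standard Microsoft DOS stub (assumed; non-standard stubs differ).
DOS_STUB_MSG = b"This program cannot be run in DOS mode"
DOS_STUB_OFFSET = 0x4E
KEY_LEN = 8  # a 64-bit repeating XOR key, as the post describes for the payload


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (encryption and decryption are the same operation)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes):
    """Recover the 8-byte key from an encrypted PE using the DOS stub as known
    plaintext; 38 known bytes cover every key position, so each byte is cross-checked."""
    if len(blob) < DOS_STUB_OFFSET + len(DOS_STUB_MSG):
        return None
    key = [None] * KEY_LEN
    for i, p in enumerate(DOS_STUB_MSG):
        pos = DOS_STUB_OFFSET + i
        k = blob[pos] ^ p
        if key[pos % KEY_LEN] is None:
            key[pos % KEY_LEN] = k
        elif key[pos % KEY_LEN] != k:
            return None  # inconsistent: not a fixed 8-byte key, or stub not at 0x4E
    return bytes(key)


def decrypt_and_verify(blob: bytes):
    """Decrypt the blob and confirm it is a PE: 'MZ' at offset 0 and the PE signature at e_lfanew."""
    key = recover_xor_key(blob)
    if key is None:
        return None
    pe = xor_bytes(blob, key)
    if pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if e_lfanew + 4 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return pe


def build_sample():
    """Constructed sample: a minimal PE-shaped buffer and its XOR-encrypted form."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> PE header at 0x80
    hdr[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB_MSG)] = DOS_STUB_MSG
    hdr[0x80:0x84] = b"PE\0\0"
    key = bytes.fromhex("1f8a3c55e2b7094d")  # constructed key, not from the campaign
    return bytes(hdr), xor_bytes(bytes(hdr), key)
```

A real sample would fail the consistency check if the packer used a non-repeating or longer key, which is itself a useful signal that a different decryption routine is in play.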


Checking VirusTotal for context on AV coverage of this malware, we can see that detection when first seen was 7/50, and it looks like a Zeus variant.

For analysis of a similar Silverlight exploit, see our previous blog post.

We have seen evidence and reports of the "ru:8080" gang switching to the Angler Exploit Kit as far back as December 2013, as independent researcher "Kafeine" mentioned in this post, but we had not noticed any large-scale email attacks until recently (we have seen some web-based attacks, on a somewhat small scale). The "ru:8080" criminal gang typically pushes trojans such as Cridex and Zeus GameOver, click-fraud trojans like ZeroAccess, and we have seen instances in the past of ransomware such as RansomLock and worms like Andromeda.

It looks like, after a period of relatively little use of exploit kits, cyber criminals have resumed using different exploit kits to deliver malware in email-based attacks. The switch from one exploit kit to another suggests several possibilities: one is that continuing to use a single Malware-as-a-Service for a long period is deemed too risky to maintain a profitable operation. Alternatively, the attackers may be evaluating multiple exploit kits to determine which works best, or multiple attackers may be leveraging the same bot-net and redirect infrastructure.

Another somewhat interesting detail: according to Websense email telemetry, we see a relatively heavy bias from the attackers towards targets located in the UK, followed by the US and Germany.

Fake Malware

Websense Protection

Websense customers are protected by ACE™, our Advanced Classification Engine, at these stages of the attacks:

  • Stage 2 (Lure) - Websense Cloud Email Security and Email Security Gateway had proactive detection against the lure emails. In addition, ACE has real-time analytics that block the lure URLs.
  • Stage 3 (Redirect) - ACE blocks the redirection code using real-time analytics.
  • Stage 4 (Exploit Kit) - ACE has real-time protection against Angler and Goon Exploit Kit pages.
  • Stage 5 (Dropper) - ThreatScope behavioral analysis characterized the dropped malware as "Malicious".

More importantly, the attackers would need to change ALL of their techniques to slip past Websense Triton protection, since disrupting the attack at any one stage is enough to prevent infection.

Contributors: Ran Mosessco, Tamas Rudnai, Jose Barajas - Websense Security Labs
