APT sample analysis using NB Exploit Kit attacks

Source: Internet
Author: User


1. Background

Recently, an Anheng engineer noticed a high-risk alert raised by an APT threat analysis appliance deployed on a customer network. The alert listed many suspicious behaviours observed while the sample ran in the sandbox: adding an autostart entry, creating network socket connections, reading files over the network, collecting disk information and obtaining the current user name. Analysis of the original packet capture showed that the link the sample was downloaded from was highly suspicious. From a preliminary review of the alert we inferred that this was a drive-by web exploit (a "webpage trojan" attack).

2. Analysis

Infection chain analysis

We then downloaded the flagged web page with a fetching tool and analysed javasindex.htm. It uses the IE-only res:// protocol ("res://") to probe for files on the local disk, a classic way to fingerprint installed security software.

The probe targets are:
360
Kingsoft
Kaspersky

If none of these products is installed on the user's computer, the browser loads a page named "win.html".

Analysis of "win.html"

Once downloaded, all of its code turned out to be obfuscated and encrypted, which looked like a headache.

After formatting the code, we found that it checks the userAgent, both to keep crawlers from fetching the page and to route different browsers to different handling, and that it sets a cookie so that each victim is exploited only once.

This is a common technique in classic exploit kits. The suspicious string "nb vip" also appears in the code, which suggests the NB or CK exploit kit.

Further analysis showed that it carries exploits for several Java versions. Inside one of the jar calls we found the well-known pinyin strings "woyouyizhixiaomaol" and "conglaiyebuqi", that is, "I have a little donkey that I never ride" (lyrics of a Chinese children's song).

The decompiled jar package also contains similar information:

It also contains different payloads for Flash, Silverlight and various IE versions, but those links were already dead when we tried to download them.

After walking through the whole code path, the author drew the following flowchart:

On success, the exploit downloads and runs a malicious file named "calc.exe".
Opening the malicious page in a browser inside a virtual machine and capturing the traffic with a packet capture tool reproduces the whole process:

The capture also shows that other exe programs are downloaded, so we analysed those downloaded programs as well.

Analysis of the malicious program calc.exe

calc.exe mainly collects information about the victim's computer and reports it to a remote statistics server.

The attacker can push a remote configuration file; the programs listed in it are downloaded and run.

This matches the behaviour seen in the packet capture.

Analysis of iexplore.exe

Once running, the trojan decrypts an encrypted URL in memory; the IP address in it is the one the malicious domain name resolves to.

Note: the items following the URL, separated by "<|>", are exe names, and each of them exists on the server.

It then enumerates the running processes once per second and checks whether any process has the same name as one in the decrypted data. If one does, it splices that name onto the URL, downloads the program and runs it. That is:

The programs behind these URLs are all trojans targeting various online games. There are more than 40 of them in total, nearly all packed, and each drops further files when it runs.
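The "<|>"-delimited configuration and the once-per-second process check are easy to replay once the string has been pulled out of memory. The following added script (not code from the original writeup or from the sample) parses such a string, lists every URL the trojan could fetch for blocklisting, and replays the polling loop over a sequence of process-list snapshots to show which downloads would be triggered. The URL and process names are hypothetical; the writeup does not say whether the real loop re-downloads a program it already fetched, so reporting each target only once is an assumption of this example.

```python
# Constructed decrypted configuration in the layout the writeup describes for
# iexplore.exe: the download base URL first, then the process names it watches
# for, separated by "<|>". Host and names are hypothetical, not the sample's.
DECRYPTED_CONFIG = "http://198.51.100.23:8080/dl/<|>qq.exe<|>dnf.exe<|>wow.exe<|>tgp.exe"

SEPARATOR = "<|>"


def parse_config(blob):
    """Split the decrypted string into (base URL, [process names])."""
    parts = [p.strip() for p in blob.split(SEPARATOR) if p.strip()]
    if not parts or not parts[0].lower().startswith("http"):
        raise ValueError("config does not start with a download URL")
    base = parts[0] if parts[0].endswith("/") else parts[0] + "/"
    return base, parts[1:]


def all_download_urls(blob):
    """Every URL the trojan could fetch: useful as blocklist / IOC material."""
    base, names = parse_config(blob)
    return [base + n for n in names]


def matching_downloads(blob, running_processes):
    """URLs the trojan would fetch right now, given one process-list snapshot."""
    base, names = parse_config(blob)
    running = {p.lower() for p in running_processes}
    return [base + n for n in names if n.lower() in running]


def simulate_watch(blob, snapshots):
    """Replay the once-per-second loop over a sequence of process-list snapshots.

    Returns (second, url) pairs. Each target is reported once, the first time
    its process shows up (deduplication is an assumption of this example; the
    writeup does not say whether the real loop re-downloads).
    """
    fetched, timeline = set(), []
    for second, snapshot in enumerate(snapshots):
        for url in matching_downloads(blob, snapshot):
            if url not in fetched:
                fetched.add(url)
                timeline.append((second, url))
    return timeline


if __name__ == "__main__":
    # Constructed process snapshots, e.g. taken with `tasklist` once per second.
    snapshots = [
        ["explorer.exe", "iexplore.exe"],
        ["explorer.exe", "iexplore.exe", "QQ.exe"],
        ["explorer.exe", "iexplore.exe", "QQ.exe", "DNF.exe"],
    ]
    for url in all_download_urls(DECRYPTED_CONFIG):
        print("possible download:", url)
    for second, url in simulate_watch(DECRYPTED_CONFIG, snapshots):
        print(f"t+{second}s  download and run {url}")
```

The process names double as the names of the game trojans served from the same base URL, so `all_download_urls` yields the full set of second-stage samples to pull for analysis, regardless of which games are running on the analysis machine.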

Example: the simple malicious program qq.exe.

After running, the fake qq.exe terminates the running QQ client and downloads a fake QQ login screen image from Baidu Images.

It then builds a fake QQ login window and uses it for a phishing attack.

Finally, the QQ number and password entered by the user are sent to the following malicious address: http://14.***.***.227:8***/xx/fen/ly01/lin.asp

Analysis of smss.exe

It is a VB program. When run, it collects information about the victim's computer, connects to an MSSQL database, reads data (URLs) from the remote server with SQL statements, and downloads and runs the programs it finds there.

Because the program has the database username and password hard-coded, the author was able to log in to the database server with a client tool:

The database stores malicious URLs and statistics URLs, which is consistent with our analysis.
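Hard-coded database credentials are exactly what an analyst should look for first in a sample like smss.exe, because they give direct access to the operator's task and statistics tables. The following added script (not code from the original writeup or from the sample) scans `strings` output for ADO/OLE DB style connection strings, extracts any embedded user name and password, and lists the SQL statements the binary will send so you know which table holds the URLs. The "key=value;" connection-string layout is an assumption about how a VB program reaches MSSQL; the host, credentials and table names in the sample are invented.

```python
import re

# Constructed `strings` output from a VB6-style binary. The ADO/OLE DB
# "key=value;" connection-string layout is an assumption about how smss.exe
# reaches MSSQL; the host, credentials and table names are invented.
SAMPLE_STRINGS = """\
MSVBVM60.DLL
__vbaStrCmp
Provider=SQLOLEDB.1;Data Source=203.0.113.7,1433;Initial Catalog=stat;User ID=sa;Password=P@ss123
select url from t_task where enable=1
insert into t_stat(mac,os,ver) values('%s','%s','%s')
WinExec
"""

# A line is treated as a connection string only if it names a provider or host.
CONN_KEYS = ("provider", "driver", "data source", "server")
SQL_RE = re.compile(r"^\s*(select|insert|update|exec)\b.*", re.IGNORECASE | re.MULTILINE)


def parse_connection_string(line):
    """Split 'k=v;k=v' into a dict with lower-cased keys."""
    kv = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            kv[key.strip().lower()] = value.strip()
    return kv


def find_hardcoded_db_credentials(strings_output):
    """Return every connection string that carries a reusable user name and password."""
    findings = []
    for line in strings_output.splitlines():
        kv = parse_connection_string(line)
        if not any(k in kv for k in CONN_KEYS):
            continue
        user = kv.get("user id", kv.get("uid"))
        password = kv.get("password", kv.get("pwd"))
        if user is None or password is None:
            continue        # integrated auth or incomplete string: nothing reusable
        findings.append({
            "host": kv.get("data source", kv.get("server")),
            "database": kv.get("initial catalog", kv.get("database")),
            "user": user,
            "password": password,
        })
    return findings


def find_sql_statements(strings_output):
    """Statements the binary will send; they reveal which tables hold the URLs."""
    return [m.group(0).strip() for m in SQL_RE.finditer(strings_output)]


if __name__ == "__main__":
    for f in find_hardcoded_db_credentials(SAMPLE_STRINGS):
        print(f"hard-coded MSSQL credentials: {f['user']}:{f['password']} @ {f['host']} db={f['database']}")
    for stmt in find_sql_statements(SAMPLE_STRINGS):
        print("sql:", stmt)
```

Packed samples will not yield these strings until they are unpacked or dumped from memory, so run the scan on a memory dump taken after the binary has connected. An MSSQL server exposed to the Internet with a privileged account baked into the client is also a useful pivot for takedown requests, since the task table lists every URL the operator is currently pushing.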

3. Summary

The Anheng research team found a large amount of Chinese-language content in all of the samples, which indicates that the group behind them is based in China. With APT attacks on the rise, today's networks face many complex threats, such as new exploit-based malicious code, that traditional firewalls and anti-virus software have difficulty identifying. A dedicated APT threat analysis product is therefore needed to cover the gaps left by traditional security products and to detect and analyse these new threats promptly.
