The use of exploit kits to compromise systems has been in decline since 2016. However, we still see significant developments in this space. Recently, a new exploit kit called Capesand was identified. It is used to deliver an open-source RAT (njRAT) through malvertising domains such as shophandbag[.]store.
A detailed analysis of the Capesand exploit kit has already been published by Trend Micro. In this blog we’ll take a brief look at the background of exploit kits, but mainly focus on reversing NJcrypt, which is a loader for njRAT.
A brief history of exploit kits
Exploit kits were first seen in 2006. At that time, they were primarily used for large-scale malware distribution and tracker operations. Over time they became more sophisticated. Today they are more commonly used in advanced persistent threats, often delivering ransomware and cryptominers.
Exploit kits are known as a “full package” because they bundle multiple automated attacks. This makes them a powerful tool for attackers. They generally target widely used applications such as browsers, Adobe Flash, Microsoft Silverlight, Java, the VBScript engine, MS Office and ActiveX, using compromised websites to spread as far as possible.
In 2013, Angler, one of the best known exploit kits, was responsible for more than 80% of exploit kit infections. It took advantage of vulnerabilities in Adobe Flash, Microsoft Silverlight, Java, and ActiveX to deliver ransomware such as TeslaCrypt and HydraCrypt.
By 2017, exploit kits were in decline. This was accelerated by Adobe’s announcement of the end of support for Flash, and the subsequent migration of websites away from it. But the nature of exploit kits meant they never died, and more recently they became the platform for crypto-mining attacks.
In 2018, new exploit kits started to appear. Fallout and Lord were used to deliver ransomware such as GandCrab and Kraken. Similarly, RIG, another well-known exploit kit, used code obfuscation to avoid detection and distribute cryptomining malware. It also used zero-day vulnerability code to deliver multiple payloads such as Ursnif and the SmokeLoader dropper.
More recently, exploit kits like Magnitude have started to become fileless. A third of active exploit kits have recently been found to be fileless, loading the malicious code into memory and leaving no trace on disk.
Reversing NJcrypt
by Saqib Khanzada and Syed Hassan Faizan, specialist threat researchers at Avira Protection Labs
Although it is interesting to reverse the multilayer obfuscation and loaded assemblies to get to njRAT, we’ll first take a quick look at the attack flow. The diagram below summarises the entire observed attack chain.
A user visits a malvertising domain, i.e. shophandbag[.]store. There, a Capesand landing page, i.e. hxxp://198.199.117.77/landing[.]php, later delivers the Capesand exploit kit. The landing page network traffic is shown below:
The script on the landing page checks the Internet Explorer version and loads either the CVE-2018-8174 exploit for IE 8 or the CVE-2019-0752 exploit for IE 8+. The exploit fails if the IE version is lower than 8.
The traffic delivering the script:
Below, you can see the script of the exploit kit landing page that checks the Internet Explorer version.
The landing page (GET /include/PluginDetect.js HTTP/1.1, as shown above) leads to the Capesand exploit kit:
The script also loads the exploit module. In our case it was CVE-2018-8174, chosen because the browser was IE 8:
After successful exploitation (CVE-2018-8174 in this case), update.exe is downloaded. update.exe exploits CVE-2018-8120 and finally downloads and runs NJcrypt.exe, our prime focus.
The response shows how privilege escalation is done:
Deep dive into NJcrypt
As mentioned above, after successful exploitation, update.exe is dropped; it exploits CVE-2018-8120 and runs NJcrypt.exe.
While looking into NJcrypt, we found a call to the Assembly.Load method, a very common way to load an assembly. Tracing the assembly itself, we found that it is loaded from the resource section. After the bitmap is loaded from the resource, it is decoded:
What’s interesting about this sample is its multilayer obfuscation and loaded assemblies. To make things more challenging and confuse reversers, it creates the name of the next assembly, which is then loaded by the newly loaded assembly. We can see that NJcrypt has two resources: one is “oct”, which is the first assembly loaded, and the other is “SxrAaEfspzoXuGDrjnIlaWnavoZKoVREulnocsQNitBQLaGYiZJOAYxaXKgwOcesHYFDhRUy”.
Instead of being loaded directly by name, the name is passed as a parameter to the newly created assembly. In the image above, the argument at address 0x02480a04 is the same value that is passed as the resource name.
Once the assembly is loaded, it looks for the second resource (mentioned above) and decodes it to obtain the second assembly, NvidiaCatalyst.
Similarly, it decodes the bitmap and loads another assembly, “Cyax_Sharp.dll”. This assembly eventually loads Cyax.dll after checking for AVs. If AVs are installed on the system, it creates some registry entries and then eventually loads Cyax.dll.
Analysis of Cyax.dll is interesting: we found two arguments being passed from Cyax_Sharp.dll to Cyax.dll, one is a path and the other is inject:
CyaX.dll appears to be responsible for the injection: it takes the path of the process and the data to be injected. The image below shows the injection routine.
We found that another NJcrypt process is created and injected with njRAT. We analyzed this by extracting it with WinDbg, which provides a more detailed view. All commands for unpacking are explained below.
A reverser can also use dnSpy to extract the raw assemblies, either by dumping them directly from dnSpy or by extracting the resource and then de-obfuscating it.
Debugging in WinDbg:
Before going into details, note that we first need to load an extension/DLL for MSIL in order to debug managed code. You can get more details about managed code debugging here.
In order to debug managed code with WinDbg, we need to load the SOS extension:
.loadby sos clr
In some cases this might fail because of multiple .NET installs. In that case you can manually load the extension with:
.load C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
As the target is based on .NET version 2, we use the matching extension. Next, we need to run the binary until clrjit (explained in the Microsoft link above) is loaded:
sxe ld clrjit ; g
We can now set a breakpoint with bpmd on mscorlib.dll System.Reflection.Assembly.Load. This method is responsible for loading an assembly from the COFF file format. After setting a breakpoint here, we also want a breakpoint on CreateProcess or ResumeThread (just after injection):
!bpmd mscorlib.dll System.Reflection.Assembly.Load (1st breakpoint)
bp kernel32!ResumeThread (2nd breakpoint)
We set the 1st breakpoint so that we can dump the raw assembly and the 2nd breakpoint to dump njRAT. The output below shows the 2nd breakpoint being hit, followed by the managed call stack at that point:
74f443fc ff253408f474 jmp dword ptr [KERNEL32!_imp__ResumeThread (74f40834)] ds:002b:74f40834={KERNELBASE!ResumeThread (76822bbe)}
0:000> !CLRStack -p
OS Thread Id: 0xc18 (0)
ESP      EIP
0046d934 74f443fc [NDirectMethodFrameStandalone: 0046d934] CassaX.Bro.ResumeThread(IntPtr)
0046d944 0047cf63 CassaX.Bro.HandleRun(System.String, System.String, Byte[], Boolean)
    PARAMETERS:
        path = 0x024d6c54
        cmd = 0x02471198
        data = 0x024b4620
        compatible = 0x00000000
    (Injection routine being called from Cyax.dll)
0046db34 0047c529 CassaX.Bro.Run(System.String, Byte[])
    PARAMETERS:
        path = 0x024d6c54
        data = 0x024b4620
0046db54 0047c4c7 CassaX.Bro.Kirkuk(System.String, Byte[])
    PARAMETERS:
        path = 0x024d5a80 (path to njcrypt)
        Inject = 0x024b4620 (njrat to inject in njcrypt)
0046dddc 5b601b4c [CustomGCFrame: 0046dddc]
0046dda4 5b601b4c [GCFrame: 0046dda4]
0046ddc0 5b601b4c [GCFrame: 0046ddc0]
0046dfa4 5b601b4c [HelperMethodFrame_1OBJ: 0046dfa4] System.RuntimeMethodHandle._InvokeMethodFast(System.Object, System.Object[], System.SignatureStruct ByRef, System.Reflection.MethodAttributes, System.RuntimeTypeHandle)
0046e014 5ac75458 System.RuntimeMethodHandle.InvokeMethodFast(System.Object, System.Object[], System.Signature, System.Reflection.MethodAttributes, System.RuntimeTypeHandle)
    PARAMETERS:
        this = <no data>
        target = <no data>
        arguments = <no data>
        sig = 0x024d5c14
        methodAttributes = <no data>
        typeOwner = <no data>
0046e064 5ac75206 System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo, Boolean)
    PARAMETERS:
        this = <no data>
        obj = <no data>
        invokeAttr = <no data>
        binder = <no data>
        parameters = 0x024d5a50
        culture = <no data>
        skipVisibilityChecks = <no data>
0046e0a0 5ac750ee System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo)
    PARAMETERS:
        this = <no data>
        obj = <no data>
        invokeAttr = <no data>
        binder = <no data>
        parameters = <no data>
        culture = <no data>
0046e0c0 5b13a0d4 System.Reflection.MethodBase.Invoke(System.Object, System.Object[])
    PARAMETERS:
        this = <no data>
        obj = <no data>
        parameters = <no data>
0046e0cc 0047c0e5 Unknown MethodDesc (Module 001d73f8, mdToken 06000051)
0046e124 0047a909 Unknown MethodDesc (Module 001d73f8, mdToken 0600004e)
0046e43c 5b601b4c [CustomGCFrame: 0046e43c]
0046e404 5b601b4c [GCFrame: 0046e404]
0046e420 5b601b4c [GCFrame: 0046e420]
0046e604 5b601b4c [HelperMethodFrame_1OBJ: 0046e604] System.RuntimeMethodHandle._InvokeMethodFast(System.Object, System.Object[], System.SignatureStruct ByRef, System.Reflection.MethodAttributes, System.RuntimeTypeHandle)
0046e674 5ac75458 System.RuntimeMethodHandle.InvokeMethodFast(System.Object, System.Object[], System.Signature, System.Reflection.MethodAttributes, System.RuntimeTypeHandle)
    PARAMETERS:
        this = <no data>
        target = <no data>
        arguments = <no data>
        sig = 0x02480c68
        methodAttributes = <no data>
        typeOwner = <no data>
0046e6c4 5ac7525f System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo, Boolean)
    PARAMETERS:
        this = <no data>
        obj = <no data>
        invokeAttr = <no data>
        binder = <no data>
        parameters = <no data>
        culture = <no data>
        skipVisibilityChecks = <no data>
0046e700 5ac750ee System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo)
    PARAMETERS:
        this = <no data>
        obj = <no data>
        invokeAttr = <no data>
        binder = <no data>
        parameters = <no data>
        culture = <no data>
0046e720 5b13a0d4 System.Reflection.MethodBase.Invoke(System.Object, System.Object[])
    PARAMETERS:
        this = <no data>
        obj = <no data>
        parameters = <no data>
0046e72c 00470fe5 NvidiaCatalysts.GraphicsCard.رۆژ(System.String)
    PARAMETERS:
        wqewq = 0x02480a04
0046e768 00470f15 NvidiaCatalysts.GraphicsCard..ctor(System.String)
    PARAMETERS:
        this = 0x02480af4
        wqewq = 0x02480a04
0046e9c0 5b601b4c [GCFrame: 0046e9c0]
0046e9f8 5b601b4c [CustomGCFrame: 0046e9f8]
0046e9dc 5b601b4c [GCFrame: 0046e9dc]
0046eba4 5b601b4c [HelperMethodFrame_1OBJ: 0046eba4] System.RuntimeMethodHandle._InvokeConstructor(System.Object[], System.SignatureStruct ByRef, IntPtr)
0046ec08 5ac8f8f0 System.RuntimeMethodHandle.InvokeConstructor(System.Object[], System.SignatureStruct, System.RuntimeTypeHandle)
    PARAMETERS:
        this = <no data>
        args = <no data>
        signature = <no data>
        declaringType = <no data>
0046ec3c 5ac8f68a System.Reflection.RuntimeConstructorInfo.Invoke(System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo)
    PARAMETERS:
        this = <no data>
        invokeAttr = <no data>
        binder = <no data>
        parameters = 0x024809f0
        culture = <no data>
0046eccc 5ac28d86 System.RuntimeType.CreateInstanceImpl(System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo, System.Object[])
    PARAMETERS:
        this = 0x02480848
        bindingAttr = <no data>
        binder = 0x0247ff84
        args = 0x024809f0
        culture = <no data>
        activationAttributes = 0x00000000
0046ed2c 5ac20e00 System.Activator.CreateInstance(System.Type, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo, System.Object[])
    PARAMETERS:
        type = <no data>
        bindingAttr = <no data>
        binder = <no data>
        args = <no data>
        culture = <no data>
        activationAttributes = <no data>
0046ed50 5ac20e21 System.Activator.CreateInstance(System.Type, System.Object[])
    PARAMETERS:
        type = <no data>
        args = <no data>
0046ed54 00470340 Text.Clustering.yuhbVLwRpjvAcbJceKXWqDFuWfGirabYNgvX.iNGzkQUGuFbeGORkNqkozboycvEroGaSfXG()
    PARAMETERS:
        this = 0x02475c70
0046edc8 004701d8 Text.Clustering.ELSDeGYXUSifsWvvgonthWvagSlDpLJYVEF.PREEvBxkjgXFFbnjbblwgotPmuFGvCqgv()
    PARAMETERS:
        this = 0x024728ec
0046edec 00470102 Text.Clustering.ELSDeGYXUSifsWvvgonthWvagSlDpLJYVEF..ctor()
    PARAMETERS:
        this = 0x024728ec
0046edf8 004700ab Text.Clustering.lRwFbLIyFnFKrTlgfxYfAUkVOCfmhYhway.oJnzrQlYNrAqNPKjYNIlYAdryQTiHooDI(System.String[])
    PARAMETERS:
        VvQGZjyXtIfdOVRINNhzKmbTxgWXaHHZVkwf = 0x02471e94
0046f028 5b601b4c [GCFrame: 0046f028]
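The WinDbg/SOS steps above collected into one command script, with the dump step that the post leaves implicit (this is an added example, not the authors' own script). The Byte[] address 0x024b4620 is the "data"/"Inject" argument from the stack output above and will differ on every run; the script path and the dump file name are assumptions.

```windbg
$$ njcrypt_unpack.wds (added example). Run in WinDbg with:  $$>< C:\tools\njcrypt_unpack.wds
$$ Assumes an x86 .NET 2.0 target, as in the post. Managed object addresses are
$$ taken from the post's !CLRStack output and must be replaced with your own.

$$ 1. Managed debugging support, then run until the JIT is loaded
.loadby sos clr
sxe ld clrjit
g

$$ 2. Two breakpoints: the managed loader (raw assembly arrives as a Byte[])
$$    and the native call made right after injection (payload still in a Byte[])
!bpmd mscorlib.dll System.Reflection.Assembly.Load
bp kernel32!ResumeThread
g

$$ 3. At either break, list managed frames with their argument addresses.
$$    At the first break the interesting argument is rawAssembly; at the
$$    second it is 'data' in CassaX.Bro.HandleRun (0x024b4620 in the post).
!clrstack -p

$$ 4. Dump a managed Byte[] to disk. x86 CLR 2.0 array layout:
$$    +0 MethodTable pointer, +4 Length (DWORD), +8 first element
r $t0 = 0x024b4620
$$ Sanity check: !do must report System.Byte[] and a plausible Length
!do @$t0
$$ First bytes of a PE image should read 4d 5a ("MZ")
db @$t0+8 L4
.writemem C:\dump\njrat_injected.bin @$t0+8 L?poi(@$t0+4)

$$ 5. Hash the dump for comparison with the IoC table (expected SHA-256 for
$$    njrat_injected.exe is listed below in the post)
.shell -i- certutil -hashfile C:\dump\njrat_injected.bin SHA256
```

For the first breakpoint, set $t0 to the rawAssembly address from !clrstack -p and change the output file name; the same array layout applies.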
Conclusion
Despite a decline in activity, exploit kits remain a threat to users who run older versions of software. It remains important to ensure that browsers are fully updated in order to protect against such attacks.
Indicators of Compromise
Malvertising Domain | shophandbag[.]store |
Capesand Landing Pages | hxxp://198.199.117.77/landing[.]php hxxp://198.199.117.77/include/PluginDetect.js |
Capesand Exploit Kit | hxxp://198.199.117.77/add_visitor[.]php?referrer=https://shophandbag[.]store/ |
Exploit Modules loaded based on IE version | hxxp://198[.]199.117.77/load_module[.]php?e=CVE-2018-8174 (IE8) hxxp://198[.]199.117.77/load_module[.]php?e=CVE-2019-0752 (IE8+) |
First stage payload download URL | hxxp://198.199.117.77/download_file[.]php?e=18_8174 |
Njrat loader download URL | hxxp://198[.]199.117.77/njcrypt[.]exe |
oct22.png | 72f8e2b42f3d5c554814072c5a770744ea369db8ddb380503401b951e94c7458 |
SxrAaEfspzoXuGDrjnIlaWnavoZKoVREulnocsQNitBQLaGYiZJOAYxaXKgwOcesHYFDhRUy.png | 406d011d086db4f8fb1d01a7637cdc3dae80b97d26da178512eaff14217a5445 |
NvidiaCatalysts.dll | 15b6da929041382c1f43d89927fd27d78a8f0ba27c129a33584f440b5c528657 |
CyaX_Sharp.dll | 18bb00b79364985f1dbfb2722fa0a38a8fd71df70578a4e32246f349b99f1e89 |
Cyax.dll | 73bc7cd60355dde3e8385b2450b9964e4365fe7c642bd2d20027a1699106ebfd |
njrat_injected.exe (Final payload) | cbf8d1978e05c535e5efbce47126f1c50e167ed3b8bd8ddd974e1cb036020ad3 |
Similar samples on VT: