After the vanishing of Angler Exploit Kit(EK) from the underground exploit market, Neutrino EK has gained a lot of attention and is now one of the most popular exploit kit among cybercriminals. In this blog, we will try to reverse engineer the latest sample that we received and try to identify the exploits this sample incorporates.
The samples file we received is a single flash(.swf) file with the SHA256: f345ec4a0d8c8b1d4f583f3c06a5f0e86cf552d69f0f5bc488a989d418daf187
Analysis of the Flash File:
Fig1: Showing encrypted data stored in SWF file
As we can see that the Fig:1, the swf file is heavily obfuscated and does not provide us with any identifiable information. The code spreads along in 17 binary data sections and has many actionscript files.
As we go over the actionsripts one-by-one, it appears that the binary data is encrypted using RC4. The data in all the binary sections are combined, decrypted and the bytes are then loaded in the memory as showing in Fig 2. This takes us to the second stage of the exploit. The bytes loaded in the memory is nothing but yet another SWF file.
Fig 2: RC4 decryption and Loading Next Stage of Exploit
Analysis of the Second Stage SWF File:
Fig 3. Second stage SWF files structure
As we can see in the Fig 3, the second stage flash file follows the same structure of the first swf file and consists of 6 binary data sections along with many actions scripts.
Fig 5: Anti Debugging/Virtualization Checks
Once the pre-conditions for the exploits have been satisfied, only then the flash file decrypts additional exploits and then load them in memory one by one. While the Flash file under observation has multiple exploits, for this post we will concentrate on the latest exploit added to the kit i.e. CVE-2016-0189. CVE-2016-0189 refers to the VBScript memory corruption vulnerability affecting Internet Explorer. Microsoft fixed this vulnerability with patch MS16-051.
Fig 6. Exploit for CVE-2016-0189 part of EK
Once the exploit is successful, the exploit tries to download additional payload from its control sever as seen in the Fig 7.
Fig. 7 Command used to connect and download payload.
Depending on the exploit that was successful on the target, the URL to the command server changes. This information is stored in the binary data section of the SWF and in JSON format. Fig 7 shows the configuration json file for our sample.
Fig. 7 JSON Configuration File.
As we can see, the exploit kits use highly sophisticated mechanism to exploit and evade anti-virus and anti-debugging mechanisms. QualysGuard detects CVE-2016-0189 with QID: 91220 and encourage customers to patch this as soon as possible.