LAS VEGAS (Black Hat USA) - Researchers at Trustwave have provided CSO with an inside look at the Magnitude Exploit Kit's infrastructure.
Linked to attacks against PHP.net and Yahoo, this kit has gone from obscurity to a certified threat in a short amount of time, while generating more than $60,000 USD per week in income.
Crime Kits are a way for Web-based criminals to automate their business. Some kits focus on malware alone, enabling total control over delivery and management. Others focus on controlling traffic, making them perfect for advertising fraud and Black Hat SEO operations, but they can also be used to drive traffic to the third type of kit – exploit kits.
Exploit kits exist to initiate drive-by-download attacks. Sometimes these kits will find their way into a watering-hole attack, but that's the exception and not the rule. The process is straightforward: One part of the kit targets vulnerable software with a previously determined list of exploits, while the other (assuming the exploit was successful) will infect the recently compromised system with malware.
Exploit kits, "are one of the primary methods today for distributing malware and infecting users all around the world," explained Trustwave's Director of Research, Ziv Mador, in an interview with CSO.
One of the most notorious exploit kits in recent times was called Blackhole. The Blackhole Exploit Kit was first released in 2010, and during the three years it was active, it became the most used exploit kit on the Web. At one point, nearly 30 percent of the drive-by-download attacks on the Internet could be linked to Blackhole.
However, the giant came crashing down once the person behind its development - known as Paunch - was arrested in October of 2013. In a bind, criminals needed a new kit to turn to, and the Magnitude Exploit Kit (Magnitude / a.k.a. PopAds) seemed fit the bill.
One of the first criminal enterprises to move to Magnitude was the Cutwail botnet. When Blackhole went offline, the Cutwail botnet suffered a slight setback in URL and attachment spam levels.
At the time, the operators of Cutwail were mainly focused on distributing the GameOver Zeus malware via Pinterest-based Phishing campaigns. So by moving to Magnitude, with an established infrastructure and solid list of exploit options, Cutwail's operators were able to recover quickly.
But in the grand scheme of things, exploit kits are themselves, an up and coming business model, explains RSA-FirstWatch Senior Manager, Alex Cox.
"The bad guys can charge less for the service and work with more scale, and it's appealing to the buyer because they don't have to setup their own infrastructure. It was really successful for the operator of the Blackhole Exploit Kit in the past, but the downside for the criminal is that it focuses takedown and law enforcement attention on them."
But what is it about crime kits that makes them so popular? Until a few years ago, crime kits were essentially unheard of, but now they're a primary part of most criminal operations online. This trend, Cox told CSO, is driven by the lower technical sophistication of the threat actors.
"The skill set required to get into cybercrime at this time is low, and the availability of exploit kits, botnet kits, etc reflect this," Cox added.
Magnitude makes itself known:
In October 2013, Magnitude made headlines when the kit was used in an attack on visitors to PHP.net. At first, when Google flagged the development platform's homepage as malicious, there was speculation that the warnings were little more than a false positive.
Earlier this year, Magnitude gained additional public attention after the kit was used in an advertising attack on Yahoo. Criminals purchased ad space on Yahoo, and used the ads to redirect visitors to domains hosting the Magnitude landing page. From there, the kit would attempt to exploit vulnerabilities in Java in order to deliver malware.
Investigations into the attack revealed that the criminals were delivering various malicious payloads including Zeus, Andromeda, Necurs, Zusy, and Ngrbot. However, the most common infection seemed to be malware that focused on generating ad clicks. While the attack was caught in early 2014, there was evidence that the campaign itself had been active since December of 2013.
Researchers at Cisco concluded that the Yahoo incident was a small segment in a much larger campaign ran by the same group of criminals. Following the trail outlined by Fox-IT, Cisco discovered a large cache of 21,871 host names from 393 different domains [full list] that matched the pattern used by the domains delivering malicious ads to Yahoo. In addition to Fox-IT and Cisco, FireEye also posted a technical analysis of the attack, reaching many of the same conclusions.
Soon after, in February, researchers at Webroot noticed an uptick in the number of infected WordPress websites being used as steppingstones to Magnitude-based infections. The websites were compromised at scale; levering the legitimate nature of the website itself as a way to develop trust, and visitors were directed to Magnitude after a somewhat complex chain of redirects.
In hindsight, each of these incidents offered a small glimpse into how Magnitude works, but they were only puzzle pieces at the time.
Magnitude's Malware-as-a-Service offering:
In order to offer such a detailed glimpse into Magnitude, researchers at Trustwave needed to gain access to the servers that control some of the kit's infrastructure.
The exact details as to how this access was obtained could not be publicly disclosed. However, CSO can report that law enforcement was informed of their findings, and that the eight servers examined for this report were all located in the United Kingdom. Exactly what law enforcement plans to do about the situation wasn't disclosed.
As things currently stand, Magnitude commands 31 percent of the exploit kit market. However, the only way to gain access to Magnitude for use in a campaign is to know someone. This level of introduction, or the friend-of-a-friend barrier, protects Magnitude's operator (believed to be a single person in Russia), while creating a unique business model.
Unlike most exploit kits, where access is based on a pay-per-campaign model, the person behind Magnitude only requires a percentage of the campaign's traffic. The percentage amount depends on the campaign itself and the overall traffic volume, but the typical access fee for Magnitude is anywhere from 5-20 percent.
When it comes to their percentage of the traffic, Magnitude's operator will install their own malware, which usually different from what their customers are using. In previous campaigns, the payload delivered to the commissioned traffic is typically Ransomware (e.g. CryptoLocker or CryptoDefense), a pattern that remains to this day.
Examining the logs of a campaign that recently finished, and tracking the Bitcoin transactions referenced within them, Trustwave's research team determined that Magnitude's operator was generating a weekly income of $60,000 to $100,000 USD.
This income came from Ransomware infections, where the victim was asked to pay between $300 - $500 USD in order to get their files back. However, this financial data is based only on the Bitcoin wallets that Trustwave was able to track, it does not account for wallets that remain unknown.
Still, acting as a clearinghouse for campaign traffic, whoever is behind Magnitude stands to make nearly $3 million per year simply by maintaining infrastructure.
Magnitude's customers are responsible for generating traffic to the kit's landing pages. Again, this traffic is what sets the commissioned percentage curve, so the larger the volume, the less the operator takes for their cut.
So, while the customer is given a customized URL for Magnitude's landing page, the rest of the campaign's operation is in their hands. In order to drive as much traffic as possible to the landing pages, criminals will initiate spam campaigns, Black Hat SEO operations, website compromises, and anything else that will help them get traffic. This is why the attacks on Yahoo, WordPress, and PHP.net were important. They were signs of traffic creation campaigns, initiated to gather as much traffic possible with the least amount of effort.
A successful traffic campaign will be richly rewarded, because those who are able to leverage Magnitude in their campaigns get a feature-packed, scalable infrastructure that provides proven exploits, asset tracking and analytics, in addition to a constant rotation of malware and landing pages in order to help their campaign remain undetected for as long as possible. If done correctly, a given campaign can last weeks, if not months, undetected.
Controlling and managing the chaos:
Magnitude's core administration panel is minimal when it comes to design, but the lack of dazzle is offset by the analytical details collected for each campaign. In addition to raw traffic numbers, the panel offers infection rates, AV detection rates for payloads and exploits (provided by Check4You), the ability to blacklist domains, and more.
Another feature in the admin panel is the ability for campaign managers to upload their own custom executable payloads, or provide a URL for a payload that Magnitude will pull down once every three hours.
There's also a FAQ, explaining some essentials when it comes to campaign management and security, including a note that campaign operators are responsible for updating their landing page URL in order to keep it form being blacklisted. In addition, customers are told that the malware being delivered is checked once every thirty minutes against commercial AV for detection rates, and rotated as needed.
However, as of October 2013, several small countries in Asia, as well as East Africa, South America, and the former USSR, are automatically blocked by the kit. There are a couple of reasons for the country filter, Trustwave's Mador explained, such as the fact that many of those listed have extradition policies with Russia, and since Magnitude's author is believed to reside there, it's pure protection on their part.
However, there's also the fact that some countries provide better ROI for malware distributors, and so the focus is to limit infections unless the victim meets pre-defined criteria including geo-location, OS, and browser.
When it comes to victims, the FAQ explains that Magnitude "will only exploit Internet Explorer" and that if the customer believes other browsers can be exploited, they should first talk to support.
For traffic exchanges, criminals run the risk of exposing the fact that the traffic they've purchased is heading towards a malicious source. In order to address this, Magnitude allows the campaign manager to define a fake website that will pass the standard checks.
"...the content that will be served from the malicious domain will be a replica of some legitimate site – effectively impersonating our malicious site with the content of a legitimate website. Once the traffic exchange admin has verified the legitimacy of our 'fake website' the customer of Magnitude can turn off that option and from that point on his domain will serve Magnitude’s landing page. Simple, yet very effective," the FAQ explains.
Finally, one of the more interesting aspects to the FAQ is the note that before any API automation can take place, the customer must first provide the origin IP. Such an act mirrors legitimate commercial ventures, proving that even criminals know to restrict API access in order to protect the infrastructure.
Targeted infections on a global scale:
Every Magnitude victim stands to get up to seven different types of malware installed on their system. Sometimes, the count is less, but for most campaign managers the goal is to maximize on their investment.
In a single month, Trustwave researchers observed Magnitude attempting to exploit 1.1 million systems, resulting in 210,000 successful infections. Most of the victims were regular home users; however there were corporate systems, as well as government systems in the U.S. and Canada, included in the victim profile.
There are three main exploits used by Magnitude, so as victims are delivered to the landing page, they are targeted with each of the following until one of them works:
- CVE-2013-2551 (VML vulnerability in Internet Explorer 6-10)
- CVE-2013-2643 (Java <= 7.21 and <= 6.45 w/ JNLP click-to-play bypass)
- CVE-2012-0507 (Java <= 7.2 and <= 6.30)
Overall, the Internet Explorer vulnerability has yielded the most success, with 85 percent of the kit's victims being snared by it.
However, another part of the kit's success comes from the victim profile. While the U.S. was the top location for victims (32,041), it was Iran (30,436) and Vietnam (19,304), followed by Argentina (13,657), India (12,367), and Turkey (11,939), that accounted for a majority of the victim pool.
Many of the locations targeted have Internet users on old systems, which rarely (if at all) see software updates. This is especially true of systems located within Internet cafes or other public locations.