Rendering the Web Red with Redkit
On June 26, we observed an exploit kit attack on the Segway website. Symantec has notified Segway about the attack and Segway has since taken steps to ensure their website is no longer compromised. This blog will look at the details of an attack using the Redkit exploit kit.
Code is injected into a jQuery script.
Figure 1. jQuery script with code injection
Figure 2. Malicious code in jquery.min.js
The iframe redirects to a Redkit landing page:
- [REMOVED]. [REMOVED].co.uk/abcd.html
The landing page loads the Java Network Launch Protocol (JNLP) to call the malicious JAR files. On successful exploitation, the JAR files use “Open Connection” and receives the URL from “param value=” in an obfuscated manner.
Figure 4. Obfuscated URL received from "param value="
The encoded string resolves to:
- http://[REMOVED]. [REMOVED].co.uk/19.html
The JNLP script is used to deploy malicious JAR files on user’s computer.
Figure 5. JNLP script used to deploy malicious JAR files
The URI for the JAR files:
- http://[REMOVED]. [REMOVED].co.uk/8o.jar
Current JAR file names are two characters long, such as 80.jar, sj.jar, and 7t.jar. These JAR files download an encrypted payload and employ cipher schemes to decrypt it.
The JAR files used in this attack use a Java type confusion vulnerability (CVE-2012-1723)
Figure 6. Java type confusion being exploited
The cipher scheme used to decode the URL, passed as param through JNLP, is a simple character substitution algorithm.
Figure 7. Cipher scheme used to decode URL
Several pieces of malware are dropped in this attack:
Figure 8. Attack scenario
Redkit has been available since early 2012 and still propagates in the same way: Hacked sites with a malicious iframe redirect to the exploit kit landing page, as we have observed in this case, and then plugin detect scripts are used for fingerprinting just like other exploit kits.
Recently, we have observed landing pages with the following URI patterns:
- [REMOVED]. [REMOVED]/hfiv.htm
- [REMOVED]. [REMOVED]/hmtg.htm
Redkit has started deploying JAR files using JNLP script as a plugin to load them. The dropped JAR files have numbered names such as 11.jar or 123.jar. The JAR files are obfuscated and exploit the latest Java vulnerabilities. The payload for these files is encrypted.
Redkit exploits several Java vulnerabilities:
- Oracle Java SE Remote Code Execution Vulnerability (CVE-2012-1723)
- Oracle Java SE Remote Java Runtime Environment Vulnerability(CVE-2013-0431)
- Oracle Java SE Remote Code Execution Vulnerability (CVE-2013-1493)
- Oracle Java Runtime Environment Security Bypass Vulnerability (CVE-2013-2423)
Redkit is known to drop:
Symantec blocked approximately 150,000 Redkit attacks last month.
Figure 9. Geographical distribution of attacks
North American, European, and USSR regions are the most affected geographical areas. The motive for these attacks is generally compromising users for monetary benefits. Recently, these attacks have targeted organizations in order to steal intellectual property.
The good news is that Symantec provides comprehensive protection for Redkit attacks, and customers with updated intrusion prevention and antivirus signatures are protected. Intrusion Prevention scans all the network traffic that enters and exits your computer and compares this information against a set of attack signatures, protecting users against the most common Internet attacks.
Symantec has the following protection in place to protect customers from this attack:
- Web Attack: Redkit Exploit Website 2
- Web Attack: Red Exploit Kit Website
- Web Attack: Exploit Toolkit Website 48
- Web Attack: Malicious Java Download 26
- System Infected: Downloader.Ponik Activity
- System Infected: ZeroAccess RootKit Activity 7
- System Infected: ZeroAccess P2P Request
- System Infected: W32 Waledac Activity 9