Capesand. The revival of exploit kits.

Avira Protection Labs, 5 months ago

The use of exploit kits to compromise systems has been in decline since 2016. However, we still see significant developments in this space. Recently, a new exploit kit called Capesand was identified. It is used to deliver an open-source RAT (njRAT) through malvertising domains such as shophandbag[.]store.

A detailed analysis of the Capesand exploit kit has already been published by TrendMicro. In this blog we’ll have a brief look at the background of exploit kits, but mainly focus on reversing NJcrypt, which is a loader for njRAT.

A brief history of exploit kits.

Exploit kits were first seen in 2006. At that time, they were primarily used to distribute large amounts of malware and to support tracker operations. Over time they became more sophisticated. Today they are more commonly used in advanced persistent threats, often delivering ransomware and cryptominers.

Exploit kits are known as a “full package” because they bundle multiple automated attacks. This makes them a powerful tool for attackers. They generally target widely used applications such as browsers, Adobe Flash, Microsoft Silverlight, Java, the VBScript engine, MS Office and ActiveX, using compromised websites to spread as far as possible.

In 2013, Angler, one of the best known exploit kits, was responsible for more than 80% of exploit kit infections. It took advantage of vulnerabilities in Adobe Flash, Microsoft Silverlight, Java, and ActiveX to deliver ransomware such as TeslaCrypt and HydraCrypt.

By 2017, exploit kits were in decline. This was accelerated by Adobe’s announcement of the end of support for Flash and the subsequent migration of websites away from it. But the nature of exploit kits meant they never died, and more recently they became the platform for crypto-mining attacks.

In 2018, new exploit kits started to appear. Fallout and Lord were used to deliver ransomware such as GandCrab and Kraken. Similarly, RIG, another well-known exploit kit, used code obfuscation to avoid detection and distributed cryptomining malware. It also used zero-day exploit code to deliver multiple payloads, such as Ursnif and the SmokeLoader dropper.

More recently, exploit kits such as Magnitude have started to become fileless. A third of active exploit kits have recently been found to be fileless, loading the malicious code into memory and leaving no trace on disk.

Reversing NJcrypt

by Saqib Khanzada and Syed Hassan Faizan, specialist threat researchers at Avira Protection Labs

Although it is interesting to reverse the multilayer obfuscation and the loaded assemblies to get to njRAT, we’ll first take a quick look at the attack flow. The diagram below summarises the entire observed attack chain.

A user visits a malvertising domain, i.e. shophandbag[.]store. From there the user reaches a Capesand landing page, i.e. hxxp://198.199.117.77/landing[.]php, which later delivers the Capesand exploit kit. The landing page network traffic is shown below:

[Figures: Capesand exploit; Capesand picture 2]

The script on the landing page checks the Internet Explorer version and loads either the CVE-2018-8174 exploit for IE 8 or the CVE-2019-0752 exploit for IE 8+. The exploit fails if the IE version is lower than 8.

The traffic delivering the script:

Below, you can see the script of the exploit kit landing page that checks the Internet Explorer version.

The landing page (GET /include/PluginDetect.js HTTP/1.1, as shown above) leads to the Capesand exploit kit:

The script also loads the exploit module. In our case it was CVE-2018-8174, since the browser was IE 8:

After successful exploitation (in this case via CVE-2018-8174), update.exe is downloaded. Update.exe exploits CVE-2018-8120 and finally downloads and runs NJcrypt.exe, our prime focus.

The response shows how privilege escalation is done:
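The chain described above (landing page, PluginDetect.js, add_visitor.php, load_module.php?e=CVE-…, download_file.php, njcrypt.exe) maps directly onto web-proxy telemetry. The following Python script is an added example, not code from the original post or from Avira: it walks constructed proxy log lines and flags clients that request several stages of the Capesand chain, extracting the CVE requested from load_module.php. The log line format is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the post): "<timestamp> <client> <method> <url>".
# Client 10.0.0.5 walks the full Capesand chain; 10.0.0.9 only hits a generic /landing.php.
SAMPLE_LOG = """\
2019-11-01T10:00:01 10.0.0.5 GET http://shophandbag.store/
2019-11-01T10:00:02 10.0.0.5 GET http://198.199.117.77/landing.php
2019-11-01T10:00:02 10.0.0.5 GET http://198.199.117.77/include/PluginDetect.js
2019-11-01T10:00:03 10.0.0.5 GET http://198.199.117.77/add_visitor.php?referrer=http://shophandbag.store/
2019-11-01T10:00:03 10.0.0.5 GET http://198.199.117.77/load_module.php?e=CVE-2018-8174
2019-11-01T10:00:05 10.0.0.5 GET http://198.199.117.77/download_file.php?e=18_8174
2019-11-01T10:00:09 10.0.0.5 GET http://198.199.117.77/njcrypt.exe
2019-11-01T10:00:10 10.0.0.9 GET http://example.org/landing.php
2019-11-01T10:00:11 10.0.0.9 GET http://example.org/index.html
"""

# Stages of the chain in the order the post describes them; the path patterns come
# from the post's IoC list. load_module.php carries the CVE of the exploit served.
STAGES = [
    ("landing",       re.compile(r"^/landing\.php$")),
    ("plugindetect",  re.compile(r"^/include/PluginDetect\.js$")),
    ("add_visitor",   re.compile(r"^/add_visitor\.php\?referrer=")),
    ("load_module",   re.compile(r"^/load_module\.php\?e=(CVE-\d{4}-\d+)")),
    ("download_file", re.compile(r"^/download_file\.php\?e=")),
    ("loader",        re.compile(r"^/njcrypt\.exe$")),
]
STAGE_INDEX = {name: i for i, (name, _) in enumerate(STAGES)}


def classify(url):
    """Return (stage, cve) if the URL matches a Capesand stage, otherwise None."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    for stage, rx in STAGES:
        m = rx.search(target)
        if m:
            return stage, (m.group(1) if m.groups() else None)
    return None


def detect_chains(log_text, min_stages=3):
    """Return {client: {"stages": [...], "cves": [...]}} for clients that touched at
    least min_stages distinct stages. A single generic hit such as /landing.php on an
    unrelated host is not enough, which keeps false positives down."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, client, _method, url = fields[:4]
        found = classify(url)
        if found:
            hits[client].append(found)
    alerts = {}
    for client, found in hits.items():
        stages = sorted({s for s, _ in found}, key=STAGE_INDEX.get)
        if len(stages) >= min_stages:
            alerts[client] = {"stages": stages,
                              "cves": sorted({c for _, c in found if c})}
    return alerts
```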

Deep dive into NJcrypt

As mentioned above, after successful exploitation, update.exe is dropped; it exploits CVE-2018-8120 and runs NJcrypt.exe.

While looking into NJcrypt, we found a call to the Assembly.Load method, a very common way to load an assembly. Tracing the assembly itself, we found that it is loaded from the resource section. It can be seen that after the bitmap is loaded from the resources, it is decoded:

What’s interesting about this sample is its multilayer obfuscation and loaded assemblies. To make analysis more challenging and to confuse reversers, it builds the name of the next assembly to be loaded and hands it to the newly loaded assembly. We can see that NJcrypt has two resources: one is “oct”, the first assembly loaded, and the other is “SxrAaEfspzoXuGDrjnIlaWnavoZKoVREulnocsQNitBQLaGYiZJOAYxaXKgwOcesHYFDhRUy”.

Instead of loading it directly by name, the name is passed as a parameter to the newly created assembly instance. In the image above we can see that the argument at address 0x02480a04 is the same string that is passed as the resource name.

Once the assembly is loaded, it looks for the second resource (mentioned above) and decodes it to obtain the second assembly, NvidiaCatalyst.

Similarly, it decodes a bitmap and loads another assembly, “Cyax_Sharp.dll”. This assembly eventually loads Cyax.dll after checking for AVs. If AVs are installed on the system, it creates some registry entries and then eventually loads Cyax.dll.

The analysis of Cyax.dll is interesting: we found two arguments being passed from Cyax_Sharp.dll to Cyax.dll, one named path and the other named inject:

CyaX.dll appears to be responsible for the injection: it takes the path of the process and the data to be injected. The image below shows the injection routine.

We found that another NJcrypt process is created and injected with njRAT. We analysed this by extracting with WinDbg, which provides a more detailed view. All commands used for unpacking are explained below.

A reverser can also use dnSpy to extract the raw assemblies, either by dumping them directly from dnSpy or by extracting the resource and then de-obfuscating it.

Debugging in WinDbg:

Before going into the details, it is important to know that we first need to load an extension DLL (SOS) to debug managed code (MSIL). You can get more details about managed code debugging here.

In order to debug managed code with WinDbg, we need to load the SOS extension:

.loadby sos clr

In some cases this might fail because of multiple .NET installs. In that case you can manually load the extension with:

.load C:\Windows\Microsoft.NET\Framework\v2.0.50727\sos.dll

As the target is built for .NET version 2, we use the SOS shipped with that runtime. Next, we need to run the binary until clrjit (explained in the Microsoft link above) is loaded:

sxe ld clrjit ; g

We can now set a managed breakpoint with !bpmd on mscorlib.dll System.Reflection.Assembly.Load. This method is responsible for loading an assembly from a raw image (COFF file format). After setting a breakpoint here, we also want a breakpoint on CreateProcess or ResumeThread (just after injection):

!bpmd mscorlib.dll System.Reflection.Assembly.Load (1st breakpoint)

bp kernel32!ResumeThread (2nd breakpoint)

We set the 1st breakpoint so that we can dump the raw assembly and the 2nd breakpoint to dump njRAT. When the second breakpoint hits, the stack looks like this:

74f443fc ff253408f474    jmp     dword ptr [KERNEL32!_imp__ResumeThread (74f40834)] ds:002b:74f40834={KERNELBASE!ResumeThread (76822bbe)}

0:000> !CLRStack -p

OS Thread Id: 0xc18 (0)

ESP       EIP

0046d934 74f443fc [NDirectMethodFrameStandalone: 0046d934] CassaX.Bro.ResumeThread(IntPtr)

0046d944 0047cf63 CassaX.Bro.HandleRun(System.String, System.String, Byte[], Boolean)

PARAMETERS:

path = 0x024d6c54

cmd = 0x02471198

data = 0x024b4620

compatible = 0x00000000

(Injection routine being called from Cyax.dll)

0046db34 0047c529 CassaX.Bro.Run(System.String, Byte[])

PARAMETERS:

path = 0x024d6c54

data = 0x024b4620

 

0046db54 0047c4c7 CassaX.Bro.Kirkuk(System.String, Byte[])

PARAMETERS:

path = 0x024d5a80 (path to njcrypt)

Inject = 0x024b4620 (njrat to inject in njcrypt)

 

0046dddc 5b601b4c [CustomGCFrame: 0046dddc]

0046dda4 5b601b4c [GCFrame: 0046dda4]

0046ddc0 5b601b4c [GCFrame: 0046ddc0]

0046dfa4 5b601b4c [HelperMethodFrame_1OBJ: 0046dfa4] System.RuntimeMethodHandle._InvokeMethodFast(System.Object, System.Object[], System.SignatureStruct ByRef, System.Reflection.MethodAttributes, System.RuntimeTypeHandle)

0046e014 5ac75458 System.RuntimeMethodHandle.InvokeMethodFast(System.Object, System.Object[], System.Signature, System.Reflection.MethodAttributes, System.RuntimeTypeHandle)

PARAMETERS:

this = <no data>

target = <no data>

arguments = <no data>

sig = 0x024d5c14

methodAttributes = <no data>

typeOwner = <no data>

 

0046e064 5ac75206 System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo, Boolean)

PARAMETERS:

this = <no data>

obj = <no data>

invokeAttr = <no data>

binder = <no data>

parameters = 0x024d5a50

culture = <no data>

skipVisibilityChecks = <no data>

 

0046e0a0 5ac750ee System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo)

PARAMETERS:

this = <no data>

obj = <no data>

invokeAttr = <no data>

binder = <no data>

parameters = <no data>

culture = <no data>

 

0046e0c0 5b13a0d4 System.Reflection.MethodBase.Invoke(System.Object, System.Object[])

PARAMETERS:

this = <no data>

obj = <no data>

parameters = <no data>

 

0046e0cc 0047c0e5 Unknown MethodDesc (Module 001d73f8, mdToken 06000051)

0046e124 0047a909 Unknown MethodDesc (Module 001d73f8, mdToken 0600004e)

0046e43c 5b601b4c [CustomGCFrame: 0046e43c]

0046e404 5b601b4c [GCFrame: 0046e404]

0046e420 5b601b4c [GCFrame: 0046e420]

0046e604 5b601b4c [HelperMethodFrame_1OBJ: 0046e604] System.RuntimeMethodHandle._InvokeMethodFast(System.Object, System.Object[], System.SignatureStruct ByRef, System.Reflection.MethodAttributes, System.RuntimeTypeHandle)

0046e674 5ac75458 System.RuntimeMethodHandle.InvokeMethodFast(System.Object, System.Object[], System.Signature, System.Reflection.MethodAttributes, System.RuntimeTypeHandle)

PARAMETERS:

this = <no data>

target = <no data>

arguments = <no data>

sig = 0x02480c68

methodAttributes = <no data>

typeOwner = <no data>

 

0046e6c4 5ac7525f System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo, Boolean)

PARAMETERS:

this = <no data>

obj = <no data>

invokeAttr = <no data>

binder = <no data>

parameters = <no data>

culture = <no data>

skipVisibilityChecks = <no data>

 

0046e700 5ac750ee System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo)

PARAMETERS:

this = <no data>

obj = <no data>

invokeAttr = <no data>

binder = <no data>

parameters = <no data>

culture = <no data>

 

0046e720 5b13a0d4 System.Reflection.MethodBase.Invoke(System.Object, System.Object[])

PARAMETERS:

this = <no data>

obj = <no data>

parameters = <no data>

 

0046e72c 00470fe5 NvidiaCatalysts.GraphicsCard.رۆژ(System.String)

PARAMETERS:

wqewq = 0x02480a04

 

0046e768 00470f15 NvidiaCatalysts.GraphicsCard..ctor(System.String)

PARAMETERS:

this = 0x02480af4

wqewq = 0x02480a04

 

0046e9c0 5b601b4c [GCFrame: 0046e9c0]

0046e9f8 5b601b4c [CustomGCFrame: 0046e9f8]

0046e9dc 5b601b4c [GCFrame: 0046e9dc]

0046eba4 5b601b4c [HelperMethodFrame_1OBJ: 0046eba4] System.RuntimeMethodHandle._InvokeConstructor(System.Object[], System.SignatureStruct ByRef, IntPtr)

0046ec08 5ac8f8f0 System.RuntimeMethodHandle.InvokeConstructor(System.Object[], System.SignatureStruct, System.RuntimeTypeHandle)

PARAMETERS:

this = <no data>

args = <no data>

signature = <no data>

declaringType = <no data>

 

0046ec3c 5ac8f68a System.Reflection.RuntimeConstructorInfo.Invoke(System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo)

PARAMETERS:

this = <no data>

invokeAttr = <no data>

binder = <no data>

parameters = 0x024809f0

culture = <no data>

 

0046eccc 5ac28d86 System.RuntimeType.CreateInstanceImpl(System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo, System.Object[])

PARAMETERS:

this = 0x02480848

bindingAttr = <no data>

binder = 0x0247ff84

args = 0x024809f0

culture = <no data>

activationAttributes = 0x00000000

 

0046ed2c 5ac20e00 System.Activator.CreateInstance(System.Type, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo, System.Object[])

PARAMETERS:

type = <no data>

bindingAttr = <no data>

binder = <no data>

args = <no data>

culture = <no data>

activationAttributes = <no data>

 

0046ed50 5ac20e21 System.Activator.CreateInstance(System.Type, System.Object[])

PARAMETERS:

type = <no data>

args = <no data>

 

0046ed54 00470340 Text.Clustering.yuhbVLwRpjvAcbJceKXWqDFuWfGirabYNgvX.iNGzkQUGuFbeGORkNqkozboycvEroGaSfXG()

PARAMETERS:

this = 0x02475c70

 

0046edc8 004701d8 Text.Clustering.ELSDeGYXUSifsWvvgonthWvagSlDpLJYVEF.PREEvBxkjgXFFbnjbblwgotPmuFGvCqgv()

PARAMETERS:

this = 0x024728ec

 

0046edec 00470102 Text.Clustering.ELSDeGYXUSifsWvvgonthWvagSlDpLJYVEF..ctor()

PARAMETERS:

this = 0x024728ec

0046edf8 004700ab Text.Clustering.lRwFbLIyFnFKrTlgfxYfAUkVOCfmhYhway.oJnzrQlYNrAqNPKjYNIlYAdryQTiHooDI(System.String[])

PARAMETERS:

VvQGZjyXtIfdOVRINNhzKmbTxgWXaHHZVkwf = 0x02471e94

0046f028 5b601b4c [GCFrame: 0046f028]
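The trace above has a regular shape (a frame line, an optional PARAMETERS block, analyst annotations in parentheses), so it can be parsed to pull out the pointers worth dumping. The Python below is an added example, not part of the original post: it parses an excerpt of the !CLRStack -p output shown above, pairs each parameter with its type from the method signature, and emits the SOS command (!DumpArray for arrays, !DumpObj for other reference types) that would dump it, e.g. the Byte[] at 0x024b4620 that holds the njRAT image being injected.

```python
import re

# Excerpt of the !CLRStack -p output shown in the post, trimmed to the frames of interest.
SAMPLE_TRACE = """\
0046d934 74f443fc [NDirectMethodFrameStandalone: 0046d934] CassaX.Bro.ResumeThread(IntPtr)
0046d944 0047cf63 CassaX.Bro.HandleRun(System.String, System.String, Byte[], Boolean)
PARAMETERS:
path = 0x024d6c54
cmd = 0x02471198
data = 0x024b4620
compatible = 0x00000000
0046db54 0047c4c7 CassaX.Bro.Kirkuk(System.String, Byte[])
PARAMETERS:
path = 0x024d5a80 (path to njcrypt)
Inject = 0x024b4620 (njrat to inject in njcrypt)
0046dddc 5b601b4c [CustomGCFrame: 0046dddc]
0046e0cc 0047c0e5 Unknown MethodDesc (Module 001d73f8, mdToken 06000051)
"""

# "<esp> <eip> [<FrameKind>: <addr>] <method(sig)>"; the bracket and method parts are optional.
FRAME_RX = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:\[(\w+): [0-9a-f]{8}\] ?)?(.*)$")
PARAM_RX = re.compile(r"^(\S+) = (0x[0-9a-f]{8}|<no data>)(?: \((.*)\))?$")
VALUE_TYPES = {"Boolean", "IntPtr", "Int32", "Int64", "Byte", "Char"}  # not heap objects


def parse_clrstack(text):
    """Turn '!CLRStack -p' output into a list of frames, each with its parameters."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RX.match(line.strip())
        if m:
            frames.append(dict(zip(("esp", "eip", "frame", "method"), m.groups()), params={}))
            continue
        m = PARAM_RX.match(line.strip())
        if m and frames:  # parameter lines belong to the most recent frame line
            name, value, note = m.groups()
            frames[-1]["params"][name] = value  # keep '<no data>' as-is: it is informative
            if note:
                frames[-1].setdefault("notes", {})[name] = note
    return frames


def find_frame(frames, needle):
    """First frame whose method name contains needle (e.g. 'HandleRun'), or None."""
    return next((f for f in frames if needle in f["method"]), None)


def dump_commands(frame):
    """Pair parameters with the signature types and return the SOS commands to dump the
    heap objects (!DumpArray for arrays, !DumpObj otherwise); skip value types and nulls."""
    sig = frame["method"]
    types = [t.strip() for t in sig[sig.find("(") + 1:sig.rfind(")")].split(",") if t.strip()]
    params = [(n, v) for n, v in frame["params"].items() if n != "this"]  # 'this' is not in the sig
    if "(" not in sig or len(types) != len(params):  # no usable signature (e.g. Unknown MethodDesc)
        return []
    cmds = []
    for (name, value), typ in zip(params, types):
        if value == "<no data>" or int(value, 16) == 0 or typ in VALUE_TYPES:
            continue
        verb = "!DumpArray" if typ.endswith("[]") else "!DumpObj"
        cmds.append(f"{verb} {value} ; {name} : {typ}")
    return cmds
```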

Conclusion

Despite a decline in activity, exploit kits remain a threat to users who run older versions of software. It remains important to ensure that browsers are fully updated in order to protect from such attacks.

 

Indicators of Compromise

Malvertising domain: shophandbag[.]store
Capesand landing pages: hxxp://198.199.117.77/landing[.]php and hxxp://198.199.117.77/include/PluginDetect.js
Capesand exploit kit: hxxp://198.199.117.77/add_visitor[.]php?referrer=http://shophandbag[.]store/
Exploit modules loaded based on IE version: hxxp://198[.]199.117.77/load_module[.]php?e=CVE-2018-8174 (IE8) and hxxp://198[.]199.117.77/load_module[.]php?e=CVE-2019-0752 (IE8+)
First-stage payload download URL: hxxp://198.199.117.77/download_file[.]php?e=18_8174
njRAT loader download URL: hxxp://198[.]199.117.77/njcrypt[.]exe

File hashes (SHA-256):
oct22.png: 72f8e2b42f3d5c554814072c5a770744ea369db8ddb380503401b951e94c7458
SxrAaEfspzoXuGDrjnIlaWnavoZKoVREulnocsQNitBQLaGYiZJOAYxaXKgwOcesHYFDhRUy.png: 406d011d086db4f8fb1d01a7637cdc3dae80b97d26da178512eaff14217a5445
NvidiaCatalysts.dll: 15b6da929041382c1f43d89927fd27d78a8f0ba27c129a33584f440b5c528657
CyaX_Sharp.dll: 18bb00b79364985f1dbfb2722fa0a38a8fd71df70578a4e32246f349b99f1e89
Cyax.dll: 73bc7cd60355dde3e8385b2450b9964e4365fe7c642bd2d20027a1699106ebfd
njrat_injected.exe (final payload): cbf8d1978e05c535e5efbce47126f1c50e167ed3b8bd8ddd974e1cb036020ad3

Similar samples on VirusTotal:

