Conclusion:
The attacker understands the relevant encryption algorithms well and chose the rarely used Rabbit symmetric cipher; the attacker has some front-end development experience, and the code is fault-tolerant and highly compatible across browsers; the back end is no longer a static file but generates content dynamically, and each generated URL is single-use; all JS code has had its variable names obfuscated.
Attackers are gradually adopting the practices of popular foreign exploit kits: dynamically generated attack pages and encrypted exploit code, which defeat gateway filtering and replay analysis of captured traffic, make analysis harder, and keep the attack code secret.
For ordinary users, it is recommended to avoid using such plug-ins as much as possible, avoid clicking malicious advertisements disguised as pornographic websites, and enable security software for protection.
https://bbs.safewiki.org/thread-141-1-1.html
Through monitoring and tracking, we found that the automatic pop-up advertisements mainly come from plug-ins and pornographic websites. Users who run plug-ins that pop up local dating advertisements, or who browse certain pornographic websites, may be served pages carrying vulnerability exploits. If the victim's machine lacks the corresponding patch, the vulnerability is triggered and the Trojan is downloaded and executed:
Main function:
Each time, the server generates a random validate value and puts it into the form; the value differs on every refresh and serves as the browser's session marker.
In addition, the attacker uses IE's official HTML conditional comments to determine the browser version. This check is fine for ordinary front-end design, but it is wrong for browser exploits, because different browsers enable different degrees of Compatibility View, which produces incorrect results; it is better to determine the browser version directly.
Based on the browser detection above, the final form data to be submitted is constructed and sent by GET.
The GET address is http://174.*.*.42/p/servlet?token=&id=49457&validate=XXXXXXXXXX
Since servlet appears in the request, the back end is probably Java.
This request will be redirected to another page by 302:
http://174.*.*.43/rt/ab06add394fb469b6510973131acb870.html?id=49457
This page returns the exploit loader code encrypted with Rabbit or RC4, selected according to the id. The page also loads two additional JS library files (encrypt.min.js, tinyjs.min.js) that provide the symmetric and asymmetric encryption algorithms.
An RSA public key is embedded in the code. A random-number function generates a string to serve as the subsequent symmetric key, and this data is POSTed to the server. Another string is also generated dynamically, and the two are concatenated to form the encryption key for subsequent communication. The POST returns the exploit code encrypted with that key from the server; then, according to an option in the received data, either RC4 or Rabbit is selected to decrypt and execute it.
After the vulnerability is successfully exploited, regsvr32 is used to call an .sct file that executes the corresponding script.
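The following is an added example, not code from the original post or the kit: it reproduces the RC4 side of the scheme just described (the session key is the concatenation of two per-session strings) so an analyst can decrypt a captured response once the page's random string has been recovered from the browser, and it shows why a replayed capture without that string yields nothing. RC4 is implemented from its published description; Rabbit is not shown. The post does not say how the second string is produced, so it is simply an argument here; all sample values are constructed.

```python
import secrets

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR (KSA + PRGA); encryption and decryption are identical."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def session_key(client_random: str, second_string: str) -> bytes:
    """Key as the post describes: the page's random string concatenated with a
    second dynamically generated string (its origin is an assumption here)."""
    return (client_random + second_string).encode()

def decrypt_capture(ciphertext: bytes, client_random: str, second_string: str) -> bytes:
    """Decrypt a captured server response given both key halves."""
    return rc4(session_key(client_random, second_string), ciphertext)

# Constructed sample session: values the page would generate, and a stand-in payload.
CLIENT_RANDOM = "k7QdP2xT"
SECOND = "9Zb1"
PAYLOAD = b"<script>/* constructed stand-in for the exploit code */</script>"
CAPTURED = rc4(session_key(CLIENT_RANDOM, SECOND), PAYLOAD)

def replay_without_key_recovers_plaintext() -> bool:
    """A replay that lacks the client's random string (fresh on every page load)
    decrypts to garbage, which is why packet replay alone does not reveal the code."""
    other = secrets.token_hex(4)  # a different random string, as a new page load would produce
    return decrypt_capture(CAPTURED, other, SECOND) == PAYLOAD
```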
(Regsvr32 is a Windows command-line utility used to register DLL files and to register or unregister controls on the system. The foreign researcher Casey Smith (@subTee) found that calling the regsvr32 utility to execute a command or an .sct file has the potential to bypass AppLocker's script rules. Since the utility is signed by Microsoft, the benefits are self-evident; it also supports TLS, follows redirects, and leaves no trace on disk. Given so many advantages, those who plant drive-by Trojans will not pass it up.)
Sct file:
The file contains a base64-encoded malicious DLL, which is written to a local file using ActiveXObject.
When scripts manipulate binary files, errors are often raised because of non-printable characters, so the Trojan planter usually base64-encodes the binary file first, operates on the encoded text, and finally restores the binary by decoding it.
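An added triage check (not from the original post) for the kind of .sct file just described: it pulls out long base64 runs, decodes them, and reports any that decode to a DOS/PE executable, which is how a defender can spot an embedded DLL without executing the scriptlet. The sample scriptlet text and the stand-in "DLL" are constructed, not taken from the campaign.

```python
import base64
import re
import struct

B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")  # long base64 runs only

def looks_like_pe(blob: bytes) -> bool:
    """True if blob has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def embedded_pe_blobs(scriptlet_text: str) -> list:
    """Decode every long base64 run in the scriptlet and keep those that are PE files."""
    found = []
    for m in B64_RUN.finditer(scriptlet_text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue  # not valid base64, skip
        if looks_like_pe(blob):
            found.append(blob)
    return found

def fake_pe() -> bytes:
    """Constructed stand-in for a dropped DLL: a DOS header whose e_lfanew (offset
    0x3C) points at a minimal PE signature. Not a real executable."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20

# Constructed scriptlet in the shape the post describes (classid is a placeholder).
SAMPLE_SCT = f"""<?XML version="1.0"?>
<scriptlet><registration progid="x" classid="{{00000000-0000-0000-0000-000000000000}}">
<script language="JScript"><![CDATA[
var payload = "{base64.b64encode(fake_pe()).decode()}";
var fso = new ActiveXObject("Scripting.FileSystemObject");
]]></script></registration></scriptlet>"""
```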