Web-based malware has increased over the last few years due to an abrupt spike in new exploit kits. These kits target vulnerabilities in popular applications and provide an effective way for cybercriminals to distribute malware. We have already discussed Red Kit, a common exploit kit. Recently McAfee Labs has observed an increase in the prevalence of the Styx exploit kit.
The next graph shows the prevalence of this exploit kit in the wild.
Overview of an attack
Like other exploit kits, Styx covertly redirects users as they visit a legitimate website to a malicious landing page that hosts the exploit files targeting various vulnerabilities. The redirector link may arrive via email as part of a spam campaign.
Redirector
Once users reach the landing page the malware searches for vulnerable applications installed in the system. This occurs via browser plug-in detection code (Plugin Detect Version 0.8.0).
Plugin Detect Version 0.8.0
The landing page has an iframe that contains a malicious link with obfuscated code.
Malicious iframe
The JavaScript used on the landing page references the iframe using a unique ID, deobfuscates the malicious code, and loads the following malicious web pages hosted on the compromised server.
- Jorg.html
- Jlnp.html
- Pdfx.html
Malicious JavaScript
The page jorg.html downloads a JAR file that targets the vulnerability CVE-2013-0422.
Jlnp.html uses the Java Network Launch Protocol, which allows the user to download a malicious JAR file that targets the vulnerability CVE-2013-2423. The attackers bypass the Java security check by setting the parameter “__applet_ssv_validated” value to True.
Jlnp.html
Pdfx.html loads two web pages, fnts.html and jovf.html, which download an eot (web-based font file) and a JAR file. These files target the vulnerability “CVE-2011-3402” and CVE-2013-1493, respectively. Finally, pdfx.html downloads a PDF that targets the vulnerability CVE-2010-0188.
Payload
The final payload of this exploit kit is a downloader that delivers additional malware from the remote server. Depending upon the attacker, the payloads are custom made and delivered to the compromised machine.
URL Patterns
The Styx exploit kit uses different URL patterns for its landing pages.
- hxxp://[domain name]/6YcinO0Sseq0fDBV0T3aT0lJAg0EkbA04FxQ0n5Ql06rpn/
- hxxp:// [domain name]/txjtJC07tCh0umHs0NZTL0OYgb0zOvl0JZ2V06bOd0xKmb/
- http:// [domain name]/8iVsog0IrKi09gpk0lpTv0DPpd0vjHb0UHWZ0Rq2P13ZsU/
- hxxp:// [domain name]/VgsHRk0dg8z0eREo0a8IG0DW9f04Ovg08zLs0VzuY0EqiG/
- hxxp:// [domain name]/YONmPa0VeqA14XYe13zsL081Lc09i7W0e4gM/
This exploit kit also uses unique URL patterns for downloading the exploit files.
- hxxp://[domain name]/[Random characters and numbers]/jorg.html
- hxxp://[domain name]/[Random characters and numbers]/jlnp.html
- hxxp://[domain name]/[Random characters and numbers]/pdfx.html
- hxxp://[domain name]/[Random characters and numbers]/fnts.html
- hxxp://[domain name]/[Random characters and numbers]/jovf.html
How to prevent this attack
- Blocking the URL patterns we have noted is one efficient way to prevent this attack. However, the landing page URL patterns are constantly changing. Nonetheless, the payload URL patterns have remained the same for all malicious domains we have seen.
- In spite of the availability of patches for known vulnerabilities such as CVE2013-0422, CVE-2010-0188, etc., this exploit kit still targets these vulnerabilities. McAfee recommends that you install the latest patches for Java and Adobe Reader.
- We advise our customers to pay extra caution when opening unsolicited emails and unknown links.
- McAfee products detect these exploits as JS/Exploit-Stykit.
Special thanks to our colleague Bharath M. Narayan for his assistance with this blog.