Rendering the Web Red with Redkit

On June 26, we observed an exploit kit attack on the Segway website. Symantec has notified Segway about the attack and Segway has since taken steps to ensure their website is no longer compromised. This blog will look at the details of an attack using the Redkit exploit kit.

Attack details

Code is injected into a jQuery script.

Redkit 1 edit_0.png

Figure 1. jQuery script with code injection

The malicious code is present in the jquery.min.js JavaScript.

Redkit 2 edit.png

Figure 2. Malicious code in jquery.min.js

The injected JavaScript decodes to a malicious iframe, which redirects to a landing page. This also sets up a cookie after the redirection so that users are not compromised more than once.

Redkit 3-1 edit.png

Decodes to:

Redkit 3-2 edit.png

Figure 3. JavaScript decodes to a malicious iframe

The iframe redirects to a Redkit landing page:

  • [REMOVED]. [REMOVED].co.uk/abcd.html

The landing page loads the Java Network Launch Protocol (JNLP) to call the malicious JAR files. On successful exploitation, the JAR files use “Open Connection” and receives the URL from “param value=” in an obfuscated manner.

Redkit 4 edit.png

Figure 4. Obfuscated URL received from "param value="

The encoded string resolves to:

  • http://[REMOVED]. [REMOVED].co.uk/19.html

The JNLP script is used to deploy malicious JAR files on user’s computer.

Redkit 5 edit.png

Figure 5. JNLP script used to deploy malicious JAR files

The URI for the JAR files:

  • http://[REMOVED]. [REMOVED].co.uk/8o.jar

Current JAR file names are two characters long, such as 80.jar, sj.jar, and 7t.jar. These JAR files download an encrypted payload and employ cipher schemes to decrypt it.

The JAR files used in this attack use a Java type confusion vulnerability (CVE-2012-1723)

Redkit 6 edit.png_0.png

Figure 6. Java type confusion being exploited

The cipher scheme used to decode the URL, passed as param through JNLP, is a simple character substitution algorithm.

Redkit 7 edit_0.png

Figure 7. Cipher scheme used to decode URL

Several pieces of malware are dropped in this attack:

Redkit 8 edit_0.png

Figure 8. Attack scenario

Conclusion

Redkit has been available since early 2012 and still propagates in the same way: Hacked sites with a malicious iframe redirect to the exploit kit landing page, as we have observed in this case, and then plugin detect scripts are used for fingerprinting just like other exploit kits.

Recently, we have observed landing pages with the following URI patterns:

  • [REMOVED]. [REMOVED]/hfiv.htm
  • [REMOVED]. [REMOVED]/hmtg.htm
  • [REMOVED].[REMOVED]/hmtg.htm

Redkit has started deploying JAR files using JNLP script as a plugin to load them. The dropped JAR files have numbered names such as 11.jar or 123.jar. The JAR files are obfuscated and exploit the latest Java vulnerabilities. The payload for these files is encrypted.

Redkit exploits several Java vulnerabilities:

Redkit is known to drop:                                                  



Symantec blocked approximately 150,000 Redkit attacks last month.

Redkit_HeatMap_0.png

Figure 9. Geographical distribution of attacks

North American, European, and USSR regions are the most affected geographical areas. The motive for these attacks is generally compromising users for monetary benefits. Recently, these attacks have targeted organizations in order to steal intellectual property.

Protection

The good news is that Symantec provides comprehensive protection for Redkit attacks, and customers with updated intrusion prevention and antivirus signatures are protected. Intrusion Prevention scans all the network traffic that enters and exits your computer and compares this information against a set of attack signatures, protecting users against the most common Internet attacks.

Symantec has the following protection in place to protect customers from this attack:

Intrusion prevention:

Antivirus: