By Elliot Cao, Joseph C. Chen, William Gamazo Sanchez
We discovered a new exploit kit named Capesand in October 2019. Capesand attempts to exploit recent vulnerabilities in Adobe Flash and Microsoft Internet Explorer (IE). Based on our investigation, it also exploits a 2015 vulnerability for IE. It seems the cybercriminals behind the exploit kit are continuously developing it and are reusing source code from a publicly shared exploit kit code.
Discovery and details
In the middle of October, we found a malvertising campaign using the Rig exploit kit and delivering DarkRAT and njRAT malware. By the end of October, however, we noticed a change in the malvertisement and the redirection was no longer to the Rig exploit kit. The cybercriminals shifted to loading an exploit kit we were unfamiliar with. Investigating further led us to a panel provided for this unknown exploit kit to customers. The panel has the name Capesand on it and directly provides the source code of the exploit kit.
The Capesand exploit kit’s code is quite simple compared with other kits. Almost all of Capesand‘s functions reuse open-source code, including the exploits, obfuscation, and packing techniques. Further monitoring revealed that its users are actively using it despite its seemingly unfinished state.
Analysis of the malvertisement
The malvertisement we observed was delivered from the ad network straight to the victim’s browser and was presented as a blog talking about blockchain. A close check of the source code of the page showed that it was a disguise, as it proved to be a page copied using the website copying tool HTTrack. The copied page contains a hidden iframe used to load the exploit kit.
In our observations on the mid-October attack, the hidden iframe had loaded the Rig exploit kit. By the end of October, the iframe changed to load landing.php, which led to another unknown exploit kit hosted on the same server. We were able to to identify the cybercriminals’ second-tier server, which has the Capesand web panel.
Analysis of the Capesand exploit kit
The Capesand panel is used to check the status of exploit kit usage. Any threat actors using this exploit kit can also download frontend source code which they can deploy on their server. In the case we identified, the campaign deployed it with their fake blockchain malvertisement. While we checked the frontend source code, we found that it looks similar to a very old exploit kit called Demon Hunter, leading us to believe that Capesand is probably derived from it.
As the source code is descripted, the exploit kit appears to be upgraded to exploit newer vulnerabilities compared to its parent exploit kit like CVE-2018-4878 (affects Adobe Flash) and CVE-2018-8174 and CVE-2019-0752 (both affecting Microsoft Internet Explorer). CVE-2019-0752 is a vulnerability discovered by Trend Micro ZDI this year. We also found the same vulnerability being used in a watering-hole attack that delivered SLUB malware.
Another thing to note is that the frontend exploit kit source code package does not include its exploits. Typically, some exploit kits already have the exploits inside the source code. In the case of Capesand, each time the exploit kit wants to deliver an exploit, it needs to send a request to the API of the Capesand server to receive the requested exploit payload. Perhaps this is a way to ensure that the exploits are not shared easily.
The API request is composed of the following information on the victims:
- Requested exploit name
- Exploit URL in configuration
- Victim’s IP address
- Victim’s browser user-agent
- Victim’s HTTP referrer
All information mentioned above will be encrypted using AES encryption with a pre-generated API key inside a configuration file. When the Capesand server receives the request, it verifies if a valid API key encrypts the request. It also gets information on the usage of the exploit kit by users and collects the information of victims for stats. Then, it returns the exploit payload to the frontend exploit kit and then delivers it to the victim.
As we progressed in our investigation, we observed a Capesand exploit kit in the wild that uses the old IE exploit for CVE-2015-2419. We also identified two exploits for the Adobe Flash vulnerabilities CVE-2018-4878 and CVE-2018-15982 and an exploit for the IE vulnerability CVE-2018-8174 on their server. But we did not see the exploit for the newer IE vulnerability CVE-2019-0752 indicated in their source code. This leads us to believe that the kit is still under development and has yet to fully integrate the exploits the cybercriminals planned to use.
Figure 9. The weaponized shellcode as executed in the victim machine
In-the-wild Capesand attack chain
After successful exploitation via Capesand, the first stage will download mess.exe and attempt to exploit CVE-2018-8120 to escalate privileges and then execute njcrypt.exe. The njcrypt binary is a multilayer obfuscated .NET application where the obfuscation is done using publicly known tools. The sample execution delivers the payload njRAT version 0.7d. The following diagram shows the complete attack flow with the de-obfuscation layers simplified.
The image SV VORWARTRS WIEN 2016 is the actual image present inside NvidiaCatalysts.dll. Note that njRAT 0.7d is a known njRAT open source and can be found in GitHub. The sample we captured resembles the open-source payload exactly.
The module CyaX_Sharp.dll generates a configuration file to track configuration of the infected machine, during creation of the configuration file it checks for the presence of the ESET.
As of this writing, the Capesand exploit kit is being actively developed and is being used for compromising users even during its development stage. Although it is using known vulnerabilities, its creators ensure that the deployed samples have very low detection rates. In fact, our investigation also showed that it is checking for installed antimalware products. Moreover, the architecture is evolving in the direction of distributing the malicious landing pages via mirrored versions of legitimate websites under domain names similar to the originals’. In addition, its exploits are delivered as a service accessible through a remote API — an efficient method to keep the exploits private and reusable across different deployment mechanisms. We are continuously monitoring this exploit kit’s activity and will report any significant developments in the future.
Trend Micro Solutions
Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free™ Business Security detect and block the exploit kit and the malicious domains it connects to. Trend Micro™ Deep Security™ solution customers are protected by the following rules:
- 1009067 – Microsoft Windows VBScript Engine Remote Code Execution Vulnerability (CVE-2018-8174)
- 1009655 – Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2019-0752)
- 1008854 – Adobe Flash Player Remote Code Execution Vulnerability (CVE-2018-4878)
- 1009405 – Adobe Flash Player Use After Free Vulnerability (CVE-2018-15982)
- 1006868 – Microsoft Internet Explorer JScript9 Memory Corruption Vulnerability (CVE-2015-2419)
Indicators of Compromise
|Indicator||Attribution||Trend Micro Predictive Machine Learning Detection||Trend Micro Pattern Detection|
|6288de662d6dd1a57e99cf8b9259eef467c461e378d431fc53243ecede155b38||CAPESAND exploit CVE-2015-2419||Trojan.JS.CVE20152419.AA|
|a8391b08478ba333bfc7f377d5ee7b0a697b638e9987a6db614c7f192b22a384||CAPESAND exploit CVE-2018-4878||Trojan.SWF.CVE20184878.THJCOAIA|
|79f2250d10ebf83352b7715c30b60cecea14c7edd94fb164afb9353f4f91b038||CAPESAND exploit CVE-2018-15982||Trojan.SWF.CVE201815982.THJCOAIA|
|1f1bb98b7e4e23913ff25b50d1ffd44e6ef447053188eca255d9bd0378602625||CAPESAND exploit CVE-2018-8174||Trojan.HTML.CVE20188174.AB|
|eb1be3f00e93a7dfcca563e564ab7d7319676161b56039f4968ceddf791d110a||CAPESAND exploit CVE-2018-8120||Troj.Win32.TRX.XXPE50FFF032||Trojan.Win64.CVE20188120.D|
|138[.]68[.]15[.]227||DarkRAT C&C IP address|
|107[.]167[.]244[.]67||njRAT C&C IP address|
Updated as of 7:00 PM Eastern Standard Time to remove one included image.