2014-01-14 - MAGNITUDE EK

ASSOCIATED FILES:

 

NOTES:

The Magnitude exploit kit (EK) was discovered last year.  EmergingThreats started releasing signatures on this EK as early as September of 2013:

Two articles do a good job explaining this EK:

I finally ran across the Magnitude EK and recorded the traffic.  Let's take a closer look...

 

SNORT EVENTS

For this infection, Security Onion was used to monitor a physical host running an unpatched 64-bit version of Windows 7 with Java 7 Update 4 and IE 10.  The infection traffic generated the following events in Sguil:


Screen shot of Sguil events for this infection.

 

INFECTION CHAIN OF EVENTS

Looking through this traffic, I noticed two separate infection chains.  First was the Magnitude EK infection chain.  The other chain was an aborted redirect that matches what I've seen lately for Redkit v2.0 (Goon EK).  A simple flow chart looks like this:

 

ASSOCIATED DOMAINS:

INFECTION CHAIN (post-infection callback appears near the end):

 

INFECTION TRAFFIC HIGHLIGHTS

The infected web page:

 

Aborted redirect to Redkit v2.0 (Goon EK):

 

Successful redirect to Magnitude EK domain:

 

An IE exploit from the Magnitude EK domain:

 

A Java exploit from the Magnitude EK domain:

 

I noticed at least 3 different EXE payloads, and all were XOR-ed with the ASCII character ")" (without the quotation marks).
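Payloads XOR-ed with a single byte like ")" (0x29) are easy to recover once you know what the decoded file must look like.  The script below is an added example, not from the original post or the pcap: it brute-forces all 256 one-byte keys against a blob carved from the HTTP response and accepts the key that yields a valid MZ/PE header (the "MZ" magic at offset 0 and "PE\0\0" at the offset stored in e_lfanew).  The sample blob is constructed in the script itself, a minimal PE stub XOR-ed with ")", since the real payload files are not reproduced here.

```python
"""Recover a single-byte-XOR-encoded Windows executable.

Added example (not code from the original post).  The post notes that the EXE
payloads served by the Magnitude EK were XOR-ed with the ASCII character ")"
(0x29).  Given the raw bytes of such a download, try every one-byte key and
accept the one that produces a structurally valid MZ/PE header.  The sample
input below is constructed here, not carved from the real traffic.
"""
import struct
from typing import Optional


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (0..255)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Brute-force the one-byte key; return it, or None if no key yields a PE.

    Key 0 is tried too, so an already-plain executable returns 0.
    """
    for key in range(256):
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def decode_payload(blob: bytes) -> Optional[bytes]:
    """Return the decoded executable, or None if the blob is not a XOR-ed PE."""
    key = recover_xor_key(blob)
    return None if key is None else xor_bytes(blob, key)


def _constructed_sample() -> bytes:
    """Constructed stand-in for a captured download: a minimal MZ/PE stub XOR-ed with ')'."""
    e_lfanew = 0x80
    stub = bytearray(e_lfanew + 4 + 16)          # zero-filled buffer
    stub[0:2] = b"MZ"                             # DOS header magic
    struct.pack_into("<I", stub, 0x3C, e_lfanew)  # e_lfanew -> NT headers
    stub[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"   # NT header signature
    return xor_bytes(bytes(stub), ord(")"))


SAMPLE = _constructed_sample()

if __name__ == "__main__":
    key = recover_xor_key(SAMPLE)
    if key is None:
        print("no single-byte XOR key produced a valid PE header")
    else:
        print(f"recovered key: {key:#04x} ({chr(key)!r})")
        decoded = decode_payload(SAMPLE)
        print(f"decoded header: {decoded[:2]!r}, PE signature at {struct.unpack_from('<I', decoded, 0x3C)[0]:#x}")
```

Checking for both the MZ magic and the PE signature at e_lfanew (rather than just "MZ") avoids false positives from keys that happen to map the first two bytes correctly; the same header test is also a cheap way to flag single-byte-obfuscated executables in carved HTTP bodies, whatever key the kit chose.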

 

Registry entries in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run created by the malware:

 

FINAL NOTES

Once again, here is the associated file:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
