• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Contact Sales
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Why Us
    • Why Cisco Umbrella
      • Why Try Umbrella
      • Why DNS Security
      • Why Umbrella SASE
      • Our Customers
      • Customer Stories
      • Why Cisco Secure
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Global Cloud Network Activity
    • Unmatched Intelligence
      • A New Approach to Cybersecurity
      • Interactive Intelligence
      • Cyber Attack Prevention
      • Umbrella and Cisco Talos Threat Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco Umbrella and SecureX
  • Products
    • Cisco Umbrella Products
      • Cisco Umbrella Cloud Security Service
      • Recursive DNS Services
      • Cisco Umbrella SIG
      • Umbrella Investigate
      • What’s New
    • Product Packages
      • Cisco Umbrella Package Comparison
      • – DNS Security Essentials Package
      • – DNS Security Advantage Package
      • – SIG Essentials Package
      • – SIG Advantage Package
      • Umbrella Support Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Cloud Data Loss Prevention (DLP)
      • Cloud-Delivered Firewall
      • Cloud Malware Protection
      • Remote Browser Isolation (RBI)
    • Man on a laptop with headphones on. He is attending a Cisco Umbrella Live Demo
  • Solutions
    • SASE & SSE Solutions
      • Cisco Umbrella SASE
      • Secure Access Service Edge (SASE)
      • What is SASE
      • What is Security Service Edge (SSE)
    • Functionality Solutions
      • Web Content Filtering
      • Secure Direct Internet Access
      • Shadow IT Discovery & App Blocking
      • Fast Incident Response
      • Unified Threat Management
      • Protect Mobile Users
      • Securing Remote and Roaming Users
    • Network Solutions
      • Guest Wi-Fi Security
      • SD-WAN Security
      • Off-Network Endpoint Security
    • Industry Solutions
      • Government and Public Sector Cybersecurity
      • Financial Services Security
      • Cybersecurity for Manufacturing
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
  • Resources
    • Content Library
      • Top Resources
      • Cybersecurity Webinars
      • Events
      • Research Reports
      • Case Studies
      • Videos
      • Datasheets
      • eBooks
      • Solution Briefs
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • Security Definitions
      • What is Secure Access Service Edge (SASE)
      • What is Security Service Edge (SSE)
      • What is a Cloud Access Security Broker (CASB)
      • Cyber Threat Categories and Definitions
    • For Customers
      • Support
      • Customer Success Webinars
      • Cisco Umbrella Studio
  • Trends & Threats
    • Market Trends
      • Hybrid Workforce
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
    • Security Threats
      • How to Stop Phishing Attacks
      • Malware Detection and Protection
      • Ransomware is on the Rise
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
      • Global Cyber Threat Intelligence
    •  
    • Woman connecting confidently to any device anywhere
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Person looking down at laptop. They are connecting and working securely
  • Blog
    • News & Product Posts
      • Latest Posts
      • Products & Services
      • Customer Focus
      • Feature Spotlight
    • Cybersecurity Posts
      • Security
      • Threats
      • Cybersecurity Threat Spotlight
      • Research
    •  
    • Register for a webinar - with illustration of connecting securely to the cloud
  • Contact Us
  • Umbrella Login
  • Cloudlock Login
  • Free Trial
Security

Catching Exploit Kit Landers

Author avatar of Brad AntoniewiczBrad Antoniewicz
Updated — July 24, 2020 • 5 minute read
View blog >

Exploit Kits play an integral role in many of the attacks we see on a daily basis. In this blog post we show how we use our data in a novel way to uncover new components of the attack infrastructure and protect our customers earlier.

Background

A race unfolds each time a new WordPress, Joomla, or similar web application vulnerability is disclosed. Actors are looking to quickly craft an exploit and search the internet for vulnerable instances. Once compromised, these personal and business websites are turned against their users to become Exploit Kit Landers.
Each visitor is selectively evaluated by the time of day they’re visiting the site, their source IP address, along with the versions of their browser  and various plugins. If they match a specific profile, the Lander injects a single line of HTML or JavaScript code into the page. This line of code makes a call to the Exploit Kit Gate, which serves up a worthy exploit to take advantage of a vulnerability in an often outdated browser or plugin used by the visitor. We use the term ‘Gate’ to describe the attacker-controlled system which may serve the exploit itself or may be an intermediary step where the client is profiled a second time then sent to the exploit. With arbitrary execution achieved on the visitor’s system, the exploit kit has done its job. The shellcode of the exploit downloads a binary and executes the payload of the attacker’s choice which, in many cases, is ransomware.
exploit-kit-redirect

So Many Callbacks

The infection chain is littered with internet callbacks between the attacker and the victim. The victim first goes to the infected Lander, then is redirected to the Gate, then downloads the payload, and then calls back to ransomware command and control (C2) to negotiate keys. We can detect this communication at the network layer and ultimately prevent an infection from succeeding by blocking communication to the hosts involved in any of these callbacks. While we have developed systems to uncover each of these callbacks, one group which is particularly interesting to us are the Landers.

Avoiding Detection

Actors take special care to protect their landers from discovery. These websites can be popular blogs or businesses that may have sizable followings and rank high in search results. If a high traffic lander is uncovered, it could mean a sizable opportunity loss. To avoid detection, actors will only expose functionality for specific hours of the day, exclude certain IP addresses, and refuse to infect a visitor more than a set number of times.

Block Page Referrers

Every time one of our users attempts to visit a malicious website, we notify them by redirecting their browser to our block page.
internet-bad-guys-block
This is helpful to our users, but is also valuable to our researchers as another data source to perform analytics on. We store the full HTTP request every time a user ends up at one of these pages so good news for us: we can also see how they got there.

Hackathon Project: Find New EKs!

As a project during our annual hackathon at the beginning of last month, we decided to use our block page logs to identify new landers. Our end result was a module for our Avalanche System which allows us to stream in new data at near real time and protect our customers right away.

Block Page Logs

The logs from our block pages are just raw HTTP logs. By looking at the Referer HTTP Header data, we can identify how users end up at a Gate. We first parse them into a dictionary that looks like this:

We have a couple things working for us: We already know that this user is doing something risky since they’ve arrived at our blocked page and are in our logs. We’re also streaming in exploit kit gates, so we already know that headers.host is a gate that we’ve uncovered with our other classifiers. The thing we might not have prior knowledge about is the referrer, geiserpharma[.]com.

New Landers

Attackers may set up their imposter websites or they may compromise legitimate websites, so it can be tricky to determine if a referring site is actually malicious. One way to root out false positives is to ensure the referrer is not an extremely popular site. We can use the top 5000 domains in the Cisco Umbrella 1m as a filter and check the popularity within Investigate.
Low popularity
Our suspected lander geiserpharma[.]com has very low popularity. On a scale on 0-100, where 100 is very popular, geiserpharma[.]com is a zero.

Line of Fire

Let’s visit geiserpharma[.]com just to test. The other nice thing we get from the block page logs is the User-Agent. This is useful since many Exploit Kits will profile the user and only launch an exploit if it appears to be vulnerable. By using the User-Agent in the logs, we’re one step closer to having the exploit kit show itself.
ek
Surprise, surprise: Internet Explorer Crashes and we get a very concerning Windows Script Host error! All-in-all there were four major steps to this infection, here they are as Fiddler sessions:
infection chain
If we dig into the HTML source of the page, we see a suspicious iFrame buried in the middle of it:
screen-shot-2017-01-10-at-4-53-29-pm
Now, these landers will very often cycle through a few different gates as you render the page. So if we wait a little time, then request the page again, we get:
oh yeaaa
These iFrames include additional JavaScript to profile the user and ensure they are vulnerable:

With a confirmed wounded duck, the JavaScript posts back to the gate which returns a big nasty page with tons of obfuscated JavaScript. Parts of the JavaScript are encoded just right to make Fiddler hiccup when processing.
narly
By saving the raw bytes using HexView we can see the resulting JavaScript.
rigl1
A few breakpoints later, we reveal three levels of JavaScript obfuscation that result in the inclusion of a Flash object into the original landing page (geiserpharma[.]com).
rigl3
This Flash object contains exploits a vulnerability which achieves code execution in the context of the browser.
flash
The SWF is passed a few hex-encoded items via the FlashVars variable. This supports the modular nature of the exploit kit. Any exploit kit customer can provide a download URL which is passed from JavaScript, through Flash, arriving as an argument to payload which is eventually executed. We can see this by inspecting the ROP Chain that the exploit uses once it achieves control over the instruction pointer.

The payload itself is simply a one liner to create a Windows Script Host temporary file that downloads, deobfuscates, and executes Cerber Ransomware via a DLL using  regsvr32.exe.

But wheres the Arduino?

It can’t be a hackathon project without having something controlled by a small microprocessor, so we bolted on an API to our feed of fresh new landers and set up a Raspberry Pi to query it. Every time a new lander was identified, the Raspberry Pi triggered a PowerSwitch Tail which flipped on the electricity to my Christmas Tree and sent the train below racing around its track.

Suggested Blogs

  • Cisco Umbrella Delivered Better Cybersecurity and 231% ROI February 21, 2023 2 minute read
  • Cisco Listed as a Representative Vendor in Gartner® Market Guide for Single-Vendor SASE January 26, 2023 3 minute read
  • How to Evaluate SSE Vendors: Questions to Ask, Pitfalls to Avoid June 23, 2022 5 minute read

Share this blog

FacebookTweetLinkedIn

Follow Us

  • Twitter
  • Facebook
  • LinkedIn
  • YouTube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Global Cloud Architecture
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Umbrella
  • Cisco Umbrella Blog

Learn more

  • Webinars
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2023 Cisco Umbrella