Threat Research

Exploring a Recent Magnitude Exploit Kit Sample

By Jessie Leung | October 09, 2019

A FortiGuard Labs Threat Analysis


As Internet Explorer's share of the browser pie continues to shrink, exploit kits — frameworks hosted by malicious actors to target browser vulnerabilities, particularly for IE — are much less active than before. However, some of them now target geographic regions where IE owns a more sizable part of the market.

Magnitude Exploit Kit is one that continues to target South Korea. At FortiGuard Labs, we discovered a sample that was using a specific technique with VBScript to load the .NET assembly from memory.

The flow for this sample was as follows:

  1. Ad network 302 redirection
  2. Magnitude EK 'gate' containing obfuscated JS
  3. Redirection to a second domain with a VBScript exploit (CVE-2018-8174) and .NET payload

The intermediate page (the 'gate') just contains base64-encoded JavaScript.

After decoding, we found a function – ymyepydl() – that is used to deobfuscate the rest of the code:

The function ymyepydl() uses the URL of the page, taken from the window.location string, as a source of characters from which it assembles the rest of the strings in the script. Indexing into the URL in this way ties the decoded strings to the exact landing URL: an analyst (or a sandbox) replaying the script from any other address cannot reconstruct them.

Another obfuscation method used by Magnitude is wrapping calls to Number.prototype.toString() in comma expressions padded with junk operands, such as (77, 145004625437 < 43, 585540998951).toString(33, 530297).

The comma operator evaluates each operand and yields only the last one, and because JavaScript does not overload functions by arity, the extra argument passed to toString() is simply ignored.

The above example therefore reduces to (585540998951).toString(33), which is that number written in base 33: "document".
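The two tricks described above (URL-indexed string assembly and radix-padded toString() calls) can both be undone statically. The following is an added example of such a deobfuscation pass; it is not code from the Magnitude gate or from FortiGuard. The obfuscated snippet, the landing URL and the variable name `u` (assumed to hold window.location as a string) are all constructed for the example.

```javascript
// Added example: static de-obfuscation of two Magnitude gate tricks.
// 1. "(junk, junk, N).toString(R, junk)" -> the string N encodes in base R.
//    The comma operator yields its last operand, and Number.prototype.toString
//    takes only a radix, so the padding is inert.
// 2. "u[i] + u[j] + ..." where u holds the page URL -> the string spelled by
//    those characters. This only works when the exact landing URL is known.

// Constructed sample resembling the gate script; every value here is made up.
const SAMPLE_URL = "https://gate.example/evil?x=1";
const SAMPLE_SNIPPET = [
  "var w = window[(77, 145004625437 < 43, 585540998951).toString(33, 530297)];",
  "var f = window[u[11] + u[22] + u[9] + u[18]];",
].join("\n");

// Matches (a, b, ..., N).toString(R[, junk]) with N and R as integer literals.
const RADIX_CALL =
  /\(\s*(?:[^()]*?,\s*)*(\d+)\s*\)\.toString\(\s*(\d+)\s*(?:,[^)]*)?\)/g;

function decodeRadixCalls(src) {
  return src.replace(RADIX_CALL, (match, num, radix) => {
    const r = Number(radix);
    if (r < 2 || r > 36) return match;        // invalid radix: leave untouched
    return JSON.stringify(Number(num).toString(r));
  });
}

// Resolves sums of varName[<int>] terms against a known URL. If any index
// falls outside the URL the term is left as-is, which is exactly what happens
// when the script is replayed from the wrong address.
function resolveUrlIndexes(src, url, varName = "u") {
  const v = varName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const sum = new RegExp(`${v}\\[\\d+\\](?:\\s*\\+\\s*${v}\\[\\d+\\])*`, "g");
  const term = new RegExp(`${v}\\[(\\d+)\\]`, "g");
  return src.replace(sum, (match) => {
    const chars = [];
    for (const [, idx] of match.matchAll(term)) {
      const i = Number(idx);
      if (i >= url.length) return match;     // wrong URL: cannot reconstruct
      chars.push(url[i]);
    }
    return JSON.stringify(chars.join(""));
  });
}

function deobfuscate(src, url) {
  return resolveUrlIndexes(decodeRadixCalls(src), url);
}

console.log(deobfuscate(SAMPLE_SNIPPET, SAMPLE_URL));
```

Run with the real landing URL, the snippet resolves to `window["document"]` and `window["eval"]`; run with any other URL, the URL-indexed terms either spell nonsense or stay unresolved, which is the practical consequence of the URL-keyed obfuscation noted above.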

The JS on the page is decoded to the following:

The scripted redirection transfers page execution to the second Magnitude controlled domain. This next page contains obfuscated VBScript that builds an array of characters and similarly indexes into it to decode the rest of the script.

A snippet of the deobfuscated version:

The VBScript is a modified PoC of CVE-2018-8174. Aside from the function and variable renaming, the shellcode section of the sample we reviewed included a scriptlet that we have not seen in Magnitude's previous exploits.

The usual approach to exploiting CVE-2018-8174, as seen in the publicly released PoCs, is to use the resulting memory corruption to call VirtualProtect and then execute shellcode. Here, Magnitude EK appears to be experimenting with an alternative payload stage. The fileless technique it uses comes from a tool named DotNetToJScript, which embeds a compiled C# payload in JavaScript (or in one of the other scripting languages the tool supports, such as the VBScript used in this sample).

Given a compiled C# payload (a .NET assembly), the DotNetToJScript executable outputs a script that loads that assembly from memory without writing it to disk. The script instantiates .NET classes through their COM-visible ProgIDs, writes the base64-decoded serialized object into a System.IO.MemoryStream, deserializes it with the Deserialize_2 method of System.Runtime.Serialization.Formatters.Binary.BinaryFormatter, and then creates an instance of the class carried in the deserialized assembly.
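The loader pattern just described leaves recognisable strings in the script: the ProgIDs of the .NET classes, the Deserialize_2 call, and a large base64 blob that, for a standard BinaryFormatter stream, starts with the bytes 00 01 00 00 00 FF FF FF FF (base64 "AAEAAAD/////"). The following is an added example of a content-scanning check built on those indicators; it is not FortiGuard's detection logic, nor code from DotNetToJScript. The VBScript sample and its "payload" are constructed for the example: the blob is only the BinaryFormatter header followed by filler, not a real serialized gadget, and the indicator weights are an arbitrary choice.

```javascript
// Added example: flag script text carrying a DotNetToJScript-style loader.
// Works on both JScript (ActiveXObject) and VBScript (CreateObject) output.

const INDICATORS = [
  { name: "memorystream",    re: /System\.IO\.MemoryStream/i,                weight: 1 },
  { name: "binaryformatter", re: /Formatters\.Binary\.BinaryFormatter/i,     weight: 2 },
  { name: "deserialize_2",   re: /\.Deserialize_2\s*\(/i,                    weight: 3 },
  { name: "dynamicinvoke",   re: /\.DynamicInvoke\s*\(/i,                    weight: 1 },
  { name: "com_activation",  re: /\b(?:ActiveXObject|CreateObject)\s*\(/i,   weight: 1 },
];

// A BinaryFormatter stream begins with the SerializationHeaderRecord
// 00 01 00 00 00 FF FF FF FF, which base64-encodes to this prefix.
const BINFMT_B64_HEADER = "AAEAAAD/////";

// DotNetToJScript splits the blob across many string literals joined with
// + / & and line continuations, so collect pure-base64 literals in order.
function base64Payload(src) {
  const chunks = [];
  for (const [, lit] of src.matchAll(/"([A-Za-z0-9+/=]{16,})"/g)) chunks.push(lit);
  return chunks.join("");
}

function scanForDotNetLoader(src) {
  const matched = INDICATORS.filter((i) => i.re.test(src));
  const hits = matched.map((i) => i.name);
  let score = matched.reduce((s, i) => s + i.weight, 0);

  const blob = base64Payload(src);
  const hasHeader = blob.startsWith(BINFMT_B64_HEADER);
  if (hasHeader) {
    hits.push("binaryformatter_header");
    score += 3;
  }
  const payloadBytes = blob.length ? Buffer.from(blob, "base64").length : 0;

  return { hits, score, payloadBytes, suspicious: score >= 5 || hasHeader };
}

// Constructed VBScript sample (not the Magnitude script); the base64 is a
// BinaryFormatter header plus filler, not a working serialized object.
const SAMPLE_VBS = [
  'Dim stm, fmt, al, obj, d',
  'Set stm = CreateObject("System.IO.MemoryStream")',
  'Set fmt = CreateObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter")',
  'Set al = CreateObject("System.Collections.ArrayList")',
  'serialized = "AAEAAAD/////AQAAAAAAAAAM" & _',
  '             "Q29uc3RydWN0ZWRGaWxsZXIx"',
  "' decoding of serialized into stm omitted in this constructed sample",
  'Set obj = fmt.Deserialize_2(stm)',
  'Set d = obj.DynamicInvoke(al.ToArray())',
].join("\n");

const BENIGN_JS = 'var x = document.getElementById("content").toString();';

console.log(scanForDotNetLoader(SAMPLE_VBS));
console.log(scanForDotNetLoader(BENIGN_JS));
```

This is a heuristic, not a signature: a loader that hides its ProgIDs with the same URL-indexing or radix-toString tricks used on the gate page would evade the string indicators, so the check belongs after deobfuscation, and the header test assumes the blob has not been re-encoded.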

This lesser-known technique is arguably stealthier than invoking PowerShell in a similar fileless delivery stage: nothing is written to disk and the loader itself spawns no child process, because the .NET runtime is loaded directly into the script host, which in this case is the browser process. That is also a detection opportunity, since a browser or script host loading the CLR (mscoree.dll/clr.dll) is unusual behaviour. Magnitude's implementation of this technique in its latest variant was an interesting discovery. Exploit kits may be less rampant than in their heyday, but they are still actively maintained and continue to evolve.

Solution

FortiGuard Labs continues to monitor exploit kits for new developments in obfuscation and exploit methods.

The Magnitude EK landing page explored in this sample is detected by IPS signature "Magnitude.Exploit.Kit".

References

DotNetToJScript by James Forshaw: https://github.com/tyranid/DotNetToJScript
