As Internet Explorer's (IE) share of the browser pie continues to shrink, exploit kits — frameworks hosted by malicious actors to target browser vulnerabilities, particularly for IE — are much less active than before. However, some of them now target geographic regions where IE owns a more sizable part of the market. Magnitude Exploit Kit is one that continues to target South Korea.
At FortiGuard Labs, we discovered a sample of the Magnitude Exploit Kit that was using a specific technique with VBScript to load the .NET assembly from memory.
The flow for this sample was as follows:
After decoding, we found a function – ymyepydl() – that was used to deobfuscate the rest of the code:
The function ymyepydl() uses the URL of the page, taken from the window.location string, as a source of characters to build the rest of the strings in the script. This method of indexing into the URL adds some entropy into the function calls and prevents reconstruction if the original URL is not known.
Another obfuscation method used by Magnitude is the inclusion of many overloaded toString() function calls, such as (77, 145004625437 < 43, 585540998951).toString(33, 530297), in the script.
The above example is really just an equivalent to (585540998951).toString(33) => "location".
The JS on the page is decoded to the following:
The scripted redirection transfers page execution to the second Magnitude-controlled domain. This next page contains obfuscated VBScript that builds an array of characters and similarly indexes into it to decode the rest of the script.
A snippet of the deobfuscated version:
The VBScript is a modified PoC of CVE-2018-8174. Aside from the function and variable renaming, the section with the shellcode we reviewed included a scriptlet that we have not seen in Magnitude's previous exploits.
Given a compiled C# payload, the DotNetToJScript executable will output a script that loads the .NET assembly from memory. The technique is characterized by deserializing the memory stream with the System.Runtime.Serialization.Formatters.Binary.BinaryFormatter's Deserialize_2 method and creating an instance of the deserialized class.
This lesser-known technique is arguably stealthier than invoking PowerShell in a similar fileless payload delivery stage. Magnitude's implementation of this technique in its latest variant was an interesting discovery. Exploit kits may be less rampant compared to their heyday, but they prove to be actively maintained and ever-evolving.
FortiGuard Labs continues to monitor exploit kits for new developments in obfuscation and exploit methods.
The Magnitude EK landing page explored in this sample is detected by IPS signature "Magnitude.Exploit.Kit".
DotNetToJScript by James Forshaw: https://github.com/tyranid/DotNetToJScript
Read about the FortiGuard Security Rating Service, which provides security audits and best practices.