2017 StarC Drive-by Download
1 ........ 1
2 ........ 2
  2.1 Drive-by Download ........ 2
  2.2 RIG Exploit Kit ........ 2
  2.3 ........ 3
3 ........ 4
  3.1 (1) Drive-by Download ........ 4
  3.2 (2) ........ 6
  3.3 (3) RIG Exploit Kit ........ 15
  3.4 (4) ........ 16
  3.5 ........ 17
4 ........ 20
  ........ 21
  ........ 22
1 2017 4 Web Web Drive-by Download [1] Drive-by Download Web Web Web Drive-by Download Exploit Kit Exploit Kit Web Exploit Kit Drive-by Download Exploit Kit RIG Exploit Kit [2][3][4] RIG Exploit Kit IP IP URL URL 1 IP RIG Exploit Kit RIG Exploit Kit Drive-by Download Exploit Kit RIG Exploit Kit RIG Exploit Kit IP RIG Exploit Kit RIG Exploit Kit [5] 1
2 Drive-by Download Exploit Kit 2.1 Drive-by Download Drive-by Download 4 (1) Web Web Web Web SNS URL Web Web Web Web Web (2) Web User-Agent (3) Web (4) 4 Exploit Kit 2.2 RIG Exploit Kit RIG Exploit Kit 2.1 5 (1) Web Web (2) RIG Exploit Kit URL (3) URL iframe RIG Exploit Kit (4) RIG Exploit Kit Web JavaScript Web 2
2.1 RIG Exploit Kit (5) RIG Exploit Kit RIG Exploit Kit RIG Exploit Kit URL URL Drive-by Download Exploit Kit as a Service Exploit Kit Exploit Kit as a Service Exploit Kit Exploit Kit Exploit Kit 2.3 Exploit Kit Web Drive-by Download [7] RIG Exploit Kit Web RIG Exploit Kit RIG Exploit Kit [6] NTT RIG Exploit Kit URL IP RIG Exploit Kit [8] 3
3 Drive-by Download 3 1. Drive-by Download Web 2. Web RIG Exploit Kit RIG Exploit Kit IP 2 3. RIG Exploit Kit Seamless 4. RIG Exploit Kit IP RIG Exploit Kit RIG Exploit Kit 3.1 (1) Drive-by Download 2017 2 24 4 10 Alexa Top 1 Million Web Web Exploit Kit Web Exploit Kit 3.1 3.1.1 2 4
3.1.2 pseudo-darkleech pseudo-darkleech 2017 4 pseudo-darkleech 3.1 Exploit Kit html body top span Exploit Kit iframe IP HTTP Status Code 500 IP RIG Exploit Kit RIG Exploit Kit JavaScript JavaScript 3.2 3.1

Table 3.1 (campaign / regular expression)
  Afraidgate        /position:absolute; top:-([0-9]{3,4})px/
  EITest            /var ([a-zA-Z]{4,8}) = iframe /
  GoodMan           /div style=width:1px; height:1px; position:absolute; left:-500px; top:-500px;/
  pseudo-darkleech  /span style= position:absolute; top:-([0-9]{3,4})px; width:([0-9]{3})px; height:([0-9]{3})px; /
  Seamless          /iframe width= 0 scrolling= no height= 0 frameborder= 0 src=.+ seamless= seamless /

Table 3.2 (campaign / count / %)
  Afraidgate        0     0%
  EITest            164   4.9%
  GoodMan           19    0%
  pseudo-darkleech  562   3.9%
  Seamless          0     0%
5
3.1 pseudo-darkleech 3.2 JavaScript 3.3 eval() eval() 3.4 Base64 Base64 3.5 Web Web User-Agent User-Agent 3.3 CVE-2015-2419 CVE-2016-0189 Microsoft Internet Explorer JScript 3.2 (2) (1) Drive-by Download Web 6
3.3 JavaScript 3.4 eval() 3.2.1 3.6 StarC Drive-by Download StarC VirtualBox 3.4 3.5 StarC URL OpenVPN URL OpenVPN VPN VPN Fiddler Wireshark 7
3.5 CVE-2016-0189 3.6 URL URL Internet Explorer 3 Fiddler Wireshark Windows Downloads temp 8
Table 3.3 (columns: User-Agent, Windows, CVE-2014-6332, CVE-2015-2419, CVE-2016-0189, SWF Vulnerability)
  Internet Explorer 8   XP 32 Bit
  Internet Explorer 8   XP 64 Bit
  Internet Explorer 8   Vista 32 Bit
  Internet Explorer 8   Vista 64 Bit
  Internet Explorer 8   7 32 Bit
  Internet Explorer 8   7 64 Bit
  Internet Explorer 9   7 32 Bit
  Internet Explorer 9   7 64 Bit
  Internet Explorer 10  8 32 Bit
  Internet Explorer 10  8 64 Bit
  Internet Explorer 11  8.1 32 Bit
  Internet Explorer 11  8.1 64 Bit
  Internet Explorer 11  10 32 Bit
  Internet Explorer 11  10 64 Bit

Table 3.4 StarC
  OS        CentOS 6.9
  Software  VirtualBox 5.1, PHP 7.1

Table 3.5 StarC
  OS        Windows 7 Professional 32bit
  Software  Internet Explorer 9, Adobe Flash Player 20, Java Runtime Environment 7, Fiddler 4, Wireshark 2.4

Drive-by Download IP VPN IP Fiddler HTTPS Wireshark HTTP/HTTPS 9
Table 3.6 (Campaign / Count)
  Fobos        43
  Ngay         34
  Motors       27
  Rulan        14
  Seamless     2
  (unlabelled) 13

Table 3.7 (Exploit Kit / Count)
  RIG     127
  KaiXin  4
  Terror  2

3.2.2 2017 6 21 12 13 Drive-by Download Web StarC 133 3.6 Exploit Kit 3.7 3.2.3 Fobos Campaign Fobos Campaign 2017 3 Web (Malvertising) RIG Exploit Kit StarC Fobos Campaign 3.7 3.7 StarC Fobos Campaign Fobos Campaign RIG Exploit Kit Decoy Web Gate Web Decoy 10
...site. When redirected to the Decoy site, the Decoy site determines whether the accessing IP address has previously accessed the Fobos Campaign. If it has, a harmless Web site is displayed; otherwise, a Web site containing an iframe leading to the Gate is displayed. The Gate is a Web site containing an iframe leading to RIG Exploit Kit, and accessing the Gate causes the attack to be carried out by RIG Exploit Kit. The Decoy sites of the Fobos Campaign changed irregularly, and most were Web sites related to casinos and gambling. An example of a Decoy site observed with StarC is shown in Figure 3.8.

Figure 3.8: Example of a Fobos Campaign Decoy site

3.2.4 Ngay Campaign
The Ngay Campaign is an attack campaign for which observation reports exist from around August 2017. Although there are reports that it used the Disdain Exploit Kit around August, it is now a Malvertising-type attack campaign that uses RIG Exploit Kit in the same way as the Fobos Campaign. Ngay Campaign traffic observed with StarC is shown in Figure 3.9.

Figure 3.9: Ngay Campaign observed with StarC
11
3.8 Ngay Campaign ngay18.tk campngay16.tk testcamp20.ga Ngay Campaign Gate RIG Exploit Kit Gate RIG Exploit Kit iframe Ngay Campaign Gate.tk.ml Freenom ngay camp day StarC Ngay Campaign Gate 3.8 3.2.5 Motors Campaign Motors Campaign 2017 10 11 Fobos Campaign Ngay Campaign RIG Exploit Kit Malvertising StarC Fobos Campaign 3.10 3.10 StarC Motors Campaign Motors Campaign Fobos Campaign Decoy Gate Decoy Gate iframe Web Gate HTTP Location RIG Exploit Kit Decoy Gate Motors Campaign Decoy 3.11 3.2.6 Rulan Campaign Rulan Campaign 2017 4 11 Rulan Campaign Exploit Kit Adobe Flash Player StarC Exploit Kit Rulan Campaign 3.12 Rulan Campaign Exploit Kit Rulan Campaign Gate HTTP Location RIG Exploit Kit Gate IP 8 2 12
3.11 Motors Campaign Decoy 3.12 StarC Exploit Kit Rulan Campaign red.ru Adobe Flash Player Rulan Campaign 3.13 3.13 StarC Adobe Flash Player Rulan Campaign Adobe Flash Player Rulan Campaign Gate 3.14 Adobe Flash Player ZIP ZIP JavaScript Gate flash.ru 13
3.14 Adobe Flash Player 3.2.7 Seamless Campaign Seamless Campaign 2017 3 RIG Exploit Kit Malvertising StarC Seamless Campaign 3.15 3.15 StarC Seamless Campaign Seamless Campaign Pre-Gate Gate Pre-Gate 3.16 JavaScript Web Gate RIG Exploit Kit iframe Web Pre-Gate Gate Pre-Gate /japan Pre-Gate Pre-Gate Gate 1 Pre-Gate Gate 14
3.16 Seamless Campaign JavaScript 3.3 (3) RIG Exploit Kit RIG Exploit Kit IP RIG Exploit Kit 2 HTTP Location Web RIG Exploit Kit Exploit Kit RIG Exploit Kit 3.17 RIG Exploit Kit HTTP 3.18 2 2 Location 3.17 1 HTTP IP 2 RIG Exploit Kit 15
3.18 2 HTTP

Table 3.9 (Seamless URLs)
  http://194.58.38.31/signup1.php
  http://194.58.38.50/signup1.php
  http://194.58.38.51/signup1.php
  http://194.58.39.179/signup1.php
  http://194.58.46.209/signup1.php
  http://194.58.47.235/signup1.php
  http://194.58.58.70/signup1.php

2017 7 20 8 19 RIG Exploit Kit 10 RIG Exploit Kit URL Seamless Seamless URL 3.9 3.3.1 3.19 3.20 2 UTC 6 18 RIG Exploit Kit 9 UTC 6 18 5 0 12 3.4 (4) RIG Exploit Kit IP RIG Exploit Kit IP Web RIG Exploit Kit 16
3.19 RIG Exploit Kit 2017 7 29 8 3 1 RIG Exploit Kit IP xx.xx.34.231 xx.xx.35.135 2 RIG Exploit Kit URL Seamless 3.4.1 xx.xx.34.231 xx.xx.35.135 RIG Exploit Kit RIG Exploit Kit RIG Exploit Kit 3.21 3.22 RIG Exploit Kit JavaScript Drive-by Download xx.xx.35.135 xx.xx.35.137 xx.xx.35.147 RIG Exploit Kit xx.xx.35.135 RIG Exploit Kit IP RIG Exploit Kit 3.5 RIG Exploit Kit Drive-by Download IP RIG Exploit Kit 17
Figure 3.20
Figure 3.21: RIG Exploit Kit
18
Figure 3.22: RIG Exploit Kit
19
4 RIG Exploit Kit RIG Exploit Kit 1 IP 12 RIG Exploit Kit IP RIG Exploit Kit RIG Exploit Kit IP RIG Exploit Kit Exploit Kit 20
[1] NTT (https://www.nttsecurity.com/docs/librariesprovider3/default-documentlibrary/jp 20170815 v1, accessed January 2018)
[2] RIG-EK (https://www.jc3.or.jp/topics/op rigek.html, accessed January 2018)
[3] (https://www.npa.go.jp/cyber/policy/pdf/rig.pdf, accessed January 2018)
[4] LAC, CYBER GRID VIEW Vol.3, RIG Exploit Kit (https://www.lac.co.jp/lacwatch/pdf/20170202 cgview vol3 f001t.pdf, accessed January 2018)
[5] RSA, SHADOWFALL (https://www.rsa.com/en-us/blog/2017-06/shadowfall, accessed January 2018)
[6] RIG Exploit Kit, 78, 2017
[7] Exploit Kit Web, 2013, pp. 603-610, 2010
[8] NTT, RIG (https://www.nttsecurity.com/-/media/nttsecurity/files/resource-center/what-we-think/rigekanalysis-report.pdf, accessed January 2018)
22