
Thank you everyone for joining this talk, "Moving away from exploit kits: the current state of drive-by download". My name is Krishnan Subramanian and I am a security research engineer at a startup called Menlo Security. A little bit of introduction about myself before we delve into the content: I have been for roughly eight years in the field of cyber security, doing security research, threat intelligence and a little bit of incident response as well in the past, and I was able to embark on the journey of cyber security through a master's degree in computer forensics from George Mason University. The bulk of my cyber security career I have spent on building security products at startups, and currently I am focused on researching threats and attacks that actually originate from the web and email vectors. My handle on Twitter is chris203, please feel free to hit me up on Twitter.

So for today's talk we're going to be starting off by talking about what a drive-by download is, what an exploit kit is, and give a brief breakdown of how they function and the typical infection chain involved with an exploit kit. Next we will talk about the decline in exploit kit activity over the years and provide a perspective on why this is the case, followed by the core content of the talk, where we delve into the current techniques and mechanisms that are being used by attackers to carry out drive-by download attacks, and conclude this talk with some insight into how to gain visibility and defend against these techniques from a SOC team standpoint.

So what are drive-by downloads? Going by the definition, they are essentially downloads that are triggered by scripts or some sort of automated mechanism like redirection, where the user doesn't visibly notice the download; sometimes it is authorized by the user, who actually doesn't understand the consequences. This point is key, because we will see that user interaction is required to execute the download on the endpoint.

So, revisiting exploit kits. Exploit kits have been around for quite some time now; they actually date back to 2006, and they had a highly successful run in the years from 2006 to 2012, I believe. I think the reason for that was the sheer number of plug-ins browsers used to natively support those days, and these plugins were often marred with severe vulnerabilities. At one point in time, I think in 2012 when the Blackhole exploit kit was quite prominent, the infection rates were alarming. Exploit kits usually achieve mass infection rates by using techniques like watering hole or website compromise to actually infect endpoints, and the key differentiator for exploit kits was that once the exploit was successful, there was no further user interaction required to execute the final payload on the endpoint. Traditionally exploit kits are known to drop commodity malware like ransomware, banking trojans and crypto miner families, to name a few. So next, let's just quickly talk about the typical exploit kit kill chain.
First, victims visit an infected site, either through a watering hole attack, a compromised website or a malvertising channel. The next step would be a gate URL, which acts as a filter where checks like IP checks, geofences or time zone based checks are carried out. Next the users are taken to a landing page, where the browser is analyzed to determine active plugins and their versions and whether there are any vulnerable plugins that can be exploited. The next step is to actually trigger the exploit, and upon successful exploitation a malicious payload is delivered to the endpoint and executed within the context of the browser process itself. Lastly, most exploit kits usually come with an administration or management interface which lets exploit kit authors track statistics like the number of successful infections, IP blacklisting, and also managing the different exploit payloads that will be delivered after a successful exploitation.

So why are we seeing a decline in exploit kit activity? Firstly, back in the day Internet Explorer was shipped along with the Windows operating system and did not have security features like process separation or sandboxing, meaning any successful exploitation of vulnerabilities in the plug-ins that the browser used to support back in those days could give access to execute malicious code within the context of the browser process itself. Fast forward to today, Google Chrome and other modern browsers have security features like process separation and sandboxing. Secondly, I think the signaling of end of life for some of the old browser plug-ins: Silverlight and Java applets are no longer supported, and more recently Adobe Flash was end of life, I believe either at the end of December 2020 or January 2021, and I think that's another contributing factor for the decline in exploit kit activity. The other angle is: why do exploit kit authors not take advantage of zero-day browser exploits?
I think it's mainly because of the complexity, and it's very expensive for exploit kits to drop commodity malware using browser zero-days. For example, if there is a Chrome zero-day that is exploited on a Windows endpoint, it allows them to break out of the process sandbox, but the exploit needs to be chained with another OS vulnerability to be able to carry out remote code execution. That said, there is evidence of browser zero-days being used by more sophisticated actors like APT and nation state groups. A couple of examples: there was an off-the-record talk by the Coinbase incident response team at BSides SF 2020 where they spoke about responding to Firefox zero-days in the wild, and more recently there was another campaign that was targeting the security researcher community by leveraging IE and Chrome exploits chained with some other Windows vulnerabilities. Lastly, drawing some references from the security community, there is a pretty prominent author called Brad, or malware_traffic, who maintains the website malware-traffic-analysis.net, known for its exploit kit related posts over the years, and from the table you can clearly see there has been a steep decline in the number of posts on that website related to exploit kits. So I think these are some of the reasons we are seeing the decline in exploit kit activity over the years.

So then, what are the current drive-by download mechanisms we are seeing? Since it is becoming increasingly difficult for exploit kits to target modern browsers because of the security mechanisms that are in place, attackers are trying to keep it simple by making use of existing features that are offered within the realm of the HTTP protocol. To draw an analogy, in the Windows environment over the years I think fileless attacks with living off the land binaries has become
quite prominent. I think there was a great talk just a few hours back, "Introduction to fileless malware" by juwan araya aria in the track one series. So drawing that analogy of using LOLBins, you can think of HTML5 and JavaScript features as LOLBins on the browser, where they are using something that is available within the HTTP protocol and the browser environment to carry out attacks. These are features like data URLs, which are defined in RFC 2397, or blobs, using JavaScript to generate blobs that trigger downloads on endpoints, and lastly the other technique is the simple technique of iframe plus redirection, which are all again within the browser environment itself. One thing to note is that there is no client-side exploitation here.

So the first technique that we want to talk about is called HTML smuggling. This is a pretty straightforward technique which makes use of HTML5 and JavaScript features to actually construct a payload entirely on the browser side, or the client side. As you can see from the screenshot here, there is a base64 encoded JavaScript variable that is dynamically converted into a blob using JavaScript, and you can see the appropriate MIME type, the octet-stream MIME type, that is set, which then instructs the browser to trigger the download on the client side. In regards to the end user experience, the user will usually see a save or open dialog prompt for the download, or see the download in the folder location that has been set to download files; I think this depends on how the download settings are configured on the browser. We gave this campaign the name Duri because it uses the data URI scheme.

The second technique is just a slight variation of HTML smuggling where, instead of constructing the payload on
the client side and including the base64 payload within the HTTP response, an additional jQuery XHR GET method is being used to fetch the base64 encoded payload from a remote URL. I think the reason behind using this technique is that the remote URL was acting like a gate which filters access to the malicious base64 encoded payload, so if someone were to just visit the link standalone, it would return a 404 or redirect the user to some benign site like downloads.microsoft.com.

So the last one is blending the two previous techniques with the iframe redirection mechanism. This technique is pretty similar to what exploit kits use, because exploit kits are known to use iframes for redirecting victims. This table sort of shows the comparison between a traditional exploit kit iframe redirection mechanism versus what we are seeing with the current drive-by download mechanism. Both of them start with a gate, where they have some sort of filter that determines if the browser can proceed to the next step of the attack chain or not. The next step in an exploit kit infection chain would be to redirect the user to a landing page, but in the current mechanism we don't have a landing page because there is no exploitation involved, so the landing page is replaced with a redirection chain, which is often hosted on trusted cloud services like Amazon S3, Bitbucket, Microsoft Azure, Cloudflare and services like that. The next step in the exploit kit chain would be to trigger the exploit, but in the current drive-by download attack chain it would be to trigger the automatic download using a blob or HTML smuggling. And the last step, which is a key differentiator, is that there is no user interaction involved
in the case of an exploit kit, but the current drive-by download mechanism requires user interaction to execute the download, and this is where the whole social engineering tactics come into play, where the attackers are using fake updates, where legitimate software application updates are masqueraded, or coming up with themes like a fake Google Drive share. These are some of the example themes that we are seeing with these campaigns.

One note around browser security improvements around iframes that happened, I believe last year, sometime in July: the Chromium and Firefox teams came up with some security controls over sandboxed iframes. Essentially the sandbox attribute allows web developers to control what actions an iframe can perform, like allowing downloads or running scripts, etc. The security enhancements that were implemented by the Chrome and Firefox development teams mainly protect users against malvertising campaigns that can trigger automatic downloads from sandboxed iframes. So we are seeing that attackers are working around this by avoiding or not using the malvertising channel and instead picking a watering hole scenario or common cloud services to plant the iframes, which gives them the flexibility of defining the iframe attributes that they want. For example, in a specific drive-by download campaign we observed a sandboxed iframe that was posted on sites.google.com, but the allow-downloads directive was actually set, which allowed the attackers to trigger the download from the context of the iframe.

So next we want to talk about the SocGholish framework. The "Soc" in SocGholish stands for social engineering, and this framework primarily targets Windows users. This framework leverages all the aforementioned techniques and is used to trigger and deliver drive-by downloads to the endpoint. Usually this framework is used to drop remote access trojans that end up triggering a ransomware infection chain using standard living off the land binaries, and the downloaded file is usually a zip file that contains an embedded LNK file or a Windows script file.
So, we saw on the previous slide it is known to drop remote access trojans that can download additional malware like ransomware. In a specific SocGholish framework campaign we observed, it was being used to drop Dridex, which is a well-known remote access trojan, and Dridex then uses tools like PowerShell Empire to actually load DoppelPaymer, which is a ransomware family; I think it was also used in the recent Kia attacks, where they had to pay around 20 million dollars to remediate the attack. Just to give you an example of the themes that the SocGholish framework uses, you can see a fake Google Drive share, or masquerading of a legitimate Firefox browser update, or a fake Microsoft Teams update; these are some of the common themes that we are seeing used by this framework.

So what are some of the challenges in detecting this particular class of attacks? The first bucket is the technique of HTML smuggling and blobs, where the payload is constructed on the client side; this makes it quite difficult for network-based solutions that actually rely on HTTP transaction headers to determine file downloads. The second bucket is the usage of social engineering tactics; I think attackers are using wise social engineering tactics in an attempt to defeat detection systems, hiding behind trusted or known cloud service providers or masquerading legitimate application updates like Microsoft Teams, for example. The third bucket is the logging visibility aspect of it. Currently the log events on a Windows endpoint for blob downloads or downloads that originate from iframes are quite inconsistent and probably even inaccurate, and we will see an example of that in a later slide. And since network solutions have poor visibility into blob-based downloads, there is heavy reliance on endpoint logs, which means the download was probably already executed by the user on the endpoint at that stage. So, the MITRE ATT&CK perspective.
The specific techniques that we spoke about to deliver drive-by downloads have been focused on the initial access phase of the MITRE ATT&CK Enterprise matrix, and there could be a specific sub-technique defined for this specific class of drive-by attacks, but technique T1189, Drive-by Compromise, does not have any sub-techniques defined on the ATT&CK portal. These are some of the suggested logging telemetry that we could collect specific to this attack: web proxy logs, and endpoint logs like the ones mentioned, which mostly apply to the post-download execution phase.

So we briefly spoke about the discrepancy in logging. I just took a simple example of a Sysmon event log that gets generated when a blob-based file download happens in a browser on a Windows endpoint. In the first case you can see that legacy Edge actually does a good job at populating the right ReferrerUrl value, where the domain from which the blob was served is known, and also the HostUrl indicates that it was a blob. But surprisingly, more modern browsers like the Chromium-based Edge and any Chromium-based browser are not reporting the ReferrerUrl and HostUrl values correctly; you can see it's like about:client and about:internet, which is kind of a little vague when somebody is trying to connect the dots in a drive-by download attack.

So how can we enhance logging visibility? One approach would be to use extensions to detect drive-by downloads. I think this is a debatable topic, because there have been a lot of security and privacy concerns around browser extensions; again, there was a great talk at BSides SF 2020 by, I think, the security team at Lyft where they talk about Chrome extension risks. And extensions are not browser agnostic: there is no single extension that can work across different browsers. So I think the solution would be to have consistent download event log reporting across different browsers, which can then be leveraged by standard endpoint logging tools like Sysmon or osquery, where the additional context or metadata around the download is reported accurately.

With that, I think we have reached the conclusion. Some of the key takeaways are: using a layered security approach is probably helpful, having logging telemetry across the different layers, from the time the user visits a website to the time the drive-by download gets to the endpoint, that is, before the execution. Secondly, creating social engineering awareness of watering hole attacks and the common themes that are being used by these campaigns; I think GoPhish is a great open source tool that could potentially be customized to be used for creating awareness about such a class of attacks. And lastly, for red teams and blue teams, it might be useful for red teams to include these specific techniques in their tool arsenal, and blue teams can probably come up with a playbook on defending and getting more visibility into this specific attack chain. With that, that brings us to the end of the presentation and I would be happy to take any questions.

Thank you very much for that, Krishnan, it was very insightful
and very informative, and I don't think we have any questions. I just want to check now, and no, there are no questions there. OK, so I think we will wrap it up then, if that's okay. So thank you very much for taking the time to talk today, it's greatly appreciated, and it was a very interesting talk as well. So thank you very much again for that.

Thank you. Thank you everyone for the time; it's truly been an honor speaking at this BSides Dublin event, and I would like to thank the BSides Dublin team for giving me this opportunity to present. Please do hit me up on Twitter or LinkedIn if there are any questions. Please take care and stay safe. Thank you.