Thursday, 18. May 2017

Will Astrum Fill the Vacuum in the Exploit Kit Landscape?

The decline of exploit kit activity—particularly from well-known exploit kits like Magnitude, Nuclear, Neutrino, and Rig during the latter half of 2016—doesn’t mean exploit kits are throwing in the towel just yet. This is the case with Astrum (also known as Stegano), an old and seemingly reticent exploit kit we observed to have been updated multiple times as of late.

Astrum was known to be have been exclusively used by the AdGholas malvertising campaign that delivered a plethora of threats including banking Trojans Dreambot/Gozi (also known as Ursnif, and detected by Trend Micro as BKDR_URSNIF) and RAMNIT (TROJ_RAMNIT, PE_RAMNIT). We’re also seeing Astrum redirected by the Seamless malvertising campaign, which is known for using the Rig exploit kit.

Astrum’s recent activities feature several upgrades and show how it’s starting to move away from the more established malware mentioned above. It appears these changes were done to lay the groundwork for future campaigns, and possibly to broaden its use. With a modus operandi that deters analysis and forensics by abusing the Diffie-Hellman key exchange, it appears Astrum is throwing down the gauntlet.

Astrum’s Attack Flow

On March 23rd, our colleague Kafeine found Astrum starting to exploit CVE-2017-0022, an information disclosure vulnerability in Windows systems (patched last March 14, 2017 via MS17-022). The exploit was used to determine if certain antivirus (AV) products were installed in the affected computer in order to evade their detection and analysis.

By the end of April, we saw Astrum updated yet again—this time to prevent security researchers from replaying their malicious network traffic. We found that this anti-replay feature was designed to abuse the Diffie-Hellman key exchange—a widely used algorithm for encrypting and securing network protocols. Angler was first observed doing this back in 2015.

Implementing the Diffie-Hellman key exchange prevents malware analysts and security researchers from getting a hold of the secret key Astrum uses to encrypt and decrypt their payloads. Consequently, obtaining the original payload by solely capturing its network traffic can be very difficult.

Figure 1: Diffie-Hellman key exchange flow implemented by Astrum exploit kit

How does Astrum implement the Diffie-Hellman key exchange? As detailed by the figure above, a precomputed value, A, is first embedded on the exploit kit’s landing page, which it then passes as a parameter into the first loaded Flash (SWF) file. The script inside the SWF file will generate a random value b, which is saved only in the victim side’s memory.

A secret key K could be calculated at the victim side with value A, shared value p, and the generated random value b. Then, a value B will also be calculated by shared value g, p, and random value b. The value will be sent to the exploit kit server in the query string of the next HTTP request. Astrum can then calculate based on value B to have the same secret key K based on the Diffie-Hellman theory. This secret key can then be used to encrypt the real exploit payload by RC4 encryption.

Consequently, each time we replay Astrum’s attacks, the value b is randomly generated and would be different each time. The calculated secret key K will also differ from the original key the exploit kit used to encrypt the payload, causing the replayed attack to fail decrypting the encrypted payload. If the secret key cannot correctly decrypt the payload, Astrum sends an error call to the server.

Figure 2: The normal Astrum exploit kit traffic pattern (above) and failed replay (below)

Figure 3: The code in Astrum exploit kit that generates random value and calculates the secret key

Apart from leveraging CVE-2017-0022, we found Astrum using exploits for vulnerabilities in Adobe Flash:

•  CVE-2015-8651, a code execution vulnerability patched December 28, 2015
•  CVE-2016-1019, a remote code execution flaw patched April 7, 2016
•  CVE-2016-4117, an out-of-bound read bug in Flash patched May 10, 2016

Testing the Waters

Our analysis indicates the payloads currently delivered by Astrum are not established malware. Likewise, Astrum itself is maintaining very low traffic. These activities can be construed as dry runs for their future attacks.

So what else can we expect from Astrum? It wouldn’t be a surprise if its operators turn it into an exclusive tool of the trade—like Magnitude and Neutrino did—or go beyond leveraging security flaws in Adobe Flash. Emulating capabilities from its predecessors such as fileless infections that can fingerprint its targets and deliver encrypted payloads shouldn’t be far off.


Indeed, exploit kits expose end users to theft of personal information and even unauthorized encryption of personal files. For organizations, exploit kits can entail crippled operations, damaged business reputation, and bigger downtime expenses. Unpatched vulnerabilities are the bread and butter of any exploit kit, so regularly patching and keeping the system updated play critical roles in thwarting it and even the malicious payloads that come with it.

Information security and IT/system administrators can further secure their enterprise’s networks and endpoints by deploying firewalls and employing intrusion detection and prevention systems to better scan and validate traffic traveling the network. Virtual patching and a stronger patch management policy for the workplace also help mitigate attacks that leverage vulnerabilities.

Trend Micro Solutions

Exploit kits such as Astrum rely on system and software vulnerabilities, and thwarting them is like a race against time. A proactive, multilayered approach to security is key— from the gateway, endpoints, networks, and servers.

Trend MicroOfficeScan™ with XGen™ endpoint security has Vulnerability Protection that shields endpoints from identified and unknown vulnerability exploits even before patches are even deployed. Trend Micro’s endpoint solutions such as Trend MicroSmart Protection Suites, and Worry-FreeBusiness Security protect end users and businesses from these threats by detecting and blocking malicious files and all related malicious URLs.

Indicators of Compromise (IoCs):

IP Address and domain related to Astrum exploit kit:

•  141[.]255[.]161[.]68
•  hxxp://define[.]predatorhuntingusa[.]com

Hashes of dropped payloads (SHA256):

•  39b1e99034338d7f5b0cbff9fb9bd93d9e4dd8f4c77b543da435bb2d2259b0b5
•  ccf89a7c8005948b9548cdde12cbd060f618234fd00dfd434c52ea5027353be8

IP Addresses related to Seamless Malvertising Campaign:

•  193[.]124[.]200[.]194
•  193[.]124[.]200[.]212
•  194[.]58 [.]40 [.]46

With additional insights/analysis from Michael Du

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Will Astrum Fill the Vacuum in the Exploit Kit Landscape?