New Exploit Kit Capesand Reuses Old and New Public Exploits and Tools, Blockchain Ruse

By Elliot Cao, Joseph C. Chen, William Gamazo Sanchez

We discovered a new exploit kit named Capesand in October 2019. Capesand attempts to exploit recent vulnerabilities in Adobe Flash and Microsoft Internet Explorer (IE). Based on our investigation, it also exploits a 2015 vulnerability for IE. It seems the cybercriminals behind the exploit kit are continuously developing it and are reusing source code from a publicly shared exploit kit code.

Discovery and details

In the middle of October, we found a malvertising campaign using the Rig exploit kit and delivering DarkRAT and njRAT malware. By the end of October, however, we noticed a change in the malvertisement and the redirection was no longer to the Rig exploit kit. The cybercriminals shifted to loading an exploit kit we were unfamiliar with. Investigating further led us to a panel provided for this unknown exploit kit to customers. The panel has the name Capesand on it and directly provides the source code of the exploit kit.

Figure 1. Capesand exploit kit panel

Figure 2. Capesand exploit kit traffic pattern

The Capesand exploit kit’s code is quite simple compared with other kits. Almost all of Capesand‘s functions reuse open-source code, including the exploits, obfuscation, and packing techniques. Further monitoring revealed that its users are actively using it despite its seemingly unfinished state.

Analysis of the malvertisement

The malvertisement we observed was delivered from the ad network straight to the victim’s browser and was presented as a blog talking about blockchain. A close check of the source code of the page showed that it was a disguise, as it proved to be a page copied using the website copying tool HTTrack. The copied page contains a hidden iframe used to load the exploit kit.

Figure 3. The malvertisement with a copied Blockchain Blog page

In our observations on the mid-October attack, the hidden iframe had loaded the Rig exploit kit. By the end of October, the iframe changed to load landing.php, which led to another unknown exploit kit hosted on the same server. We were able to to identify the cybercriminals’ second-tier server, which has the Capesand web panel.

Figure 4. The hidden iframe redirected to the Rig exploit kit (top) and the Capesand exploit kit (bottom)

Analysis of the Capesand exploit kit

The Capesand panel is used to check the status of exploit kit usage. Any threat actors using this exploit kit can also  download frontend source code which they can deploy on their server. In the case we identified, the campaign deployed it with their fake blockchain malvertisement. While we checked the frontend source code, we found that it looks similar to a very old exploit kit called Demon Hunter, leading us to believe that Capesand is probably derived from it.

As the source code is descripted, the exploit kit appears to be upgraded to exploit newer vulnerabilities compared to its parent exploit kit like CVE-2018-4878 (affects Adobe Flash) and CVE-2018-8174 and CVE-2019-0752 (both affecting Microsoft Internet Explorer). CVE-2019-0752 is a vulnerability discovered by Trend Micro ZDI this year. We also found the same vulnerability being used in a watering-hole attack that delivered SLUB malware.

Figure 5. The script of the Capesand landing page checks the Internet Explorer version and loads either a CVE-2018-8174 exploit or CVE-2019-0752 exploit

Figure 6. The script of the Capesand landing page checks Flash version and loads a CVE-2018-4878 exploit

Another thing to note is that the frontend exploit kit source code package does not include its exploits. Typically, some exploit kits already have the exploits inside the source code.  In the case of Capesand, each time the exploit kit wants to deliver an exploit, it needs to send a request to the API of the Capesand server to receive the requested exploit payload. Perhaps this is a way to ensure that the exploits are not shared easily.

The API request is composed of the following information on the victims:

  • Requested exploit name
  • Exploit URL in configuration
  • Victim’s IP address
  • Victim’s browser user-agent

All information mentioned above will be encrypted using AES encryption with a pre-generated API key inside a configuration file. When the Capesand server receives the request, it verifies if a valid API key encrypts the request. It also gets information on the usage of the exploit kit by users and collects the information of victims for stats. Then, it returns the exploit payload to the frontend exploit kit and then delivers it to the victim.

Figure 7. Part of the Capesand exploit kit source code that requests exploit payload to the API server

As we progressed in our investigation, we observed a Capesand exploit kit in the wild that uses the old IE exploit for CVE-2015-2419. We also identified two exploits for the Adobe Flash vulnerabilities CVE-2018-4878 and CVE-2018-15982 and an exploit for the IE vulnerability CVE-2018-8174 on their server. But we did not see the exploit for the newer IE vulnerability CVE-2019-0752 indicated in their source code. This leads us to believe that the kit is still under development and has yet to fully integrate the exploits the cybercriminals planned to use.

Figure 8. The CVE-2015-2419 exploit with a weaponized shellcode

Figure 9. The weaponized shellcode as executed in the victim machine

In-the-wild Capesand attack chain

After successful exploitation via Capesand, the first stage will download mess.exe and attempt to exploit CVE-2018-8120 to escalate privileges and then execute njcrypt.exe. The njcrypt binary is a multilayer obfuscated .NET application where the obfuscation is done using publicly known tools. The sample execution delivers the payload njRAT version 0.7d. The following diagram shows the complete attack flow with the de-obfuscation layers simplified.

Figure 10. Attack chain of Capesand exploiting CVE-2015-2419

The image SV VORWARTRS WIEN 2016 is the actual image present inside NvidiaCatalysts.dll. Note that njRAT 0.7d is a known njRAT open source and can be found in GitHub. The sample we captured resembles the open-source payload exactly.

Figure 11. nJRAT panel

The module CyaX_Sharp.dll generates a configuration file to track configuration of the infected machine, during creation of the configuration file it checks for the presence of the ESET.

Figure 12. CyaX_Sharp checks if ESET is installed


As of this writing, the Capesand exploit kit is being actively developed and is being used for compromising users even during its development stage. Although it is using known vulnerabilities, its creators ensure that the deployed samples have very low detection rates. In fact, our investigation also showed that it is checking for installed antimalware products. Moreover, the architecture is evolving in the direction of distributing the malicious landing pages via mirrored versions of legitimate websites under domain names similar to the originals’. In addition, its exploits are delivered as a service accessible through a remote API — an efficient method to keep the exploits private and reusable across different deployment mechanisms. We are continuously monitoring this exploit kit’s activity and will report any significant developments in the future.

Trend Micro Solutions

Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free™ Business Security detect and block the exploit kit and the malicious domains it connects to. Trend Micro™ Deep Security™ solution customers are protected by the following rules:

  • 1009067 – Microsoft Windows VBScript Engine Remote Code Execution Vulnerability (CVE-2018-8174)
  • 1009655 – Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2019-0752)
  • 1008854 – Adobe Flash Player Remote Code Execution Vulnerability (CVE-2018-4878)
  • 1009405 – Adobe Flash Player Use After Free Vulnerability (CVE-2018-15982)
  • 1006868 – Microsoft Internet Explorer JScript9 Memory Corruption Vulnerability (CVE-2015-2419)

Indicators of Compromise

Indicator Attribution Trend Micro Predictive Machine Learning Detection Trend Micro Pattern Detection
blockchainblog[.]club Malvertisement domain
blockchainblogger[.]club Malvertisement domain
shophandbag[.]store Malvertisement domain
6288de662d6dd1a57e99cf8b9259eef467c461e378d431fc53243ecede155b38 CAPESAND exploit CVE-2015-2419 Trojan.JS.CVE20152419.AA
a8391b08478ba333bfc7f377d5ee7b0a697b638e9987a6db614c7f192b22a384 CAPESAND exploit CVE-2018-4878 Trojan.SWF.CVE20184878.THJCOAIA
79f2250d10ebf83352b7715c30b60cecea14c7edd94fb164afb9353f4f91b038 CAPESAND exploit CVE-2018-15982 Trojan.SWF.CVE201815982.THJCOAIA
1f1bb98b7e4e23913ff25b50d1ffd44e6ef447053188eca255d9bd0378602625 CAPESAND exploit CVE-2018-8174 Trojan.HTML.CVE20188174.AB
eb1be3f00e93a7dfcca563e564ab7d7319676161b56039f4968ceddf791d110a CAPESAND exploit CVE-2018-8120 Troj.Win32.TRX.XXPE50FFF032 Trojan.Win64.CVE20188120.D
8e4d24eeb56d50d11338a65aef1e6a88d7ccf6ca347419963dd201f38ae6bcea DarkRAT hash Troj.Win32.TRX.XXPE50FFF032 Backdoor.MSIL.DARKRAT.AA
559f23832f5b115fc6169ed7f9ac75518ec58b7f5d7206e9be4afc2ecfd7152f njRAT hash Troj.Win32.TRX.XXPE50FFF032 Backdoor.MSIL.NJRAT.AB
b00cc9a4292fc5cc4ae5371ea1615ec6e49ebaf061dc4eccde84a6f96d95747c njRAT hash Troj.Win32.TRX.XXPE50FFF032 Backdoor.MSIL.NJRAT.AA
http[:]//138[.]68[.]15[.]227/njcrypt.exe njRAT URL
http[:]//198[.]199[.]104[.]8/njcrypt.exe njRAT URL
http[:]//www[.]blockchainblogger[.]club/njcrypt.exe njRAT URL
138[.]68[.]15[.]227 DarkRAT C&C IP address
107[.]167[.]244[.]67 njRAT C&C IP address

The post New Exploit Kit Capesand Reuses Old and New Public Exploits and Tools, Blockchain Ruse appeared first on .

This post appeared first on Trend Macro Blog
Author: Trend Micro