Drive-by download kit: Not so LuckySploit 

Over the past few months SophosLabs have been seeing a relatively new kit being used by attackers in drive-by downloads to infect victims with malware. The kit is known as LuckySploit, and in this blog I will take a brief look at it and what it currently is being used for.

It is a kit that enables attackers to construct malicious sites in order to hit victims with exploits and infect them with malware. Like many previous kits (Mpack, Firepack, Icepack, El Fiesta and the like), the pages it creates contain heavily obfuscated JavaScript in an attempt to evade detection and blocking. However, unlike previous kits, LuckySploit (or at least the recent version of it) also uses encryption.

Over the past few months numerous legitimate sites have been compromised with iframes whose purpose has been to load malicious content from various domains – mainly .cn – being controlled by criminals (also discussed by Danchev). Such compromised pages are being detected as Mal/Iframe-F.

In addition to compromised legitimate sites, I have also seen various “lure” sites that have been posted to trap victims (using celebrities, current news stories and the like to catch user traffic).

Throughout January and February, these sites were redirecting to exploit scripts (perhaps an earlier version of LuckySploit?) detected as Mal/ObfJS-BP, which were serving up malicious, mildly polymorphic PDFs (detected as Troj/PdfJS-Y).

More recently, we are seeing these sites redirecting to what appears to be the latest flavour of LuckySploit. The landing page consists of a heavily obfuscated script that is quickly recognizable. This page is blocked as Mal/ObfJS-BB (and historically as Mal/Baals also).

This script generates a passphrase, encrypts it and sends it back to the server in a further request. This ensures that the content the server then sends back is encrypted, in an attempt to evade detection. (Not successfully, though: these pages are detected as Mal/EncJS-A.) Ultimately, if exploitation is successful, the executable payload is sent from the server (seen at the bottom of the figure below).
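To make the exchange above concrete from the analyst's side, here is an added Python model; it is not code from this post, from SophosLabs or from the kit. It models the two requests (passphrase sent up, encrypted second stage sent down) and then looks at the response from two positions: a passive sensor that only has a content signature, and an analyst who has hooked the passphrase generator in an instrumented browser. Everything specific is an assumption: the ciphers are SHA-256 counter-mode stand-ins (the post does not name the real ones), the `SERVER_KEY`, the `SECOND_STAGE` text and the `var d="..."` stub format are constructed, and `looks_like_encrypted_wrapper` is only a guess at the kind of structural heuristic a generic detection such as Mal/EncJS-A could rely on.

```python
import base64
import hashlib
import math
import os
import re
from collections import Counter


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode, XORed over the data.
    Assumption: a stand-in, the post does not name the kit's real ciphers."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed secret standing in for whatever the server uses to unwrap the
# client's passphrase (the post only says the passphrase is "encrypted").
SERVER_KEY = b"constructed-server-side-secret"

# Constructed second-stage page; a content signature would match "payload_url".
SECOND_STAGE = (
    b"<script>/* constructed second-stage placeholder, no real exploit */\n"
    b"var payload_url = 'http://example.invalid/constructed/payload.exe';\n"
    b"for (var i = 0; i < 3; i++) { try { stage(i); } catch (e) {} }\n"
    b"</script>"
)


def client_build_request(rng=os.urandom):
    """Step 1: the landing page generates a passphrase, encrypts it and
    sends it back to the server in a second request."""
    passphrase = rng(16)
    wrapped = keystream_xor(SERVER_KEY, passphrase)
    return passphrase, base64.b64encode(wrapped).decode()


def server_respond(wrapped_b64: str) -> str:
    """Step 2: the server recovers the passphrase and returns the second
    stage encrypted under it, inside a small decryptor stub (constructed format)."""
    passphrase = keystream_xor(SERVER_KEY, base64.b64decode(wrapped_b64))
    blob = base64.b64encode(keystream_xor(passphrase, SECOND_STAGE)).decode()
    return f'<script>var d="{blob}";document.write(decrypt(k,d));</script>'


def signature_hits(text: str) -> bool:
    """Observer A: a passive sensor with a plain content signature.
    It matches the clear second stage but not the encrypted wrapper."""
    return "payload_url" in text


def analyst_decrypt(response: str, hooked_passphrase: bytes) -> bytes:
    """Observer B: an analyst who hooked the landing page's passphrase
    generator in an instrumented browser can decrypt the captured response."""
    blob = re.search(r'var d="([A-Za-z0-9+/=]+)"', response).group(1)
    return keystream_xor(hooked_passphrase, base64.b64decode(blob))


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's byte distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_encrypted_wrapper(response: str) -> bool:
    """Structural heuristic (assumption: the shape a generic detection such as
    Mal/EncJS-A could take): a tiny stub whose body is one large high-entropy
    string literal that makes up most of the page."""
    m = re.search(r'var \w+="([A-Za-z0-9+/=]{64,})"', response)
    if not m:
        return False
    blob = m.group(1)
    return shannon_entropy(blob) > 5.0 and len(blob) / len(response) > 0.5


if __name__ == "__main__":
    passphrase, request = client_build_request()
    response = server_respond(request)
    print("signature on wire:", signature_hits(response))                    # False
    print("wrapper heuristic:", looks_like_encrypted_wrapper(response))      # True
    print("analyst recovers stage:",
          analyst_decrypt(response, passphrase) == SECOND_STAGE)             # True
```

The point of the two observers is the one the post makes: because the passphrase is born in the browser, a sensor on the wire never sees the second stage in the clear, so content signatures alone miss it, and detection has to key on what is visible (the obfuscated landing script, blocked as Mal/ObfJS-BB, and the shape of the encrypted wrapper, blocked as Mal/EncJS-A). An analyst who runs the landing page under instrumentation gets the passphrase for free and can decrypt the captured response offline.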

So what malware is being installed via LuckySploit-driven attack sites? Unsurprisingly, financial motivation is driving these attacks. It has previously been reported that LuckySploit is being used to infect victims with Zbot (the somewhat infamous banking malware also known as ‘Zeus’, which has been mentioned previously). Our findings certainly support this. But it is being used for more than just Zbot. The list below includes all the malware I have seen installed via LuckySploit attack sites over just the past few days:

Several of these items hide themselves once installed, making subsequent detection and cleanup trickier.

In summary, LuckySploit is just another kit enabling the bad guys to construct attacks with relative ease. And with the financial sting in the tail that these attacks typically hit you with, ensuring you deploy effective web security is as important as ever.