Deobfuscating Magnitude Exploit Kit

Per a couple of reader's request, I'll be covering how to deobfuscate Magnitude using the latest version of Converter. For those of you who don't already know the history of Magnitude EK, you can catch up by checking out the following articles from two fine security researchers:

Magnitude EK : Pop Pop
Official PHP Website Hacked, Spreads Malware Infection

From a source of mine, here's what the panel looks like and a suggestion that a better name for this kit should be "Death Touch EK". How appropriate for unpatched computers!

The exploits used by Magnitude/Death Touch EK are:

  • CVE-2013-2551 (IE VML)
  • CVE-2012-0507 (Java Atomic)
  • CVE-2013-2471 (Java Raster)
  • CVE-2011-3402 (EOT86/EOT64)

Here's the latest iteration of the Magnitude EK landing page which has changed since a few weeks ago:

The script splits the values using the "%" character and converts the decimal values to text before xor'ing it. You can simply write out the value of the variable "awt". This is what you should do if you're using Revelo:

This is the result. As you can see, several exploits are thrown at the computer.

Eventually, the computer will be infected with ransomware if any of the exploits were successful.

Let's focus on the Java applet which has very little coverage on VirusTotal.

MD5: 31526a1411a85a3e8b9e7a614b4ba065
VT: 1 / 47

What you see above is the main string deobfuscator routine which is deXOR'ing with the value of 0x14. Strings from the "v.class" file look like this and are sent to the routine to be deobfuscated.

public static String jgrw = wiutc.n("~ubu:uc`:}yusq:Pu`uVarrqf");
public static String hdhkww = wiutc.n("~ubu:uc`:}yusq:Pu`uVarrqfVm`q");
public static String xrkzfj = wiutc.n("~ubu:uc`:D{}z`");
public static String rqp = wiutc.n("~ubu:uc`:}yusq:Fug`qf");
public static String mcitjzb = wiutc.n("~ubu:uc`:Uxd|uW{yd{g}`q");
public static String w = wiutc.n("~ubu:uc`:}yusq:Yax`}D}lqxDuwqpGuydxqY{pqx");
public static String dwnmvoh = wiutc.n("~ubu:gqwaf}`m:Df{`qw`}{zP{yu}z");

You can use Converter's Key Search/Convert feature and paste in the string, set the values as you see in red and you can get the plain text value when you click on the "Convert" button at the bottom. Looks like this applet is exploiting CVE-2013-2471.

In the same "v.class" file is a large blob of weird-looking characters. The variable is passed to two functions. The first is the same routine as the above. The second function converts the result from base64 to binary.

To deobfuscate this blob of text, paste it into Converter then choose Format > Mixed Octal to Hex. You will get a bunch of hex code back.

Click on "Copy Output to Input" to get the hex code to the top. Then click on Key Search/Convert and choose the following options. Make sure you choose the "hex" input this time. What you should get is Base64 characters.

Copy the result back to Converter's main screen then click on the "Base64 to Hex" button. The "CAFEBABE" string is the magic for Java class files.

Click on the "Copy Output to Input" then click on File > Export Binary File and write it out to a file called "file.class".

Now you can open the file up with JD-GUI or whatever you use. You can see that it will try to disable the SecurityManager and another function converts the payload using XOR 0x29.

Last month the applet was using a different method to obfuscate its strings. I'm not sure why they changed it since it was more sophisticated. Let's have a look at that one.

MD5: 31526a1411a85a3e8b9e7a614b4ba065
VT: 4 / 47

The above routine deobfuscated the following strings:

public static String kpwieg = v.mw("JNKNnNp5n.~NcFnEN5NU!jjF3UT5F");
public static String omfoucd = v.mw("JNKNnNp5n#9.t5");
public static String ndzgu = v.mw("JNKNnNp5n.~NcFn&NX5F3");
public static String ugyu = v.mw("JNKNnNp5n*AS,Nw9~S9X.5F");
public static String mzjot = v.mw("JNKNnNp5n.~NcFnw9A93197FA");
public static String ekc = v.mw("JNKNnNp5n.~NcFn1!A5.#.$FA#N+/F7uN~SAF197FA");
public static String nqu = v.mw("JNKNnANtcni=JF+5");

The function "mw" would load the first obfuscated character, look it up in a string and find its position number then add 32 to the final decimal result. We can do the same using Converter.

Here's the deobfuscation key from the "v.class" file. We need to unescape this and keep the result handy.

%I\\vz;0(8WbeD?nlfos:q_<|R4'BYPL`}*UwEh Z>^@d\"1Qi#G&u-CraV{)6MOyH[N=+7Fjc,.J/A~t9Sx3X5!Kp$T2km]g

Now select an obfuscated string (unescape it first if necessary), paste it to Converter, then click on Tools > Secret Decoder Ring. Choose the following options and paste the deobfuscation key so it looks like this:

Click on the "Decode" button and you should get a string of decimal values:

We're not done yet. Copy the result and go to File > Key Search/Convert. Now choose the following settings and click on the "Convert" button.

This applet also has a large blob of obfuscated text.

You basically have repeat the same steps above but with some additional steps:

  • Paste blob into Converter
  • Convert "Mixed Octal to Hex", "Hex Format - %", then "Hex to Text" (cleans it up then converts back to text)
  • Use Secret Decoder Ring
  • Use Key Search/Convert to add 32 to the value

You should then have base64 characters left like so. If you noticed, you will have some colon characters in your result but these are not part of the standard base64 alphabet. Based on the Java code, we need to replace them with the letter "L".

The final step is to convert this from "Base64 to Hex" and export it to a binary file. If all goes well you will be able to open the binary file as "rwnc.class". By the way, this file looks the same as the one we got with the current version of Magnitude.

I hope this walk-through was helpful to you!

Posted on: 11/11/2013