FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
gthirugnanasa
Article Id 198097

Introduction


Web exploit kits use compromised web pages to redirect traffic, scan for vulnerable browser versions, run the exploit code and install malware on the victim computer.


Bottle exploit kit (BottleEK) is a web exploit kit that delivers a malicious payload to the victim's computer. This exploit kit targets Japanese users only.


Solution


Let's take a look at how FortiEDR detects and blocks the use of the Bottle exploit kit.

BottleEK redirects users to a landing page through a malvertising website. It then runs JavaScript code to check whether the user's environment is Japanese, the browser is Internet Explorer, and the browser version is vulnerable. FortiEDR blocks the execution of ajax.min.js, the file that runs this initial JavaScript code.


In the event graph below, iexplore.exe spawns wscript.exe to run ajax.min.js, which is blocked by FortiEDR as "Suspicious script execution".


If the JavaScript file ajax.min.js is not blocked, it checks the browser version and user environment. If there is a match, it redirects the user to the page /file/vbs.vbs, which executes the exploit code. This page has also been identified as malicious, and FortiEDR blocks its content.


This site, if not blocked by FortiEDR, installs and executes malware in the same way as other exploits do.


The threat hunting feature of FortiEDR v5 can also be used to detect browser exploits like this one. Look for events whose source process name is iexplore.exe and whose target process name is wscript.exe. The following query identifies this browser exploit; it can also be scheduled to run automatically and notify on events that match the query.
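The same hunt logic expressed as a stand-alone script, added here as an illustration and not FortiEDR's own query language: it scans constructed process-creation records for iexplore.exe spawning a Windows Script Host process and reports the script files on the child's command line. It generalises the article's wscript.exe case slightly by also treating cscript.exe as a script host; the event layout and hostnames are assumptions.

```python
# Added illustration of the hunt described in the article: flag process-creation
# events where iexplore.exe launches a script host (the BottleEK pattern above).
# This is NOT FortiEDR's query syntax; the event records below are constructed.
import shlex
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class ProcEvent:
    host: str     # assumed hostname field
    parent: str   # image name of the source (parent) process
    child: str    # image name of the target (child) process
    cmdline: str  # command line of the child process

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}           # wscript.exe per the article; cscript.exe added
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")   # Windows Script Host file types

def matches_browser_script_spawn(ev: ProcEvent) -> bool:
    """True when Internet Explorer spawns a script host. Image names are
    lower-cased so casing differences in telemetry do not hide a hit."""
    return ev.parent.lower() == "iexplore.exe" and ev.child.lower() in SCRIPT_HOSTS

def script_args(ev: ProcEvent) -> List[str]:
    """Script-file paths on the child's command line, for analyst context.
    posix=False keeps Windows backslashes literal and quoted paths intact."""
    tokens = [t.strip('"') for t in shlex.split(ev.cmdline, posix=False)]
    return [t for t in tokens if t.lower().endswith(SCRIPT_EXTS)]

def hunt(events: List[ProcEvent]) -> List[Tuple[str, List[str]]]:
    """Return (host, script files) for every event matching the hunt."""
    return [(ev.host, script_args(ev)) for ev in events if matches_browser_script_spawn(ev)]

# Constructed sample telemetry: one hit mirroring the event graph in the article,
# plus two benign events that must not match (explorer.exe launching a logon
# script, and iexplore.exe launching a non-script child).
SAMPLE_EVENTS = [
    ProcEvent("ws-01", "iexplore.exe", "wscript.exe",
              'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\ajax.min.js"'),
    ProcEvent("ws-02", "explorer.exe", "wscript.exe", 'wscript.exe "C:\\Scripts\\logon.vbs"'),
    ProcEvent("ws-03", "iexplore.exe", "ieuser.exe", "ieuser.exe"),
]

if __name__ == "__main__":
    for host, scripts in hunt(SAMPLE_EVENTS):
        print(f"[hunt] {host}: iexplore.exe -> wscript.exe running {scripts}")
```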


IOC:
