EK Redirect – Silverlight rewrite

Noticed some interesting traffic following the below:

hxxp://sunduk.biz/forum/docs/login.php
hxxp://qobac.cobor.in/g76df4d/rtp.xap?0.4495108588209197
hxxp://qobac.cobor.in/g76df4d/rtu.swf?0.4495108588209197
hxxp://qobac.cobor.in/g76df4d/rtu.php?0.4495108588209197

hxxp://qobac.cobor.in/pofrj4l/2 > Fiesta Gate

When observing the landing, there is no rtu.php file present > http://pastebin.com/n6dYSHY4

The .xap (Silverlight) file is downloaded; when you open it in a tool like ILSpy, it's quite clear what is happening.


The rtu.php file simply redirects to Fiesta…

¯\_(ツ)_/¯

FakeAV is still alive…

Like it's 2010, I guess. This is just a simple FakeAV being delivered from ads on sites like telegraph.co.uk and dailymotion.com. No exploit is involved; it relies entirely on the user clicking Yes to download the file and then running it.


All activity I have seen appears to involve a handful of IP addresses and domains using the .nl TLD.

212.83.155.45, 212.83.155.46, and 212.83.155.47 (a range heavily used by Neutrino lately)

As far as I can tell this campaign became active around Jan 23rd 2014 and is currently ongoing.

Chain:

1) Come from Google to a site that displays the advertisement
2) Advertisement loads and redirects you
3) http://wed322d2.windowsdefence-rv .nl/index.php?key=[32 char hex] < Main page
4) http://wed322d2.windowsdefence-rv .nl/message.png (classic antivirus popup) < Scary image
5) http://wed322d2.windowsdefence-rv .nl/index.php?key=[32 char hex]&key2=download < EXE

Post-Compromise Traffic:

http://93.115.86.197/?0=13&1=1&2=15&3=i&4=7600&5=0&6=1111&7=kyxnujmwnn

Cool splash screen

Finding Himan EK

@Kafeine has a great overview of HiMan EK.

Here are some IP addresses it has been seen on recently.

217.23.1.129
217.23.1.164
37.200.65.95
46.182.27.35
46.182.27.68
46.182.27.114
46.182.27.118
46.182.27.140
46.182.27.162
46.182.27.179
46.182.27.218
46.182.27.234


Finding Angler EK

Angler EK Exploits

HTTP Method = GET
Regex URI = ^http:\/\/[^/]+\/0[a-z0-9]{13}$

Angler EK Payloads

HTTP Method = GET
Regex URI = ^http:\/\/[^/]+\/1[a-z0-9]{13}$

Examples of AnglerEK on Urlquery.net

Date / IP Address

(12/01 – 12/02) 144.76.132.248
(11/29 – 12/02) 69.60.111.222
(11/28 – 11/30) 144.76.132.243
(11/27 – 11/30) 50.7.187.34
(11/27) 144.76.132.244
(11/25 – 11/28) 78.47.161.139
(11/25 – 11/27) 74.3.164.9
(11/24 – 11/26) 23.250.9.18
(11/24) 78.47.161.138
(11/23 – 11/26) 74.3.161.33
(11/23 – 11/25) 74.3.161.32
(11/23 – 11/27) 74.3.164.12
(11/23 – 11/25) 74.3.164.7
(11/23) 74.3.161.34
(11/23) 173.199.114.115
(11/22 – 11/26) 64.191.27.66
(11/22 – 11/26) 74.3.164.11
(11/22 – 11/25) 78.47.161.141
(11/22 – 11/23) 74.3.164.4
(11/21) 23.229.69.18
(11/21) 78.47.161.134
(11/21 – 11/25) 64.251.13.154
(11/20 – 11/22) 91.231.85.104
(11/18 – 11/23) 195.189.246.118
(11/17 – 11/18) 5.39.47.12
(11/17 – 11/21) 62.109.10.80
(11/17) 195.211.153.7
(11/15 – 11/20) 192.3.206.26
(11/15) 78.47.235.252
(11/15) 23.229.69.50
(11/15 – 11/22) 64.187.226.237
(11/12) 50.7.187.34
(11/11 – 11/14) 173.208.177.18
(11/13) 192.96.206.78
(11/13) 195.211.154.12
(11/06 – 11/13) 88.198.204.218
(11/09 – 11/14) 91.231.85.19
(11/06 – 11/08) 184.82.116.134
(11/06 – 11/07) 67.211.207.222
(10/30 – 11/01) 93.170.137.9
(10/27 – 10/31) 64.187.225.253
(10/27 – 10/30) 144.76.161.251
(10/18 – 10/24) 93.115.93.54
(10/19 – 10/20) 144.76.161.247
(10/18 – 10/21) 184.82.27.108
(10/18) 82.192.71.115
(10/14 – 10/15) 64.187.225.239

TDL Variant (Backdoor.Pihar) Clickfraud Traffic

Use these to help find infected hosts on your network…

Clickfraud domains

4dj-and-zorro.com
a-dom24.net
achernar-ab.net
andersongibson.net
ankunding.biz
arcturus7a.info
batznolan.info
beierlehner.org
bepettones.net
betelgeuse-xl.com
block27.biz
blockcollins.biz
brandom-what.org
canopus23.com
capella15a.com
cronawalter.org
cummings-west3.net
deep-free.org
delta-club777.com
dereban16.net
dolchernalt.com
ebertlittle.com
emardkunze.info
ernestr45.com
feestkuhic.com
fernaldorte.net
framinicolas.net
gemord5.org
gleichner.name
gorzentas.org
greenholt.info
grenn-ggord.org
gulgowski.org
gusikowski.info
haxhoxhex.net
hudson-secnd.biz
jewe.biz
kemmerbrekke.net
kerlukerobel.com
labadie-xz.org
larson17.net
lebsacklakin.net
mann-grn.biz
marvinstark.org
medhurst.biz
moenhauck.biz
mosciskiprosacco.com
nerrtor-dep.net
oconner.biz
peaseof16.com
procyon-q4.info
rabbertiro.com
rander-east3.info
redest-om.net
reftorro6.com
rigel-al2.org
rigil-kentaurus5.biz
rongty6.net
runtemetz.info
rutherfordleannon.name
sawaynturner.name
schoen17.net
sirees42.org
sirius-beta7.net
sky-blue45.com
spencerhermann.com
stantasisrt.com
streichhills.net
stromanbraun.info
swaniawski.com
torphy.net
torportiz.info
tortoller5.net
vailendon.org
vega-beta2.net
wittingkiehn.name
yatzza7.net
zentost88.com
zibbringelds.net

Clickfraud “search engine” domains

yuppy-search.com
yabadabadu-search.com
web-searcher.net
searchtheplanet.net
mega-searcher.net
keyword-search.net
global-searcher.net
gblsearch.net
websearchones.com
searcherones.com
masssearchone.com

Possible regexes for these include the two below, but legitimate search sites use the same query parameters, so on their own they only make sense in combination with the domains and IPs listed here.

\/\?query=
\/\?q=

Involved IP Addresses

5.45.64.158
5.45.64.159
5.45.64.160
5.45.65.190
5.45.65.232
5.45.65.233
5.45.65.234
5.45.66.181
5.45.66.208
5.45.68.199
5.45.67.216
5.45.64.145
46.249.42.197
46.249.42.196
46.249.42.195
46.249.42.194
46.249.42.193
46.249.42.192
46.249.42.191
46.249.42.190
46.249.42.189
46.249.42.188
46.249.42.187
46.249.42.186
46.249.42.185
46.249.42.184
5.199.138.89
50.7.228.170
50.7.228.171
50.7.228.172
50.7.228.173
50.7.228.174

These requests often (but not always) use a specific User-Agent:

Mozilla/5.0 (compatible; MSIE 1.0; Windows NT; 57473847)

Clickfraud Redirects

HTTP Method = GET
Content-Type = text/html
HTTP URI = \/(f|k|task)\/(6|24|25|26|27)(\/)?$

Examples:

rigil-kentaurus5.biz/k/27
nerrtor-dep.net/f/25
sirius-beta7.net/f/27
ebertlittle.com/task/25
rutherfordleannon.name/task/27/

Base64-like Clickfraud Requests

HTTP Method = GET
Content-Type = text/html
HTTP URI = \/[a-z]\/[a-zA-Z0-9%]{50,}(%3d){1,2}\/$

Examples:

http://torphy.net/c/eTBsMGdlbmVyYXRpbmd5MGwwVEhJU3RyYWZmaWN0aGlzaXNOT1R3aG%2fF0dGhlYWNUVUFMYmFzZTY0eTBsMFcwdWxkRGVjMEQzVDAF0dGhlYWNUVUFMYmFzZTY0eTBsMFcwdWxkRGVjMEQzVDA%3d%3d/

http://dolchernalt.com/d/RoaXNJTmhlcmVzb2FzdG9OT1Rna%2bXZlYXdheWFueXRoaW5ndG9USEVIMHN0c3RoYXRXM1JF%3d/

http://procyon-q4.info/d/aGV5bG9va3kwbDB0aGlzaXNKVVN%2bUYWJ1bmNob2ZiYXNlNjRtYXRjaGluZ3kwbDB0ZXh0aVBVVH%3d/

Flashpack /svoykrik/ Variant

Flashpack is still around and has recently been seen delivered via ads.

Observed IP Addresses:

198.98.121.245
108.171.205.105
46.254.21.128
50.2.53.150

GATE

HTTP Method = GET
HTTP URI contains */svoykrik/gate.php?id=*&callback=__JSONP__0
Regex HTTP for id=[0-9]{20,}

JAR

HTTP Method = GET
HTTP URI contains */svoykrik/jete/*
User Agent = *Java/1.*
Content-type = application/x-java-archive
Regex HTTP for \/[a-f0-9]{32}\.jar$

EXE

HTTP Method = GET
HTTP URI contains */svoykrik/*
User Agent = *Java/1.*
Regex HTTP for \.php\?cashe=[0-9]{20}$

Kuluoz Updated Distribution Links

*Update 22/11/2013*

Thanks to a tip from @StopMalwar we can see another variant: a random seven-letter (or “mirror”) PHP filename, and no parameter name in front of the blob.

Examples:

http://hanoumat.com/eylebpl.php?56vxfdV03Y//SXq3tnG6krkNWN6cTpKMqsKgM8yJW3M

http://ametgroup.com/kcvexvg.php?gQ8V3e62zMo4oB/npoXtgRb+ULuJzVpdTamGCBlvrYE=

HTTP Method = GET
Content-Type = application/octet-stream
Regex HTTP URI for \/([a-z]{7}|mirror)\.php\?[a-zA-Z0-9+/]{42,43}(=)?$

See Examples on UrlQuery.net

The links also seem to be either rotating very fast or single-use.

Since my previous posting, somewhere along the way Kuluoz distribution links changed format.

Attack vector is the same as far as I know. It's a zip file, requiring the user to actually extract the zip and run the executable.

===================
===199.79.62.165===
===================

2013-05-24 06:59:22 http://calquan.com/img/get.php?get_info=ss00_323
2013-10-17 00:57:50 http://www.qabandigroup.com/get.php?invite=BW23JzJ92KvOgkce4NLidGC1MDDEXcRaDb7r77wYCJw

Examples:

http://rigas.name/item.php?message=Jyj6qil+nLBgj9MjzxCYSfbU3wGMwHN1dZccfDSWCcM=

http://wentworth.aero/app.php?message=85wJGcjFxbxLb7OArN/4Tx+tHIWnExbiJRKRasnOGDw=

http://pravopom.com/get.php?invite=g9VL3vhFBKWbvtQ3zNgpNmqaQuXRe3z/FiD8Fxm8hAY=

http://hnhc.org/main.php?label=Kzhjih0ExKbXbV97sII/dLcqBGaaCB7c3KAwdp9RVyY=

http://stamfordses.org/info.php?cargo=li5glNSESMJkAGkF5lP3sDhVYQF40mWI15JUqCpgpiA=

HTTP Method = GET
Content-Type = application/octet-stream
Regex HTTP URI for \/[a-z]+\.php\?[a-z]+=[a-zA-Z0-9+/]{42,43}(=)?$

OR

HTTP Method = GET
Content-Type = application/octet-stream
Regex HTTP URI for \/(app|main|info|get|place|item|voice|message|msg)\.php\?(message|label|id|cargo|inv|invite|vmid|wed)=
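The two regexes above accept any blob of 42 to 43 base64 characters plus an optional "=". Every blob quoted in this section is 43 characters (44 with padding), which is exactly a 32-byte value, so a decode check can be layered on top of the regex to drop links the pattern alone would accept. The following is an added example and not code from the original post; the combined regex, the 32-byte requirement and the benign sample URL are this example's own assumptions, while the four links are the ones quoted above.

```python
# Added example (not from the original post): Kuluoz distribution-link check
# that decodes the base64 blob and requires it to be 32 bytes. The combined
# regex below is a union of the two patterns given in this section, with the
# filename loosened to [a-z]+ (which covers the seven-letter and "mirror" cases).
import base64
import binascii
import re

# Optional "name=" before the blob; blob is 42-43 base64 chars plus optional '='.
KULUOZ_LINK_RE = re.compile(r"\/[a-z]+\.php\?(?:[a-z]+=)?([a-zA-Z0-9+/]{42,43}=?)$")

# Links quoted in this section (observed samples, not constructed).
KULUOZ_LINKS = [
    "http://hanoumat.com/eylebpl.php?56vxfdV03Y//SXq3tnG6krkNWN6cTpKMqsKgM8yJW3M",
    "http://ametgroup.com/kcvexvg.php?gQ8V3e62zMo4oB/npoXtgRb+ULuJzVpdTamGCBlvrYE=",
    "http://rigas.name/item.php?message=Jyj6qil+nLBgj9MjzxCYSfbU3wGMwHN1dZccfDSWCcM=",
    "http://hnhc.org/main.php?label=Kzhjih0ExKbXbV97sII/dLcqBGaaCB7c3KAwdp9RVyY=",
]


def kuluoz_blob(url: str):
    """Return the decoded 32-byte blob for a Kuluoz-shaped link, else None.

    The URL is matched raw: percent-decoding it first would turn the '+'
    inside the blob into a space and break the decode."""
    m = KULUOZ_LINK_RE.search(url)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)          # the links sometimes omit the trailing '='
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None
    # 43 chars + '=' decode to 32 bytes; a 42-char blob would give 31 and is rejected.
    return raw if len(raw) == 32 else None


if __name__ == "__main__":
    for link in KULUOZ_LINKS:
        blob = kuluoz_blob(link)
        print(link, "->", blob.hex() if blob else None)
```

The decode step is what makes the `[a-z]+\.php\?[a-z]+=` shape safe to use on a busy network: a shop or CMS URL with a 43-character token that happens to be in the base64 alphabet still passes the regex, but it rarely pads to exactly 32 bytes.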

Thanks to @eplekompott and @ekse0x for helping to keep this updated!

See more Examples on UrlQuery.net

Unknown EK

If anyone has more information on this, please hit me up on twitter.

Seems to have been active at least since April of this year. I have only seen it delivered with advertising, and I have not seen it used with domains, only IPs.

Example Chain

http://72.51. 47.66 /lldb/npbh.php?t=98&dr=yHmZvIL8vXi%2BTiaZMyyXqZY%2BBoaqrPSBcmXEHi22vQI5gAqqOeUIz4kd%2BsMJ5Cx7L1mrKHSFXkrN27ScbolKKJJg4XvclYVVosGLj6MU5b1jtjrwh3tlq2DsLOQMyTseyOY5Q9XltuzxDNQa56NArok
http://72.51. 47.66 /lldb/zuhwcys.zip
http://72.51. 47.66 /lldb/SubepTjhhfChvm.class
http://72.51. 47.66 /lldb/SubepTjhhfChvm%24UtypYtqlgg.class
http://72.51. 47.66 /lldb/hqwzmjv.php?j=203

IPs Observed

207.198.127.193
216.151.221.204
216.152.135.29
216.157.98.124
216.157.99.240
216.157.99.241
216.157.99.242
216.157.99.243
216.157.99.71
216.157.99.72
216.157.99.73
216.157.99.1
64.34.127.178
66.135.36.55
69.174.251.126
72.51.36.1
72.51.36.210
72.51.44.21
72.51.44.25
72.51.44.40
72.51.44.41
72.51.44.42
72.51.44.63
72.51.44.72
72.51.47.121
72.51.47.153
72.51.47.154
72.51.47.66
72.51.47.69
76.74.152.33
76.74.152.34
76.74.152.98
76.74.153.247
76.74.153.248
76.74.154.147
76.74.154.176
76.74.155.223
76.74.155.225
76.74.155.226
76.74.155.227
76.74.157.90
76.74.166.8
76.74.236.151
76.74.236.152
76.74.236.153
76.74.237.156
76.74.237.157

View more examples of this traffic > http://pastie.org/pastes/8396549/text?key=fwh0zzyvwqs8huiso5qxw

Thanks to @keithsalmela for helping to keep this updated!

Turning Vendor Blog Posts Into Actionable Intelligence (re: Solarbot)

When I see blog posts like these, they make my day. Thanks ESET/Avast!

http://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/
https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/

The actionable data from them (IMO) is the below:

Filename = *www.facebook.com.exe

HTTP Method = POST
Content-type = application/x-www-form-urlencoded
Content-length < 100
HTTP URI (not domain) = \/[a-z]+\/$
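The signatures on this page (the Angler EK URL regexes, the clickfraud redirect and base64-like URIs, the Flashpack JAR rule, the Kuluoz links and the Solarbot check-in above) all combine the same handful of conditions: method, a User-Agent glob, a Content-Type, a URI glob and a URI regex. Below is an added example, not code from the original post, that turns that notation into a runnable matcher and runs it over constructed request records. The Request and Signature types, the sample records, the example.com URLs and the Java User-Agent string are assumptions made for this example; the regexes are the page's own.

```python
# Added example (not from the original post): evaluator for the
# method / User-Agent / Content-Type / URI signatures written out on this page.
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    url: str
    user_agent: str = ""
    content_type: str = ""   # Content-Type of the side carrying a body: response for GET, request for POST
    content_length: int = 0  # request body length, only meaningful for POST


@dataclass
class Signature:
    name: str
    method: str = "GET"
    uri_regex: Optional[str] = None       # "Regex HTTP URI = ..." (path + query unless full_url)
    uri_not_regex: Optional[str] = None   # "Regex HTTP URI != ..." exclusions
    uri_glob: Optional[str] = None        # "HTTP URI contains */x/*" in fnmatch style
    ua_glob: Optional[str] = None         # "User Agent = *Java/1.*"
    content_type: Optional[str] = None
    max_content_length: Optional[int] = None  # "Content-length < 100"
    full_url: bool = False                # the Angler regexes are anchored on the whole URL

    def matches(self, r: Request) -> bool:
        subject = r.url if self.full_url else path_and_query(r.url)
        ctype = r.content_type.split(";")[0].strip().lower()   # drop "; charset=..."
        return (
            r.method == self.method
            and (self.ua_glob is None or fnmatchcase(r.user_agent, self.ua_glob))
            and (self.content_type is None or ctype == self.content_type)
            and (self.max_content_length is None or r.content_length < self.max_content_length)
            and (self.uri_glob is None or fnmatchcase(r.url, self.uri_glob))
            and (self.uri_regex is None or re.search(self.uri_regex, subject) is not None)
            and (self.uri_not_regex is None or re.search(self.uri_not_regex, subject) is None)
        )


def path_and_query(url: str) -> str:
    """'/item.php?message=...' from a full URL; '+' and '=' are kept raw (no decoding)."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


SIGNATURES = [
    Signature("angler-exploit", uri_regex=r"^http:\/\/[^/]+\/0[a-z0-9]{13}$", full_url=True),
    Signature("angler-payload", uri_regex=r"^http:\/\/[^/]+\/1[a-z0-9]{13}$", full_url=True),
    Signature("clickfraud-redirect", content_type="text/html",
              uri_regex=r"\/(f|k|task)\/(6|24|25|26|27)(\/)?$"),
    Signature("clickfraud-b64", content_type="text/html",
              uri_regex=r"\/[a-z]\/[a-zA-Z0-9%]{50,}(%3d){1,2}\/$"),
    Signature("flashpack-jar", uri_glob="*/svoykrik/jete/*", ua_glob="*Java/1.*",
              content_type="application/x-java-archive", uri_regex=r"\/[a-f0-9]{32}\.jar$"),
    Signature("kuluoz-exe", content_type="application/octet-stream",
              uri_regex=r"\/[a-z]+\.php\?[a-z]+=[a-zA-Z0-9+/]{42,43}(=)?$"),
    Signature("solarbot-checkin", method="POST", content_type="application/x-www-form-urlencoded",
              max_content_length=100, uri_regex=r"\/[a-z]+\/$"),
]

JAVA_UA = "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_25"  # constructed Java-client User-Agent

# Constructed request records; hosts and URI shapes come from the sections above.
SAMPLES = {
    "angler": Request("GET", "http://144.76.132.248/0abc123def4567"),
    "clickfraud": Request("GET", "http://rigil-kentaurus5.biz/k/27", content_type="text/html",
                          user_agent="Mozilla/5.0 (compatible; MSIE 1.0; Windows NT; 57473847)"),
    # shortened blob with the same shape as the torphy.net example
    "clickfraud-b64": Request("GET", "http://torphy.net/c/eTBsMGdlbmVyYXRpbmd5MGwwVEhJU3RyYWZmaWN0aGlz"
                              "aXNOT1R3aG%2fF0dGhlYWNUVUFMYmFzZTY0eTBsMFcw%3d%3d/", content_type="text/html"),
    "flashpack": Request("GET", "http://198.98.121.245/svoykrik/jete/" + "0123456789abcdef" * 2 + ".jar",
                         user_agent=JAVA_UA, content_type="application/x-java-archive"),
    "kuluoz": Request("GET", "http://rigas.name/item.php?message=Jyj6qil+nLBgj9MjzxCYSfbU3wGMwHN1dZccfDSWCcM=",
                      content_type="application/octet-stream"),
    "solarbot": Request("POST", "http://dabakhost.be/solbrwq/",
                        content_type="application/x-www-form-urlencoded", content_length=64),
    # Same URI shape as the Kuluoz link but an HTML response: the Content-Type condition drops it.
    "benign-html": Request("GET", "http://example.com/item.php?message=Jyj6qil+nLBgj9MjzxCYSfbU3wGMwHN1dZccfDSWCcM=",
                           content_type="text/html; charset=utf-8"),
    # Ordinary form POST with a body larger than the Solarbot check-in.
    "benign-post": Request("POST", "http://example.com/login/",
                           content_type="application/x-www-form-urlencoded", content_length=350),
}


def scan(samples=SAMPLES, signatures=SIGNATURES):
    """Map each sample name to the list of signature names that match it."""
    return {name: [s.name for s in signatures if s.matches(r)] for name, r in samples.items()}
```

The two benign records are the point of the exercise: the URI regexes alone would fire on both, and it is the Content-Type, Content-Length and User-Agent conditions the page attaches to each rule that keep them quiet. Keep those conditions when porting a rule to an IDS, and match the raw URI, since URL-decoding turns the `+` inside Kuluoz blobs into a space.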

We’re able to use great sites like Virustotal, UrlQuery, Malwr.com, CleanMX, Malc0de.com, and some simple googlefu to build more intelligence around the indicators that were given.

You can then turn around and use this in your environment to detect compromised machines.

dabakhost.be – 81.177.180.60

From VT

2013-08-28 04:15:56 http://dabakhost.be/solbrwq/
2013-08-09 22:40:17 http://dabakhost.be/Loader.exe

From UrlQuery

2013-08-09 04:29:35 http://dabakhost.be/Loader.exe [Russian Federation] 81.177.180.60

From CleanMX

http://privathosting.be/Solar.exe

terra-araucania.cl – 69.73.130.24

From VT

2013-08-28 12:16:00 http://terra-araucania.cl/
2013-08-28 03:57:10 http://terra-araucania.cl/solar/

xyz25.com – 92.243.18.120, 92.243.1.61

From VT

2013-08-16 13:17:33 http://xyz25.com/

From UrlQuery

2013-09-17 15:21:12 http://www.xyz25.com/mf2cqb60hvpg/j12515f1e3xelm6/Image_024-WWW.FACEBOOK.COM.exe
[France] 92.243.1.61

From Malwr.com

1. https://malwr.com/analysis/NjQ0N2YzNTMwMGNkNDJkMTg5ZGI5MjJiMTAyYmYyN2Q/
2. https://malwr.com/analysis/ZjUwZjZiOGJlZTk5NDgyNmE1MmFmM2JjNDAwZDBiODg/
3. https://malwr.com/analysis/MTlmMmQ0YjliNzM0NGQ5MmI4MGI4ZjkzMWVjYjUxNTI/

Some additional activity is seen in Report #2 that may or may not be related…

http://upload.tehran98.com/upme/uploads/91e26a25c62c3cd91.png – 144.76.94.237

GET /upme/uploads/91e26a25c62c3cd91.png HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)
Host: upload.tehran98.com
Connection: Keep-Alive

http://zxc.ao2r9k.com/l1I.php – 95.142.171.14

GET /l1I.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36
Host: zxc.ao2r9k.com
Cache-Control: no-cache

The UA differs from the ones in both write-ups, which suggests the binary is not using a static UA.

yandafia.com – 85.25.208.82, 85.25.23.154, 93.190.141.106

From VT

2013-09-19 13:36:43 http://yandafia.com/456.exe
2013-08-31 14:23:37 http://yandafia.com/wp-admin/css/css/css/csx/
2013-07-29 15:00:54 http://yandafia.com/450.exe
2013-07-20 20:08:27 http://yandafia.com/order.php
2013-07-11 01:49:29 http://yandafia.com/

elzbthfntr.com – 37.139.3.132

From VT

2013-08-04 37.139.3.132

alfadente.com.br – 200.234.196.75

From VT

2013-09-26 14:27:10 http://alfadente.com.br/
2013-08-07 03:28:59 http://alfadente.com.br/Image.Skype.29.07.2013.exe
2013-08-04 03:35:25 http://alfadente.com.br/s.exe
2013-08-03 12:29:25 http://alfadente.com.br/i.exe

cmeef.info – 93.174.94.64, 178.238.237.110

From VT

2013-09-26 14:14:29 http://cmeef.info/e6ct/index.php
2013-09-05 15:16:41 http://cmeef.info/
2013-09-05 14:01:06 http://cmeef.info/e6ct/

From there you can build out more domains on the IPs and start building IOCs for use in your network. Network analysis is iterative.

Detecting BEK via URI Parameters

This might only be interesting to me, but recently BEK has shifted from encoding like this:

.php?Pf=6435663034&Ne=33613638373066373138&N=30&vi=a&KB=A

To something nasty like this:

.php?r7!7K3620M97Xk=wd8e89wbw7&-89a2*_-8h*=8a8bwb8cwwwe8b8ew9w8&Ua3_--8O5u=ww&-5a*1!91=37A42!8!1*I&7!O7PE*N=4Rd*!9mb4

That looks somewhat like a nightmare, but what hasn’t changed is the number of parameters in the URI.

Old EXE URI…

1. Pf=
2. 6435663034&Ne=
3. 33613638373066373138&N=
4. 30&vi=
5. a&KB=
6. A

New EXE URI…

1. r7!7K3620M97Xk=
2. wd8e89wbw7&-89a2*_-8h*=
3. 8a8bwb8cwwwe8b8ew9w8&Ua3_--8O5u=
4. ww&-5a*1!91=
5. 37A42!8!1*I&7!O7PE*N=
6. 4Rd*!9mb4

In looking at this further, it appears that landings have 0 params, JARs have 3, PDFs have 5, and EXEs have 6, counting “params” the way the lists above do, as the pieces you get by splitting the query string on “=” (so a JAR request carries two key=value pairs and an EXE request five).

Examples of Variants: (Scroll down on the urlquery link and expand the red JS execution)

/ngen/controlling/ BEK – http://urlquery.net/report.php?id=5463246
/closest/ BEK – http://urlquery.net/report.php?id=5885689

BEK JAR *Most Reliable*

HTTP Method = GET
HTTP URI = *.php?*
User-Agent = *Java/1.*
Content-type = application/x-java-archive
Regex HTTP URI = \.php\?([^=]+=){2}[^=]+$

BEK EXE *May FP*

HTTP Method = GET
User-Agent = *Java/1.*
Regex HTTP URI = \.php\?([^=]+=){5}[^=]+$
Regex HTTP URI != \/[a-z]+\.php (optional, to cut down FPs)
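The parameter-count observation above can be implemented directly, without caring what the parameter names look like, and cross-checked against the JAR and EXE regexes. What follows is an added example, not code from the original post: the stage table (landing 0, JAR 3, PDF 5, EXE 6) is the post's, and the two EXE query strings are the ones quoted above; the .php filenames, the JAR/PDF/landing URIs and the benign login URI are constructed for this example.

```python
# Added example (not from the original post): classify Blackhole (BEK) request
# URIs by the number of '='-delimited pieces in the query string, the property
# the post says survived the change in parameter encoding.
import re

STAGE_BY_PIECES = {0: "landing", 3: "jar", 5: "pdf", 6: "exe"}

JAR_RE = re.compile(r"\.php\?([^=]+=){2}[^=]+$")    # "BEK JAR" signature above
EXE_RE = re.compile(r"\.php\?([^=]+=){5}[^=]+$")    # "BEK EXE" signature above
PLAIN_PHP_RE = re.compile(r"\/[a-z]+\.php")         # optional exclusion from the EXE signature

# Query strings quoted above, behind constructed filenames (the post elides them).
OLD_EXE = "/ngen/controlling/x7p2q.php?Pf=6435663034&Ne=33613638373066373138&N=30&vi=a&KB=A"
NEW_EXE = ("/closest/k0d9z.php?r7!7K3620M97Xk=wd8e89wbw7&-89a2*_-8h*=8a8bwb8cwwwe8b8ew9w8"
           "&Ua3_--8O5u=ww&-5a*1!91=37A42!8!1*I&7!O7PE*N=4Rd*!9mb4")
# Constructed URIs for the other stages.
JAR_SAMPLE = "/closest/k0d9z.php?Ab=3f&Cd=aa"              # 2 '=' -> 3 pieces
PDF_SAMPLE = "/closest/k0d9z.php?Ab=3f&Cd=aa&Ef=1&Gh=2"    # 4 '=' -> 5 pieces
LANDING_SAMPLE = "/closest/k0d9z.php"
# Constructed benign URI: 6 pieces, but a plain-letters filename the exclusion catches.
BENIGN_LOGIN = "/forum/login.php?user=a&pass=b&x=c&y=d&z=e"


def query_pieces(uri: str) -> int:
    """Pieces obtained by splitting the query string on '=' (0 when there is no query).
    'Pf=6435663034&Ne=33613638373066373138&N=30&vi=a&KB=A' gives 6."""
    _, sep, query = uri.partition("?")
    return query.count("=") + 1 if sep and query else 0


def bek_stage(uri: str, exclude_plain_php: bool = False):
    """Stage name for a .php request by piece count, or None when the count is not
    one of the BEK ones. exclude_plain_php applies the post's optional FP filter."""
    path = uri.partition("?")[0]
    if not path.endswith(".php"):
        return None
    if exclude_plain_php and PLAIN_PHP_RE.search(path):
        return None
    return STAGE_BY_PIECES.get(query_pieces(uri))


def regex_stage(uri: str):
    """The same decision made with the post's regexes (no PDF regex is given)."""
    if EXE_RE.search(uri):
        return "exe"
    if JAR_RE.search(uri):
        return "jar"
    return None


if __name__ == "__main__":
    for uri in (OLD_EXE, NEW_EXE, JAR_SAMPLE, PDF_SAMPLE, LANDING_SAMPLE, BENIGN_LOGIN):
        print(f"{query_pieces(uri)} pieces  count={bek_stage(uri)!s:8} "
              f"regex={regex_stage(uri)!s:5} {uri[:48]}")
```

Two caveats when using this on live traffic: an "=" inside a value (base64 padding, for instance) inflates the count, which is why the Java User-Agent and Content-Type conditions above matter, and the benign login URI shows why the `\/[a-z]+\.php` exclusion is worth keeping on the EXE rule even though it is marked optional.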