MalwareSigs

As noticed by @Set_Abominae and @kafeine, redkit has made a slight modification to it’s URI.

New Redkit EK pattern: both jar and jnlp now use /[a-z0-9]{4}.<ext>. Payload still use /[0-9]{2}.html

— Set Abominae (@Set_Abominae) May 10, 2013

Redkit : small change in URI pattern :[a-z0-9]{4} for jnlp and jar too ( cc @malwaresigs ) twitter.com/kafeine/status…

— kafeine (@kafeine) May 10, 2013

Looks to now be four characters in the html, jar and jnlp. EXE remains 2 digits.

Redkit JNLP

HTTP Method = GET
HTTP URI ends with *.jnlp
Regex HTTP URI ^http:\/\/[a-z0-9A-Z-.]+\/[a-z0-9A-Z]{4}\.jnlp$

RedKit JAR

HTTP Method = GET
HTTP URI ends with *.jar
Content-type = application/java-archive
Regex HTTP URI ^http:\/\/[a-z0-9A-Z-.]+\/[a-z0-9A-Z]{4}\.jar$

*Is this change related to the Sophos article? Hmm… *

Looks like Multiple variants of BEK have integrated the use of JNLP files as well.

@secobscurity has a very nice writeup of how JNLP bypasses the security warning that was introduced with JRE 7u11.

Paste of jnlp landing.

d.wholink.pw/raise/words-printers.php?jnlp=b3bd7b747e,07116a753d (text/html)
d.wholink.pw/raise/words-printers.php?rtg=cnavm&qznsq=ttczm (application/java-archive)

BEK JNLP File

HTTP Method = GET
HTTP URI contains *.php?jnlp=*
User-Agent = JNLP*
Regex HTTP URI for \.php\?jnlp=[a-f0-9]{10}(,[a-f0-9]{10})?$

See more examples of BEK JNLP files on UrlQuery.net

Popads seems to be using a .jnlp file to make it’s actions seem more legitimate to the end user.

Paste of .jnlp file

What’s a JNLP file?

When loaded, this gives a nice little animated popover…while the malicious stuff is happening in the background. This is used to bypass the security warning that was introduced in JRE7u11.

There may be a misconfig on this as it created a very large number of instances of java.

Popads post updated with this “jnlp” info.

Ref: http://security-obscurity.blogspot.no/2013/04/the-latest-java-exploit-with-security.html

SofosFO is being sneaky in a cool and interesting way.

Example Chain:

http://incurable.fulfillingrgdohavingdhiv.biz/chanting_shallow.php > Landing/PD
http://incurable.fulfillingrgdohavingdhiv.biz/6oqgDDwQ4GmiEDQmqqir4DZpD/9d20ZKQ7QeQe/loads.php5 > Calls JAR
http://incurable.fulfillingrgdohavingdhiv.biz/qboqgDDwQwGmiEDQmqqir4DZmm/353810494/misspelled.pdf > Mal PDF
http://incurable.fulfillingrgdohavingdhiv.biz/ee9woqgDDwQwGmiEDQmqqir4DZmm/358416430/2445500 > EXE from PDF
http://incurable.fulfillingrgdohavingdhiv.biz/qboqgDDwQwGmiEDQmqqir4DZmm/example.jar > Mal JAR
http://incurable.fulfillingrgdohavingdhiv.biz/qboqgDDwQwGmiEDQmqqir4DZmm/0256000045/1369364 > EXE from JAR

Looks like usual SofosFO activity till we look at the packets…

EXE from JAR

GET /qboqgDDwQwGmiEDQmqqir4DZmm/0256000045/1369364 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_10
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx/0.7.67
Content-Type: application/java-archive
Transfer-Encoding: chunked
Connection: keep-alive
Content-Disposition: inline; filename=”triumphs.jar”

This is an encoded exe, with a modified content type and filename. Also notice the user agent.

Signature:

HTTP Method = GET
User-Agent = *Java/1.*
Content-Type = application/java-archive
Regex HTTP URI for \/[0-9]{8,11}\/[0-9]{6,8}$

EXE from PDF

GET /ee9woqgDDwQwGmiEDQmqqir4DZmm/358416430/2445500 HTTP/1.1
User-Agent: http://incurable.fulfillingrgdohavingdhiv.biz/ee9woqgDDwQwGmiEDQmqqir4DZmm/358416430/2445500
Host: incurable.fulfillingrgdohavingdhiv.biz

HTTP/1.1 200 OK
Server: nginx/0.7.67
Content-Type: application/pdf
Transfer-Encoding: chunked
Connection: keep-alive
Content-Disposition: inline; filename=”nozzles.jar”

This is also an encoded executable from the Adobe exploit. Notice the user agent, content type, and inline filename.

Signature:

HTTP Method = GET
User-Agent = http://*
Content-Type = application/pdf
Regex HTTP URI for \/[0-9]{8,11}\/[0-9]{6,8}$

Dropping large (800k+) RogueAV files currently.

Have been seeing these a lot recently in conjunction with recent events…

HTTP Method = GET
HTTP URI ends with */news.html OR */boston.html OR */texas.html
Regex HTTP Request for ^http:\/\/(\d\d?\d?\.){3}\d\d?\d?\/(news|texas|boston)\.html$

See examples of this on UrlQuery.net

Some things that have been useful in catching Sakura lately.

Landing – hq5jj.grantsfork12schools.net:88/forum/he.php
PDF – hq5jj.grantsfork12schools.net:88/forum/late_between.php (application/pdf)
JAR – hq5jj.grantsfork12schools.net:88/forum/late_between.php (application/x-java-archive)
EXE – hq5jj.grantsfork12schools.net:88/forum/8632.htm (application/octet-stream) – likey from pdf

Landing

HTTP Request Method = GET
HTTP URI contains /forum/ OR /articles/ OR /page/
Regex HTTP URI for 8|9)[0-9]\/(forum|articles|page)\/[a-z]+\.php$

PDF

HTTP Request Method = GET
HTTP URI contains /forum/ OR /articles/ OR /page/
Content type = application/pdf
Regex HTTP URI for 8|9)[0-9]\/(forum|articles|page)\/[a-z]+\.php$

JAR

HTTP Request Method = GET
HTTP URI contains /forum/ OR /articles/ OR /page/
Content type = application/x-java-archive
Regex HTTP URI for 8|9)[0-9]\/(forum|articles|page)\/[a-z]+\.php$

EXE

HTTP Request Method = GET
HTTP URI contains /forum/ OR /articles/ OR /page/
Content type = application/octet-stream
Regex HTTP URI for 8|9)[0-9]\/(forum|articles|page)\/

See more examples of Sakura Exploit Kit on URLquery.net

Have been seeing CEK being used without /world/ or /news/ or /read/…etc.

EXE Payload

HTTP Method = GET
User-agent = *Java/1.*
Content-type = application/x-msdownload
Regex HTTP URI for “\.txt\?[a-z]=[0-9]+$”

Slight change…also noticed by @Set_Abominae > http://pastebin.com/SFypQ0Q1

Neutrino JAR

HTTP Method = GET
Content-Type = application/java-archive
Regex HTTP URI for \/[A-Za-z0-9]{50,}(==?)?$

Neutrino EXE

HTTP Method = GET
Content-Type = application/octet-stream
Regex HTTP URI for \/[A-Za-z0-9]{50,}(==?)?$

Will have some FPs like globo.com, avast.com, etc.

1) hiynet. is-a-geek.net/ads/ > Landing
2) oracle.com-Critical-Security-Update-JRE_1.7.u17-Windows-Install-Request-From.hiynet .is-a-geek.net/ads/9hlkii92.file > JAR (application/x-java-archive)
3) hiynet. is-a-geek.net/ads/lp9459f5.php?a=41&bulkily=3d747&i=44903301&bo=40232&priors=n&x=%2F&trismic=V& > XOR’d EXE (application/octet-stream)

Only change here is the jar file. Previous post on g01pack has been updated.