G01pack Exploit Kit Variant

Don’t know if this is an update, or a different campaign, or whatnot…but it’s different than it used to be.

Tricky to acquire. Almost exclusive to malvertising.

DynDns Domains being used:

*.dyndns.org
*.dyndns.info
*.dyndns-at-home.com
*.dyndns.tv
*.dyndns-web.com
*.dyndns.biz
*.dyndns-ip.com
*.homeip.net
*.homelinux.com
*.mine.nu
*.blogsite.org
*.homedns.org
*.homeftp.net
*.blogdns.com
*.webhop.org
*.is-lost.org
*.is-a-musician.com
*.is-a-hunter.com
*.is-a-designer.com
*.is-into-anime.com
*.homeunix.com
*.saves-the-wales.com
*.does-it.net
*.is-an-accountant.com
*.selfip.info
*.dnsdojo.net
*.is-a-geek.com
*.doesntexist.com
*.dynalias.com
*.servegame.org

– i’m sure there are more *.is-* domains…can look for more with regex on domain > “\.is(\-[a-z]+){1,}\.[a-z]+”

Regex for identifying fields:

\/(forum|mix|songs|ports|news|comments|top|funds|feeds|finance|usage|profile|points|look|banners
|view|ads|delivery|paints|audit|css|accounts|internet|tweet|posts)\/

GATES

http://eiscalla.saves-the-whales.com/news/
http://fordnosize.is-an-accountant.com/finance/
http://noinoldun.does-it.net/news/
http://kzzjump.homedns.org/look/

MALJAR

http://talkydao.is-an-accountant.com/finance/s98w4.gif
http://mefb2bri.is-a-hunter.com/finance/syypj.gif
http://uscodedb.is-a-musician.com/finance/ja2pi.gif
http://sizecownwhen.dnsdojo.net/ads/t8wcpk.jpg
http://oracle.com-Critical-Security-Update-JRE_1.7.u17-Windows-Install-Request-From.hiynet .is-a-geek.net/ads/9hlkii92.file
http://sun.com-oracle-security-fix-jdk_1.7.u17-win32-install-request-from-bcwhensi.is-a-soxfan .org/ads/ag9ntac6nc35.applet

HTTP Request Method = GET
Content-type = application/java-archive
User-agent contains *Java/1.*
Regex HTTP URI for \/[a-z0-9]{4,14}\.(gif|jpg|file|applet)$

MALJAR Variant

http://sizecownwhen.dnsdojo.net/ads/llctsudjeyhtsf.png
http://mefb2bri.is-a-hunter.com/ads/5p92jsuhencus8.png
http://uscodedb.is-a-musician.com/ads/28kdujeuhsgyeh.png

HTTP Request Method = GET
HTTP Content-type = text/html*
HTTP URI ends with .png
User-agent contains *Java/1.*
Regex HTTP URI for \/[a-z0-9]{4,14}\.png$

MALJAR Variant 2

http://java.com-oracle-update-runtime.7u23-win32.install-prefix.netsizekocode.is-a-geek.net/ads/h7n6i3w.control

HTTP Request Method = GET
HTTP Content-type = application/java-archive
HTTP URI ends with .control
User-agent contains *Java/1.*
Regex HTTP URI for \/[a-z0-9]{4,14}\.control$

EXEs

http://lewhenfold. is-a-designer.com/finance/2qsyk.php?lint=39705&template=%2F&site=33676207&login=50&

HTTP Request Method = GET
Content-type = application/octet-stream
Regex HTTP URI for “\/(forum|mix|songs|ports|news|comments|top|funds|feeds|finance|usage|profile|points|look|banners|view|
ads|delivery|paints|audit|css|accounts|internet|tweet|posts)\/[a-z0-9]{5,14}\.php”

See more examples of g01Pack Exploit Kit on UrlQuery.net

— Notes

This activity seems to be focused in the 31.193.195.0/24 subnet.

@c_APT_ure reported that g01pack is also active within the past few days at 216.246.98.88-90, and posted a paste of current domains.

Reference: http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/18443

Thanks to @Set_Abominae for helping to keep this updated!

Comments are closed.