SofosFO EXE Payload Evasion Techniques

SofosFO is disguising its executable payloads in a sneaky, and interesting, way.

Example Chain:

http://incurable.fulfillingrgdohavingdhiv.biz/chanting_shallow.php > Landing/PD
http://incurable.fulfillingrgdohavingdhiv.biz/6oqgDDwQ4GmiEDQmqqir4DZpD/9d20ZKQ7QeQe/loads.php5 > Calls JAR
http://incurable.fulfillingrgdohavingdhiv.biz/qboqgDDwQwGmiEDQmqqir4DZmm/353810494/misspelled.pdf > Mal PDF
http://incurable.fulfillingrgdohavingdhiv.biz/ee9woqgDDwQwGmiEDQmqqir4DZmm/358416430/2445500 > EXE from PDF
http://incurable.fulfillingrgdohavingdhiv.biz/qboqgDDwQwGmiEDQmqqir4DZmm/example.jar > Mal JAR
http://incurable.fulfillingrgdohavingdhiv.biz/qboqgDDwQwGmiEDQmqqir4DZmm/0256000045/1369364 > EXE from JAR

This looks like the usual SofosFO activity until we look at the packets…

EXE from JAR

GET /qboqgDDwQwGmiEDQmqqir4DZmm/0256000045/1369364 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_10
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx/0.7.67
Content-Type: application/java-archive
Transfer-Encoding: chunked
Connection: keep-alive
Content-Disposition: inline; filename="triumphs.jar"

The body is an encoded executable, served with a Content-Type of application/java-archive and an inline .jar filename so that it passes as a JAR download. Also notice the User-Agent: the request comes from the Java runtime itself (Java/1.7.0_10), not from the browser.

Signature:

HTTP Method = GET
User-Agent = *Java/1.*
Content-Type = application/java-archive
Regex HTTP URI for \/[0-9]{8,11}\/[0-9]{6,8}$

EXE from PDF

GET /ee9woqgDDwQwGmiEDQmqqir4DZmm/358416430/2445500 HTTP/1.1
User-Agent: http://incurable.fulfillingrgdohavingdhiv.biz/ee9woqgDDwQwGmiEDQmqqir4DZmm/358416430/2445500
Host: incurable.fulfillingrgdohavingdhiv.biz

HTTP/1.1 200 OK
Server: nginx/0.7.67
Content-Type: application/pdf
Transfer-Encoding: chunked
Connection: keep-alive
Content-Disposition: inline; filename="nozzles.jar"

This is also an encoded executable, downloaded after the Adobe (PDF) exploit fires. Notice the User-Agent, which is simply the download URL itself; the Content-Type, which claims application/pdf; and the inline filename, which claims a .jar even though the Content-Type says PDF.

Signature:

HTTP Method = GET
User-Agent = http://*
Content-Type = application/pdf
Regex HTTP URI for \/[0-9]{8,11}\/[0-9]{6,8}$
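Both signatures above expressed as detection logic and run over the two captured exchanges, as an added example that is not part of the original post. The three sample transactions are constructed here from the headers quoted above plus one benign JAR download that must not match; the disposition-mismatch check at the end is an extra heuristic of my own, not one of the post's signatures.

```python
import re
from dataclasses import dataclass

# The URI pattern shared by both signatures: /<8-11 digits>/<6-8 digits> at end of path.
URI_RE = re.compile(r"/[0-9]{8,11}/[0-9]{6,8}$")


@dataclass
class HttpTxn:
    method: str
    uri: str
    req_headers: dict
    resp_headers: dict


def parse_headers(raw):
    """Split a raw header block into (first line, {lower-cased name: value})."""
    lines = raw.strip().splitlines()
    hdrs = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)  # split on the first colon only (UA may be a URL)
            hdrs[name.strip().lower()] = value.strip()
    return lines[0], hdrs


def parse_txn(request_raw, response_raw):
    reqline, req_hdrs = parse_headers(request_raw)
    method, uri, _version = reqline.split(" ", 2)
    _status, resp_hdrs = parse_headers(response_raw)
    return HttpTxn(method, uri, req_hdrs, resp_hdrs)


def matches_exe_from_jar(txn):
    """Signature 1: GET, Java/1.* user agent, application/java-archive, numeric URI tail."""
    ua = txn.req_headers.get("user-agent", "")
    ct = txn.resp_headers.get("content-type", "")
    return (txn.method == "GET"
            and re.search(r"Java/1\.", ua) is not None
            and ct.startswith("application/java-archive")
            and URI_RE.search(txn.uri) is not None)


def matches_exe_from_pdf(txn):
    """Signature 2: GET, user agent that is a URL, application/pdf, numeric URI tail."""
    ua = txn.req_headers.get("user-agent", "")
    ct = txn.resp_headers.get("content-type", "")
    return (txn.method == "GET"
            and ua.startswith("http://")
            and ct.startswith("application/pdf")
            and URI_RE.search(txn.uri) is not None)


def disposition_mismatch(txn):
    """Extra heuristic (added here, not one of the post's signatures): a response
    declared as application/pdf whose inline filename ends in .jar."""
    ct = txn.resp_headers.get("content-type", "")
    cd = txn.resp_headers.get("content-disposition", "")
    m = re.search(r'filename="?([^";]+)"?', cd)
    return bool(m) and ct.startswith("application/pdf") and m.group(1).lower().endswith(".jar")


def classify(txn):
    if matches_exe_from_jar(txn):
        return "sofosfo-exe-from-jar"
    if matches_exe_from_pdf(txn):
        return "sofosfo-exe-from-pdf"
    return None


# Constructed samples, copied from the captures above.
JAR_REQ = """GET /qboqgDDwQwGmiEDQmqqir4DZmm/0256000045/1369364 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_10
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
"""
JAR_RESP = """HTTP/1.1 200 OK
Server: nginx/0.7.67
Content-Type: application/java-archive
Transfer-Encoding: chunked
Content-Disposition: inline; filename="triumphs.jar"
"""
PDF_REQ = """GET /ee9woqgDDwQwGmiEDQmqqir4DZmm/358416430/2445500 HTTP/1.1
User-Agent: http://incurable.fulfillingrgdohavingdhiv.biz/ee9woqgDDwQwGmiEDQmqqir4DZmm/358416430/2445500
Host: incurable.fulfillingrgdohavingdhiv.biz
"""
PDF_RESP = """HTTP/1.1 200 OK
Server: nginx/0.7.67
Content-Type: application/pdf
Transfer-Encoding: chunked
Content-Disposition: inline; filename="nozzles.jar"
"""
# Constructed benign control: a real JAR fetched by the Java runtime, no numeric URI tail.
BENIGN_REQ = """GET /lib/app.jar HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_10
Host: example.com
"""
BENIGN_RESP = """HTTP/1.1 200 OK
Content-Type: application/java-archive
"""

if __name__ == "__main__":
    for req, resp in ((JAR_REQ, JAR_RESP), (PDF_REQ, PDF_RESP), (BENIGN_REQ, BENIGN_RESP)):
        t = parse_txn(req, resp)
        print(t.uri, "->", classify(t), "mismatch" if disposition_mismatch(t) else "")
```

The URI regex carries most of the weight here: the Java user agent and JAR content type are normal for any applet download, so without the numeric path tail the first signature would fire on legitimate traffic, which the benign control demonstrates.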

At the time of writing it is dropping large (800k+) RogueAV files.
