Monthly Archives: October 2013

Flashpack /svoykrik/ Variant

Flashpack is still around; it has recently been seen being delivered through ads.

Observed IP Addresses:

198.98.121.245
108.171.205.105
46.254.21.128
50.2.53.150

GATE

HTTP Method = GET
HTTP URI contains */svoykrik/gate.php?id=*&callback=__JSONP__0
Regex HTTP for id=[0-9]{20,}

JAR

HTTP Method = GET
HTTP URI contains */svoykrik/jete/*
User Agent = *Java/1.*
Content-type = application/x-java-archive
Regex HTTP for \/[a-f0-9]{32}\.jar$

EXE

HTTP Method = GET
HTTP URI contains */svoykrik/*
User Agent = *Java/1.*
Regex HTTP for \.php\?cashe=[0-9]{20}$

Kuluoz Updated Distribution Links

*Update 22/11/2013*

Thanks to a tip from @StopMalwar, we can see another variant, this one using some random characters in the script name.

Examples:

http://hanoumat.com/eylebpl.php?56vxfdV03Y//SXq3tnG6krkNWN6cTpKMqsKgM8yJW3M
http://ametgroup.com/kcvexvg.php?gQ8V3e62zMo4oB/npoXtgRb+ULuJzVpdTamGCBlvrYE=

HTTP Method = GET
Content-Type = application/octet-stream
Regex HTTP URI for \/([a-z]{7}|mirror)\.php\?[a-zA-Z0-9+/]{42,43}(=)?$

See Examples on UrlQuery.net

The links also seem to be either very short-lived or single-use only.

Since my previous posting, somewhere along the way Kuluoz distribution links changed format.

The attack vector is the same as far as I know: a zip file, requiring the user to actually extract the zip and run the executable.

===================
===199.79.62.165===
===================

2013-05-24 06:59:22 http://calquan.com/img/get.php?get_info=ss00_323
2013-10-17 00:57:50 http://www.qabandigroup.com/get.php?invite=BW23JzJ92KvOgkce4NLidGC1MDDEXcRaDb7r77wYCJw

Examples:

http://rigas.name/item.php?message=Jyj6qil+nLBgj9MjzxCYSfbU3wGMwHN1dZccfDSWCcM=
http://wentworth.aero/app.php?message=85wJGcjFxbxLb7OArN/4Tx+tHIWnExbiJRKRasnOGDw=
http://pravopom.com/get.php?invite=g9VL3vhFBKWbvtQ3zNgpNmqaQuXRe3z/FiD8Fxm8hAY=
http://hnhc.org/main.php?label=Kzhjih0ExKbXbV97sII/dLcqBGaaCB7c3KAwdp9RVyY=
http://stamfordses.org/info.php?cargo=li5glNSESMJkAGkF5lP3sDhVYQF40mWI15JUqCpgpiA=

HTTP Method = GET
Content-Type = application/octet-stream
Regex HTTP URI for \/[a-z]+\.php\?[a-z]+=[a-zA-Z0-9+/]{42,43}(=)?$

OR

HTTP Method = GET
Content-Type = application/octet-stream
Regex HTTP URI for \/(app|main|info|get|place|item|voice|message|msg)\.php\?(message|label|id|cargo|inv|invite|vmid|wed)=

Thanks to @eplekompott and @ekse0x for helping to keep this updated!

See more Examples on UrlQuery.net
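As an added example (not the author's own tooling), the Flashpack and Kuluoz signatures above can be transcribed into a small Python log scanner; the tab-separated log format, the sample log lines and the example.invalid host are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def glob_to_regex(pattern):
    """Turn the '*/svoykrik/jete/*' style wildcard used above into an anchored regex."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")

SIGNATURES = [
    # name, method, URI wildcard, User-Agent wildcard, Content-Type, regex over the request URI
    ("flashpack-gate", "GET", "*/svoykrik/gate.php?id=*&callback=__JSONP__0", None, None, r"id=[0-9]{20,}"),
    ("flashpack-jar", "GET", "*/svoykrik/jete/*", "*Java/1.*", "application/x-java-archive", r"\/[a-f0-9]{32}\.jar$"),
    ("flashpack-exe", "GET", "*/svoykrik/*", "*Java/1.*", None, r"\.php\?cashe=[0-9]{20}$"),
    ("kuluoz-random", "GET", None, None, "application/octet-stream", r"\/([a-z]{7}|mirror)\.php\?[a-zA-Z0-9+/]{42,43}(=)?$"),
    ("kuluoz-generic", "GET", None, None, "application/octet-stream", r"\/[a-z]+\.php\?[a-z]+=[a-zA-Z0-9+/]{42,43}(=)?$"),
    ("kuluoz-named", "GET", None, None, "application/octet-stream", r"\/(app|main|info|get|place|item|voice|message|msg)\.php\?(message|label|id|cargo|inv|invite|vmid|wed)="),
]

def match_request(method, url, user_agent, content_type):
    """Return the names of every signature the request satisfies (a request may hit several)."""
    parts = urlsplit(url)
    uri = parts.path + ("?" + parts.query if parts.query else "")  # regexes apply to path + query
    hits = []
    for name, meth, uri_glob, ua_glob, ctype, regex in SIGNATURES:
        if method != meth or (ctype and content_type != ctype):
            continue
        if uri_glob and not glob_to_regex(uri_glob).match(uri):
            continue
        if ua_glob and not glob_to_regex(ua_glob).match(user_agent):
            continue
        if re.search(regex, uri):
            hits.append(name)
    return hits

# Constructed sample proxy log (not real traffic): method, URL, User-Agent, Content-Type, tab-separated.
# The sixth line is a deliberate near-miss: a gate request whose id is shorter than the 20 digits the rule requires.
SAMPLE_LOG = """\
GET\thttp://198.98.121.245/svoykrik/gate.php?id=1234567890123456789012&callback=__JSONP__0\tMozilla/5.0\ttext/javascript
GET\thttp://108.171.205.105/svoykrik/jete/0123456789abcdef0123456789abcdef.jar\tJava/1.7.0_25\tapplication/x-java-archive
GET\thttp://46.254.21.128/svoykrik/load.php?cashe=12345678901234567890\tJava/1.7.0_25\tapplication/octet-stream
GET\thttp://example.invalid/abcdefg.php?AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd+/=\tMozilla/5.0\tapplication/octet-stream
GET\thttp://example.invalid/get.php?invite=AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd+/=\tMozilla/5.0\tapplication/octet-stream
GET\thttp://198.98.121.245/svoykrik/gate.php?id=12345&callback=__JSONP__0\tMozilla/5.0\ttext/javascript
GET\thttp://example.invalid/index.php?id=5\tMozilla/5.0\ttext/html
"""

def scan_log(text):
    """Return (url, matched signature names) for each log line that fires at least one signature."""
    rows = [line.split("\t") for line in text.splitlines()]
    hits = [(url, match_request(m, url, ua, ct)) for m, url, ua, ct in rows]
    return [(url, names) for url, names in hits if names]
```

Running scan_log(SAMPLE_LOG) flags five of the seven lines; the short-id gate request and the benign index.php request produce no hits.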

Unknown EK

If anyone has more information on this, please hit me up on Twitter.

It seems to have been active since at least April of this year. I have only seen it delivered through advertising, and only on IP addresses, never on domains.

Example Chain

http://72.51. 47.66 /lldb/npbh.php?t=98&dr=yHmZvIL8vXi%2BTiaZMyyXqZY%2BBoaqrPSBcmXEHi22vQI5gAqqOeUIz4kd%2BsMJ5Cx7L1mrKHSFXkrN27ScbolKKJJg4XvclYVVosGLj6MU5b1jtjrwh3tlq2DsLOQMyTseyOY5Q9XltuzxDNQa56NArok
http://72.51. 47.66 /lldb/zuhwcys.zip
http://72.51. 47.66 /lldb/SubepTjhhfChvm.class
http://72.51. 47.66 /lldb/SubepTjhhfChvm%24UtypYtqlgg.class
http://72.51. 47.66 /lldb/hqwzmjv.php?j=203

IPs Observed


View more examples of this traffic > http://pastie.org/pastes/8396549/text?key=fwh0zzyvwqs8huiso5qxw

Thanks to @keithsalmela for helping to keep this updated!