
Detecting BEK via URI Parameters

This might only be interesting to me, but recently BEK has shifted from encoding like this:

.php?Pf=6435663034&Ne=33613638373066373138&N=30&vi=a&KB=A

To something nasty like this:

.php?r7!7K3620M97Xk=wd8e89wbw7&-89a2*_-8h*=8a8bwb8cwwwe8b8ew9w8&Ua3_--8O5u=ww&-5a*1!91=37A42!8!1*I&7!O7PE*N=4Rd*!9mb4

That looks somewhat like a nightmare, but what hasn’t changed is the number of parameters in the URI.

Old EXE URI…

1. Pf=
2. 6435663034&Ne=
3. 33613638373066373138&N=
4. 30&vi=
5. a&KB=
6. A

New EXE URI…

1. r7!7K3620M97Xk=
2. wd8e89wbw7&-89a2*_-8h*=
3. 8a8bwb8cwwwe8b8ew9w8&Ua3_--8O5u=
4. ww&-5a*1!91=
5. 37A42!8!1*I&7!O7PE*N=
6. 4Rd*!9mb4

In looking at this further, it appears that landings have 0 params, JARs have 3 params, PDFs have 5 params, and EXEs have 6 params.

Examples of Variants: (Scroll down on the urlquery link and expand the red JS execution)

/ngen/controlling/ BEK – http://urlquery.net/report.php?id=5463246
/closest/ BEK – http://urlquery.net/report.php?id=5885689

BEK JAR *Most Reliable*

HTTP Method = GET
HTTP URI = *.php?*
User-Agent = *Java/1.*
Content-type = application/x-java-archive
Regex HTTP URI = \.php\?([^=]+=){2}[^=]+$

BEK EXE *May FP*

HTTP Method = GET
User-Agent = *Java/1.*
Regex HTTP URI = \.php\?([^=]+=){5}[^=]+$
Regex HTTP URI != \/[a-z]+\.php (optional to cut down fp’s)
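As an added example (not code from the original post), the parameter-count heuristic and the two rules above applied in Python to the URIs quoted on this page; the file names before ".php", the benign /index.php URI and the header values are assumptions.

```python
import re

# Sample URIs (constructed for this example): the query strings are the ones quoted in
# the post (and the PDF one from the Black Dragon post further down), the file names
# before ".php" are invented. The last one is a benign-looking URI with five parameters,
# included to show what the optional FP filter removes.
SAMPLES = [
    "/ngen/a1b2.php?Pf=6435663034&Ne=33613638373066373138&N=30&vi=a&KB=A",
    "/closest/c3d4.php?r7!7K3620M97Xk=wd8e89wbw7&-89a2*_-8h*=8a8bwb8cwwwe8b8ew9w8"
    "&Ua3_--8O5u=ww&-5a*1!91=37A42!8!1*I&7!O7PE*N=4Rd*!9mb4",
    "/raise/words-printers.php?rtg=cnavm&qznsq=ttczm",
    "/closest/209tuj2dsljdglsgjwrigslgkjskga.php",
    "/closest/209tuj2dsljdglsgjwrigslgkjskga.php?jazk=1l:33:1j:33:2j&esbr=35"
    "&htqgq=30:33:1m:1n:1h:33:30:1o:30:1h&leynl=1n:1d:1g:1d:1h:1d:1f",
    "/index.php?id=1&page=2&sort=3&dir=4&lang=5",
]

# The three regexes from the rules above.
JAR_RE = re.compile(r"\.php\?([^=]+=){2}[^=]+$")   # 3 segments
EXE_RE = re.compile(r"\.php\?([^=]+=){5}[^=]+$")   # 6 segments
FP_RE = re.compile(r"/[a-z]+\.php")                 # plain lowercase script name: likely benign

def segment_count(uri):
    """Count the '='-separated segments of the query, which is how the post counts params."""
    _, sep, query = uri.partition("?")
    return len(query.split("=")) if sep else 0

def classify_by_count(uri):
    """Landing 0, JAR 3, PDF 5, EXE 6 segments, as observed in the post."""
    return {0: "landing", 3: "JAR", 5: "PDF", 6: "EXE"}.get(segment_count(uri), "unknown")

def match_rules(uri, method="GET", user_agent="Java/1.7.0_17", content_type=None, fp_filter=True):
    """Apply the BEK JAR and BEK EXE rules; header values are assumed (a Java client UA)."""
    if method != "GET" or not user_agent.startswith("Java/1."):
        return None
    if content_type == "application/x-java-archive" and JAR_RE.search(uri):
        return "BEK JAR"
    if EXE_RE.search(uri) and not (fp_filter and FP_RE.search(uri)):
        return "BEK EXE"
    return None

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{classify_by_count(uri):8} {match_rules(uri) or '-':8} {uri[:70]}")
```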

BEK 2.1.0 URI Pattern Changes

New URI patterns in the latest BEK 2.1.0…

@Kafeine has written about it here > http://malware.dontneedcoffee.com/2013/06/blackhole-exploit-kit-goes-210-shows.html

BEK2 JNLP

HTTP Method = GET
HTTP URI contains *.php?jnlp=*
User-Agent = JNLP*
Regex HTTP URI for \.php\?jnlp=[a-f0-9]{10}

See examples of BEK2 JNLP on UrlQuery.net

BEK2 JAR

Pretty much the same as before…

HTTP Method = GET
HTTP Content Type = application/java-archive
Regex HTTP URI for \.php\?[a-zA-Z]+=[a-zA-Z]+&[a-zA-Z]+=[a-zA-Z]+$

BEK2 SWF

…haven’t seen often enough yet to make a reliable regex…

BEK 2.1.0 EXE

These are still using the same classic filenames – about.exe, calc.exe, info.exe, readme.exe

HTTP Method = GET
HTTP User Agent contains *Java/1.*
HTTP Content Type = application/x-msdownload
Regex HTTP URI for \.php\?[A-Za-z]f=[0-9]{10}&[A-Za-z]e=[0-9]{20}&[A-Z]=[0-9]{2}

BEK Utilizing JNLP files

Looks like multiple variants of BEK have integrated the use of JNLP files as well.

@secobscurity has a very nice writeup of how JNLP bypasses the security warning that was introduced with JRE 7u11.

Paste of jnlp landing.

d.wholink.pw/raise/words-printers.php?jnlp=b3bd7b747e,07116a753d (text/html)
d.wholink.pw/raise/words-printers.php?rtg=cnavm&qznsq=ttczm (application/java-archive)

BEK JNLP File

HTTP Method = GET
HTTP URI contains *.php?jnlp=*
User-Agent = JNLP*
Regex HTTP URI for \.php\?jnlp=[a-f0-9]{10}(,[a-f0-9]{10})?$

See more examples of BEK JNLP files on UrlQuery.net

Black Dragon BEK2 Variant

This BEK2 variant seems to use some static gate strings, each of which directs to a different payload.

/black_dragon.php
/98y7y432ufh49gj23sldkkqowpsskfnv.php
/98yf8913fjipgjialhg8239jgighnjh4i6k5o.php
/209tuj2dsljdglsgjwrigslgkjskga.php
/984y3fh8u3hfu3jcihei.php

It appears to use the /closest/ tag, but has used /only/ in the past. Everything else is standard BEK2 so it’s likely picked up by existing rules and sigs.

Example:

/closest/209tuj2dsljdglsgjwrigslgkjskga.php > GATE/PluginDetect
/closest/209tuj2dsljdglsgjwrigslgkjskga.php?jazk=1l:33:1j:33:2j&esbr=35&htqgq=30:33:1m:1n:1h:33:30:1o:30:1h&leynl=1n:1d:1g:1d:1h:1d:1f > PDF
/closest/209tuj2dsljdglsgjwrigslgkjskga.php?opliqayu=rbehzty&lntgr=dyvs > JAR
/closest/209tuj2dsljdglsgjwrigslgkjskga.php?lbxpw=1l:33:1j:33:2w&ftq=30:33:1n:1m:1h:33:30:1o:30:2h&jcglbzm=1i&ykwdj=jhx&jgmzjsm=ijbnvlc > EXE from PDF
/closest/209tuj2dsljdglsgjwrigslgkjskga.php?lf=1l:33:1j:33:2w&le=10:33:1n:1m:1h:33:30:1o:20:1h&c=1f&kv=s&vd=t > EXE from JAR

See examples of Black Dragon BEK2 on UrlQuery.net

BEK2 Variant 4

GATE

HTTP Request Method = GET
HTTP URI contains */index.php?*
Regex HTTP URI for “^http:\/\/[a-f0-9]{16}\.[a-z0-9-.]+?\/index\.php\?[a-z]=[a-zA-Z0-9]{150,}(={1,2})?$”

Deob Stuff / Build iframe / Plugindetect

HTTP Request Method = GET
HTTP URI = */sort.php OR */info/last/index.php
Regex HTTP URI for “^http:\/\/[0-9a-f]{25,65}\.”

See examples of /info/last/index.php on UrlQuery.net
See examples of /sort.php on UrlQuery.net

JAR

HTTP Request Method = GET
HTTP URI contains */info/last/index.php*
Content-type = application/java-archive
Regex HTTP URI for “\.php\?[a-z]{3,8}=[a-z]{3,8}&[a-z]{3,8}=[a-z]{3,8}$”

OR

HTTP Request Method = GET
HTTP URI contains */info/finance/*.jar
Content-type = application/java-archive

PDF

HTTP Request Method = GET
HTTP URI contains */info/last/index.php*
Content-type = application/pdf
Regex HTTP URI for “([1-3][a-z0-9]:){9}[1-3][a-z0-9]”

EXE *Currently works for all BEK2 variants that I’m aware of*

HTTP Request Method = GET
HTTP URI contains *.php?*
Content-type = application/x-msdownload
Regex HTTP URI for “([1-3][a-z0-9]:){9}[1-3][a-z0-9]”

EXIT/TIMEOUT REDIR

HTTP Request Method = GET
HTTP URI contains */exit.php*
Regex for “^http:\/\/[0-9a-f]{25,65}\.”

Example Chain:

hxxp://345bd0d9d7a281cf.akafi .net/index.php?o=anM9MSZrZ3l1dHJmZj1neXZkJnRpbWU9MTMwMTI5MTUyMy02NDc4ODcyNzYmc3JjPTI0JnN1cmw9d3d3LmxpbmhhcXVlbnRlLmNvbSZzcG9ydD04MCZrZXk9RTg2NDdFMDYmc3VyaT0vbGluaGFxdWVudGVibG9nLmpz > Gate / build urls
hxxp://345bd0d9d7a281cf01602313012916218222534d01fa8728a24b65823a430cd.akafi .net/sort.php > Write iframe / deob urls in base 64
hxxp://345bd0d9d7a281cf01602313012916218222534d01fa8728a24b65823a430cd.akafi .net/info/last/index.php > Plugin Detect
hxxp://345bd0d9d7a281cf01602313012916218222534d01fa8728a24b65823a430cd.akafi .net/info/last/index.php?zqqwgarw=nib&sndecry=qqub > JAR
hxxp://345bd0d9d7a281cf01602313012916218222534d01fa8728a24b65823a430cd.akafi .net/info/last/index.php?njks=1l:33:1j:33:2w&ogb=3h&ebkh=1l:32:1j:2v:33:2v:1h:1h:1i:1n&rtg=1n:1d:1g:1d:1h:1d:1f > PDF
hxxp://345bd0d9d7a281cf01602313012916218222534d01fa8728a24b65823a430cd.akafi .net/exit.php?x=24&t=onunload > Send victim elsewhere
hxxp://www.freemilfpassport.com/?t=113244,1,99,0 > Popover pr0n
hxxp://345bd0d9d7a281cf01602313012916218222534d01fa8728a24b65823a430cd.akafi .net/info/last/index.php?auivnl=1l:33:1j:33:2w&lak=1l:32:1j:2v:33:2v:1h:1h:1i:1n&udkdh=1i&xozzwtj=psf&pmemeyb=smemh > EXE (Java)
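Added example, not part of the original post: the Variant 4 rules applied in Python to the example chain above (kept defanged exactly as the post writes it), plus a decode of the gate parameter to show that it carries a base64 query string. The content types per stage are assumed from the post's labels, and the colon-token regex is written with the colon inside the repeated group, as in the BEK2 Executables rule further down.

```python
import base64, re
from urllib.parse import urlsplit, parse_qsl

# Rules from the Variant 4 post; TOKENS_RE keeps the colon inside the repeated group
# (as in the BEK2 Executables rule), so it matches the 10-token colon-separated runs.
GATE_RE = re.compile(r"^http://[a-f0-9]{16}\.[a-z0-9-.]+?/index\.php\?[a-z]=[a-zA-Z0-9]{150,}(={1,2})?$")
LONGHOST_RE = re.compile(r"^http://[0-9a-f]{25,65}\.")
JAR_RE = re.compile(r"\.php\?[a-z]{3,8}=[a-z]{3,8}&[a-z]{3,8}=[a-z]{3,8}$")
TOKENS_RE = re.compile(r"([1-3][a-z0-9]:){9}[1-3][a-z0-9]")

# The post's example chain, kept defanged as written; the content types are assumed.
GATE_HOST = "345bd0d9d7a281cf.akafi .net"
LONG_HOST = "345bd0d9d7a281cf01602313012916218222534d01fa8728a24b65823a430cd.akafi .net"
GATE_B64 = ("anM9MSZrZ3l1dHJmZj1neXZkJnRpbWU9MTMwMTI5MTUyMy02NDc4ODcyNzYmc3JjPTI0JnN1cmw9"
            "d3d3LmxpbmhhcXVlbnRlLmNvbSZzcG9ydD04MCZrZXk9RTg2NDdFMDYmc3VyaT0vbGluaGFxdWVudGVibG9nLmpz")
CHAIN = [
    (f"hxxp://{GATE_HOST}/index.php?o={GATE_B64}", None),
    (f"hxxp://{LONG_HOST}/sort.php", None),
    (f"hxxp://{LONG_HOST}/info/last/index.php", None),
    (f"hxxp://{LONG_HOST}/info/last/index.php?zqqwgarw=nib&sndecry=qqub", "application/java-archive"),
    (f"hxxp://{LONG_HOST}/info/last/index.php?njks=1l:33:1j:33:2w&ogb=3h"
     "&ebkh=1l:32:1j:2v:33:2v:1h:1h:1i:1n&rtg=1n:1d:1g:1d:1h:1d:1f", "application/pdf"),
    (f"hxxp://{LONG_HOST}/exit.php?x=24&t=onunload", None),
    (f"hxxp://{LONG_HOST}/info/last/index.php?auivnl=1l:33:1j:33:2w"
     "&lak=1l:32:1j:2v:33:2v:1h:1h:1i:1n&udkdh=1i&xozzwtj=psf&pmemeyb=smemh", "application/x-msdownload"),
]
def refang(url):  # undo the post's defanging ("hxxp", "akafi .net") before matching
    return url.replace("hxxp://", "http://").replace(" .", ".")
def label_stage(url, content_type=None):
    """Return the Variant 4 stage a single GET matches, or None."""
    url = refang(url)
    p = urlsplit(url)
    if GATE_RE.match(url):
        return "gate"
    if not LONGHOST_RE.match(url):  # every later stage sits on the long hex host
        return None
    if p.path.endswith("/exit.php"):
        return "exit-redir"
    if p.path.endswith("/sort.php") or (p.path.endswith("/info/last/index.php") and not p.query):
        return "deob/iframe/plugindetect"
    if content_type == "application/java-archive" and JAR_RE.search(url):
        return "jar"
    if TOKENS_RE.search(url):  # PDF and EXE share the colon-token parameter encoding
        return {"application/pdf": "pdf", "application/x-msdownload": "exe"}.get(content_type, "pdf/exe")
    return None
def gate_param_keys(url):  # base64-decode the gate's single parameter, return the keys inside it
    _, value = parse_qsl(urlsplit(refang(url)).query)[0]
    decoded = base64.b64decode(value + "=" * (-len(value) % 4)).decode("ascii")
    return [k for k, _ in parse_qsl(decoded)]
```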

BEK2 :8080 Redirectors

These redirect to the BEK variant that uses :8080 from mass phishing.

HTTP Request Method = GET
Regex HTTP URI for “\.htm\?[A-Z0-9]{3,}=[A-Z0-9]{5,}$”

eg.

http://kazanhospital .ru/osc.htm?TZPJ6=D3DVRRBQ5OUJLV85WPG
http://danadala .ru:8080/forum/links/column.php

http://www.borgometeo .it/mail.htm?FO0IGS=8OP4BWSO
http://bunakaranka .ru:8080/forum/links/column.php

http://wt.ktus.ttct.edu .tw/sites/default/files/upload.htm?v203=3dr1g9rfkk
http://moneymakergrow .ru:8080/forum/links/column.php

http://www.gcpvail .com/modules/mail.htm?vp9y3=1ybzz81887575rrcki
http://bunakaranka.ru:8080/forum/links/column.php

See examples of BEK2 :8080 Redirectors on UrlQuery.net

“Shrift” BEK2 EOT Exploit

It looks like the EOT exploit has been incorporated into some Blackhole Exploit Kit Variants.

HTTP Request Method = GET
HTTP URI = */shrift.php

Examples:


https://www.virustotal.com/file/196c3e10bc46e2b70ef5f9798e41ced89a3a81080310fa299147c18466587033/analysis/

See examples of BEK2 EOT Exploit on UrlQuery.net

BEK2 Executables

This will detect multiple BEK2 executables across multiple variants.

HTTP Request Method = GET
Content Type = “application/x-msdownload”
HTTP URI =*.php?*
Regex HTTP URI for “([1-3][a-z0-9]:){9}[1-3][a-z0-9]”

BEKv2 Gate Variant (q.php)

This variant is centered on large networks. These IP ranges have been malicious since at least September 2012 and should be blocked.

Currently affected networks:

129.121.0.0 – 129.121.255.255
149.47.0.0 – 149.47.63.255
65.75.160.0 – 65.75.175.255
64.247.176.0 – 64.247.191.255

HTTP Request Method = GET
Regex HTTP URI for “\/[a-f0-9]{16,32}\/q\.php”

hxxp://129.121. 126.40/3191945b9fd4baee19fe6d1a1f16341b/q.php
hxxp://129. 121.113.91/d3c25604f85a1ea4f1278802cd56ae67/q.php
hxxp://149.47.253. 180/5983387568aa76e343060cf644cef37a/q.php

See examples of BEKv2 q.php Gate Variant on UrlQuery.net

Reference: http://malware.dontneedcoffee.com/2012/09/ULockerAS36444BHEK.html

BEK 2 Payloads – Old

BEK2 used to use a 64-char hex field in its payloads. Not seen lately.

HTTP Request Method = GET
HTTP URI = *.php?*

Regex URI for “\/[a-z0-9-_]+?\.php\?[a-z]+?=[0-9a-f]{64}&[a-z]+?=[0-9a-f]+?&”

Examples:

hxxp://epistlepu.info/links/busy-tasks-lacking.php?sbzpklj=050b040b0633090a04040904093508350b34060b0306030b070436360b383606&xvlubip=0a0005000300040a0b&fcqqb=03000900020009&xvljbpt=03030006000602040004080
hxxp://hiofuries.info/links/busy-tasks-lacking.php?kycis=0909073437030237070609050735020208063437330605073708023836380235&ujmnbn=0b000500020002&taltiudw=02000200020002&suo=030300060006020400040807
hxxp://wacookery.info/links/busy-tasks-lacking.php?fsbsreh=363402043406330b0835063807033506070b3636053603070a34043404050b38&tzhnrg=3d&ngo=333605330b3407083405&krvaiarm=0a0005000200040a02
hxxp://yaocookery.info/links/came_broadcasting_taking-various.php?gjbrvk=3736070804350b0b05063707330b04343609383436353508330705020b090802&wplctb=363c&mwesp=zjzqro&ncegre=vlefxsgu