Search Results for: g01

Slight changes in g01pack

1) hiynet. is-a-geek.net/ads/ > Landing
2) oracle.com-Critical-Security-Update-JRE_1.7.u17-Windows-Install-Request-From.hiynet .is-a-geek.net/ads/9hlkii92.file > JAR (application/x-java-archive)
3) hiynet. is-a-geek.net/ads/lp9459f5.php?a=41&bulkily=3d747&i=44903301&bo=40232&priors=n&x=%2F&trismic=V& > XOR’d EXE (application/octet-stream)

Only change here is the jar file. Previous post on g01pack has been updated.

G01pack Exploit Kit Variant

Don’t know if this is an update, or a different campaign, or whatnot…but it’s different than it used to be.

Tricky to acquire. Almost exclusive to malvertising.

DynDns Domains being used:

*.dyndns.org
*.dyndns.info
*.dyndns-at-home.com
*.dyndns.tv
*.dyndns-web.com
*.dyndns.biz
*.dyndns-ip.com
*.homeip.net
*.homelinux.com
*.mine.nu
*.blogsite.org
*.homedns.org
*.homeftp.net
*.blogdns.com
*.webhop.org
*.is-lost.org
*.is-a-musician.com
*.is-a-hunter.com
*.is-a-designer.com
*.is-into-anime.com
*.homeunix.com
*.saves-the-wales.com
*.does-it.net
*.is-an-accountant.com
*.selfip.info
*.dnsdojo.net
*.is-a-geek.com
*.doesntexist.com
*.dynalias.com
*.servegame.org

– i’m sure there are more *.is-* domains…can look for more with regex on domain > “\.is(\-[a-z]+){1,}\.[a-z]+”

Regex for identifying fields:

\/(forum|mix|songs|ports|news|comments|top|funds|feeds|finance|usage|profile|points|look|banners
|view|ads|delivery|paints|audit|css|accounts|internet|tweet|posts)\/

GATES

http://eiscalla.saves-the-whales.com/news/
http://fordnosize.is-an-accountant.com/finance/
http://noinoldun.does-it.net/news/
http://kzzjump.homedns.org/look/

MALJAR

http://talkydao.is-an-accountant.com/finance/s98w4.gif
http://mefb2bri.is-a-hunter.com/finance/syypj.gif
http://uscodedb.is-a-musician.com/finance/ja2pi.gif
http://sizecownwhen.dnsdojo.net/ads/t8wcpk.jpg
http://oracle.com-Critical-Security-Update-JRE_1.7.u17-Windows-Install-Request-From.hiynet .is-a-geek.net/ads/9hlkii92.file
http://sun.com-oracle-security-fix-jdk_1.7.u17-win32-install-request-from-bcwhensi.is-a-soxfan .org/ads/ag9ntac6nc35.applet

HTTP Request Method = GET
Content-type = application/java-archive
User-agent contains *Java/1.*
Regex HTTP URI for \/[a-z0-9]{4,14}\.(gif|jpg|file|applet)$

MALJAR Variant

http://sizecownwhen.dnsdojo.net/ads/llctsudjeyhtsf.png
http://mefb2bri.is-a-hunter.com/ads/5p92jsuhencus8.png
http://uscodedb.is-a-musician.com/ads/28kdujeuhsgyeh.png

HTTP Request Method = GET
HTTP Content-type = text/html*
HTTP URI ends with .png
User-agent contains *Java/1.*
Regex HTTP URI for \/[a-z0-9]{4,14}\.png$

MALJAR Variant 2

http://java.com-oracle-update-runtime.7u23-win32.install-prefix.netsizekocode.is-a-geek.net/ads/h7n6i3w.control

HTTP Request Method = GET
HTTP Content-type = application/java-archive
HTTP URI ends with .control
User-agent contains *Java/1.*
Regex HTTP URI for \/[a-z0-9]{4,14}\.control$

EXEs

http://lewhenfold. is-a-designer.com/finance/2qsyk.php?lint=39705&template=%2F&site=33676207&login=50&

HTTP Request Method = GET
Content-type = application/octet-stream
Regex HTTP URI for “\/(forum|mix|songs|ports|news|comments|top|funds|feeds|finance|usage|profile|points|look|banners|view|
ads|delivery|paints|audit|css|accounts|internet|tweet|posts)\/[a-z0-9]{5,14}\.php”

See more examples of g01Pack Exploit Kit on UrlQuery.net

— Notes

This activity seems to be focused in the 31.193.195.0/24 subnet.

@c_APT_ure reported that g01pack is also active within the past few days at 216.246.98.88-90, and posted a paste of current domains.

Reference: http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/18443

Thanks to @Set_Abominae for helping to keep this updated!

Speedtest.net serving malvertising to g01pack Exploit Kit

You can see paste of main page here. Malicious code begins at line 166.

Cleaned up JS code is here.

This also highlights some changes in the g01pack exploit chain, will post more about it after researching more.

Exploit Chain:

http://www.speedtest.net
http://lewhenfold.is-a-designer.com/finance/
http://lewhenfold.is-a-designer.com/finance/sw4qr.gif (application/java-archive)
http://lewhenfold.is-a-designer.com/finance/rlwra.gif (application/java-archive)
http://lewhenfold.is-a-designer.com/finance/qyjkj.php
http://lewhenfold.is-a-designer.com/finance/2qsyk.php?lint=39705&template=%2F&site=33676207&login=50& (Encoded EXE > 0x7e) > application/octet-stream

g01Pack Exploit Kit

There is an updated post of this exploit kit.

Tricky to acquire. Almost exclusive to malvertising.

DynDns Domains being used:

*.dyndns.org
*.dyndns.info
*.dyndns-at-home.com
*.dyndns.tv
*.dyndns-web.com
*.dyndns.biz
*.dyndns-ip.com
*.homeip.net
*.homelinux.com
*.mine.nu
*.blogsite.org
*.homedns.org
*.homeftp.net
*.blogdns.com
*.webhop.org
*.is-lost.org
*.is-a-musician.com
*.is-a-hunter.com
*.is-into-anime.com
*.homeunix.com
*.saves-the-wales.com
*.does-it.net
*.is-an-accountant.com
*.selfip.info

– i’m sure there are more *.is-* domains…can look for more with regex on domain > “\.is(\-[a-z]+){1,}\.[a-z]+”

Regex for identifying fields:

\/(forum|mix|songs|ports|news|comments|top|funds|feeds|finance|usage|profile|points|look|banners|view)\/

Examples:

GATES

http://butgocodefour.dyndns.org/mix/
http://fivevsevenkey.dyndns.org/mix/
http://sevennfourpark.dyndns.info/forum/
http://qwtoovecho.dyndns.org/mix/
http://foxreajunk.dyndns.info/forum/

MALJAR

http://uonetwodo.dyndns.info/forum/1m1yfygo20iz9lgfola9w9lmjg.jar
http://dryzeroparktoo.dyndns.org/mix/1wl101m55fzf9zg5oii5ozaw11.jar
http://foxreajunk.dyndns.info/forum/1wl101m55fzf9zg5oii5ozaw11m9ogla.jar
http://uonetwodo.dyndns.info/forum/2jmmmmyfgm9i01jyfiyig1fawal9ayfl.jar

EXEs

http://goninefoxseven.dyndns.info/forum/ma0alimf5a0awzjljiiwj2gi9y.php?fid=java_ara&quote=%2F&size=32864079&
http://foxreajunk.dyndns.info/forum/5wawwmaf0g0fo1ljyioo1jiy1zyowwgy.php?quote=%2F&size=33210331&fid=java_ara&
http://uonetwodo.dyndns.info/forum/ma0alimf5a0awzjljiiwj2gi9y.php?size=32893475&fid=java_ara&quote=%2F&

See more examples of g01Pack Exploit Kit on UrlQuery.net