Category Archives: Exploit Kit Signatures

EK Redirect – Silverlight rewrite

Noticed some interesting traffic following the below:

hxxp://sunduk.biz/forum/docs/login.php
hxxp://qobac.cobor.in/g76df4d/rtp.xap?0.4495108588209197
hxxp://qobac.cobor.in/g76df4d/rtu.swf?0.4495108588209197
hxxp://qobac.cobor.in/g76df4d/rtu.php?0.4495108588209197

hxxp://qobac.cobor.in/pofrj4l/2 > Fiesta Gate

When observing the landing, there is no rtu.php file present > http://pastebin.com/n6dYSHY4

The .xap (Silverlight) file is downloaded; when you open it in a tool like ILSpy, it’s quite clear what is happening.

dumb

The rtu.php file simply redirects to Fiesta…

¯\_(ツ)_/¯

FakeAV is still alive…

Like it’s 2010, I guess. This is just a simple FakeAV being delivered from ads on sites like telegraph.co.uk and dailymotion.com. No exploit; it just relies on the user clicking yes to download it and then running it.

omg

All activity I have seen appears to be for a few IP addresses, and the domains use the .nl TLD.

212.83.155.45, 212.83.155.46, and 212.83.155.47 (a range highly utilized by Neutrino lately)

As far as I can tell, this campaign appears to have become active around Jan 23rd 2014 and is currently ongoing.

Chain:

1) Come from Google to a site that displays the advertisement
2) Advertisement loads and redirects you
3) http://wed322d2.windowsdefence-rv .nl/index.php?key=[32 char hex] < Main page
4) http://wed322d2.windowsdefence-rv .nl/message.png (classic antivirus popup) < Scary image
5) http://wed322d2.windowsdefence-rv .nl/index.php?key=[32 char hex]&key2=download < EXE

Post-Compromise Traffic:

http://93.115.86.197/?0=13&1=1&2=15&3=i&4=7600&5=0&6=1111&7=kyxnujmwnn

Cool splash screen

Finding Himan EK

@Kafeine has a great overview of HiMan EK.

Here are some places it’s been recently.

217.23.1.129
217.23.1.164
37.200.65.95
46.182.27.35
46.182.27.68
46.182.27.114
46.182.27.118
46.182.27.140
46.182.27.162
46.182.27.179
46.182.27.218
46.182.27.234


Finding Angler EK

Angler EK Exploits

HTTP Method = GET
Regex URI = ^http:\/\/[^/]+\/0[a-z0-9]{13}$

Angler EK Payloads

HTTP Method = GET
Regex URI = ^http:\/\/[^/]+\/1[a-z0-9]{13}$

Examples of AnglerEK on Urlquery.net

Date / IP Address

(12/01 – 12/02) 144.76.132.248
(11/29 – 12/02) 69.60.111.222
(11/28 – 11/30) 144.76.132.243
(11/27 – 11/30) 50.7.187.34
(11/27) 144.76.132.244
(11/25 – 11/28) 78.47.161.139
(11/25 – 11/27) 74.3.164.9
(11/24 – 11/26) 23.250.9.18
(11/24) 78.47.161.138
(11/23 – 11/26) 74.3.161.33
(11/23 – 11/25) 74.3.161.32
(11/23 – 11/27) 74.3.164.12
(11/23 – 11/25) 74.3.164.7
(11/23) 74.3.161.34
(11/23) 173.199.114.115
(11/22 – 11/26) 64.191.27.66
(11/22 – 11/26) 74.3.164.11
(11/22 – 11/25) 78.47.161.141
(11/22 – 11/23) 74.3.164.4
(11/21) 23.229.69.18
(11/21) 78.47.161.134
(11/21 – 11/25) 64.251.13.154
(11/20 – 11/22) 91.231.85.104
(11/18 – 11/23) 195.189.246.118
(11/17 – 11/18) 5.39.47.12
(11/17 – 11/21) 62.109.10.80
(11/17) 195.211.153.7
(11/15 – 11/20) 192.3.206.26
(11/15) 78.47.235.252
(11/15) 23.229.69.50
(11/15 – 11/22) 64.187.226.237
(11/12) 50.7.187.34
(11/11 – 11/14) 173.208.177.18
(11/13) 192.96.206.78
(11/13) 195.211.154.12
(11/06 – 11/13) 88.198.204.218
(11/09 – 11/14) 91.231.85.19
(11/06 – 11/08) 184.82.116.134
(11/06 – 11/07) 67.211.207.222
(10/30 – 11/01) 93.170.137.9
(10/27 – 10/31) 64.187.225.253
(10/27 – 10/30) 144.76.161.251
(10/18 – 10/24) 93.115.93.54
(10/19 – 10/20) 144.76.161.247
(10/18 – 10/21) 184.82.27.108
(10/18) 82.192.71.115
(10/14 – 10/15) 64.187.225.239

Flashpack /svoykrik/ Variant

Flashpack is still around. It has recently been seen delivered via ads.

Observed IP Addresses:

198.98.121.245
108.171.205.105
46.254.21.128
50.2.53.150

GATE

HTTP Method = GET
HTTP URI contains */svoykrik/gate.php?id=*&callback=__JSONP__0
Regex HTTP for id=[0-9]{20,}

JAR

HTTP Method = GET
HTTP URI contains */svoykrik/jete/*
User Agent = *Java/1.*
Content-type = application/x-java-archive
Regex HTTP for \/[a-f0-9]{32}\.jar$

EXE

HTTP Method = GET
HTTP URI contains */svoykrik/*
User Agent = *Java/1.*
Regex HTTP for \.php\?cashe=[0-9]{20}$

Unknown EK

If anyone has more information on this, please hit me up on twitter.

It seems to have been active at least since April of this year. I have only seen it delivered with advertising, and have not seen it used with domains, only IPs.

Example Chain

http://72.51. 47.66 /lldb/npbh.php?t=98&dr=yHmZvIL8vXi%2BTiaZMyyXqZY%2BBoaqrPSBcmXEHi22vQI5gAqqOeUIz4kd%2BsMJ5Cx7L1mrKHSFXkrN27ScbolKKJJg4XvclYVVosGLj6MU5b1jtjrwh3tlq2DsLOQMyTseyOY5Q9XltuzxDNQa56NArok
http://72.51. 47.66 /lldb/zuhwcys.zip
http://72.51. 47.66 /lldb/SubepTjhhfChvm.class
http://72.51. 47.66 /lldb/SubepTjhhfChvm%24UtypYtqlgg.class
http://72.51. 47.66 /lldb/hqwzmjv.php?j=203

IPs Observed

207.198.127.193
216.151.221.204
216.152.135.29
216.157.98.124
216.157.99.240
216.157.99.241
216.157.99.242
216.157.99.243
216.157.99.71
216.157.99.72
216.157.99.73
216.157.99.1
64.34.127.178
66.135.36.55
69.174.251.126
72.51.36.1
72.51.36.210
72.51.44.21
72.51.44.25
72.51.44.40
72.51.44.41
72.51.44.42
72.51.44.63
72.51.44.72
72.51.47.121
72.51.47.153
72.51.47.154
72.51.47.66
72.51.47.69
76.74.152.33
76.74.152.34
76.74.152.98
76.74.153.247
76.74.153.248
76.74.154.147
76.74.154.176
76.74.155.223
76.74.155.225
76.74.155.226
76.74.155.227
76.74.157.90
76.74.166.8
76.74.236.151
76.74.236.152
76.74.236.153
76.74.237.156
76.74.237.157

View more examples of this traffic > http://pastie.org/pastes/8396549/text?key=fwh0zzyvwqs8huiso5qxw

Thanks to @keithsalmela for helping to keep this updated!

Detecting BEK via URI Parameters

This might only be interesting to me, but recently BEK has shifted from encoding like this:

.php?Pf=6435663034&Ne=33613638373066373138&N=30&vi=a&KB=A

To something nasty like this:

.php?r7!7K3620M97Xk=wd8e89wbw7&-89a2*_-8h*=8a8bwb8cwwwe8b8ew9w8&Ua3_--8O5u=ww&-5a*1!91=37A42!8!1*I&7!O7PE*N=4Rd*!9mb4

That looks somewhat like a nightmare, but what hasn’t changed is the number of parameters in the URI.

Old EXE URI…

1. Pf=
2. 6435663034&Ne=
3. 33613638373066373138&N=
4. 30&vi=
5. a&KB=
6. A

New EXE URI…

1. r7!7K3620M97Xk=
2. wd8e89wbw7&-89a2*_-8h*=
3. 8a8bwb8cwwwe8b8ew9w8&Ua3_--8O5u=
4. ww&-5a*1!91=
5. 37A42!8!1*I&7!O7PE*N=
6. 4Rd*!9mb4

In looking at this further, it appears that landings have 0 params, JARs have 3 params, PDFs have 5 params, and EXEs have 6 params.

Examples of Variants: (Scroll down on the urlquery link and expand the red JS execution)

/ngen/controlling/ BEK – http://urlquery.net/report.php?id=5463246
/closest/ BEK – http://urlquery.net/report.php?id=5885689

BEK JAR *Most Reliable*

HTTP Method = GET
HTTP URI = *.php?*
User-Agent = *Java/1.*
Content-type = application/x-java-archive
Regex HTTP URI = \.php\?([^=]+=){2}[^=]+$

BEK EXE *May FP*

HTTP Method = GET
User-Agent = *Java/1.*
Regex HTTP URI = \.php\?([^=]+=){5}[^=]+$
Regex HTTP URI != \/[a-z]+\.php (optional to cut down fp’s)
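As an added example (not code from the post), here is a Python implementation of the parameter-count idea and the two BEK rules above, run over constructed request records. It goes slightly beyond the post by mapping every stage's parameter count to a label, not only JAR and EXE. The two EXE query strings are the ones quoted in the post; the host example.invalid, the paths, the JAR query string and the Java User-Agent string are assumptions.

```python
import re

# BEK rules from the post. The post counts "params" as the number of
# '='-separated segments in the query, so the JAR rule's {2} and the EXE
# rule's {5} correspond to 3 and 6 segments respectively.
BEK_JAR_URI = re.compile(r"\.php\?([^=]+=){2}[^=]+$")
BEK_EXE_URI = re.compile(r"\.php\?([^=]+=){5}[^=]+$")
# Optional negative rule from the post: a plain lowercase script name such
# as /download.php is more likely a legitimate Java download than BEK.
BEK_EXE_EXCLUDE = re.compile(r"\/[a-z]+\.php")
JAR_CONTENT_TYPE = "application/x-java-archive"

# Stage by segment count, as observed in the post.
STAGE_BY_PARAM_COUNT = {0: "landing", 3: "jar", 5: "pdf", 6: "exe"}


def param_count(uri):
    """Number of '='-separated segments after '?', or 0 with no query string.
    Counting '=' works for the obfuscated keys too: neither the keys nor the
    values of the new encoding contain '='."""
    _, sep, query = uri.partition("?")
    if not sep or not query:
        return 0
    return query.count("=") + 1


def stage_by_params(uri):
    """Guess the BEK stage from the parameter count alone (None if unknown)."""
    return STAGE_BY_PARAM_COUNT.get(param_count(uri))


def classify_bek(method, user_agent, content_type, uri):
    """Apply the post's BEK JAR and EXE rules to one request.

    Returns "bek-jar", "bek-exe" or None. Both rules require a GET with a
    Java/1.* User-Agent; the JAR rule also requires the JAR content type,
    and the EXE rule applies the optional exclusion."""
    if method != "GET" or "Java/1." not in (user_agent or ""):
        return None
    if content_type == JAR_CONTENT_TYPE and BEK_JAR_URI.search(uri):
        return "bek-jar"
    if BEK_EXE_URI.search(uri) and not BEK_EXE_EXCLUDE.search(uri):
        return "bek-exe"
    return None


# Constructed sample requests. The two EXE query strings are the old and new
# encodings quoted in the post; host, paths and the JAR query are made up.
JAVA_UA = "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_25"  # assumed Java UA
OLD_EXE_QUERY = "Pf=6435663034&Ne=33613638373066373138&N=30&vi=a&KB=A"
NEW_EXE_QUERY = ("r7!7K3620M97Xk=wd8e89wbw7&-89a2*_-8h*=8a8bwb8cwwwe8b8ew9w8"
                 "&Ua3_--8O5u=ww&-5a*1!91=37A42!8!1*I&7!O7PE*N=4Rd*!9mb4")
SAMPLE_REQUESTS = [
    ("GET", "Mozilla/5.0 (Windows NT 6.1)", None,
     "http://example.invalid/closest/"),
    ("GET", JAVA_UA, JAR_CONTENT_TYPE,
     "http://example.invalid/closest/x7q2.php?Wq=6435&Lx=3361"),
    ("GET", JAVA_UA, None,
     "http://example.invalid/closest/x7q2.php?" + OLD_EXE_QUERY),
    ("GET", JAVA_UA, None,
     "http://example.invalid/closest/x7q2.php?" + NEW_EXE_QUERY),
    # Six segments but a plain lowercase script name: the exclusion drops it.
    ("GET", JAVA_UA, None,
     "http://example.invalid/download.php?" + NEW_EXE_QUERY),
]


def run_samples():
    """Classify every sample; returns (uri, param_count, stage, verdict) rows."""
    return [(uri, param_count(uri), stage_by_params(uri),
             classify_bek(method, ua, ct, uri))
            for method, ua, ct, uri in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for uri, n, stage, verdict in run_samples():
        print(f"{n:>2} params  stage={stage!s:8} rule={verdict!s:8} {uri}")
```

The last sample shows why the post marks the EXE rule "May FP": the parameter count alone says "exe", but the exclusion on a lowercase-only script name suppresses the hit, so the count is best treated as a hunting pivot and the full rule (method, User-Agent, content type, regex) as the alert.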

HTML Ransomware (Browlock)

F-Secure has good writeups w/ pics.

Domains

http://polizei. de.id418617766-7663 816001.h2558 .com/
http://polizia- penitenziaria.it.id 560639580-7614024630.h2558 .com/
http://fbi.gov. id503845846-4250343 921.e3485 .com/
http://europol. europe.eu.id4571150 76-3952336761.h2558 .com/
http://europol. europe.eu.france.id 939452574-6333297494.s1523 .com/
http://politie. nl.id710883125-2999 810328.v2783 .com/
http://afp.gov. au.id242687187-1661 635308.z3476 .com/
http://police.h u.id134465522-91392 26962.e6751 .com/
http://policia. es.id130353034-4831 771390.k5741 .com/
http://rcmp.gc. ca.id768819119-3487 405861.z3476 .com/
http://polizei. gv.at.id912354877-1 044451441.e2456 .com/
http://police.g ovt.nz.id657546456- 3999456674.e9635 .com/
http://polisen. se.id537054689-8785 274190.i6468 .com/
http://politi.n o.id549630431-46653 99949.e8679 .com
http://polfed-f edpol.be.id32168266 1-5528465056.z3476 .com/
http://policja. pl.id906759031-7211 363077.p8569 .com/
http://cyberpol ice.lt.id252161139- 4927948242 .q3754.com
http://cybercri meunit.gr.id2521611 39-4927948242.q3754 .com
http://astynomi a.gr.id252161139-49 27948242.q3754 .com
http://asp.gov. al.id252161139-4927 948242.q3754 .com
http://egm.gov. tr.id186914923-5094 277828.o4854 .com
http://fia.gov. pk.id252161139-4927 948242.q3754 .com/
http://poliisi. no.id252161139-4927 948242.q3754 .com/
http://nr3c.gov .pk.id252161139-492 7948242.q3754 .com/
http://npa.go.j p.id423342221-90402 40625.h6785 .com/
http://npb.gov. pk.id252161139-4927 948242.q3754 .com/
http://mchs.gov .ru.id252161139-492 7948242.q3754 .com/
http://logregla .is.id252161139-492 7948242.q3754 .com/
http://mvr.bg.i d252161139-49279482 42.q3754 .com/
http://politiar omana.ro.id25216113 9-4927948242.q3754 .com/
http://police.i s.id252161139-49279 48242.q3754 .com/
http://rusipa.r u.id252161139-49279 48242.q3754 .com/
http://police.g ov.mt.id252161139-4 927948242.q3754 .com/
http://policija .hr.id252161139-492 7948242.q3754 .com/
http://mvdrf.ru .id252161139-492794 8242.q3754 .com/

Recent IPs

193.169.87.14
195.20.141.61
91.220.131.56
91.220.131.106
91.220.131.193
91.220.131.108

Regex

URI:
\/\?flow_id[0-9&=]+\/case_id=[0-9]+$

Domains:
\.id[0-9]{9}\-[0-9]{10}\.[a-z][0-9]{4}\.com$

Sakura EK on waw .pl domains

I have noticed Sakura active on the waw.pl root domain.

As @kafeine notes, this is a TDS in front of a particular instance of Sakura.

Examples

adscarl.liabufa.waw. pl/?joke=9
a6johns.omegdia.waw .pl/?joke=9
a2publi.foscidir.waw. pl/?joke=9
99calva.lofnala.waw .pl/?foll=2
7bqjis.triptenlu.waw. pl/?foll=2

Tags seen include joke, poke, moon, foll, good, hera, key, etc.

IPs

50.7.177.254 (fdcservers nl)
50.7.177.253 (fdcservers nl)
50.7.178.13 (fdcservers nl)
85.17.122.119 (leaseweb nl)

Regex for TDS domains

^[a-z0-9]{6,7}\.[a-z]+\.waw\.pl$

Alternate Regex for TDS URI

\.waw\.pl\/\?[a-z]+=[0-9]+?$
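The Angler, Flashpack, Browlock and Sakura rules above are all field-and-regex signatures. As an added example (not code from any of the posts), here is a small Python matcher that encodes each of them and runs them over a constructed tab-separated request log. The patterns are the posts' own; the log format, the hosts (example.invalid, example-agency.id…, abc1234.sample.waw.pl), the script name load.php, the sample id/cashe/flow_id values and the User-Agent strings are assumptions.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Signatures transcribed from the posts above. Every field present in a
# signature must hold for a request to match. "*"-globs are the posts'
# own wildcard notation; regexes are searched in the full URL or the host.
SIGNATURES = [
    {"name": "angler-exploit", "method": "GET",
     "url_re": r"^http:\/\/[^/]+\/0[a-z0-9]{13}$"},
    {"name": "angler-payload", "method": "GET",
     "url_re": r"^http:\/\/[^/]+\/1[a-z0-9]{13}$"},
    {"name": "flashpack-gate", "method": "GET",
     "url_glob": "*/svoykrik/gate.php?id=*&callback=__JSONP__0",
     "url_re": r"id=[0-9]{20,}"},
    {"name": "flashpack-jar", "method": "GET", "url_glob": "*/svoykrik/jete/*",
     "ua_glob": "*Java/1.*", "content_type": "application/x-java-archive",
     "url_re": r"\/[a-f0-9]{32}\.jar$"},
    {"name": "flashpack-exe", "method": "GET", "url_glob": "*/svoykrik/*",
     "ua_glob": "*Java/1.*", "url_re": r"\.php\?cashe=[0-9]{20}$"},
    {"name": "browlock-uri",
     "url_re": r"\/\?flow_id[0-9&=]+\/case_id=[0-9]+$"},
    {"name": "browlock-domain",
     "host_re": r"\.id[0-9]{9}\-[0-9]{10}\.[a-z][0-9]{4}\.com$"},
    {"name": "sakura-tds-domain",
     "host_re": r"^[a-z0-9]{6,7}\.[a-z]+\.waw\.pl$"},
    {"name": "sakura-tds-uri",
     "url_re": r"\.waw\.pl\/\?[a-z]+=[0-9]+?$"},
]


def matches(sig, req):
    """True when every field the signature specifies holds for the request."""
    host = urlsplit(req["url"]).hostname or ""
    checks = [
        ("method", lambda v: req["method"] == v),
        ("content_type", lambda v: req["content_type"] == v),
        ("url_glob", lambda v: fnmatchcase(req["url"], v)),
        ("ua_glob", lambda v: fnmatchcase(req["ua"], v)),
        ("url_re", lambda v: re.search(v, req["url"]) is not None),
        ("host_re", lambda v: re.search(v, host) is not None),
    ]
    return all(test(sig[field]) for field, test in checks if field in sig)


def parse_log(text):
    """Parse the constructed log: method, url, user-agent, content-type
    ('-' means no Content-Type), one tab-separated request per line."""
    requests = []
    for line in text.strip().splitlines():
        method, url, ua, content_type = line.split("\t")
        requests.append({"method": method, "url": url, "ua": ua,
                         "content_type": None if content_type == "-" else content_type})
    return requests


def detect(text):
    """Map each logged URL to the names of the signatures it triggers."""
    return {r["url"]: [s["name"] for s in SIGNATURES if matches(s, r)]
            for r in parse_log(text)}


# Constructed sample log: one request per rule plus one benign request.
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1)"
JAVA_UA = "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_25"  # assumed Java UA
JAR_CT = "application/x-java-archive"
SAMPLE_LOG = "\n".join("\t".join(fields) for fields in [
    ("GET", "http://example.invalid/0a1b2c3d4e5f6g", BROWSER_UA, "-"),
    ("GET", "http://example.invalid/1a1b2c3d4e5f6g", JAVA_UA, "-"),
    ("GET", "http://example.invalid/svoykrik/gate.php?id=12345678901234567890&callback=__JSONP__0", BROWSER_UA, "-"),
    ("GET", "http://example.invalid/svoykrik/jete/0123456789abcdef0123456789abcdef.jar", JAVA_UA, JAR_CT),
    ("GET", "http://example.invalid/svoykrik/load.php?cashe=12345678901234567890", JAVA_UA, "-"),
    ("GET", "http://example-agency.id123456789-0123456789.h2558.com/?flow_id=123456/case_id=7890", BROWSER_UA, "-"),
    ("GET", "http://abc1234.sample.waw.pl/?joke=9", BROWSER_UA, "-"),
    ("GET", "http://example.invalid/index.php?page=1", BROWSER_UA, "-"),
])


if __name__ == "__main__":
    for url, names in detect(SAMPLE_LOG).items():
        print(f"{', '.join(names) or '-':40} {url}")
```

Note how broad the Flashpack EXE glob `*/svoykrik/*` is on its own: the gate request only escapes the EXE rule because its User-Agent is not Java, and the JAR request only because the cashe= regex fails, so the User-Agent and regex fields carry the precision and should not be dropped when porting these rules to a different engine.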

30 days of Neutrino Domains/IPs

This is just a quick summary of Neutrino utilization on port 8000 in the past 30 days.

IPs Utilized:

178.175.140.197
62.113.243.251
46.37.184.57
46.37.167.131
37.139.20.190
37.139.13.5
178.32.72.132
94.249.196.115
37.139.2.46

Root dyndns domains utilized:

barrel-of-knowledge.info
blogdns.net
blogsite.org
dnsalias.com
dnsalias.net
dnsdojo.org
doesntexist.com
dynalias.com
dynalias.net
dyndns-at-work.com
dyndns-free.com
dyndns-mail.com
dyndns-office.com
dyndns-remote.com
dyndns-server.com
dyndns.biz
dyndns.info
dyndns.org
dyndns.ws
from-mn.com
from-mo.com
from-nh.com
from-sc.com
game-host.org
game-server.cc
go.dyndns.org
gotdns.com
gotdns.org
ham-radio-op.net
homedns.org
homelinux.com
homelinux.net
homelinux.org
homeunix.com
is-a-doctor.com
is-a-geek.com
is-a-geek.net
is-a-hard-worker.com
is-a-nurse.com
is-a-rockstar.com
is-a-soxfan.org
is-a-student.com
is-a-teacher.com
is-into-games.com
isa-geek.net
isa-hockeynut.com
likes-pie.com
merseine.nu
mine.nu
mypets.ws
office-on-the.net
selfip.biz
selfip.info
servegame.org
webhop.org

PDNS from VirusTotal:

2013-07-14 fohespwhsxdeoevgupi.isa-geek.net
2013-07-15 evmyxyowcggqnnqub.gotdns.com
2013-07-27 ucxscsdordjwmjftomqxw.dnsdojo.org
2013-07-29 bfdxurkbhmksnqnfvurt.mine.nu
2013-07-29 cuvrbrygnunjuqcsu.dyndns-free.com
2013-07-29 huydsxfmbmdvdsekxcrs.dyndns-free.com
2013-07-29 jqurrdpjldv.mine.nu
2013-07-29 kemepjknmqlrgqeewmkeq.mine.nu
2013-07-29 lhybcjigicwiyucj.mine.nu
2013-07-29 lyixmpofgpko.mine.nu
2013-07-29 mmipspcgixgmc.mine.nu
2013-07-29 qbpvjjlrkmlfbtmty.mine.nu
2013-07-30 djikdstrjtnpixp.mine.nu
2013-07-30 dqxjtiuctrvhd.home.dyndns.org
2013-07-30 imxkurddgimms.mine.nu
2013-07-30 ipcxsgvgpbvhtlkpqbug.mine.nu
2013-07-30 itringjhlkol.mine.nu
2013-07-30 klxyfhxcmrnynoflofvf.home.dyndns.org
2013-07-30 lyofjykhvgomhnfnj.mine.nu
2013-07-30 oncpytncsfchbujgjno.mine.nu
2013-07-31 bxwqvjgbmqk.dyndns.info
2013-07-31 opvqxlpedljgfrlmx.dyndns.info
2013-08-02 loovimhryji.doesntexist.com
2013-08-02 slqvfsisiec.doesntexist.com
2013-08-03 chvfdfpcnnlsq.from-mo.com
2013-08-03 dpdcwybxyemvmbvtqx.game-server.cc
2013-08-03 idlehljfrtyreubvccpyv.dnsdojo.org
2013-08-04 yquyhcmxnqfcvtcmifio.blogdns.net
2013-08-05 epbwiktxkjqfhjdbmhc.dyndns.biz
2013-08-05 ffekmnfjpkwgfubbkdjle.dyndns-mail.com
2013-08-05 fhnvreuudrurwtvvysyt.dyndns.biz
2013-08-05 gxwwncvhctfvjgvihms.dyndns-mail.com
2013-08-05 herqlqxdywyofyfy.dyndns.biz
2013-08-06 cgejxoygmcmijnkft.is-a-geek.net
2013-08-06 crudulitynhdmvfs.homedns.org
2013-08-06 eduhcxsjtcwxod.dyndns-office.com
2013-08-06 gexfrfhebmws.homedns.org
2013-08-06 hvjcwgbljvd.dyndns-office.com
2013-08-06 ijrvgifrtpuiyjqyyv.dyndns-office.com
2013-08-07 dknendudbxibkucs.selfip.biz
2013-08-07 evohqrhpyib.selfip.biz
2013-08-07 icccbicuyogpdggkngmld.from-nh.com
2013-08-07 ijuyfvuetwmw.from-nh.com
2013-08-09 cuscusramd.com
2013-08-13 heeiyhqmrpmen.homeunix.com
2013-08-15 btovvdqbpuswlvtqdns.dynalias.com
2013-08-15 buuyutwvijnxtlwnicsr.dynalias.com
2013-08-15 cqbrtyemqcnlvmgq.dynalias.com
2013-08-15 dqhwsqrnrykki.dynalias.com
2013-08-15 dvfhsdisfpnnpofiv.dynalias.com
2013-08-15 emusioqsklknxdxfbxym.dynalias.com
2013-08-15 eyldiklxipeypwevmmhlg.dynalias.com
2013-08-15 fjljyopdxmsq.dynalias.com
2013-08-15 ginxixipxfg.dynalias.com
2013-08-15 sbrrneojcgycxy.dnsalias.net
2013-08-15 ymucnychdhfleq.dnsalias.net
2013-08-16 nchewvcysgctcql.barrel-of-knowledge.info
2013-08-17 efdtwohdpghivooom.homelinux.org
2013-08-17 inmetr.lorenzobenitez.net
2013-08-17 mdhfsvtuugt.homelinux.org
2013-08-17 ncuguymmxjblqn.dynalias.net
2013-08-19 cxrpvisjujpnl.homelinux.com
2013-08-19 dnocgbovhyt.homelinux.com
2013-08-19 fekmsvcyqysuuvfib.homelinux.com
2013-08-19 fuejneifgblstxommvh.homelinux.com
2013-08-19 klrjkhvtosxkspyg.barrel-of-knowledge.info
2013-08-19 qckerkeimucyljuo.homelinux.com
2013-08-19 qxpgeyvuwfcggo.homelinux.com
2013-08-19 sulueddcpxwuitdq.homelinux.com
2013-08-20 cjqpjhcpjfuchobnhr.dnsalias.com
2013-08-20 dqicecyvjtjpjiykrug.dnsalias.com
2013-08-20 drnfohqeolpydms.is-a-nurse.com
2013-08-20 fgedcdyrsegf.is-a-nurse.com
2013-08-20 fjkvhkjoljjnyqpesoyci.dnsalias.com
2013-08-20 tjskrndtdvq.homelinux.net
2013-08-21 eudokkqrbmljhfwuof.game-host.org
2013-08-21 fliytctmdbwypfbbxesxx.game-host.org
2013-08-21 teuewjlbdkowylouuoj.game-host.org
2013-08-24 fhdgicbhdvplyogeiqjj.dyndns.org
2013-08-24 kigqmdtobip.dyndns.org
2013-08-24 kxulhtoscru.dyndns.org
2013-08-25 bscxwytnylwpmg.homelinux.com
2013-08-25 fowsnxpeqlkfqb.homelinux.com
2013-08-25 hfcvvosrcdbwcubib.homelinux.com
2013-08-25 mhikmpnxbvqsvgofq.homelinux.com
2013-08-25 nslerbqfcmvvcpiglny.dynalias.com
2013-08-26 nxxesqogrmykpswvhvd.homelinux.com
2013-08-28 bkskrdrumuovejhdi.dyndns-at-work.com
2013-08-28 bmmhkoxpxjxugje.is-a-soxfan.org
2013-08-28 ebqcqwwnqdxugsidfie.is-a-soxfan.org
2013-08-28 eekbvlmjprrkmfkioxnf.is-a-soxfan.org
2013-08-28 fmcxfcvvvyhyfvkootc.is-a-soxfan.org
2013-08-28 frjbwbstkvbf.is-a-soxfan.org
2013-08-28 gpwmwmdbkyenkfkvrsl.is-a-soxfan.org
2013-08-28 guitxfefsmerbedsou.dyndns-at-work.com
2013-08-28 hpicefgmmjudoqkioomt.dyndns-at-work.com
2013-08-28 ihncgxdrgjkiwvlje.is-a-soxfan.org
2013-08-28 imvrmbgvfqrvjeguydkf.is-a-soxfan.org
2013-08-28 kmlrjwxurxw.is-a-soxfan.org
2013-08-28 knrvgbsevkdtx.is-a-soxfan.org
2013-08-28 luvpgefeqkwwyuk.is-a-soxfan.org
2013-08-28 lwfitrywqudkdgpl.is-a-soxfan.org
2013-08-28 mcwcjsmhvytpr.is-a-soxfan.org
2013-08-28 ocrlypitodq.dyndns-at-work.com
2013-08-28 pepqmdouhnioxivbms.dyndns-at-work.com
2013-08-28 pgxfmikqgve.dyndns-at-work.com
2013-08-28 rjkdwiugxuyuqbgb.dyndns-at-work.com
2013-08-29 ckohptxxrsrrggbv.is-a-geek.com
2013-08-29 fugmdxtqrphsqudljpnpo.dyndns.biz
2013-08-29 gvngnqmugpie.dyndns.biz
2013-08-29 hrxcnctoqjytmgbghg.dyndns.biz
2013-08-29 jgtbxmrersblueoyfybv.is-a-geek.com
2013-08-29 liyxebxqedytoudln.dyndns.biz
2013-08-29 lviwrnnbrjvhbiuteo.dyndns.biz
2013-08-29 mtpydkeclcpgcplq.dyndns.biz
2013-08-29 mwubtblyibnbi.dyndns.biz
2013-08-29 pbcoktomdgyjpxvbdqqo.dyndns.biz
2013-08-29 starttestnow.biz
2013-08-29 vstbogybquycfffrj.is-a-geek.com