Category Archives: Targeted Threats

CVE-2012-4792 Exploit Utilized in “Wateringhole” Style Attacks

Look for these strings in your proxy logs over the past few weeks. Infected hosts will likely begin beaconing to command-and-control (C2) servers on dynamic DNS domains shortly after exploitation.

HTTP Request Method = GET
URI Strings:

*/xsainfo.jpg
*/today.swf
*/Grumgog.swf
*/DOITYOUR02.html
*/DOITYOUR01.txt
*/mt.html
*/javamt.html
*/AppletHigh.jar
*/AppletLow.jar
*/green.swf

Reference: http://eromang.zataz.com/2013/01/15/watering-hole-campaign-use-latest-java-and-ie-vulnerabilities/

Xtreme RAT

HTTP Request Method = GET
HTTP URI = *.functions
Regex for HTTP URI: \/[0-9]+\.functions$

Examples:

mrhacking .no-ip.info:81/1234567890.functions
almofatch .no-in.info:81/1234567890.functions
netera .no-ip.org:920/123.functions
aln3imi00100 .zapto.org:81/123321.functions
hackk-hackk .no-ip.biz:81/440526.functions
cinamarcina .no-ip.biz:100/1234567890.functions
reveng1 .no-ip.biz:81/1234567890.functions
aymn161 .no-ip.org:81/1234567890.functions
amin1111 .no-ip.org:93/1234567890.functions
cagatay3162 .zapto.org:81/1234567890.functions
ers .zapto.org:93/1234567890.functions
amgad .no-ip.biz:8181/1234567890.functions
mrxm511 .no-ip.org:82/1234567890.functions
hac.zapto .org:1177/1234567890.functions
mahmodemos .no-ip.org:81/1234567890.functions
176.241.85 .6:1723/1234567890.functions
starnight2012 .tzo.net:53156/1234567890.functions
jv123 .no-ip.org:82/104566.functions
77.64.70 .82:22280/1234567890.functions
kirkukboy .no-ip.biz:9999/1234567890.functions
sosososo .no-ip.biz:288/1234567890.functions
hack4ps .no-ip.info:92/1234567890.functions
sa123re .no-ip.org:82/1234567890.functions
khalil02 .no-ip.biz:81/1234567890.functions
wail .no-ip.biz:81/1234567890.functions

See examples of Xtreme RAT on UrlQuery.net

Reference: (PDF) http://www.matasano.com/research/PEST-CONTROL.pdf
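The two hunts above (the CVE-2012-4792 watering-hole URI strings and the Xtreme RAT `/[0-9]+.functions` check-in) are both simple URI-path matches over GET requests, so one scanner covers both. The block below is an added example, not code from this post or from the referenced reports: it carries the page's indicators as data, applies the page's Xtreme RAT regex to the URI path (the narrower of the two `*.functions` rules given), and runs over a constructed proxy log in an assumed `<timestamp> <client> <method> <url> <status>` format. The hostnames in the sample log (`cdn.example.com`, `rat-c2.example`, and so on) are placeholders, not the page's C2 hosts.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted from the page. The watering-hole entries are glob-style
# ("*/xsainfo.jpg"), so we match on the trailing path component; the Xtreme RAT
# entry is the page's regex, applied to the URI path only (not the host or query).
WATERING_HOLE_SUFFIXES = [
    "/xsainfo.jpg", "/today.swf", "/Grumgog.swf", "/DOITYOUR02.html",
    "/DOITYOUR01.txt", "/mt.html", "/javamt.html", "/AppletHigh.jar",
    "/AppletLow.jar", "/green.swf",
]
XTREME_RAT_RE = re.compile(r"/[0-9]+\.functions$")

# Constructed proxy log (not from the page): "<ts> <client> <method> <url> <status>".
# Hostnames are placeholders; the paths exercise both rules plus near-misses.
SAMPLE_LOG = """\
1358260000.123 10.0.0.5 GET http://cdn.example.com/static/today.swf 200
1358260001.456 10.0.0.5 GET http://cdn.example.com/static/Grumgog.swf 200
1358260002.789 10.0.0.5 GET http://news.example.com/mt.html 200
1358260003.000 10.0.0.7 POST http://rat-c2.example:81/1234567890.functions 200
1358260004.000 10.0.0.7 GET http://rat-c2.example:81/1234567890.functions 200
1358260005.000 10.0.0.9 GET http://rat-c2.example:920/abc.functions 404
1358260006.000 10.0.0.9 GET http://intranet.example/reports/functions 200
1358260007.000 10.0.0.9 GET http://www.example.com/index.html 200
"""


def classify_uri(method, url):
    """Return the name of the rule a single request matches, or None."""
    if method != "GET":  # both rules on the page are scoped to GET requests
        return None
    path = urlsplit(url).path
    if XTREME_RAT_RE.search(path):
        return "xtreme_rat_functions"
    for suffix in WATERING_HOLE_SUFFIXES:
        if path.endswith(suffix):  # "*/mt.html" does not match "/javamt.html"
            return "cve-2012-4792_wateringhole"
    return None


def scan_proxy_log(text):
    """Return (line_number, client, rule, url) for every log line matching a rule."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines instead of aborting the hunt
        _ts, client, method, url = fields[:4]
        rule = classify_uri(method, url)
        if rule:
            hits.append((n, client, rule, url))
    return hits


def hosts_by_client(hits):
    """Group contacted hosts per internal client and rule, to see which hosts
    went on to talk to a RAT check-in after hitting the exploit page."""
    summary = {}
    for _n, client, rule, url in hits:
        summary.setdefault(client, {}).setdefault(rule, set()).add(urlsplit(url).netloc)
    return summary


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(hosts_by_client(found))
```

Feed `scan_proxy_log` the contents of your real proxy export after adjusting the field order in the log format; the grouping step is what turns a list of hits into the follow-up question the post raises, namely which clients that fetched the exploit components then started talking to `.functions` URIs on dynamic DNS hosts.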