Thursday, 30 May 2013

Sakura: Landing page changes - May 2013

The details are based on a sample seen on 2013-05-30. Credits to @Set_Abominae for sharing the sample.

URL pattern

GET requests are going over port 443, but are not using SSL. The pattern is almost the same as in previously seen sample with the exception to the initial payload GET request. It uses '.rar' file extension.

Encoded landing page

Landing page undergone some changes to hide the code that retrieves malicious JAR file and checks the version of Java installed. The 'hidden' code is stored within a <div> tag.

The following code 'unescapes' and decodes the character string.

The 'cipher' used to decode the string

Decoded landing page

Familiar code execution logic is revealed after the landing page is decoded. PluginDetect script is initialized to check for Java version and based on the findings a request to malicious JAR file is formed.

For Java 7 below 1.7.18 update, the malicious JAR will be requested using JNLP to bypass Java Security Warning window. For all other Java versions, the JAR will be requested directly.

Sakura & JNLP

Sakura went a bit further than some other EKs in employing JNLP by embedding it into an <applet> tag. Doing so allows to use Base64 encoding to 'hide' the content of the file.

Decoded JNLP file

More details on JNLP and 'performSSVValidation' flaw can be found here.

PDF no more

There is no PDF infection vector in this sample.

No comments:

Post a Comment