URL pattern
GET requests go over port 443 but do not use SSL. The pattern is almost the same as in the previously seen sample, with the exception of the initial payload GET request, which uses a '.rar' file extension.
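As an added example (not code from the original post), the following Python snippet shows how a defender can detect this traffic pattern from a packet capture or flow log: it classifies the first client payload of a TCP/443 session as a real TLS handshake or cleartext HTTP, and flags a cleartext GET whose path ends in '.rar'. The sample payloads and the host name are constructed for the example.

```python
"""
Constructed example: classify the first client payload on TCP/443 as TLS or
cleartext HTTP, and flag the pattern described above (a GET over 443 with no
SSL whose path ends in '.rar').  Sample sessions below are constructed.
"""
import re

# Request line of an HTTP/1.x request: METHOD SP URI SP VERSION CRLF
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")


def classify_payload(payload: bytes) -> dict:
    """Return a small verdict dict for the first bytes a client sent on port 443."""
    # A TLS record begins with content type 0x16 (handshake) and major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x03:
        return {"proto": "tls", "uri": None, "suspicious": False}
    m = REQUEST_LINE.match(payload)
    if m:
        uri = m.group(2).decode("latin-1")
        # Cleartext HTTP on 443 is already odd; a '.rar' path matches the EK pattern.
        path = uri.split("?", 1)[0]
        return {"proto": "http", "uri": uri, "suspicious": path.lower().endswith(".rar")}
    return {"proto": "unknown", "uri": None, "suspicious": False}


# Constructed sample sessions: first client payload of three TCP/443 streams.
SAMPLE_SESSIONS = {
    "tls-normal": bytes.fromhex("160301") + b"\x00\x2e\x01" + b"\x00" * 20,
    "http-rar": b"GET /files/payload.rar HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "http-other": b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}


def scan_sessions(sessions: dict) -> list:
    """Return the names of sessions matching the 'cleartext GET for .rar on 443' pattern."""
    return [name for name, data in sessions.items() if classify_payload(data)["suspicious"]]


if __name__ == "__main__":
    for name, data in SAMPLE_SESSIONS.items():
        print(name, classify_payload(data))
    print("flagged:", scan_sessions(SAMPLE_SESSIONS))
```

In a real deployment the same check maps directly onto an IDS rule: alert on port 443 flows whose first client bytes are an HTTP method rather than a TLS record, and raise severity when the requested path carries an archive extension.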
Encoded landing page
The landing page has undergone some changes to hide the code that retrieves the malicious JAR file and checks the installed Java version. The 'hidden' code is stored within a <div> tag.
The following code 'unescapes' and decodes the character string.
The 'cipher' used to decode the string
Decoded landing page
Familiar code execution logic is revealed once the landing page is decoded. The PluginDetect script is initialized to check the Java version, and based on the result a request for the malicious JAR file is formed.
For Java 7 below 1.7.18, the malicious JAR is requested using JNLP to bypass the Java Security Warning window. For all other Java versions, the JAR is requested directly.
Sakura & JNLP
Sakura went a bit further than some other EKs in employing JNLP by embedding it into an <applet> tag. Doing so allows Base64 encoding to be used to 'hide' the content of the file.
Decoded JNLP file
More details on JNLP and the 'performSSVValidation' flaw can be found here.
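As an added example (not code from the original post), the following Python snippet shows how an analyst can recover the JNLP document described above from a captured landing page: it finds the Base64 value carried in the applet parameter, decodes it, and summarizes the fields worth pivoting on (codebase, JAR references, main class, and whether all-permissions is requested). It assumes the parameter is the Java Deployment Toolkit's 'jnlp_embedded'; the post does not name the parameter. The host name, file names and class name in the sample are constructed placeholders.

```python
"""
Constructed example: extract a Base64-encoded JNLP document from an <applet>
parameter and summarize it for analysis.  Assumption: the parameter is the
Java Deployment Toolkit's 'jnlp_embedded'.  All sample values are constructed.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Constructed JNLP document standing in for the decoded file from the capture.
SAMPLE_JNLP = b"""<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://ek.example.invalid/">
  <information><title>update</title><vendor>x</vendor></information>
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.7+"/>
    <jar href="loader.rar" main="true"/>
  </resources>
  <applet-desc name="a" main-class="Run" width="1" height="1"/>
</jnlp>
"""

# Constructed landing-page fragment embedding the JNLP as Base64 in the applet tag.
SAMPLE_HTML = (
    b'<applet code="Run.class" width="1" height="1">'
    b'<param name="jnlp_embedded" value="' + base64.b64encode(SAMPLE_JNLP) + b'">'
    b"</applet>"
)

PARAM_RE = re.compile(rb'<param\s+name="jnlp_embedded"\s+value="([A-Za-z0-9+/=\s]+)"', re.I)


def extract_embedded_jnlp(html: bytes) -> list:
    """Return every decoded JNLP document found in jnlp_embedded applet params."""
    docs = []
    for m in PARAM_RE.finditer(html):
        try:
            # validate=False lets b64decode ignore whitespace the HTML may wrap in.
            docs.append(base64.b64decode(m.group(1), validate=False))
        except ValueError:
            continue  # not decodable Base64; skip it rather than abort the scan
    return docs


def summarize_jnlp(doc: bytes) -> dict:
    """Pull codebase, jar hrefs, main class and the all-permissions flag out of a JNLP."""
    root = ET.fromstring(doc)
    desc = root.find("applet-desc")
    return {
        "codebase": root.get("codebase", ""),
        "jars": [j.get("href") for j in root.iter("jar")],
        "main_class": desc.get("main-class") if desc is not None else None,
        "all_permissions": root.find("security/all-permissions") is not None,
    }


if __name__ == "__main__":
    for doc in extract_embedded_jnlp(SAMPLE_HTML):
        print(summarize_jnlp(doc))
```

The combination of a non-JAR extension on the jar href and an all-permissions request is exactly what a triage script should surface, since both are unusual for legitimate applets.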
PDF no more
There is no PDF infection vector in this sample.