Saturday, 15 June 2013

Unknown EK: "Here's Johnny!"

NOTE: Information is based on a sample captured on 2013-06-14

The exploit kit was delivered through a poisoned advertisement feed. The following pattern has been seen:


Other examples of the pattern and a some detection tips can be found on Malwaresigs.com

"...as seen on TV..."

Request for an ad delivered a JScript that simply assembles a string using a number of other predefined strings.


The result is another JScript that takes the browser to 'www.googlecodehosting.net' hosting the landing page.

part of the assembled JScript

The landing page has yet another JScript with two 'document.writeln' calls. The first one requests a malicious JAR file armed with 'CVE-2012-1723' and 'CVE-2013-1493'. The request is implemented with an <applet> where one of the parameters in it is the Initial Payload URL encoded with 'Base64'.


The second 'document.writeln' call requests a JNLP file. The file is embedded into an <applet> - this allows to encode the content of the file with 'Base64'.

part of 'Base64' encoded JNLP file

'version' attribute of 'j2se' element in the decoded JNLP file is set to '1.7+' - meaning the file will be executed with Java 7 only. The JAR file targeting Java 7 is armed with 'CVE-2013-2423' and will be requested through a slightly different URL. The Initial Payload URL is stored in plain text.

part of decoded JNLP file

"Package full of goodness"

This particular exploit kit sample had only the malicious JAR file delivered through the first 'document.writeln' call from the landing page. The file is fairly obfuscated. The two exploits it caries are separated into two different packages/folders within the JAR. 'CVE-2012-1723' is stored in 'site' package. 'CVE-2013-1493' is stored in 'site/color' package. The exploits do not share any methods - their code is completely separated. 'CVE-2012-1723' exploit code is executed first. Due to the code separation, the Initial Payload filename is created using two different methods.
  • payload delivered by 'CVE-2012-1723' is stored in Java Temp folder with hardcoded filename - '1.exe'
  • payload delivered by 'CVE-2013-1493' is stored in Java Temp folder with the filename generated using a random number between '0' and '10000' + '.exe'

There is no encryption or encoding used for protecting the Initial Payload file.

Some of the class files, methods and variable names used in the kit are either existing words in Russian or a close variation of ones. The creator of this exploit kit is more likely to know Russian language.

"Ivanoff, Petroff, Smirnoff.... Dotcacheff"

 Quick summary:
  • exploit kit URL pattern is relatively unique
  • was delivered through Malvertising
  • Java Script seems to be a preferred language for the redirect and landing pages
  • targets Java only
  • JNLP fie is protected with 'Base64'
  • armed with 'CVE-2012-1723', 'CVE-2013-1493' and 'CVE-2013-2423'
  • Initial Payload URL is stored in 'Base64' format
  • no encryption or encoding employed for Initial Payload delivery
  • Initial Payload filename depends on the exploit code executed
  • creator is more likely to know Russian language
The exploit kit is rather simple, but not as simple as the one seen on 2013-06-07. @MalwareSigs tagged this exploit kit with a catchy name - 'Dotcachef'. Sounds like a Russian surname. Good fit for it, ah. Just need another 'f' at the end to make it look totally cool.

Recommended read:

http://www.malwaresigs.com/2013/06/14/dotcachef/
http://www.basemont.com/new_exploit_kit_june_2013

Update 2013-08-23:

Malforsec's latest analysis on DotCacheF - http://malforsec.blogspot.com/2013/08/dotcachef-short-story.html


0 comments:

Post a Comment