Friday, 7 June 2013

Unknown EK: "Knock, knock... Who's there?"

NOTE: Information is based on a sample shared by @Set_Abominae on 2013-06-05.

"My name is Bond... James Bond..."

The exploit kit appeared to start surfacing on 2013-06-01. The following URL pattern has been seen with this sample:


'urlquery.net' detected 'Phoenix exploit kit post-compromise behavior' activity after a successful Java vulnerability exploit. Phoenix EK is far more complex, though.

Sample reports:

http://urlquery.net/report.php?id=2895619
http://urlquery.net/report.php?id=2788425

A straight-to-business exploit kit: no PluginDetect use, no PDF infection vector, no Java code obfuscation, no 'padding' code, no Initial Payload encoding/encryption. Most of the variables and methods are meaningfully named. The Java exploits are stored in separate JAR files, each named after the CVE number it targets. The creator of this kit seems to know the Russian language: one of the class files in one of the JARs is named 'BlyahaMuha', a word specific to Russian only (not translatable).

"Requesting permission to land"

The landing page simply consists of <applet> elements, each with a link to a malicious JAR file and a parameter holding the encoded Initial Payload URL.

Sample of an <applet>:


The landing page is redirected to by an injected <iframe> from a page hosted on a compromised website.


"Programming language or Coffee?"

4 JAR files deliver exploits for the following Java vulnerabilities:
One exploit per JAR file. The code looks almost as if it were copied from the Metasploit package, with very little effort made to modify it.

The Initial Payload URL decoding code follows a quite simple algorithm.


The 'unprotected' payload is delivered as 'application/octet-stream' with the filename 'update_8251.exe' (the name varies).


Once downloaded, the Initial Payload is stored in the Java Temp folder under a hardcoded filename: '~.exe'.
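The two network-side shapes described above (an <applet> loading a JAR and carrying an opaque parameter value, then an 'application/octet-stream' download named 'update_NNNN.exe' following the JAR fetch) can be turned into simple triage checks. The following is an added example, not code from the original post or from the kit: the landing-page HTML, the host names, the JAR name, the parameter name 'p' and the proxy-log entries are all constructed for the demo, and the regular expressions encode only what the post states (JAR archive, encoded URL in a param, octet-stream payload with an 'update_' + digits + '.exe' name).

```python
"""Defensive triage helpers for the applet-based Java exploit kit described above.

Added example; not the post's own code. All concrete values are constructed.
"""
import re
from html.parser import HTMLParser

JAR_RE = re.compile(r"\.jar(\?.*)?$", re.IGNORECASE)
PAYLOAD_NAME_RE = re.compile(r"^update_\d+\.exe$", re.IGNORECASE)
# An encoded URL carried in a <param>: long, no scheme, no '/' or '.' characters.
ENCODED_RE = re.compile(r"^[A-Za-z0-9+/=_-]{24,}$")


class AppletCollector(HTMLParser):
    """Collect every <applet> with its archive/code attributes and <param> children."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "applet":
            self._current = {"archive": attrs.get("archive", ""),
                             "code": attrs.get("code", ""), "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][attrs.get("name", "")] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None


def suspicious_applets(html):
    """Return applets that load a JAR and pass at least one opaque (encoded) parameter."""
    parser = AppletCollector()
    parser.feed(html)
    hits = []
    for applet in parser.applets:
        if not JAR_RE.search(applet["archive"]):
            continue
        opaque = {k: v for k, v in applet["params"].items() if ENCODED_RE.match(v)}
        if opaque:
            hits.append({"archive": applet["archive"], "opaque_params": opaque})
    return hits


def delivery_chain(transactions):
    """Flag a JAR fetch followed by an octet-stream download named update_NNNN.exe.

    transactions: dicts with keys url, content_type and filename (taken from
    Content-Disposition, '' if absent), in the order the client saw them.
    """
    last_jar = None
    findings = []
    for t in transactions:
        if JAR_RE.search(t["url"]):
            last_jar = t["url"]
        elif (last_jar and t["content_type"].lower() == "application/octet-stream"
              and PAYLOAD_NAME_RE.match(t["filename"])):
            findings.append({"jar": last_jar, "payload_url": t["url"],
                             "filename": t["filename"]})
    return findings


# Constructed landing page: hostnames, JAR name (the post says JARs are named
# after CVE numbers, which are not given, hence the placeholder) and param name
# are all hypothetical. The second applet is a benign control case.
SAMPLE_HTML = """
<html><body>
<applet archive="http://landing.example/cve-NNNN-NNNN.jar" code="Loader.class" width="1" height="1">
  <param name="p" value="aHR0cDovL3BheWxvYWQuZXhhbXBsZS91cGRhdGUuZXhl">
</applet>
<applet archive="http://cdn.example/legit-viewer.jar" code="Viewer.class">
  <param name="file" value="http://cdn.example/docs/manual.pdf">
</applet>
</body></html>
"""

# Constructed proxy log, in the order the victim browser issued the requests.
SAMPLE_TRANSACTIONS = [
    {"url": "http://landing.example/index.html",
     "content_type": "text/html", "filename": ""},
    {"url": "http://landing.example/cve-NNNN-NNNN.jar",
     "content_type": "application/java-archive", "filename": ""},
    {"url": "http://payload.example/get.php?id=7",
     "content_type": "application/octet-stream", "filename": "update_8251.exe"},
]

if __name__ == "__main__":
    for hit in suspicious_applets(SAMPLE_HTML):
        print("applet loads JAR with opaque param:", hit)
    for finding in delivery_chain(SAMPLE_TRANSACTIONS):
        print("JAR fetch followed by executable download:", finding)
```

Both checks are deliberately narrow: the applet check fires only when a JAR-loading applet also carries a value that looks encoded rather than a plain URL, and the delivery check requires the octet-stream download to come after a JAR fetch in the same client's request order, which is what separates this kit's traffic from an ordinary software download.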


Once executed, the following POST request is sent


followed by a number of GET requests


In this case, they all received a 404 response.

The Initial Payload was 'Zbot/Fareit' with 24/47 coverage on VT.

"How much is the fish?..."

Rather an 'interesting' exploit kit. Hopefully it has a name and is not another 'random_word+hole'.

Brief summary:
  • no protection/evasion employed anywhere in the exploit kit (landing page, Java, payload)
  • targets Java vulnerabilities only
  • no Java version check
  • the Initial Payload URL encoding algorithm is quite simple
  • the payload is stored in the Java Temp folder
  • the payload filename is hardcoded
  • the creator of the kit is most likely a Russian speaker


Would like to hear from people who have any additional information on this exploit kit. Contact details can be found under Blogger profile.
