Updated 2013-08-19: a number of changes to reflect the findings covered in Part 2.
Zuponcic is a relatively rare malware delivery kit. The name comes from the website (zuponcic.com) the kit was detected on back in November 2012; the earliest mention of it is on the Emerging Sigs mailing list. I first encountered it in July 2012 hosted on 'za.ucypher.com'. The kit has been slightly updated since.
NOTE: Information is based on a sample captured on 2013-06-10.
"In thrust we trust."
The journey starts with a couple of redirects before arriving at the website hosting the landing page and the malicious JAR file.
1st level redirect
After clicking on one of the links delivered by Google Search when looking for 'mansfield township nj', the browser was taken to 'www.mansfieldtwp-nj.com'.
The first redirect goes to a server hosting a TDS (Traffic Distribution System), 'vestica.defeatliberalmedia.com'. The TDS is given a number of parameters, one of which is the name of the website the browser arrived from, 'www.mansfieldtwp-nj.com'. The TDS most likely maintains a list of domain names allowed to use the service, as a protection mechanism of sorts.
2nd level redirect
The referrer is still Google, even though the browser was redirected to the TDS host from 'www.mansfieldtwp-nj.com'.
Once the TDS is satisfied with all of the parameters given, and possibly other conditions (cookie, session ID, etc.), the browser is redirected to a website hosting the landing page and the malicious JAR file.
The browser arrives at the landing page still with Google as the referrer and the original search request details in the URL.
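The chain described above has a detectable shape in proxy logs: one client, several hosts in quick succession, the search-engine referrer preserved across every hop, and the final response a JAR. The script below is an added example, not code from the original post. It reconstructs such chains from constructed log lines (timestamp, client, method, URL, status, content type, referrer); the landing host 'landing.example.invalid' and the TDS query parameter 'from=' are placeholders, since the post does not reproduce the actual URL patterns.

```python
"""Reconstruct redirect chains from proxy logs and flag chains that keep a
search-engine referrer across several hosts and end in a JAR download."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample log lines (not taken from the original post).
# Format: timestamp client method url status content-type referer
SAMPLE_LOG = """\
2013-06-10T14:02:01 10.0.0.5 GET http://www.mansfieldtwp-nj.com/ 302 text/html http://www.google.com/search?q=mansfield+township+nj
2013-06-10T14:02:02 10.0.0.5 GET http://vestica.defeatliberalmedia.com/?from=www.mansfieldtwp-nj.com 302 text/html http://www.google.com/search?q=mansfield+township+nj
2013-06-10T14:02:03 10.0.0.5 GET http://landing.example.invalid/abc/ 200 text/html http://www.google.com/search?q=mansfield+township+nj
2013-06-10T14:02:04 10.0.0.5 GET http://landing.example.invalid/abc/FlashPlayer.jar 200 application/java-archive http://landing.example.invalid/abc/
2013-06-10T14:05:00 10.0.0.7 GET http://www.example.com/ 200 text/html http://www.google.com/search?q=example
2013-06-10T14:05:03 10.0.0.7 GET http://www.example.com/app.jar 200 application/java-archive http://www.example.com/
"""

SEARCH_ENGINES = ("google.", "bing.com", "yahoo.com")  # referrer hosts treated as search traffic
WINDOW = timedelta(seconds=30)                          # hops must occur within this time of the landing page


@dataclass
class Request:
    ts: datetime
    client: str
    url: str
    status: int
    ctype: str
    referer: str

    @property
    def host(self) -> str:
        return urlparse(self.url).netloc.lower()


def parse_log(text: str) -> List[Request]:
    """Parse the whitespace-separated constructed log format into Request records."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, status, ctype, referer = line.split()
        reqs.append(Request(datetime.fromisoformat(ts), client, url, int(status), ctype, referer))
    return reqs


def is_search_referer(ref: str) -> bool:
    host = urlparse(ref).netloc.lower()
    return any(s in host for s in SEARCH_ENGINES)


def is_jar(r: Request) -> bool:
    return r.ctype == "application/java-archive" or urlparse(r.url).path.lower().endswith(".jar")


def find_chains(reqs: List[Request], min_hops: int = 2) -> List[dict]:
    """Return one finding per JAR download whose landing page was reached via at
    least `min_hops` earlier hosts that all still carried the same search referrer."""
    by_client: Dict[str, List[Request]] = {}
    for r in reqs:
        by_client.setdefault(r.client, []).append(r)

    findings = []
    for client, rs in by_client.items():
        rs.sort(key=lambda r: r.ts)
        for i, jar in enumerate(rs):
            if not is_jar(jar):
                continue
            # The landing page is the most recent request whose URL is the JAR's referrer.
            landing_idx = next((j for j in range(i - 1, -1, -1) if rs[j].url == jar.referer), None)
            if landing_idx is None or not is_search_referer(rs[landing_idx].referer):
                continue
            landing = rs[landing_idx]
            # Earlier hops: different hosts, same preserved search referrer, inside the window.
            hops = [r for r in rs[:landing_idx]
                    if r.referer == landing.referer
                    and landing.ts - r.ts <= WINDOW
                    and r.host != landing.host]
            hosts: List[str] = []
            for r in hops + [landing]:
                if r.host not in hosts:
                    hosts.append(r.host)
            if len(hosts) - 1 >= min_hops:  # redirects before the landing page
                findings.append({"client": client, "chain": hosts, "jar": jar.url,
                                 "search_referer": landing.referer})
    return findings


if __name__ == "__main__":
    for f in find_chains(parse_log(SAMPLE_LOG)):
        print(f"{f['client']}: {' -> '.join(f['chain'])} -> {f['jar']}")
```

Only the first client is flagged: its JAR request sits behind two distinct hosts that all kept the Google referrer, matching the two-level redirect in the post, while the second client fetches a JAR directly from the site it searched for. Threshold and window are the knobs to tune against your own baseline of legitimate search traffic.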
The June 2013 sample has the following URL pattern:
The URL pattern for a sample seen in July 2012:
There are no GET requests for the '.mt' and '/js/java.js' files in the June 2013 sample, but the landing page still has commented-out code related to them.
Even though the code is commented out, the '.mt' file URL contains a 'live' domain name, so it is generated on the fly, I guess.
"Home! Sweet Home!"
The landing page requests the JAR file without performing any checks: the <body> tag's 'onLoad' handler calls a function that requests the file. There is only one '.class' file in the JAR, 'FlashPlayer.class', and it has been 'doctored' with a bytecode obfuscation tool. The JAR file is signed with a 'Kurz Instruments, Inc.' certificate issued by the 'GlobalSign' CA.
- has a quite unique URL pattern
- utilizes a TDS to help prevent direct download of the exploit kit components
- uses Java as a malware delivery method
- the JAR is signed with a valid certificate
- attempts to trick the user into downloading and executing the Initial Payload if no Java is detected
P.S. If you have any additional information on this exploit kit, please share. Contact details can be found under the Blogger profile.