Monday, 7 October 2013

Unknown EK: "I wanna be a billionaire so freaking bad..."

NOTE: Information is based on a sample captured on 2013-10-02

I'm not sure if the definition 'exploit kit' is actually applicable here. Yes, there is exploit code copied from the PSA (Packet Storm Advisory) for CVE-2013-2465, but I'd expect more code around it before calling it a 'kit', and I can't imagine that any server-side code exists. There is no environment validation of any sort: no plugin or version identification, no initial payload encryption, no data encoding, no code obfuscation. Base64 encoding is used just once, to 'hide' a single string. So, another 'interesting' piece of work.

"Landing page"

URL pattern is short and simple.

The landing page is also short and simple.

The parameter name is the first hint at the possible origins of this Java exploit: 'kurban', translated from Turkish, means 'victim'. The value held by this parameter is the initial payload location.

"JAR file"

The JAR file is 'packed' with goodies. Execution begins with an attempt to exploit the CVE-2013-2465 vulnerability.

part of PSA exploit code for CVE-2013-2465

Just before diving into abusing the 'storeImageArray()' function, a single call to 'base64coder' is made to decode the one and only encoded string.

The author was rushing because mum had just called him/her for dinner and didn't bother cleaning up someone else's 'base64coder' code that might have been copied from ''. All encoding methods were left in even though they are not used.

A few more hints point at the origins, or at one of the languages the author speaks.

Google translated from Turkish: 'dosyayazdirici' - printing a file, 'baglantiaç' - open link, 'bayt' - byte. The screenshot above shows part of the code that fetches the initial payload via the URL passed from the landing page. Once downloaded, it is stored in the default temporary-file directory under the hardcoded filename 'thefire.exe'.

The link to the initial payload was dead by the time the capture was performed. Judging by the filename, 'install_flash_player.exe', it could have been 'ZeroAccess'.

One rather odd thing is the name of the method performing the exploit: 'uganda'. Maybe the author's favourite country, or maybe the target; who knows.
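The chain described above (a landing page handing the payload URL to the applet through a single parameter, a JAR that abuses 'storeImageArray()', a leftover 'base64coder' class and a hardcoded 'thefire.exe' dropped into the temp directory) lends itself to a quick triage script. The following is an added example for defenders, not code from the blog or from the sample: it pulls applet parameters out of a captured landing page and flags the ones carrying a URL, then runs a strings-style pass over the .class entries of a JAR and matches them against the indicators named in the analysis. The HTML and the JAR it runs on are constructed fixtures (the host name is a placeholder and the "class file" is a stand-in byte blob, not a compiled class).

```python
"""Triage helpers for a Java-delivered infection chain like the one analysed
above. Added example, not the blog's code. The landing page and JAR below are
constructed fixtures; the JAR's single 'class' is a fake byte blob."""
import io
import re
import zipfile
from html.parser import HTMLParser

# Indicators taken from the analysis: the AWT image entry point used by the
# CVE-2013-2465 exploit, the leftover Base64 helper, the hardcoded dropped
# filename, the temp-directory write and the Turkish-named parameter.
INDICATORS = {
    "storeImageArray": "CVE-2013-2465 style AWT image exploit",
    "base64coder": "bundled Base64 helper (single-string decode)",
    "thefire.exe": "hardcoded dropped-file name",
    "java.io.tmpdir": "payload written to default temp directory",
    "kurban": "Turkish-named parameter ('victim')",
}

URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


class AppletParamParser(HTMLParser):
    """Collect <param name=... value=...> pairs (and <embed> attributes)."""

    def __init__(self):
        super().__init__()
        self.params = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "param" and "name" in a:
            self.params[a["name"]] = a.get("value") or ""
        elif tag == "embed":  # <embed> carries applet params as attributes
            for k, v in a.items():
                if k not in ("type", "code", "archive", "width", "height"):
                    self.params[k] = v or ""


def landing_page_params(html):
    """Return {param_name: value} for every applet parameter on the page."""
    p = AppletParamParser()
    p.feed(html)
    return p.params


def url_params(html):
    """Return parameter names whose value is a URL: candidate payload locations."""
    return sorted(k for k, v in landing_page_params(html).items() if URL_RE.match(v))


def jar_strings(jar_bytes, min_len=6):
    """Yield (entry_name, string) for printable ASCII runs in each .class entry,
    a 'strings'-style pass that needs no class-file parsing."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                for m in run.finditer(zf.read(name)):
                    yield name, m.group().decode("ascii")


def triage_jar(jar_bytes):
    """Return {indicator: [entry names]} for indicators present in the JAR."""
    hits = {}
    for entry, s in jar_strings(jar_bytes):
        for ind in INDICATORS:
            if ind in s and entry not in hits.setdefault(ind, []):
                hits[ind].append(entry)
    return hits


# Constructed landing page modelled on the post's description: one JVM
# parameter carrying the initial payload URL (placeholder host).
SAMPLE_HTML = """<html><body>
<applet archive="a.jar" code="a.class" width="1" height="1">
<param name="kurban" value="http://payload.invalid/install_flash_player.exe">
</applet></body></html>"""


def build_sample_jar():
    """Build an in-memory JAR whose single fake class embeds the indicator
    strings the analysis mentions (constructed fixture, not a real class)."""
    blob = (b"\xca\xfe\xba\xbe" + b"\x00" * 4
            + b"uganda\x00storeImageArray\x00base64coder\x00"
            + b"java.io.tmpdir\x00thefire.exe\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.class", blob)
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("URL-bearing applet params:", url_params(SAMPLE_HTML))
    for ind, entries in sorted(triage_jar(build_sample_jar()).items()):
        print(f"{ind:16} {INDICATORS[ind]} -> {entries}")
```

The strings pass is deliberately crude: it does not decode the constant pool, so it catches only literals that survive as plain ASCII. A sample that Base64-encodes or otherwise obscures its strings (which this one does for exactly one string) would need the decoded output fed back through `triage_jar`.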


General Information
Name: Unknown
Date captured: 2013-10-02
Date analysed: 2013-10-04
Source/Credits: Live Fiddler capture

Infection vectors detected: Java
Vulnerabilities targeted: CVE-2013-2465

Landing page
Transfer mode: plain text
Obfuscation: No
JVM parameters: 1

Java infection vector
Captured with: Direct download - Firefox/14.0.1
Obfuscation: None
JAR hidden content: None
Initial Payload delivery method: URL
Initial Payload encryption/encoding: No
Initial Payload store location: Default temporary-file directory
Initial Payload filename: Hardcoded - 'thefire.exe'

Adobe infection vector
Captured with: Not implemented
Initial Payload delivery method:
Initial Payload store location:
Initial Payload filename:

Automated analysis
Exploit components:
Java JAR -
Delivered malware:
No sample available

Additional Information

Possibly originated from Turkey, or the author speaks Turkish.
