Sunday, 24 November 2013

Infinity EK: "No...unless round is funny."

NOTE: The information is based on a sample captured on 2013-11-22

Thanks to @Set_Abominae for sharing 'intel' on this sample. The analysis was done using the data gathered during a Fiddler 'live' capture.

Update 2014-01-27:

This exploit kit got an official name - Infinity.

Infinity Exploit kit logo


Update 2013-11-25:

@PhysicalDrive0 gives this EK a fancy name in this blog post.

"Smokey, this is not 'Nam. This is bowling. There are rules."

The compromise attempt starts with a visit to a website injected with a malicious '<iframe>'.

<iframe> injected into one of the pages on compromised website

As a side note, the website in this particular sample had been compromised twice. The same page that redirects the browser to the unknown EK also has a 'CookieBomb' script injected in it.

part of 'CookieBomb' script

part of deobfuscated 'CookieBomb' script

The URL the 'CookieBomb' leads to was dead at the time the 'live' capture took place. More on the 'CookieBomb' threat can be found on the MMD website.

Back to the Unknown EK now; the following URL pattern was observed - pastebin.com.

'Unknown EK' URL pattern

Seeing the 'cnt.php' redirect script most likely indicates that the website was compromised through CVE-2013-1862. Hendrik Adrian (MMD) covered this subject in great detail in one of his blog posts.

The EK landing page is as simple as it can be.

Unknown EK landing page - request for JNLP

The JNLP file launches a JavaFX application.

Unknown EK JNLP file

Note the number of HTTP GET requests after the JavaFX application JAR is downloaded. These are the result of the 'Class-Path' header in the 'MANIFEST.MF' file referencing those JARs.

Unknown EK MANIFEST.MF file content

Also note that there is no HTTP GET request in the Fiddler log for the Initial Payload. This is due to the way it's requested. During JavaFX application execution, control is passed to the 'javaw.exe' tool along with the class file that requests and executes the Initial Payload. 'javaw.exe' is not 'proxy-aware' and sends the request directly to the malicious website, which technically means that if you're on a network behind a web proxy with no direct access to the Internet, you're safe from this exploit kit.

"Back off, man. I'm a scientist!"

There is almost no obfuscation applied to the code - some of the string variable values are split and then concatenated at runtime.

string value obfuscation example

The JAR file is armed with exploit code for CVE-2013-2460.

part of the exploit code for 'CVE-2013-2460' (after deobfuscation)

Once execution privileges are elevated, a hidden .class file is decoded and loaded. During this process it is saved to the Java Temp folder under the filename 'NewClass.class'. The class file is stored inside the JAR encoded with 'base64'. It handles the Initial Payload download and execution.

part of the 'base64' encoded hidden .class file

The Initial Payload URL is not stored in any of the parameters passed to the JVM or in variables within the code. Instead, it's generated using some tricks JavaFX has to offer.

JavaFX trick to get part of JNLP URI 

The code above returns the JNLP file's parent folder URI - in this case 'hxxp://vinnypedulla.com/5/201311/'. The second part of the path is dynamically generated from the current time stamp following the pattern 'HHmmss' - for example, '113458.mp3'. The routine in the screenshot below combines both parts and requests the Initial Payload.

part of the Initial Payload fetcher code

The Initial Payload filename is created by concatenating the same 6 digits (time stamp) and the '.exe' string. The file is stored in the Java Temp folder. Before it's stored and executed, it's decoded using XOR with a predefined key - 'binkey'.
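As an added analyst-side example (not code from the post or from the kit), the script below flags proxy-log URLs that match the '<folder>/HHmmss.mp3' payload pattern described above and XOR-decodes a captured payload blob with the 'binkey' key, checking for the 'MZ' header of a Windows executable. The sample URLs and blob are constructed, and applying 'binkey' as a repeating key is an assumption, since the post does not say how the key bytes are cycled over the payload.

```python
import re
from datetime import datetime

# Key named in the post; repeating-key application over the payload is an assumption.
XOR_KEY = b"binkey"

# Observed payload URL shape: <JNLP parent folder>/<HHmmss>.mp3
PAYLOAD_URL_RE = re.compile(r"^(?P<base>https?://[^\s?#]+/)(?P<stamp>\d{6})\.mp3$")


def is_hhmmss(stamp: str) -> bool:
    """True if the six digits form a valid HHmmss time (e.g. '113458')."""
    try:
        datetime.strptime(stamp, "%H%M%S")
        return True
    except ValueError:
        return False


def flag_payload_urls(urls):
    """Return (url, folder, stamp) tuples for URLs matching the EK's payload pattern."""
    hits = []
    for url in urls:
        m = PAYLOAD_URL_RE.match(url.strip())
        if m and is_hhmmss(m.group("stamp")):
            hits.append((url.strip(), m.group("base"), m.group("stamp")))
    return hits


def xor_decode(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; the same operation both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """A decoded Initial Payload should be a Windows executable ('MZ' header)."""
    return data[:2] == b"MZ"


# Constructed sample proxy-log URLs (not from the capture).
SAMPLE_URLS = [
    "http://example.invalid/5/201311/113458.mp3",  # matches, valid HHmmss
    "http://example.invalid/5/201311/256199.mp3",  # six digits, but hour 25 is not a time
    "http://example.invalid/5/201311/index.html",
    "http://example.invalid/music/track01.mp3",
]

# Constructed stand-in for a captured '.mp3' blob: a fake PE header XOR-encoded with the key.
FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode."
SAMPLE_BLOB = xor_decode(FAKE_PE)

if __name__ == "__main__":
    for url, folder, stamp in flag_payload_urls(SAMPLE_URLS):
        print(f"payload-pattern hit: {url} (folder {folder}, stamp {stamp})")
    print("decoded blob is PE:", looks_like_pe(xor_decode(SAMPLE_BLOB)))
```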

"Summary"

This exploit kit sample is implemented as a JavaFX application. Some variable names suggest its creator is a Turkish speaker - for example 'fia', 'analiz', 'fout', 'bais'. Light complexity. It will fail if the targeted machine is behind a web proxy and has no direct access to the Internet.

Summary Information
Name: Unknown
Date captured: 2013-11-22
Date analysed: 2013-11-23
Source/Credits: Intel source - @Set_Abominae. Data source - live traffic capture with Fiddler.
Infection vectors detected: Java/JavaFX
Vulnerabilities targeted:
  • CVE-2013-2460

Landing page
  Transfer mode: plain text
  Obfuscation: No
  TDS: No
  JNLP: Yes
  JVM parameters: None

Java infection vector
  Analysed with: Java 1.7.17
  Obfuscation: Simple string values obfuscation
  JAR hidden content: Hidden .class file - 'NewClass.class'
  Initial Payload delivery method: URL
  Initial Payload encryption/encoding: XOR, key - 'binkey'
  Initial Payload store location: Java Temp folder
  Initial Payload filename: Generated using current time - HHmmss

Adobe infection vector
  Analysed with: NA
  Initial Payload delivery method: NA
  Initial Payload store location: NA
  Initial Payload filename: NA

Automated analysis
  Exploit components:
    JAR - https://www.virustotal.com
  Delivered malware:
    EXE (MD5 b7b352ecb0ea8fc52c5a6a515b85c7e0)
    https://malwr.com/
    https://www.virustotal.com

Additional Information
  EK creator is possibly a Turkish speaker.