NOTE: The information is based on a sample captured on 2014-06-06
Thanks to @Set_Abominae for sharing this sample.
Update 2014-06-10: @kafeine shared his experience with this exploit kit. Covers the history of the name, how it was first detected and what other exploits it has in its arsenal.
Whenever there is any doubt, there is no doubt
It's a rather interesting name for an exploit kit. Searching for references to 'Cotton Castle' mostly turns up links to an amazing-looking location in Turkey - Pamukkale. I can't be sure whether the exploit kit's name hints at its country of origin, but let's find out what it's made of so we better understand this threat.
- presence of the word 'government' in the current session 'cookies'
- types of 'frames', 'XMLHttpRequest', 'mozSetImageElement'
- monitoring user interaction with the webpage - mouseovers, clicks and movements
This type of behaviour can be found on some news or ad-heavy websites, where additional content is pulled in based on the user's interaction with the page, and this may be exactly such a case; nevertheless, we'll carry on assuming this activity is malicious.
The webpage the browser is taken to is rather simple in terms of content - a single line of text that looks like a news headline.
Let's take a look at some WHOIS data for the domain hosting this page.
The domain doesn't appear to be well 'hidden' for one registered with malicious intent, which once again makes me think that this could simply be a case of a compromised news/ad feed. Anyway, let's focus on the '<iframe>' link that leads to another webpage.
The statement below is true.
The statement above is false.
The server replies with a 203 HTTP status code when the landing page is requested. Most likely this rather unusual status code is used by the server side of 'CottonCastle EK' for some internal processing, or it could be specific to this particular sample only. String variables on the landing page are lightly obfuscated.
On top of that, the code is padded/fragmented by comment blocks.
As a first step, the code will launch an '<applet>' containing a Java application.
Next, the code will attempt to create a 'ShockwaveFlash' ActiveXObject and if successful will identify its version.
The returned version value is broken down into its individual numeric components and stored as an array. The array is converted back into a string by XORing each element with the static key '343' and joining the results together. The resulting string is passed to a function that generates a GET request from a pre-defined URI, the encoded ShockwaveFlash version value and a bunch of other pre-defined parameters stored as HEX strings.
Just for a little bit of extra fun, we can find what version of Shockwave Flash Player was installed on the machine this particular sample of 'CottonCastle EK' was captured from. Here is the part of GET request corresponding to this sample - '/forum/tracker/3/ON/0dc93648889f84dcc7f0f70c25fbe9c6/349.341.456.342/'. If we take each individual numeric value from '/349.341.456.342/' and XOR it by '343' we get the version of Shockwave Flash Player - '10.2.159.1'.
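The XOR scheme described above, as an added example (not code from the original post): the encoder mirrors the landing page's logic, and the decoder pulls the dotted-numeric segment out of the tracker URI quoted here so an analyst can recover the reported Flash version from proxy logs. The URI and the key 343 are taken from the post; the function names are mine.

```python
# Added example: encode/decode the Flash Player version that the
# CottonCastle landing page hides in its GET request. Each dotted
# component is XORed with the static key 343; XOR is its own inverse,
# so the same transform both encodes and decodes.
from typing import Optional
from urllib.parse import urlparse

XOR_KEY = 343  # static key observed on the landing page

# URI quoted in the post for this sample
SAMPLE_URI = "/forum/tracker/3/ON/0dc93648889f84dcc7f0f70c25fbe9c6/349.341.456.342/"


def xor_dotted(value: str, key: int = XOR_KEY) -> str:
    """XOR every dotted numeric component with the key (encode or decode)."""
    return ".".join(str(int(part) ^ key) for part in value.split("."))


def encode_version(version: str, key: int = XOR_KEY) -> str:
    """Mimic the landing page: '10.2.159.1' -> '349.341.456.342'."""
    return xor_dotted(version, key)


def decode_version(encoded: str, key: int = XOR_KEY) -> str:
    """Reverse the landing page transform: '349.341.456.342' -> '10.2.159.1'."""
    return xor_dotted(encoded, key)


def flash_version_from_uri(uri: str, key: int = XOR_KEY) -> Optional[str]:
    """Find the dotted-numeric path segment of a tracker URI and decode it.

    Returns None when no segment looks like an encoded version, so the
    function can be run over arbitrary log URIs without raising.
    """
    for segment in urlparse(uri).path.strip("/").split("/"):
        parts = segment.split(".")
        # The hex hash and the 'ON'/'3' segments fail this test; only the
        # encoded version is an all-numeric string with at least one dot.
        if len(parts) >= 2 and all(p.isdigit() for p in parts):
            return decode_version(segment, key)
    return None


if __name__ == "__main__":
    print(flash_version_from_uri(SAMPLE_URI))  # 10.2.159.1
    print(encode_version("10.2.159.1"))        # 349.341.456.342
```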
This particular GET request received HTTP 409 response. I assume that the server side of 'CottonCastle EK' responds with HTTP 409 Status code when it decides not to serve the exploit component or something went wrong sending it.
So, the Java application will be requested and executed first. The request is implemented using a JNLP file.
Surprisingly, the JNLP file has no 'Security Warning Window' bypass attributes, and, interestingly enough, the other attributes are properly named. According to the naming, this Java application is called 'jBitTorrent Client', provides a 'Java implementation of the bittorrent protocol' and will run on '<j2se version="1.6+" />'. Execution starts with the 'com.s' class file. Let's take a look at the JAR file content.
The two class files 's.class' and 't.class' contain 'wrapper' code. In a nutshell, the code decrypts and loads some of the JAR file components. The '.dat' files included in the JAR file serve different purposes:
- 'd.dat' - Windows PE executable
- 'j.dat' - operating system reconnaissance, payload download and execution
- 'p.dat' - JVM parameters collector, execution path selector
- 'u.dat' - exploit code for CVE-2013-0422 (JmxMBeanServer)
The Java code is fairly obfuscated. String values are also encrypted with RC4 (using the same decryption key as the '.dat' files) and stored in HEX representation. The code makes heavy use of 'java.lang.reflect.Method'.
The execution flow is the following:
- 'wrapper' initialization
- 'wrapper' decrypts 'u.dat' file and passes it to 'javax.script.ScriptEngineManager'
- 'wrapper' decrypts 'p.dat' and loads it as a class file
- 'p.dat' class file gathers the parameters passed to the JVM, decrypts the 'j.dat' file and passes it to 'javax.script.ScriptEngineManager'
- the VB script checks for the presence of AV products, then downloads an executable file, decrypts it, stores it and executes it
List of operations performed by VB script:
- query list of all running processes
- check results of the query against a pre-defined list of processes
- callback to a pre-defined URL in the event of blacklisted processes detected
- build filename and filepath for malware payload
- download, decode and execute the malware payload
- callback to a pre-defined URL reporting a successful deployment
The pre-defined list of processes the VB script checks for:
- AVG Scanning Core Module - Server Part
- AVG Watchdog Service
- Ad-Aware Antivirus Service
- Avast! Service
- Avira Scheduler
- BitDefender Agent
- BullGuard Behavioural Detection
- CA eTrust Antivirus
- Comodo Agent Service
- Dr. Web
- ESET Service
- F-Secure Host Process
- G DATA Personal Firewall
- Ikarus Security Software
- Jetico Personal Firewall
- K7TotalSecurity Service Manager
- Kaspersky Lab
- McAfee Service Host
- Microsoft Security Client User Interface
- Norman Privacy Tools
- Norton 360
- Norton AV
- Norton Internet Security
- Omniquad firewall or Dynamic Security Agent or AGuardDogSuite
- Outpost Firewall
- PC Tools Security Service
- PC Tools ThreatFire Service
- Panda Software Controler
- Rising Antivirus
- Solo Antivirus
- Solo Scheduler
- Sophos Administrator Service
- Sophos Anti-Virus
- Trend Micro Anti-Malware Solution Platform
- TrustPort Antivirus Management Agent
- ZoneAlarm ForceField
Additional information on this EK can be found here - http://malware.dontneedcoffee.com/2014/06/cottoncastle.html
| Name: | CottonCastle Exploit Kit |
|---|---|
| Source/Credits: | Data source - @Set_Abominae. Intel source - @kafeine |
| Infection vectors detected: | Java / Shockwave Flash Player / Internet Explorer |
| TDS: | Multi redirect chain |

Java infection vector

| Captured with: | Java 1.7.05 |
|---|---|
| Obfuscation: | RC4 encrypted string values, Java Reflections, Minification |
| JAR extra content: | Number of RC4 encrypted files with '.dat' file extension |
| Initial Payload delivery method: | URL |
| Initial Payload encryption/encoding: | XOR. key - 'e2400a24ac76b37cb0adff1dfd022e08' |
| Initial Payload store location: | System Temp folder |
| Initial Payload filename: | Static. 'Windows-Patch-KB874923-x86.exe' or 'Windows-KB874923-x86.exe' |

Browser infection vector

| Analysed with: | Internet Explorer 7 |
|---|---|
| Initial Payload delivery method: | URL |
| Initial Payload store location: | NA |
| Initial Payload filename: | NA |

Samples:
- JAR - https://www.virustotal.com/ (no detection)
- EXE (MD5 b619fce7efde0453c06f68565a8bdbb6) - https://malwr.com/ https://www.virustotal.com

Notes: The malicious Java component is implemented with the use of different evasion techniques. Execution is controlled and depends on the values of different system/OS parameters.