Sunday 8 September 2013

Unknown EK: "... It ain't no trick, To get rich quick, If ya dig dig dig ..."

Yet another 'wannabe' exploit kit in the making. Thanks to @Set_Abominae for sharing this sample, which was discovered through the @urlquery service.

NOTE: The information is based on a sample captured on 2013-09-05

"Heigh-ho, Heigh-ho"

URL pattern is rather 'messy', but at the same time unique.

HTTP requests observed

The Landing Page is as simple as it can be: no fancy JavaScript, no obfuscation, no data encoding. It targets Java and Adobe products by bombarding a potential victim machine with everything it has, without doing any version checks. Here is the list of vulnerabilities it tries to exploit:
  • CVE-2010-0188 (Adobe Reader and Acrobat before 8.2.1 and before 9.3.1)
  • CVE-2010-1297 (Adobe Flash Player before and before; Adobe AIR before; and Adobe Reader and Acrobat before 9.3.3, and before 8.2.3)
  • CVE-2010-2884 (Adobe Flash Player and earlier and Adobe Reader and Acrobat before 9.4 and before 8.2.5)
  • CVE-2008-2992 (Adobe Acrobat and Reader 8.1.2 and earlier)
  • CVE-2013-2465 (Java 7 through to update 21, Java 6 update 45 and earlier)

The Adobe infection vector starts by assembling an array that holds the list of URLs pointing at the malicious PDF files.

filling up array with URLs

Once the array is ready, the malicious PDFs are requested one by one using this function:

requesting malicious PDFs

Multiple copies of the Initial Payload may be requested if the Adobe product installed on the victim's PC is vulnerable to more than one of the attempted exploits. It's hard to tell what exactly happens in that scenario, since the Initial Payload delivered through each Adobe exploit is stored under a hardcoded name ('update.exe') in a predefined location (the user's Temp folder).

part of shellcode extracted from malicious PDF file

The Java infection vector starts with a request for a malicious JAR file. No additional parameters (encoded URL, decoding key, etc.) are passed to the JVM.

requesting JAR file using <object>

The author is possibly a big fan of 'Toby The Tram Engine' (sorry, couldn't resist). Anyway, the JAR file is armed with an exploit for CVE-2013-2465.

part of CVE-2013-2465 exploit code

The Initial Payload is requested using a hardcoded URL and stored in the Java Temp folder with, yet again, a hardcoded filename: 'g.exe'.

The Initial Payload execution method is rather interesting: 'cmd.exe' is used.

Once executed, it launches the Internet browser and checks for Internet connectivity by 'calling home'.

The browser is redirected to 'Google', while an additional payload is requested in the background.

additional payload request

this one turned out to be a BitCoin miner

Neither the Initial nor the additional payloads were transferred with any encoding/encryption applied. At the time of writing, all 3 files had good coverage on VT (see summary for more details).
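One way a defender could turn the post-exploitation chain described above (Java or Reader host process, 'cmd.exe' launching a hardcoded 'g.exe'/'update.exe' from a Temp folder, and the three payload hashes from the summary) into a host-based check. This is an added example, not code from the original post; the log record format, the process image names assumed for Java and Reader, and the sample events are constructed.

```python
import re
# MD5s of the three delivered files listed in this post's summary.
KNOWN_PAYLOAD_MD5S = {
    "0e9337ee028e3e4b0bffebd7d1e502d2",
    "de660551fb0670c16ec5b344d63406dd",
    "3256da849bc3c62a6a015cf077794df2",
}
# Assumed image names of the exploited host processes (Java runtime, Adobe Reader).
EXPLOIT_HOSTS = {"java.exe", "javaw.exe", "acrord32.exe"}
# Hardcoded payload filenames observed for the Java and Adobe vectors.
HARDCODED_NAMES = {"g.exe", "update.exe"}
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
def parse_event(line):
    """Parse one 'key=value|key=value' process-creation record (constructed format)."""
    ev = dict(field.split("=", 1) for field in line.strip().split("|"))
    ev["pid"], ev["ppid"] = int(ev["pid"]), int(ev["ppid"])
    return ev

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_hits(events):
    """Return (rule, pid, detail) tuples for events matching the kit's execution pattern."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # Rule 1: Java/Reader spawns cmd.exe that runs g.exe/update.exe from a Temp folder.
        if (parent and basename(e["image"]) == "cmd.exe"
                and basename(parent["image"]) in EXPLOIT_HOSTS
                and TEMP_DIR.search(e["cmdline"])
                and any(n in e["cmdline"].lower() for n in HARDCODED_NAMES)):
            hits.append(("exploit host -> cmd.exe -> temp payload", e["pid"], basename(parent["image"])))
        # Rule 2: an executed image's hash is one of the three from the summary.
        if e["md5"].lower() in KNOWN_PAYLOAD_MD5S:
            hits.append(("known payload hash", e["pid"], e["md5"]))
    return hits

# Constructed sample events (not from the captured PCAP): one benign cmd.exe, one kit chain.
SAMPLE_LOG = """\
pid=100|ppid=1|image=C:\\Windows\\explorer.exe|cmdline=explorer.exe|md5=
pid=200|ppid=100|image=C:\\Program Files\\Java\\jre6\\bin\\javaw.exe|cmdline=javaw.exe|md5=
pid=300|ppid=200|image=C:\\Windows\\System32\\cmd.exe|cmdline=cmd.exe /c C:\\Users\\bob\\AppData\\Local\\Temp\\g.exe|md5=
pid=400|ppid=300|image=C:\\Users\\bob\\AppData\\Local\\Temp\\g.exe|cmdline=g.exe|md5=0e9337ee028e3e4b0bffebd7d1e502d2
pid=500|ppid=100|image=C:\\Windows\\System32\\cmd.exe|cmdline=cmd.exe /c dir|md5=
"""

def scan(log=SAMPLE_LOG):
    return find_hits([parse_event(l) for l in log.splitlines() if l.strip()])
```

The benign cmd.exe spawned by explorer.exe produces no hit; only the Java-spawned cmd.exe running g.exe from Temp and the image with a listed hash are flagged.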


Another 'piece of ... art' work by someone who just learnt how to write 'Hello, World!'. I guess I should take a stab at naming it. 'Toby EK' sounds too simple and non-tech. 'Teletubbies EK' on the other hand reflects both the technical complexity of the exploit kit and the professional level of the author/authors. Well, anyway here is the summary for this particular sample.

General Information
Name: Unknown
Date captured: 2013-09-05
Date analysed: 2013-09-07
Source/Credits: PCAP from @urlquery shared by @Set_Abominae

Infection vectors detected: Java, Adobe
Vulnerabilities targeted:

Landing page
Transfer mode: encoded / gzip
Obfuscation: No
JVM parameters: None

Java infection vector
Captured with: Java 1.6.26
Obfuscation: None
JAR hidden content: None
Initial Payload delivery method: URL
Initial Payload encryption/encoding: No
Initial Payload store location: Java Temp folder
Initial Payload filename: Hardcoded - 'g.exe'

Adobe infection vector
Captured with: Adobe Reader 8
Initial Payload delivery method: URL
Initial Payload store location: User Temp folder
Initial Payload filename: Hardcoded - 'update.exe'

Automated analysis
Exploit components:
PDF1 -
PDF2 -
PDF3 -
PDF4 -
PDF5 -
Delivered malware:
EXE1(MD5 0e9337ee028e3e4b0bffebd7d1e502d2)
EXE2(MD5 de660551fb0670c16ec5b344d63406dd)
EXE3(MD5 3256da849bc3c62a6a015cf077794df2)

Additional Information

BitCoin miner is configured to use
'' mining pool.
