NOTE: The information is based on a sample captured on 2013-09-05
"Heigh-ho, Heigh-ho"
URL pattern is rather 'messy', but at the same time unique.
HTTP requests observed
The Landing Page is as simple as it can be. No fancy JavaScript, no obfuscation, no data encoding. It targets Java and Adobe products by bombarding a potential victim's machine with everything it has, without doing any version checks. Here is the list of vulnerabilities it tries to exploit:
- CVE-2010-0188 (Adobe Reader and Acrobat before 8.2.1 and before 9.3.1)
- CVE-2010-1297 (Adobe Flash Player before 9.0.277.0 and before 10.1.53.64; Adobe AIR before 2.0.2.12610; and Adobe Reader and Acrobat before 9.3.3, and before 8.2.3)
- CVE-2010-2884 (Adobe Flash Player 10.1.82.76 and earlier and Adobe Reader and Acrobat before 9.4 and before 8.2.5)
- CVE-2008-2992 (Adobe Acrobat and Reader 8.1.2 and earlier)
- CVE-2013-2465 (Java 7 through to update 21, Java 6 update 45 and earlier)
The Adobe infection vector starts with the assembly of an array holding the list of URLs that point at the malicious PDF files.
filling up array with URLs
Once the array is ready, the malicious PDFs are requested one by one using this function:
requesting malicious PDFs
It's possible that multiple copies of the Initial Payload will be requested if the Adobe product installed on the victim's PC is vulnerable to more than one of the attempted exploits. It's hard to tell, though, what exactly happens in that scenario, since the Initial Payload delivered through each Adobe exploit is stored under a hardcoded name, 'update.exe', in a predefined location, the user's Temp folder.
part of shellcode extracted from malicious PDF file
The Java infection vector starts with a request for a malicious JAR file. No additional parameters (encoded URL, decoding key, etc.) are passed to the JVM.
requesting JAR file using <object>
The author is possibly a big fan of 'Toby The Tram Engine' (sorry, couldn't resist). Anyway, the JAR file is armed with an exploit for CVE-2013-2465.
part of CVE-2013-2465 exploit code
The Initial Payload is requested using a hardcoded URL and stored in the Java Temp folder, yet again with a hardcoded filename, 'g.exe'.
The Initial Payload execution method is rather interesting: 'cmd.exe' is used.
Once executed, it launches the Internet browser and checks for Internet connectivity by 'calling home'.
The browser is redirected to 'Google', while an additional payload is requested in the background.
additional payload request
this one turned out to be a BitCoin miner
Neither the Initial nor the additional payloads were transferred with any encoding or encryption applied. At the time of writing, all three files had good coverage on VT (see the summary for more details).
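As an added, defender-side example (not part of the original post or the kit's own code), here is a small Python script that looks for the landing-page behaviour described above in proxy logs: several PDF requests in quick succession from one client to one host, followed by a JAR from the same host. The log format, hostnames and file names below are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the original capture):
# "<ISO timestamp> <client IP> <method> <URL>"
SAMPLE_LOG = """\
2013-09-05T10:00:01 10.0.0.5 GET http://ek.example.invalid/zx/landing.php
2013-09-05T10:00:02 10.0.0.5 GET http://ek.example.invalid/zx/q1.pdf
2013-09-05T10:00:02 10.0.0.5 GET http://ek.example.invalid/zx/q2.pdf
2013-09-05T10:00:03 10.0.0.5 GET http://ek.example.invalid/zx/q3.pdf
2013-09-05T10:00:03 10.0.0.5 GET http://ek.example.invalid/zx/q4.pdf
2013-09-05T10:00:04 10.0.0.5 GET http://ek.example.invalid/zx/q5.pdf
2013-09-05T10:00:05 10.0.0.5 GET http://ek.example.invalid/zx/toby.jar
2013-09-05T10:00:09 10.0.0.5 GET http://ek.example.invalid/zx/g.exe
2013-09-05T10:05:00 10.0.0.9 GET http://docs.example.invalid/report.pdf
"""


def parse_log(text):
    """Yield (timestamp, client, host, lowercased path) per log line."""
    for line in text.splitlines():
        ts, client, _method, url = line.split()
        parts = urlsplit(url)
        yield datetime.fromisoformat(ts), client, parts.netloc, parts.path.lower()


def find_pdf_spray(events, window=timedelta(seconds=30), min_pdfs=3):
    """Flag (client, host) pairs that fetch `min_pdfs` or more PDFs within
    `window` and note whether a JAR and an EXE followed from the same host:
    the 'no version check, request everything' pattern of this kit."""
    by_pair = defaultdict(list)
    for ts, client, host, path in events:
        by_pair[(client, host)].append((ts, path))
    hits = []
    for (client, host), reqs in by_pair.items():
        reqs.sort()
        pdf_times = [ts for ts, p in reqs if p.endswith(".pdf")]
        jar_times = [ts for ts, p in reqs if p.endswith(".jar")]
        exe_times = [ts for ts, p in reqs if p.endswith(".exe")]
        # Sliding window over PDF requests: enough of them close together?
        for i in range(len(pdf_times) - min_pdfs + 1):
            if pdf_times[i + min_pdfs - 1] - pdf_times[i] <= window:
                hits.append({"client": client, "host": host,
                             "pdf_count": len(pdf_times),
                             "jar_after_pdfs": any(t >= pdf_times[i] for t in jar_times),
                             "exe_fetched": bool(exe_times)})
                break
    return hits
```

A single PDF download from a document server (the last sample line) is not flagged; tune `window` and `min_pdfs` to the traffic you actually see.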
Summary
Another 'piece of ... art' work by someone who just learnt how to write 'Hello, World!'. I guess I should take a stab at naming it. 'Toby EK' sounds too simple and non-tech. 'Teletubbies EK' on the other hand reflects both the technical complexity of the exploit kit and the professional level of the author/authors. Well, anyway here is the summary for this particular sample.
| General Information | |
| --- | --- |
| Name | Unknown |
| Date captured | 2013-09-05 |
| Date analysed | 2013-09-07 |
| Source/Credits | PCAP from @urlquery shared by @Set_Abominae |
| Infection vectors detected | Java, Adobe |
| Vulnerabilities targeted | CVE-2010-0188, CVE-2010-1297, CVE-2010-2884, CVE-2008-2992, CVE-2013-2465 |

| Landing page | |
| --- | --- |
| Transfer mode | encoded / gzip |
| Obfuscation | No |
| TDS | No |
| JNLP | No |
| JVM parameters | None |

| Java infection vector | |
| --- | --- |
| Captured with | Java 1.6.26 |
| Obfuscation | None |
| JAR hidden content | None |
| Initial Payload delivery method | URL |
| Initial Payload encryption/encoding | No |
| Initial Payload store location | Java Temp folder |
| Initial Payload filename | Hardcoded - 'g.exe' |

| Adobe infection vector | |
| --- | --- |
| Captured with | Adobe Reader 8 |
| Initial Payload delivery method | URL |
| Initial Payload store location | User Temp folder |
| Initial Payload filename | Hardcoded - 'update.exe' |

| Automated analysis | |
| --- | --- |
| Exploit components | PDF1 - http://jsunpack.jeek.org/ PDF2 - http://jsunpack.jeek.org/ PDF3 - http://jsunpack.jeek.org/ PDF4 - http://jsunpack.jeek.org/ PDF5 - http://jsunpack.jeek.org/ |
| Delivered malware | EXE1 (MD5 0e9337ee028e3e4b0bffebd7d1e502d2) https://malwr.com/ https://www.virustotal.com EXE2 (MD5 de660551fb0670c16ec5b344d63406dd) https://malwr.com/ https://www.virustotal.com EXE3 (MD5 3256da849bc3c62a6a015cf077794df2) https://malwr.com/ https://www.virustotal.com |

| Additional Information | |
| --- | --- |
| The BitCoin miner is configured to use the 'eu-stratum.btcguild.com' mining pool. | |