I'm not sure the term 'exploit kit' is actually applicable here. Yes, there is exploit code copied from the PSA (Packet Storm Advisory) for 'CVE-2013-2465', but I'd expect more code around it before calling it a 'kit', and I can't imagine there is any server-side code. There is no environment validation of any sort: no plugin and version identification, no initial payload encryption, no data encoding, no code obfuscation. Base64 encoding is used just once to 'hide' a single string. So, another 'interesting' piece of work.
"Landing page"
URL pattern is short and simple.
The landing page is also short and simple.
The parameter name is the first hint at the possible origins of this Java exploit: 'kurban' is Turkish for 'victim'. The value held by this parameter is the Initial Payload location.
"JAR file"
The JAR file is 'packed' with goodies. Execution begins with an attempt to exploit the 'CVE-2013-2465' vulnerability.
part of PSA exploit code for CVE-2013-2465
Just before it dives into abusing the 'storeImageArray()' function, a single call to 'base64coder' is made to decode the one and only encoded string.
The author was rushing because mum had just called him/her for dinner and didn't bother cleaning up someone else's 'base64coder' code, which might have been copied from 'source-code.biz'. All the encoding methods were left in even though they are not used.
A few more hints pointing at the origins, or at least at one of the languages the author speaks.
Google translated from Turkish: 'dosyayazdirici' - file printer, 'baglantiaç' - open link, 'bayt' - byte. The screenshot above is part of the code that fetches the initial payload via the URL passed from the landing page. Once it's downloaded, it is stored in the default temporary-file directory under a hardcoded filename - 'thefire.exe'.
The link to the initial payload was dead by the time the capture was performed. Judging by the filename - 'install_flash_player.exe', it could have been 'ZeroAccess'.
One rather odd thing is the name of the method performing the exploit - 'uganda'. Maybe the author's favourite country, or maybe the target; who knows.
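For anyone triaging JARs from a similar capture, here is an added example (my own code, not from the original post or the sample) that does the static check the analysis above walks through by hand: open the archive, scan every .class entry for the identifiers called out above ('storeImageArray', 'kurban', 'uganda', 'base64coder', 'java.io.tmpdir', 'thefire.exe'), and decode any Base64-looking literal so the single 'hidden' string is surfaced. The indicator weights, the alert threshold, the fake class-file layout and the payload URL are all assumptions constructed for the demo; no real sample is used.

```python
"""Static triage of a JAR for the indicators this analysis describes.

Added example, not code from the original post. It builds a constructed JAR
in memory and scans its .class entries for the string constants and method
names the analysis calls out, then decodes Base64-looking literals.
"""
import base64
import binascii
import io
import re
import zipfile
from typing import Dict, List

# Indicator -> weight. Weights are my own rough measure of specificity (assumption).
INDICATORS: Dict[bytes, int] = {
    b"storeImageArray": 3,  # native method abused by the CVE-2013-2465 exploit
    b"thefire.exe": 3,      # hardcoded dropped filename
    b"kurban": 2,           # applet parameter carrying the payload URL
    b"uganda": 1,           # method that performs the exploit
    b"base64coder": 1,      # Base64 helper copied in wholesale
    b"java.io.tmpdir": 1,   # default temporary-file directory property
}

# A run of Base64 alphabet characters, 16 or longer, not embedded in a longer run.
BASE64_RE = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def decode_base64_literals(data: bytes) -> List[str]:
    """Return printable ASCII decodings of Base64-looking runs in a class file."""
    decoded: List[str] = []
    for match in BASE64_RE.finditer(data):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid Base64, or not a text payload
        if text.isprintable():
            decoded.append(text)
    return decoded


def scan_jar(jar_bytes: bytes, threshold: int = 5) -> Dict[str, object]:
    """Score a JAR by indicator hits in its .class entries (threshold is an assumption)."""
    score = 0
    hits: Dict[str, List[str]] = {}
    decoded: List[str] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.filename.endswith(".class"):
                continue  # manifests and resources are not inspected here
            data = jar.read(info)
            entry_hits = [ind for ind in INDICATORS if ind in data]
            if entry_hits:
                hits[info.filename] = [ind.decode() for ind in entry_hits]
                score += sum(INDICATORS[ind] for ind in entry_hits)
            decoded.extend(decode_base64_literals(data))
    return {"score": score, "hits": hits, "decoded": decoded,
            "suspicious": score >= threshold}


# Constructed stand-in for the captured JAR: fake class files carrying the
# kind of string constants a compiled class keeps in its constant pool.
SAMPLE_PAYLOAD_URL = "http://payload.example.invalid/install_flash_player.exe"  # constructed


def _fake_class(*constants: bytes) -> bytes:
    # Class-file magic followed by NUL-separated constants (a real constant
    # pool uses length prefixes; NULs keep the demo bytes simple and unambiguous).
    return b"\xca\xfe\xba\xbe" + b"\x00".join(constants)


def build_sample_jar(malicious: bool = True) -> bytes:
    """Build a constructed JAR in memory; malicious=False yields a benign control."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if malicious:
            jar.writestr("Exploit.class", _fake_class(
                b"storeImageArray", b"uganda", b"kurban", b"base64coder", b"getParameter"))
            jar.writestr("Dropper.class", _fake_class(
                b"java.io.tmpdir", b"thefire.exe",
                base64.b64encode(SAMPLE_PAYLOAD_URL.encode())))
        else:
            jar.writestr("Hello.class", _fake_class(b"Hello", b"println"))
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_jar(build_sample_jar())
    for entry, found in report["hits"].items():
        print(f"{entry}: {', '.join(found)}")
    print("decoded literals:", report["decoded"])
    print("score:", report["score"], "suspicious:", report["suspicious"])
```

Raw byte search works here because javac stores string literals, field names and method names as plain UTF-8 in the constant pool, which is exactly why a sample with no obfuscation gives itself away this easily; the Base64 pass is what recovers the one string the author did bother to hide.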
"Summary"
| Field | Value |
|---|---|
| General Information | |
| Name | Unknown |
| Date captured | 2013-10-02 |
| Date analysed | 2013-10-04 |
| Source/Credits | Live Fiddler capture |
| Infection vectors detected | Java |
| Vulnerabilities targeted | CVE-2013-2465 |
| Landing page | |
| Transfer mode | plain text |
| Obfuscation | No |
| TDS | No |
| JNLP | No |
| JVM parameters | 1 |
| Java infection vector | |
| Captured with | Direct download - Firefox/14.0.1 |
| Obfuscation | None |
| JAR hidden content | None |
| Initial Payload delivery method | URL |
| Initial Payload encryption/encoding | No |
| Initial Payload store location | Default temporary-file directory |
| Initial Payload filename | Hardcoded - 'thefire.exe' |
| Adobe infection vector | |
| Captured with | Not implemented |
| Initial Payload delivery method | |
| Initial Payload store location | |
| Initial Payload filename | |
| Automated analysis | |
| Exploit components | Java JAR - virustotal.com |
| Delivered malware | No sample available |
| Additional Information | |
| Possibly originated from Turkey or the author speaks Turkish | |