Thanks to @Set_Abominae for sharing 'intel' on this sample. The analysis was done using the data gathered during Fiddler 'live' capture.
Update 2014-01-27:
This exploit kit got an official name - Infinity.
Infinity Exploit kit logo
Update 2013-11-25:
@PhysicalDrive0 giving this EK a fancy name in this blog post.
"Smokey, this is not 'Nam. This is bowling. There are rules."
Compromise attempt starts with visiting a website injected with malicious '<iframe>'.
<iframe> injected into one of the pages on compromised website
As a side note, the website in this particular sample had been compromised twice. The same page that redirects the browser to some unknown EK also has 'CookieBomb' script injected in it.
part of 'CookieBomb' script
part of deobfuscated 'CookieBomb' script
URL the 'CookieBomb' is leading to was dead at the time the 'live' capture took place. More on 'CookieBomb' threat can be found on MMD website.
Back to Unknown EK now, the following URL pattern was observed - pastebin.com.
'Unknown EK' URL pattern
Seeing 'cnt.php' redirect script, more likely, indicates that the website was compromised through CVE-2013-1862. Hendrick Adrian(MMD) covered this subject in great details in one of his blog posts.
The EK landing page is as simple as it can only be.
Unknown EK landing page - request for JNLP
JNLP file will launch JavaFX application.
Unknown EK JNLP file
Note a number of HTTP GET requests after JavaFX application JAR is downloaded. These are result of 'Class-Path' header having references to them in 'MANIFEST.MF' file.
Unknown EK MANIFEST.MF file content
Also note, there is no HTTP GET request in Fiddler log for the Initial Payload. This is due to the way it's being requested. During JavaFX application execution the control is passed to 'javaw.exe' tool along with the class file that requests and executes the Initial Payload. 'javaw.exe' tool is not 'proxy-aware' and will send the request directly to the malicious website which technically means if you're on the network behind a web proxy and no direct access to the Internet you're safe from this exploit kit.
"Back off, man. I'm a scientist!"
There is almost no obfuscation applied to the code - some of the string variable values are split and then concatenated.
string value obfuscation example
The JAR file is armed with an exploit code for CVE-2013-2460.
part of exploit code for 'CVE-2013-2460'(after deobfuscation)
Once execution privileges are elevated, a hidden .class file is decoded and loaded. During this process it'll be saved to Java Temp folder with 'NewClass.class' filename. The class file is encoded with 'base64'. It handles Initial Payload download and execution.
part of 'base64' encoded hidden .class file
The Initial Payload URL location is not stored in any of the parameters passed to JVM or variables within the code. Instead, it's generated using some tricks JavaFX has to offer.
JavaFX trick to get part of JNLP URI
The code above will return JNLP file parent folder URI - in this case 'hxxp://vinnypedulla.com/5/201311/'. The second part of the path will be dynamically generated using current time stamp following this pattern 'HHmmss' - for example, '113458.mp3' . The routine in the screenshot below combines both parts and requests the initial payload.
part of the Initial Payload fetcher code
The initial payload filename will be created by adding the same 6 digits(time stamp) and '.exe' string together. The file will be stored in Java Temp folder. Before it's stored and executed, it's decoded using XOR with predefined key - 'binkey'.
"Summary"
This exploit kit sample is implemented as a JavaFX application. Some variables names suggest the creator of it is a Turkish speaker - names examples: 'fia', 'analiz', 'fout', 'bais'. Light complexity. Will fail if targeted machine is behind a web proxy and has no direct access to the Internet.
| Summary Information | |
| Name: | Unknown |
| Date captured: | 2013-11-22 |
| Date analysed: | 2013-11-23 |
| Source/Credits: | Intel source - @Set_Abominae. Data source - live traffic capture with Fiddler. |
| Infection vectors detected: | Java/JavaFX |
| Vulnerabilities targeted: | |
| Landing page | |
| Transfer mode: | plain text |
| Obfuscation: | No |
| TDS: | No |
| JNLP: | Yes |
| JVM parameters: | None |
| Java infection vector | |
| Analysed with: | Java 1.7.17 |
| Obfuscation: | Simple string values obfuscation |
| JAR hidden content: | Hidden .class file - 'NewClass.class' |
| Initial Payload delivery method: | URL |
| Initial Payload encryption/encoding: | XOR. key - 'binkey' |
| Initial Payload store location: | Java Temp folder |
| Initial Payload filename: | Generated using current time - HHmmss |
| Adobe infection vector | |
| Analysed with: | NA |
| Initial Payload delivery method: | NA |
| Initial Payload store location: | NA |
| Initial Payload filename: | NA |
| Automated analysis | |
| Exploit components: | JAR - https://www.virustotal.com |
| Delivered malware: | EXE(MD5 b7b352ecb0ea8fc52c5a6a515b85c7e0) https://malwr.com/ https://www.virustotal.com |
| Additional Information | |
| EK creator is possibly a Turkish-speaker. |
No comments:
Post a Comment