Thursday, November 6, 2014

American Express Phishing Campaign


Phishing is a well known attack vector, often used by cyber criminals to steal sensitive information like authentication credentials, credit cards, personal information, etc. As the Thanksgiving and holiday shopping season approaches, we are anticipating a sharp rise in cyber scams and phishing campaigns.

In this post we want to share a recent phishing campaign targeting American Express users. Below are the domains and IP addresses involved in this campaign:

hxxp://agericam-exprezs[.]com : 91.185.215[.]137
hxxp://amepigan-extuezs[.]com : 146.0.72[.]188

The screenshots below show the American Express site as mirrored on the domains mentioned above:



The page accepts any credentials and then redirects the user to a second fraudulent page asking for sensitive information such as their Social Security Number (SSN) and date of birth, as seen below:


After phishing for user credentials and personal information, the cyber criminal then asks for the credit card details on the following page:



       
The phishing site sends all the stolen information to a remote server at 94.23.250[.]137 and redirects the user to the original American Express site.


It is extremely important for users to carefully examine the URL in their browser, as well as the SSL certificate information, in order to avoid falling for such phishing attempts.

RIG Exploit Kit Live Infection


We are seeing another wave of RIG Exploit Kit (EK) compromised sites and wanted to quickly share a sample compromised site we observed along with the infection chain:
  • www.novaproduction[.]fr/show.php

The compromised site redirects the user to the RIG EK landing site:
  • www.clause.senior-sherpa[.]net
The exploit payload delivered by this RIG EK landing site targets MS13-009, the Microsoft Internet Explorer COALineDashStyleArray integer overflow vulnerability, in Internet Explorer (IE) 10. Although the content is obfuscated, it is not difficult to identify the vulnerability being exploited, as seen below.


The code first checks for IE by creating an ActiveXObject of type Microsoft.XMLDOM and loading an XML string with it. It then determines whether 32-bit or 64-bit IE is present by checking for the specific error code "-2147023083". Once that check passes, deobfuscating the next chunk of the exploit payload gives the full picture.

We also observed the download of a Silverlight file containing a CVE-2013-0074 exploit.
VirusTotal detection ratio: 10/53

Several RIG EK attacks have been observed in the past from IP address 46.182.30.250, which the RIG EK operators repeatedly use to host their EK payloads. We highly recommend blocking communications to this IP address.

Wednesday, September 17, 2014

46.182.31[.]204 - Hosting RIG EK


Earlier this month, we published a blog about RIG EK's activity. On 9/9/2014 we also published a scrapbook blog about a RIG EK live infection involving IP 46.182.31[.]247. Subsequently, we have found multiple RIG EK domains associated with IP 46.182.31[.]204, which belongs to the same subnet. In this post, we would like to share the IPs and domains observed on 46.182.31[.]204.


Domains
asod.bandgwindows[.]com
azpapo.artefact-it[.]com
dgiuq.artbuscourse[.]com
potwut.arnoldandpearn[.]com
sido.ashleychancellor[.]com
sudia.ashleychancellor[.]com
uioai.artisan-rose[.]com
wtnweu.bandgwindows[.]com


Common URL pattern:
/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg

No surprises! Once again, this IP is hosted in Russia.


We advise blocking the subnet 46.182.31.XX (46.182.31.0/24).


Thursday, September 11, 2014

RIG EK live infection

The RIG exploit kit has recently been very active in the wild. During data mining we are seeing many infections spread by this well-known EK. Over time RIG's infection routine has become much more sophisticated; the following is a brief outline of the Flash exploit cycle we have seen recently.

Compromised domain:

www[.]crazycashclub[.]com

Redirection chain:

www[.]crazycashclub[.]com
alllacqueredump[.]com/some[.]phtml
alllacqueredump[.]com/some[.]phtml?gonext=true&r=

EK domain (46.182.31.247):

Landing page URL:
wey[.]anojirox[.]com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|NTdiMzRjMDI2NjkxNDg3MjQyZTRhNTkxYmFiZjRhYjY

Flash exploit download URL:
wey[.]anojirox[.]com/index[.]php?req=swf&num=978&PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|NTdiMzRjMDI2NjkxNDg3MjQyZTRhNTkxYmFiZjRhYjY

File name: index.swf
MD5: cd369e91ff61a2c1c493a686dd17f777
Size: 4276 bytes
Detection ratio: 5/55

Reference:
http://research.zscaler.com/2014/09/rig-ek-outbreak-continues.html

Wednesday, May 28, 2014

Recent Angler EK Malicious Redirects

Recently we have seen a rise in Angler exploit kit activity. Compromised websites are injected with JS or iFrame code that redirects visitors to malicious redirectors, which in turn make the final redirection to the exploit kit page. The new malicious redirector URLs have the pattern '/script.html?0.'. The latest blog post on 'malware-traffic-analysis.net' shows an example of Angler EK being loaded into a victim's browser through this malicious redirection.

Malicious redirection (Fiddler session for 'www[.]coventryboysclub[.]com'):

Malicious JavaScript injected into the compromised website:

The injected JavaScript shown above results in the malicious redirection.

Data mining our logs for URLs containing the pattern '/script.html?0.' turned up the following malicious Angler EK redirectors.

Unique malicious redirector domains:
17530ded[.eu]
1ce93eab[.eu]
448a2efd[.eu]
4f301dbb[.eu]
a45559ce[.eu]
f78c7ade[.eu]


Snort signature:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ANGLER EK Malicious Redirector"; flow:established,to_server; content:"/script.html?0."; http_uri; nocase; classtype:trojan-activity; reference:''; sid:XXXXX; rev:XX;)
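The two URL patterns this page documents, the RIG EK PHPSSESID query string from the September posts and the '/script.html?0.' Angler redirector above, turned into a proxy-log check; this is an added example, not code from the original posts. The log lines are constructed, the hostnames reuse the ones the posts name with the defanging brackets removed, and the PHPSSESID token is the one quoted in the RIG posts.

```python
import re
from urllib.parse import urlsplit, parse_qs

# RIG EK (September 2014 posts): every landing and payload URL carried the
# same PHPSSESID value: a 42-character token, a '|' and a base64-looking suffix.
RIG_TOKEN = "njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg"  # token quoted in the posts
RIG_VALUE_RE = re.compile(r"^[A-Za-z0-9]{20,}\|[A-Za-z0-9]{20,}$")
# Angler EK redirectors (May 2014 post): '/script.html?0.<random fraction>'
ANGLER_RE = re.compile(r"^/script\.html\?0\.\d+$")

def classify_url(url):
    """Return 'RIG-KNOWN', 'RIG-PATTERN', 'ANGLER' or None for a single URL."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    if ANGLER_RE.match(parts.path + "?" + parts.query):
        return "ANGLER"
    for value in parse_qs(parts.query).get("PHPSSESID", []):
        if RIG_VALUE_RE.match(value):
            # Same token as the posts means the same campaign; a fresh token of the same shape is still suspicious.
            return "RIG-KNOWN" if value.startswith(RIG_TOKEN + "|") else "RIG-PATTERN"
    return None

# Constructed proxy log lines (not from the posts), one "client method url" per line.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.crazycashclub.com/
10.0.0.5 GET http://alllacqueredump.com/some.phtml?gonext=true&r=
10.0.0.5 GET http://wey.anojirox.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|NTdiMzRjMDI2NjkxNDg3MjQyZTRhNTkxYmFiZjRhYjY
10.0.0.5 GET http://wey.anojirox.com/index.php?req=swf&num=978&PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|NTdiMzRjMDI2NjkxNDg3MjQyZTRhNTkxYmFiZjRhYjY
10.0.0.9 GET http://www.coventryboysclub.com/
10.0.0.9 GET http://1ce93eab.eu/script.html?0.30079703810562597
10.0.0.9 GET http://example.org/script.html?v=0.3
10.0.0.9 GET http://example.org/?PHPSSESID=abc
"""

def scan_log(text):
    """Return (line_number, hostname, label) for every line whose URL matches an EK pattern."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3:
            continue
        label = classify_url(fields[2])
        if label:
            hits.append((number, urlsplit(fields[2]).hostname, label))
    return hits
```

The last two sample lines are near misses (a query that merely contains "0.3", and a short PHPSSESID value) and are deliberately not flagged.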

Compromised websites:


Pradeep

Wednesday, November 27, 2013

Health Care Sites Prime Targets for Scammers

A few weeks ago I wrote a blog about a spear-phishing campaign trying to capitalize on Americans desperate for information on the ever-changing healthcare laws. Today, I'll be reviewing another such attack. The threat in question does not appear to be downloading any malicious content at the time of publication, but I will detail how the compromised site is still hosting malicious obfuscated JavaScript that redirects victims to third-party content before they view the site.

The site in question is hxxp://www.healthawards.com/.

Below is a screenshot of the obfuscated JS (JavaScript), redirecting the user's traffic to another site.

The precise path in question is highlighted in blue.
Once deobfuscated, we see that there is an injected hidden iFrame, which redirects the victim to a site previously registered out of Ukraine. This would typically spell disaster, but luckily for victims, right now the site is returning a 404 page not found error. A quick Google lookup will yield some information on other attempts at this attack.

Note the hidden iFrame
The conclusion we can draw is that health care is a hot topic. Users should practice better browsing habits, especially when the topic they are researching is prime subject matter for scammers! Mind your clicks.

Friday, October 11, 2013

Sweet Orange Dropping some Sweet Botnet action

I recently saw a very thorough blog on a new flavor of the Sweet Orange Exploit Kit and thought I might throw in some additional research I found. So let's start with what we know!

There are several hacked WordPress and Joomla sites that clearly continue to operate without the compromise being noticed by those administering them. One such example is seen in the screenshot below:

The first line is a hidden iframe taking you to Sweet Orange EK.
I've seen numerous other sites listed as referral URLs for this malicious activity, based on a search of transactions carried out on the IP in the same class C mentioned in prior research (95.163.121.17).

The idea here is that the attackers take control of a legitimate site, redirect the user to their EK via a hidden iFrame, assess their Java version, and strike accordingly.  All of this is highly reproducible in the lab.

The malicious iFrame leads to your very own Sweet Orange EK!

I won't go into too much detail about the actual .jar file inspection since it was done so thoroughly here. I will say that it checks for a Java version 1.7 or greater and that it manipulates the system via CVE-2013-2460. The end result is a dropped executable on the victim's machine. This executable displays botnet activity by making regularly scheduled POSTs back to a single IP in all instances run.

I did some Behavioral Analysis on the executable dropped this way and found that it is contacting an IP (130.0.238.26).


POST activity made
All URLs queried by a sample
Victims of this attack can be expected to contact this same address every 9 minutes, based on historical data of this threat in action in our lab. It achieves this by creating a file with administrative rights in the All Users directory in Windows.


The file name is randomly generated.
9 Minute intervals of phone home transactions
I hope this helps administrators or other researchers, who actively monitor for botnet activity related to this threat.
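One way to pick the regular 9-minute phone-home described above out of proxy records, as an added example that is not part of the original post. The records are constructed: 130.0.238.26 is the address named in the post, 192.0.2.10 is a documentation-range filler address, and the second client's irregular POSTs show what the jitter filter rejects.

```python
from datetime import datetime
from statistics import median

# Constructed proxy records (not from the post): (time, client, destination, method).
RECORDS = [
    ("2013-10-10 09:00:00", "10.0.0.7", "130.0.238.26", "POST"),
    ("2013-10-10 09:03:12", "10.0.0.7", "192.0.2.10", "GET"),
    ("2013-10-10 09:09:01", "10.0.0.7", "130.0.238.26", "POST"),
    ("2013-10-10 09:17:59", "10.0.0.7", "130.0.238.26", "POST"),
    ("2013-10-10 09:20:40", "10.0.0.7", "192.0.2.10", "GET"),
    ("2013-10-10 09:27:02", "10.0.0.7", "130.0.238.26", "POST"),
    ("2013-10-10 09:36:00", "10.0.0.7", "130.0.238.26", "POST"),
    # A second client posting to a legitimate site at irregular intervals.
    ("2013-10-10 09:00:00", "10.0.0.8", "192.0.2.10", "POST"),
    ("2013-10-10 09:02:00", "10.0.0.8", "192.0.2.10", "POST"),
    ("2013-10-10 09:17:00", "10.0.0.8", "192.0.2.10", "POST"),
    ("2013-10-10 09:17:40", "10.0.0.8", "192.0.2.10", "POST"),
    ("2013-10-10 10:07:40", "10.0.0.8", "192.0.2.10", "POST"),
]

def find_beacons(records, min_posts=4, max_jitter=0.1):
    """Return {(client, destination): period_seconds} for pairs that exchange
    at least min_posts POSTs whose gaps all lie within max_jitter (a fraction)
    of the median gap, i.e. the kind of fixed-interval phone-home the post describes."""
    by_pair = {}
    for ts, client, dest, method in records:
        if method == "POST":
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            by_pair.setdefault((client, dest), []).append(when)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_posts:
            continue
        times.sort()
        # Inter-arrival gaps between consecutive POSTs, in seconds.
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period > 0 and all(abs(g - period) <= max_jitter * period for g in gaps):
            beacons[pair] = period
    return beacons
```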