Wednesday, September 17, 2014

46.182.31[.]204 - Hosting RIG EK


Earlier this month, we published a blog about RIG EK's activity. On 9/9/2014 we also published a scrapbook blog about a RIG EK live infection impacting IP 46.182.31[.]247. Subsequently, we have found multiple RIG EK domains associated with IP 46.182.31[.]204, which belongs to the same subnet. In this post, we would like to share the IPs and domains observed on 46.182.31[.]204.


Domains
asod.bandgwindows[.]com
azpapo.artefact-it[.]com
dgiuq.artbuscourse[.]com
potwut.arnoldandpearn[.]com
sido.ashleychancellor[.]com
sudia.ashleychancellor[.]com
uioai.artisan-rose[.]com
wtnweu.bandgwindows[.]com


URLs
asod.bandgwindows.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|ODI2Mjk4MzRjYTUzZDM5ZGFjMzg4MWYwMTlmMWYzYmQ
azpapo.artefact-it.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|MDg3MGIxOTA4NTJhZTJjODVhZDcyYTU4NzczYzRmMDI
azpapo.artefact-it.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|MWM2YWFjYmQ4ZjIzMDg5NTFhYzQxODA2NWFjMzIwYzM
dgiuq.artbuscourse.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|NmViYzg1NTdhN2E5NDhlN2YyZmIwMjNiZjQ0ZmQzZjA
potwut.arnoldandpearn.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|OWEwM2I0ZWYxNjljMTgzMjg3MDE4NTY1MmQwZGJlNDU
sido.ashleychancellor.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|YzdiN2Y0YzVlMzMwNzYxM2EyZGU0Y2QwNDkwOWI4MmQ
sudia.ashleychancellor.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|Zjk0ZTQxM2U2MjUxOWQ1ZTI0MzkyODc1ZjM4ZjU4ZTQ
uioai.artisan-rose.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|Y2I2YTAzYzRiZGI3Yjg1M2ZhNTgwMThlMjFhODU4MGQ
wtnweu.bandgwindows.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|ODI2Mjk4MzRjYTUzZDM5ZGFjMzg4MWYwMTlmMWYzYmQ

Common URL pattern:
/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg

No surprises! Once again, this IP is hosted in Russia.

Geo Location of IP - 46.182.31[.]204

We advise blocking subnet 46.182.31.XX.  


Thursday, September 11, 2014

RIG EK live infection.

Recently the RIG exploit kit has been found to be very active in the wild. During data mining we are seeing a lot of infections spread by this well-known EK. Over time RIG's infection routine has become much more sophisticated; the following is a brief outline of the Flash exploit cycle we have seen recently.

Compromised Domain  

www[.]crazycashclub[.]com

Redirection Chain :

www[.]crazycashclub[.]com
alllacqueredump[.]com/some[.]phtml
alllacqueredump[.]com/some[.]phtml?gonext=true&r=

EK domain [46.182.31.247]:

Landing page URL:
wey[.]anojirox[.]com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|NTdiMzRjMDI2NjkxNDg3MjQyZTRhNTkxYmFiZjRhYjY

RIG EK Landing page
Flash Exploit download:
wey[.]anojirox[.]com/index[.]php?req=swf&num=978&PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|NTdiMzRjMDI2NjkxNDg3MjQyZTRhNTkxYmFiZjRhYjY   

Flash Exploit Download


File Name: index.swf
MD5 : cd369e91ff61a2c1c493a686dd17f777
Size: 4276 bytes
Detection Ratio : 5 / 55

Reference:
http://research.zscaler.com/2014/09/rig-ek-outbreak-continues.html

Wednesday, May 28, 2014

Recent Angler EK Malicious Redirects

Recently we have seen a rise in Angler exploit kit activity. Compromised websites are injected with JS or iFrame code that redirects to malicious redirectors, which in turn make a final redirection to the exploit kit page. The new malicious redirector URLs have the pattern '/script.html?0.'. The latest blog post on 'malware-traffic-analysis.net' shows an example of Angler EK being loaded into a victim's browser through the malicious redirection.

Malicious redirection:
Fiddler session for 'www[.]coventryboysclub[.]com'

Malicious JavaScript injected in compromised website:
The above malicious JavaScript code results in the malicious redirection.

Data mining our logs for URLs containing the pattern '/script.html?0.' resulted in the following malicious Angler EK redirectors.

Malicious Angler EK redirectors:
17530ded[.eu]/script.html?0.13876973787067392
1ce93eab[.eu]/script.html?0.30079703810562597
1ce93eab[.eu]/script.html?0.5477884006263802
1ce93eab[.eu]/script.html?0.6488428461203992
1ce93eab[.eu]/script.html?0.7534362460971151
1ce93eab[.eu]/script.html?0.7674786154127338
1ce93eab[.eu]/script.html?0.7932614087042251
1ce93eab[.eu]/script.html?0.9669280422046333
448a2efd[.eu]/script.html?0.0715755006824948
448a2efd[.eu]/script.html?0.0720967955057204
448a2efd[.eu]/script.html?0.12396148345095875
448a2efd[.eu]/script.html?0.13752752957795783
448a2efd[.eu]/script.html?0.18893366786652915
448a2efd[.eu]/script.html?0.20055626430884171
448a2efd[.eu]/script.html?0.39297801338546823
448a2efd[.eu]/script.html?0.559672783549431
448a2efd[.eu]/script.html?0.6315227990825216
448a2efd[.eu]/script.html?0.7142925010479783
448a2efd[.eu]/script.html?0.8961863257529772
4f301dbb[.eu]/script.html?0.01165945767279103
4f301dbb[.eu]/script.html?0.014521439900151145
4f301dbb[.eu]/script.html?0.02909044735133648
4f301dbb[.eu]/script.html?0.03621192215809843
4f301dbb[.eu]/script.html?0.06040500026673318
4f301dbb[.eu]/script.html?0.06620727899416734
4f301dbb[.eu]/script.html?0.07592342863790691
4f301dbb[.eu]/script.html?0.1056965972170999
4f301dbb[.eu]/script.html?0.17805376858450472
4f301dbb[.eu]/script.html?0.19134165719151497
4f301dbb[.eu]/script.html?0.2468458686489612
4f301dbb[.eu]/script.html?0.24732987699098885
4f301dbb[.eu]/script.html?0.2543650954030454
4f301dbb[.eu]/script.html?0.2642859390177215
4f301dbb[.eu]/script.html?0.2660833156109414
4f301dbb[.eu]/script.html?0.2754311924800277
4f301dbb[.eu]/script.html?0.27670867019332945
4f301dbb[.eu]/script.html?0.29127717796637753
4f301dbb[.eu]/script.html?0.3498865964383262
4f301dbb[.eu]/script.html?0.4132859113160521
4f301dbb[.eu]/script.html?0.4316767655261651
4f301dbb[.eu]/script.html?0.46010713503146305
4f301dbb[.eu]/script.html?0.47877446282655
4f301dbb[.eu]/script.html?0.4854609586764127
4f301dbb[.eu]/script.html?0.5035464715788367
4f301dbb[.eu]/script.html?0.519372357023097
4f301dbb[.eu]/script.html?0.5978336764965206
4f301dbb[.eu]/script.html?0.6030608513009923
4f301dbb[.eu]/script.html?0.6646832349838363
4f301dbb[.eu]/script.html?0.6854731151236686
4f301dbb[.eu]/script.html?0.6923399699988695
4f301dbb[.eu]/script.html?0.7101008273554276
4f301dbb[.eu]/script.html?0.7129303039578447
4f301dbb[.eu]/script.html?0.7612267575668117
4f301dbb[.eu]/script.html?0.7838674073533333
4f301dbb[.eu]/script.html?0.8025677101686597
4f301dbb[.eu]/script.html?0.8119433565801674
4f301dbb[.eu]/script.html?0.8321910223375173
4f301dbb[.eu]/script.html?0.8715455498891258
a45559ce[.eu]/script.html?0.027045608394174858
a45559ce[.eu]/script.html?0.16082289349287748
a45559ce[.eu]/script.html?0.7227968745864928
a45559ce[.eu]/script.html?0.8441381920129061
a45559ce[.eu]/script.html?0.954297112329845
f78c7ade[.eu]/script.html?0.09228469401218814
f78c7ade[.eu]/script.html?0.10404549677160007
f78c7ade[.eu]/script.html?0.11600669038614808
f78c7ade[.eu]/script.html?0.11630317475646734
f78c7ade[.eu]/script.html?0.2312467397204906
f78c7ade[.eu]/script.html?0.23150813408511922
f78c7ade[.eu]/script.html?0.39454319607259774
f78c7ade[.eu]/script.html?0.3989205304533243
f78c7ade[.eu]/script.html?0.44393448705808724
f78c7ade[.eu]/script.html?0.47427442020760046
f78c7ade[.eu]/script.html?0.5127957880031317
f78c7ade[.eu]/script.html?0.5951547447563215
f78c7ade[.eu]/script.html?0.5978974807076156
f78c7ade[.eu]/script.html?0.6755693661434181
f78c7ade[.eu]/script.html?0.7641308439307548
f78c7ade[.eu]/script.html?0.7996848016221056
f78c7ade[.eu]/script.html?0.9036962888203561
f78c7ade[.eu]/script.html?0.9408518108599162
 


Unique malicious redirector domains:
17530ded[.eu]
1ce93eab[.eu] 
448a2efd[.eu]
4f301dbb[.eu]
a45559ce[.eu]
f78c7ade[.eu] 


Snort signature: 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ANGLER EK Malicious Redirector"; flow:established,to_server; content:"/script.html?0."; http_uri; nocase; classtype:trojan-activity; sid:XXXXX; rev:XX;)
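The Snort rule above and the fixed PHPSSESID token from the two RIG posts translate directly into a log-side check. The Python below is an added example, not Zscaler's code: it parses a constructed proxy-log layout (the field order is an assumption, not a real product format), flags URIs carrying the RIG token, destinations inside the 46.182.31.0/24 subnet the RIG post advises blocking, and the Angler '/script.html?0.' redirector pattern. The sample log lines are constructed around the hosts, IPs and URIs quoted in the posts; timestamps and client addresses are made up.

```python
"""Scan proxy-log lines for RIG EK and Angler EK URL indicators.

Added example (not Zscaler's code). Log layout and sample lines are constructed;
the indicators themselves are the ones listed in the posts."""
import ipaddress
import re
from typing import Dict, List, Optional

# Indicators quoted from the posts.
RIG_TOKEN = "njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg"
RIG_SUBNET = ipaddress.ip_network("46.182.31.0/24")   # "46.182.31.XX" in the post
# The key in RIG's URLs is spelled PHPSSESID, not PHP's default PHPSESSID, so
# matching the exact key plus the fixed token is very specific.
RIG_TOKEN_RE = re.compile(r"(?:^|[?&])PHPSSESID=" + re.escape(RIG_TOKEN) + r"\|")
# Log-side equivalent of the Snort content match "/script.html?0." with nocase,
# tightened to require the digits a JavaScript Math.random() value leaves behind.
ANGLER_RE = re.compile(r"^/script\.html\?0\.\d+$", re.IGNORECASE)

# Constructed log layout (an assumption): "<timestamp> <client_ip> <dest_ip> <method> <host> <uri>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dest>\S+)\s+(?P<method>\S+)\s+(?P<host>\S+)\s+(?P<uri>\S+)$"
)


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if it matches no indicator."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None                      # unparseable line: skip it, do not abort the scan
    uri = m.group("uri")
    try:
        dest = ipaddress.ip_address(m.group("dest"))
    except ValueError:
        dest = None
    family = reason = None
    if RIG_TOKEN_RE.search(uri):
        family, reason = "RIG", "fixed PHPSSESID token in URI"
    elif dest is not None and dest in RIG_SUBNET:
        family, reason = "RIG", f"destination inside blocked subnet {RIG_SUBNET}"
    elif ANGLER_RE.match(uri):
        family, reason = "Angler", "redirector pattern /script.html?0.<digits>"
    if family is None:
        return None
    return {"ts": m.group("ts"), "client": m.group("client"), "host": m.group("host"),
            "dest": m.group("dest"), "family": family, "reason": reason}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over every line and keep only the hits."""
    return [f for f in map(classify, lines) if f is not None]


# Constructed sample log built around the posts' indicators.
SAMPLE_LOG = [
    "2014-09-17T10:00:01Z 10.0.0.5 46.182.31.204 GET asod.bandgwindows.com "
    "/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|ODI2Mjk4MzRjYTUzZDM5ZGFjMzg4MWYwMTlmMWYzYmQ",
    "2014-09-11T08:30:12Z 10.0.0.7 46.182.31.247 GET wey.anojirox.com "
    "/index.php?req=swf&num=978&PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|NTdiMzRjMDI2NjkxNDg3MjQyZTRhNTkxYmFiZjRhYjY",
    "2014-09-17T10:05:00Z 10.0.0.5 46.182.31.204 GET unknown-host.example /favicon.ico",
    "2014-05-28T09:12:44Z 10.0.0.9 203.0.113.10 GET 4f301dbb.eu /script.html?0.8715455498891258",
    "2014-05-28T09:13:00Z 10.0.0.9 198.51.100.7 GET www.example.com /script.html?v=3",
    "2014-05-28T09:13:05Z 10.0.0.9 198.51.100.7 GET www.example.com /index.php?PHPSESSID=abc123",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["client"]} -> {hit["host"]} [{hit["dest"]}]: '
              f'{hit["family"]} ({hit["reason"]})')
```

The subnet check fires even when the URI carries no token, which is what a block on 46.182.31.XX implies; the two benign lines show that an ordinary PHPSESSID parameter or a different script.html query string does not trip either pattern.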

Compromised websites:
www[.]armourstore[.]co[.]uk/
www[.]coventryboysclub[.]com/
www[.]digitalbarriers[.]com/
www[.]ilpatrimonioartistico[.]it/category/luoghi-dinteresse/archeologia/siti-archeologici/
www[.]ilpatrimonioartistico[.]it/category/luoghi-dinteresse/borghi-medievali/
www[.]ilpatrimonioartistico[.]it/category/luoghi-dinteresse/castelli-e-palazzi/palazzi-storici/
www[.]ilpatrimonioartistico[.]it/il-gioco-dazzardo-nellantichita-pt-1/
www[.]ilpatrimonioartistico[.]it/il-gioco-dazzardo-nellantichita-pt-2/
www[.]ilpatrimonioartistico[.]it/le-antiche-case-di-piacere-i-lupanari/
www[.]infos-immobilier[.]fr/2014/05/le-scandale-des-tarifs-de-syndics-fait-polemique[.]html
www[.]itsonlyrocknrolllondon[.]co[.]uk/
www[.]nycent[.]com/
www[.]sne[.]pt/site/index[.]php?option=com_content&view=article&id=3&Itemid=10
e-mudanzas[.]com/
sabotagetimes[.]com/funny/the-best-of-whyimvotingukip-on-twitter/
sabotagetimes[.]com/life/adolf-hitler-and-the-third-reich-the-top-10-conspiracy-theories/
sabotagetimes[.]com/life/david-starkeys-career-ending-rant-was-mad-bad-and-dangerous-to-show/
sabotagetimes[.]com/life/the-day-i-had-a-gun-pointed-at-my-head-in-a-gift-shop
sabotagetimes[.]com/life/the-scariest-true-story-youll-ever-read/
sabotagetimes[.]com/music/layne-staley-the-self-destructive-genius-of-the-alice-in-chains-frontman/
sabotagetimes[.]com/reportage/embarrassing-bodies-another-wonky-week/
sabotagetimes[.]com/reportage/ms-pacman-four-other-female-video-characters-id-love-to-pixelate/
sabotagetimes[.]com/reportage/my-big-fat-gypsy-wedding-2012-week-three-spray-tans-fat-nans/
sabotagetimes[.]com/reportage/the-10-best-breaking-bad-quotes/
softag[.]pt/blog/wordpress/34-criar-e-editar-conteudo-com-wordpress


Pradeep

Wednesday, November 27, 2013

Health Care Sites Prime Targets for Scammers

A few weeks ago I wrote a blog about a spear-phishing campaign trying to capitalize on Americans desperate for information on the ever-changing healthcare laws.  Today, I'll be reviewing another such attack.  The threat in question does not appear to be downloading any malicious content at the time of publication, but I will detail that the compromised site is still hosting malicious obfuscated JavaScript in order to redirect victims to third-party content before viewing the site.

The site in question is hxxp://www.healthawards.com/.

Below is a screenshot of the obfuscated JS (JavaScript), redirecting the user's traffic to another site.

The precise path in question is highlighted in blue.
Once deobfuscated, we see that there is an injected hidden iFrame, which redirects the victim to a site previously registered out of the Ukraine.  This would typically spell disaster, but luckily for victims, right now the site is returning a 404 page not found error.  A quick look-up on Google will yield some information on other attempts at this attack.

Note the hidden iFrame
The conclusion we can come to is that health care is a hot topic.  Users should practice better browsing habits, especially when the topic they are researching is prime subject matter for scammers!  Mind your clicks.
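Once the obfuscated script has been evaluated, what remains in the page is the hidden iFrame the post describes, and that is the artifact a scanner can look for. The Python below is an added example, not Zscaler's code: it walks deobfuscated or rendered HTML (for instance a DOM dumped from a sandboxed browser) and reports iframes a user could never see, whether through zero or tiny dimensions, display:none, visibility:hidden, off-screen positioning, or the hidden attribute. The sample markup is constructed, and the redirector hostnames in it are placeholders, not the address seen on healthawards.com.

```python
"""Flag <iframe> elements that are invisible to the user.

Added example, not Zscaler's code. Run it on HTML as it stands after any
obfuscated script has executed; the sample markup below is constructed."""
from html.parser import HTMLParser
import re
from typing import Dict, List, Optional

TINY_PX = 10        # an iframe at or below this size in either dimension is effectively invisible
OFFSCREEN_PX = 1000 # a negative left/top offset this large pushes the frame off the viewport

_PX_RE = re.compile(r"^\s*(\d+)\s*(?:px)?\s*$")
# width/height rules inside a style attribute (min-width, max-height etc. excluded)
_STYLE_SIZE_RE = re.compile(r"(?<![a-z-])(width|height):(\d+)(?:px)?(?=;|$)")
_OFFSCREEN_RE = re.compile(r"(left|top):-(\d+)px")


def _px(value: Optional[str]) -> Optional[int]:
    """Parse '0', '1px' or ' 560 ' into an int; None if absent or not a plain pixel value."""
    if value is None:
        return None
    m = _PX_RE.match(value)
    return int(m.group(1)) if m else None


def hidden_reasons(attrs: Dict[str, Optional[str]]) -> List[str]:
    """Return every attribute or style rule that hides the iframe (empty list = visible)."""
    reasons: List[str] = []
    for name in ("width", "height"):
        size = _px(attrs.get(name))
        if size is not None and size <= TINY_PX:
            reasons.append(f"{name}={size}")
    style = (attrs.get("style") or "").lower().replace(" ", "")
    for name, size in _STYLE_SIZE_RE.findall(style):
        if int(size) <= TINY_PX:
            reasons.append(f"style {name}:{size}")
    if "display:none" in style:
        reasons.append("display:none")
    if "visibility:hidden" in style:
        reasons.append("visibility:hidden")
    for side, offset in _OFFSCREEN_RE.findall(style):
        if int(offset) >= OFFSCREEN_PX:
            reasons.append(f"{side}:-{offset}px")
    if "hidden" in attrs:   # HTML5 boolean attribute; its value is None when written bare
        reasons.append("hidden attribute")
    return reasons


class IframeAuditor(HTMLParser):
    """Collect hidden iframes while the document is parsed."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "iframe":          # HTMLParser lowercases tag and attribute names
            return
        attr_map = dict(attrs)
        reasons = hidden_reasons(attr_map)
        if reasons:
            self.findings.append({"src": attr_map.get("src") or "", "reasons": ", ".join(reasons)})


def find_hidden_iframes(html: str) -> List[Dict[str, str]]:
    """Parse the document and return one record per hidden iframe, in document order."""
    auditor = IframeAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: one legitimate embed and two hidden frames with placeholder hosts.
SAMPLE_HTML = """<html><body>
<h1>Health Awards</h1>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
<iframe src="http://redirector.invalid/in.php" width="1" height="1"
        style="visibility: hidden; position: absolute; left: -5000px"></iframe>
<iframe src="http://other.invalid/" style="display:none;width:0;height:0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML):
        print(f'hidden iframe -> {hit["src"]} ({hit["reasons"]})')
```

Every hiding technique is reported separately so an analyst can see which combination the injection used; a 1x1 frame that is also pushed 5000 pixels off-screen is a stronger signal than a single display:none, which some legitimate widgets use before they initialise.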

Friday, October 11, 2013

Sweet Orange Dropping some Sweet Botnet action

I recently saw a very thorough blog on a new flavor of the Sweet Orange Exploit Kit and thought I might throw in some additional research I found. So let's start with what we know!

There are several hacked WordPress and Joomla sites that are clearly still compromised without being picked up by those administering the sites. One such example is seen in the screenshot below:

The first line is a hidden iframe taking you to Sweet Orange EK.
I've seen numerous other sites listed as referral URLs for this malicious activity, based on a search of transactions carried out on the IP listed in the same class C as mentioned in prior research (95.163.121.17).

The idea here is that the attackers take control of a legitimate site, redirect the user to their EK via a hidden iFrame, assess their Java version, and strike accordingly.  All of this is highly reproducible in the lab.

The malicious iFrame leads to your very own Sweet Orange EK!

I won't go into too much detail about the actual .jar file inspection since it was done so thoroughly here.  I will say that it is checking for a Java version 1.7 or greater and that it is manipulating the system via CVE-2013-2460.  The end result is a dropped executable on the victim's machine.  This executable displays botnet activity by doing regularly scheduled POSTs back to a single IP in all instances run.

I did some Behavioral Analysis on the executable dropped this way and found that it is contacting an IP (130.0.238.26).


POST activity made
All URLs queried by a sample
Victims of this attack can be expected to contact this same address every 9 minutes, based on historical data of this threat in action in our lab.  It is able to achieve this by creating a file with administrative rights in the All Users directory in Windows.


The file name is randomly generated.
9 Minute intervals of phone home transactions
I hope this helps administrators or other researchers, who actively monitor for botnet activity related to this threat.
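The 9-minute phone-home POSTs described above are exactly the regularity a log search can surface without knowing the destination in advance. The Python below is an added example, not Zscaler's code or anything taken from the sample: it groups POST requests per client and destination, measures the gaps between consecutive requests, and reports the pairs whose spacing is regular enough to look like a scheduled callback. The log layout is an assumption and the sample is constructed; the 130.0.238.26 destination and the 9-minute period come from the post, while the jitter values and the unrelated browsing traffic are invented.

```python
"""Find clients that POST to one destination on a fixed schedule.

Added example, not Zscaler's code. Log layout '<ISO timestamp> <client> <method> <dest>'
is an assumption; the sample is constructed around the post's 9-minute interval."""
from datetime import datetime, timedelta
from statistics import median, pstdev
from typing import Dict, List, Tuple

MIN_EVENTS = 5     # fewer samples than this cannot establish a period
MAX_JITTER = 0.10  # population std-dev of the gaps, as a fraction of the median gap

Event = Tuple[datetime, str, str, str]   # (timestamp, client, method, dest)
Pair = Tuple[str, str]                   # (client, dest)


def parse_events(lines: List[str]) -> List[Event]:
    """Turn log lines into typed events; lines that do not split into four fields are skipped."""
    events: List[Event] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, method, dest = parts
        events.append((datetime.fromisoformat(ts), client, method, dest))
    return events


def find_beacons(events: List[Event], min_events: int = MIN_EVENTS,
                 max_jitter: float = MAX_JITTER) -> Dict[Pair, float]:
    """Return {(client, dest): period_seconds} for POST streams with near-constant spacing."""
    stamps_by_pair: Dict[Pair, List[datetime]] = {}
    for ts, client, method, dest in events:
        if method.upper() == "POST":             # the post describes scheduled POSTs
            stamps_by_pair.setdefault((client, dest), []).append(ts)
    beacons: Dict[Pair, float] = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        period = median(gaps)
        # Human browsing produces wildly varying gaps; a scheduled callback
        # produces gaps that cluster tightly around its period.
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[pair] = period
    return beacons


def constructed_sample() -> List[str]:
    """Six 9-minute callbacks with a few seconds of jitter, irregular form POSTs, and one GET."""
    base = datetime(2013, 10, 11, 12, 0, 0)
    lines = []
    for i, jitter in enumerate([0, 4, -3, 2, -1, 5]):
        t = base + timedelta(minutes=9 * i, seconds=jitter)
        lines.append(f"{t.isoformat()} 10.0.0.23 POST 130.0.238.26")
    for offset in [0, 30, 400, 410, 1500, 1501]:   # someone filling in web forms
        t = base + timedelta(seconds=offset)
        lines.append(f"{t.isoformat()} 10.0.0.23 POST shop.example")
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} 10.0.0.23 GET 130.0.238.26")
    return lines


SAMPLE_LOG = constructed_sample()

if __name__ == "__main__":
    for (client, dest), period in find_beacons(parse_events(SAMPLE_LOG)).items():
        print(f"{client} -> {dest}: POST every {period / 60:.1f} min")
```

The median rather than the mean is used for the period so that one missed callback (a gap of twice the period) does not drag the estimate; MAX_JITTER is the knob to loosen if a family is known to randomise its sleep, at the cost of more false positives from polling applications.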

Friday, September 20, 2013

Blackhole Exploit Kit's (BEK) new variant!

A new BEK variant is spreading in the wild. The URL pattern observed this time is '/restores/path-matters.php'. While doing log analysis we found some live instances of BEK.

URLs found:
hxxp://173.254.250.220/restores/path-matters.php  
hxxp://195.3.147.20/restores/path-matters.php

Redirection chain:
hxxp://173.254.250.220/if.php -> hxxp://173.254.250.220/restores/path-matters.php
"173.254.250.220/if.php" loads an iFrame into the browser, which on execution loads the EK URL.

Analysis:
iFrame Redirection to EK request,


EK Request,


On execution of the above JavaScript, it exploits the Java vulnerability and downloads malware onto the victim's machine.

Post EK execution,

VT Result:
JAR file : 8/48
EXE file:  32/48

For more info read the following blogs:
Blackhole exploit kit v2 on the rise 
Analysis of a Blackhole Exploit page
Expack continues exploiting Java vulnerability

Stay away from BEK, Stay safe!

Pradeep

Saturday, October 20, 2012

Poortego: Intelligence for the 99%

The past few weeks I've had the pleasure of attending and presenting at SecTor and RSA Europe.  The topic of my presentation was on a project that I have been working on in my "spare" time - I call the project "Poortego" an intelligence tool for the 99%.  The code and presentation materials can be accessed here:


Warning: this project is in its infancy and is still in a state of initial development versus being a polished tool.

The premise of the project is that there are few tools that fall into the niche of threat intelligence tools, and many of them are quite expensive solutions (e.g., Palantir and Analyst Notebook) - one outlier is Maltego, which is "affordable" but does have its limitations (particularly if you are using the Community Edition).  Some limitations include that it is closed-source, out of the box relies on the Paterva servers (an issue for those with sensitive data), has limited export capability, and restricts inputs to transform operations (limited to a single entity).  Note: Maltego is an excellent / mature tool in the intelligence space - the limitations that I listed are not meant to be a slight against the tool or the company.

Poortego is a completely free and open-source project written entirely in Ruby; it leverages ActiveRecord for flexible backend support and Rex::UI for the command-line interface, and can run as a stand-alone application or as a Metasploit plugin.
Poortego uses its own backend and framework for storage and data manipulation - no reliance on other projects (e.g., Maltego or Metasploit).  Poortego supports the notion of data transforms and support for the importing and exporting of data into different formats.  The bulk of my development time thus far has been on the framework, so I have not spent a ton of time on transform and import / export plugins yet - only a few are present in the initial code base.  Poortego currently has Graphviz export support as its only visualization component.  I've recently gotten turned on to neo4j and am investigating its usage for storage and visualization of intelligence -- much more to come!

In order to illustrate the value of intelligence and Poortego's usage from both attacker and defender perspectives, I presented some demonstrations.

The first demonstration (defender) was from analysis of an incident impacting one of Zscaler's customers.  I observed some strange and unknown beaconing activity from a customer - there was not much information on the URL/domain, but I was able to tie the IP address of the server to other domains which were related to a malware sample in the open-source:


Furthermore, taking the information on the malware sample and related domains, I was able to show that there was a relationship to a ThreatExpert report on 2008 targeted attacks against the Pentagon.


Note: all of the link graphs are Graphviz exports from Poortego.

The attacker-perspective demonstration that I presented was to stage an attack against the RSA Europe conference using nothing more than intelligence.  I wrote a transform for Poortego to retrieve, parse, and store presentation, speaker, moderator, panelist, and company relationships from the RSA EU Event Catalog.  Obviously one could further exploit the knowledge of the relationships and do social networking enumeration - but I wanted to do something less obvious.  The Event Catalog also included all of the presentations in PDF format - I wrote another Poortego transform to retrieve the PDF files and run ExifTool on the PDFs to extract out the author information and include an author relationship to the presentations.  It was interesting to see the number of presentations that had a different author than speaker -- there were two major outliers in this respect...

Unfortunately I was just informed that there were some complaints regarding this particular demo, in order to not fuel the fire, I'm redacting this section of the post.  There was no ill intent and all information used was OSINT.  It goes to show the sensitivity in the security industry the moment potential offensive tactics are shown.  

While I present a project / tool (Poortego), I also stress that it is not the tools that create the intelligence but the analysts / people.  Tools can certainly help facilitate though!  Please reach out to me if you are interested in contributing to the project - there is still a lot of work to do to make this a well-polished tool.