Friday, October 11, 2013

Sweet Orange Dropping some Sweet Botnet action

I recently saw a very thorough blog on a new flavor of the Sweet Orange Exploit Kit and thought I might throw in some additional research I found. So let's start with what we know!

There are several hacked WordPress and Joomla sites that are clearly still compromised without being picked up by those administering the sites. One such example is seen in the screen shot below:

The first line is a hidden iframe taking you to the Sweet Orange EK.
I've seen numerous other sites listed as referral URLs for this malicious activity, based on a search of transactions carried out on the IP listed in the same class C as mentioned in prior research (95.163.121.17).

The idea here is that the attackers take control of a legitimate site, redirect the user to their EK via a hidden iframe, assess the user's Java version, and strike accordingly. All of this is highly reproducible in the lab.

The malicious iFrame leads to your very own Sweet Orange EK!

I won't go into too much detail about the actual .jar file inspection since it was done so thoroughly here. I will say that it is checking for a Java version of 1.7 or greater and that it is exploiting the system via CVE-2013-2460. The end result is a dropped executable on the victim's machine. This executable displays botnet activity by doing regularly scheduled POSTs back to a single IP in all instances run.

I did some Behavioral Analysis on the executable dropped this way and found that it is contacting an IP (130.0.238.26).


POST activity made
All URLs queried by a sample
Victims of this attack can be expected to contact this same address every 9 minutes, based on historical data of this threat in action in our lab. It is able to achieve this by creating a file with administrative rights in the All Users directory in Windows.


The file name is randomly generated.
9 Minute intervals of phone home transactions
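As an added example (my own code, not part of the original post or the referenced research), the script below scans proxy log lines for a client that POSTs to one destination at roughly 9-minute intervals, which is the phone-home pattern described above. The log format, the client addresses, the URL path and the timestamps are constructed assumptions; only the destination IP comes from the post.

```python
"""Flag hosts that POST to a single destination on a fixed ~9-minute cadence."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines (timestamp client method url status); not real traffic.
SAMPLE_LOG = """\
2013-10-11 09:00:00 10.0.0.5 POST http://130.0.238.26/ 200
2013-10-11 09:00:10 10.0.0.7 POST http://example.com/login 200
2013-10-11 09:01:00 10.0.0.7 POST http://example.com/login 200
2013-10-11 09:05:00 10.0.0.5 GET http://130.0.238.26/ 200
2013-10-11 09:09:02 10.0.0.5 POST http://130.0.238.26/ 200
2013-10-11 09:18:01 10.0.0.5 POST http://130.0.238.26/ 200
2013-10-11 09:27:03 10.0.0.5 POST http://130.0.238.26/ 200
2013-10-11 09:30:00 10.0.0.7 POST http://example.com/login 200
2013-10-11 09:31:00 10.0.0.7 POST http://example.com/login 200
2013-10-11 09:36:00 10.0.0.5 POST http://130.0.238.26/ 200
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\w+) https?://([^/:\s]+)")


def post_times(lines):
    """Group POST timestamps by (client, destination host); other methods are ignored."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, dest = m.groups()
        if method != "POST":
            continue
        events[(client, dest)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    return events


def find_beacons(lines, expected_minutes=9.0, tolerance=0.15, min_hits=4):
    """Return (client, dest, median gap in minutes) for pairs whose POST gaps
    cluster around expected_minutes; most gaps must fall inside the tolerance."""
    found = []
    for (client, dest), times in post_times(lines).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        allowed = expected_minutes * tolerance
        regular = sum(abs(g - expected_minutes) <= allowed for g in gaps)
        if regular >= len(gaps) * 0.75:
            found.append((client, dest, round(median(gaps), 1)))
    return found
```

Tune expected_minutes and tolerance to the cadence you observe; the 9-minute default matches the interval seen in the lab data above.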
I hope this helps administrators or other researchers who actively monitor for botnet activity related to this threat.
