Malware Traffic Analysis - Silverlight exploit delivers Graftor/Zbot varian

[ccesar]

2014-02-26 - ANGLER EK - SILVERLIGHT EXPLOIT DELIVERS GRAFTOR/ZBOT VARIANT

PCAP AND MALWARE

PCAP of the traffic: 2014-02-26-Angler-EK-traffic.pcap

ZIP file of the malware: 2014-02-26-Angler-EK-malware.zip

NOTES

This is a good summary of Angler EK using a Silverlight exploit as early as Nov 2013:

Cybercriminals target Silverlight browser plug-in users with new exploit kit | PCWorld

CHAIN OF EVENTS

ASSOCIATED DOMAINS

206.188.192.114 - kaplanbenefits.com - Used by malicious link from phishing email.

31.170.161.196 - Web hosting, domain names, VPS - 000webhost.com - First redirect (unsuccessful)

62.149.130.229 - Dea Comunicazione - siti web, software, grafica pubblicitaria - Second redirect (successful)

23.239.12.68 - northerningredients.com - Angler EK domain

INFECTION CHAIN OF EVENTS

02:56:38 UTC - 192.168.204.175:49380 - 206.188.192.114:80 - kaplanbenefits.com - GET /balanced/index.html

02:56:39 UTC - 192.168.204.175:49382 - 31.170.161.196:80 - Web hosting, domain names, VPS - 000webhost.com - GET /ruder/pinpoints.js

02:56:39 UTC - 192.168.204.175:49381 - 62.149.130.229:80 - Dea Comunicazione - siti web, software, grafica pubblicitaria - GET /distincter/retorted.js

02:56:39 UTC - 192.168.204.175:49386 - 23.239.12.68:80 - northerningredients.com - GET /own0woz7z3

02:56:40 UTC - 192.168.204.175:49386 - 23.239.12.68:80 - northerningredients.com - GET /cv54YKgz9At-cCTNZ0EYXC_pZdLDophzYvfVm5rJrBjd-0Tt

02:56:43 UTC - 192.168.204.175:49387 - 23.239.12.68:80 - northerningredients.com - GET /KAJtQvM2lHDmWTYj3eVuD6tbMy08Tz9aCh5NOndiktjP6vj6

02:56:45 UTC - 192.168.204.175:49387 - 23.239.12.68:80 - northerningredients.com - GET /favicon.ico

02:56:51 UTC - 192.168.204.175:49386 - 23.239.12.68:80 - northerningredients.com - GET /EC6L7mwntxp1t-NHd_173-LrahqYJFGXAwhWObRWb_PyUAFe

POST-INFECTION CALLBACK TRAFFIC

02:58:06 UTC - 192.168.204.175:49391 - 173.194.77.104:80 - Google - GET /

UDP traffic from 192.168.204.175 (the infected host) to several dozen IP addresses on various ports

PRELIMINARY MALWARE ANALYSIS

SILVERLIGHT EXPLOIT

File name: 2014-02-26-Angler-EK-silverlight-exploit.xap

File size: 53.0 KB ( 54292 bytes )

MD5 hash: 54437862cb93c253e97f7b653917384e

Detection ratio: 0 / 50

First submission: 2014-02-25 01:01:06 UTC

VirusTotal link: https://www.virustotal.com/en/file/9cd9503a50bc010aa247e2e6409e413d90a9a50fdd6ecd1f795f15e5b5951cce/analysis/

MALWARE PAYLOAD

File name: fegyko.exe

File size: 331.0 KB ( 338944 bytes )

MD5 hash: 0e1baf2546a3cd0544e333715d95ab3d

Detection ratio: 14 / 50

First submission: 2014-02-26 03:50:33 UTC

VirusTotal link: https://www.virustotal.com/en/file/72fc35a8f1b3f5a279e5d2843da304bd670f2885adbac5444110a935c01b62e6/analysis/

Malwr link: https://malwr.com/analysis/YTFhNWVlNDg3YmMxNGNlNGIyNGNhYjYyMWViOWY0Nzk/

This is the malware payload after it copied itself to a folder

named Xeoram in the AppData\Roaming\ directory.

SNORT EVENTS

SNORT EVENTS FOR THE ANGLER EK TRAFFIC (FROM SECURITY ONION)

2014-02-26 02:56:39 UTC - 23.239.12.68:80 -> 192.168.204.175:49386 - ET CURRENT_EVENTS Angler Landing Page Feb 24 2014

2014-02-26 02:56:40 UTC - 23.239.12.68:80 -> 192.168.204.175:49386 - ET SHELLCODE Possible Encoded %90 NOP SLED

2014-02-26 02:56:43 UTC - 23.239.12.68:80 -> 192.168.204.175:49387 - ET CURRENT_EVENTS Angler EK encrypted binary (2) Jan 17 2013

2014-02-26 02:56:52 UTC - 23.239.12.68:80 -> 192.168.204.175:49386 - ET CURRENT_EVENTS Angler EK encrypted binary (1) Jan 17 2013

HIGHLIGHTS FROM THE TRAFFIC

The infected web page - kaplanbenefits.com/balanced/index.html

Successful redirect - www.deacomunicazione.it/distincter/retorted.js

Angler EK delivers Silverlight exploit - northerningredients.com/cv54YKgz9At-cCTNZ0EYXC_pZdLDophzYvfVm5rJrBjd-0Tt

Angler EK delivers EXE payload, XOR-ed the the ASCII string: adb234nh

northerningredients.com/KAJtQvM2lHDmWTYj3eVuD6tbMy08Tz9aCh5NOndiktjP6vj6

Angler EK delivers the same EXE payload again, XOR-ed the the ASCII string: aldonjfg

northerningredients.com/EC6L7mwntxp1t-NHd_173-LrahqYJFGXAwhWObRWb_PyUAFe

NOTE: When I tried XOR-ing both versions of the file from the PCAP, they both had the same MD5 hash, but it was different than the hash for a file named fegkyo.exe in the AppData\Roaming\Xeoram folder. Fegkyo.exe is the exact same size as the files from the PCAP, and it's presumably a copy of the properly deobfuscated malware payload. When I sent the deobfucated files I extracted from the PCAP to Virus Total and Malwr, they were marked as corrupt.

FINAL NOTES

Once again, here are links for PCAP file of the traffic and ZIP file of the associated malware:

PCAP of the traffic: 2014-02-26-Angler-EK-traffic.pcap

ZIP file of the malware: 2014-02-26-Angler-EK-malware.zip

The ZIP file is password-protected with the standard password. If you don't know it, email me at admin@malware-traffic-analysis.net and ask.

Click here to return to the main page.

Sursa: Malware-Traffic-Analysis.net - 2014-02-26

Continuare Malware-Traffic-Analysis.net - 2014-02-27

[sleed]

Interesant... AI inteles ceva de acolo?

[ccesar]

De inteles, in principiu am inteles ce se intampla, dar pentru chestiile de detaliu mai trebuie studiat. Oricum, exploit kiturile mi se par interesante ca si functionare dar e o curiozitate personala ca sa zic asa si nu prea am timp.