2013-11-29 - FIESTA EXPLOIT KIT

NOTICE:

ASSOCIATED FILES:


NOTES:

The EmergingThreats signature set was updated in October with a signature for the Fiesta Exploit Kit (EK), and I've recently seen that signature fire on some examples in network traffic, so let's examine this EK in more detail.

Invincea has a post from March 2013 about the Fiesta EK (link), and the 0x3a Blog has a post from September 2013 about this EK serving exploit CVE-2013-2551 (link).

Let's see what some recent infection traffic looks like...


MY FIRST UNSUCCESSFUL ATTEMPT

I've noticed excelforum[.]com kick off a few infection chains during the past month or two.  Last week, I saw 3 suspicious redirects from the site's forums.  All of the infection chains were unsuccessful, but one triggered a Fiesta EK signature.  A quick check on CLEAN MX shows excelforum[.]com has 21 hits on some sort of malicious code, mostly HTML.


Search results on Clean MX

I used a vulnerable Windows 7 computer being monitored by Security Onion to check a suspicious page on excelforum[.]com; however, I had accidentally disabled the browser's Java plugin, so I only got as far as the initial landing page.  If the Java plugin had been enabled, the computer would have been infected.  Unfortunately, the web server appears to be aware of repeated attempts to check web pages for malicious code.  I couldn't duplicate (and finish) the infection chain after I'd fixed my Java issue.  Fortunately, we still have a good example of how this traffic starts.

Here are the events generated in Security Onion:

Here is the traffic that generated the Snort-based events:

The first HTTP GET request is to the compromised web page on www.excelforum[.]com which has a scripted link to the next domain in the infection chain:



And here's what we find from the malicious domains afterward:

IP address: 190.123.47[.]198 port 80
domain name: valeriesn[.]com
HTTP request: GET /jdlspnyixf.js?7bc1a235196b0c53

Sguil event: ET CURRENT_EVENTS DRIVEBY Redirection - Forum Injection

Screenshot of traffic:


IP address: 94.242.216[.]6 port 80
domain name: zdrosty[.]in[.]ua
HTTP request: GET /v4hjg9y/?2

Sguil events:

Screenshot of traffic:


This is similar to the Fiesta EK initial landing page shown in the 0x3a blog entry (link).


SUCCESSFUL INFECTION

In this case, I'd seen an alert on an unsuccessful Fiesta EK hit that originated from thehdroom[.]com on Thanksgiving Day.  I checked CLEAN MX and confirmed this site has a history of malicious code reported on its web pages.

I had to go through a proxy to get at the site from a different IP, since my normal IP wasn't allowing me to generate any infection traffic.  I used tcpreplay to send traffic from the PCAP to Sguil, which is fairly easy (link).  This generated the following events in Sguil:

  • ET INFO DYNAMIC_DNS HTTP Request to a *.myftp[.]biz Domain
  • ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex
  • ET POLICY Vulnerable Java Version 1.7.x Detected
  • ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS Domain
  • ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii
  • ET CURRENT_EVENTS Cool/BHEK Applet with Alpha-Numeric Encoded HTML entity
  • ET CURRENT_EVENTS DRIVEBY Blackhole - Landing Page Recieved - applet and flowbit
  • ET INFO Java File Sent With X-Powered By HTTP Header - Common In Exploit Kits
  • ET CURRENT_EVENTS NeoSploit Jar with three-letter class names
  • ET INFO JAVA - Java Archive Download By Vulnerable Client
  • ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR Naming Algorithm
  • ET TROJAN Generic - 8Char.JAR Naming Algorithm
  • ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers
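Several of the events above are driven by simple properties of the HTTP requests themselves: the dynamic-DNS host suffix (*.myftp[.]biz), the Fiesta/Phoenix "/?" followed by a long run of hex, and the 8-character .jar file name. The following Python script is an added example, not part of this write-up or of the EmergingThreats rules; it re-implements those three checks as a small log classifier and runs it over the requests seen in this infection chain. The requests are copied from this page (with the defanged brackets removed), except the .jar line, which is constructed because the jar URI is not shown on the page; the list of dynamic-DNS suffixes beyond myftp.biz and the reading of the ";1;4" / ";2;4" suffix as a "payload n of m" counter are my assumptions.

```python
import re

# Suffixes of free dynamic-DNS providers. Only .myftp.biz appears in this traffic;
# the remaining entries are an assumed list for illustration.
DYNDNS_SUFFIXES = (".myftp.biz", ".myftp.org", ".no-ip.org",
                   ".ddns.net", ".hopto.org", ".zapto.org")

# Fiesta/Phoenix-style URI: short alphanumeric directory, "/?", a long run of hex,
# and optionally the ";n;m" counter seen on the two EXE requests in this chain.
FIESTA_URI = re.compile(
    r"^/[a-z0-9]{5,12}/\?(?P<hex>[0-9a-f]{32,})(?:;(?P<n>\d+);(?P<m>\d+))?$")

# "8Char.JAR naming algorithm": exactly eight lower-case alphanumerics, then .jar
EIGHT_CHAR_JAR = re.compile(r"^/[a-z0-9]{8}\.jar$")

# Constructed sample of (host, request path) pairs taken from this write-up;
# the .jar request is constructed, since the page does not show that URI.
SAMPLE_REQUESTS = [
    ("www.thehdroom.com",
     "/news/Watch-Raiders-vs-Cowboys-Thanksgiving-Day-NFL-Football-Online-Free-Stream-CBS-Live/13541"),
    ("bitly.com", "/18LsnYfs"),
    ("bkkirikhor.myftp.biz", "/7bab1hlghzhzngv29ssuxyvaazaz3t"),
    ("bkkirikhor.myftp.biz",
     "/erqn6v0/?1af0feb75370c8f558040a0b525e5304025656085d5100070a5454095106565105"),
    ("bkkirikhor.myftp.biz",
     "/erqn6v0/?62a652e331926c16554a040d010954000505510e0e0607030d07530f0251515502;1;4"),
    ("bkkirikhor.myftp.biz",
     "/erqn6v0/?3065d2db31926c165048530e500955510007060d5f0606520805040c5351500407;2;4"),
    ("example-cdn.invalid", "/abcd1234.jar"),      # constructed 8-char jar name
    ("twinkcam.net", "/images/t.php?id=48"),
]


def is_dyndns(host):
    """True if the host sits under one of the dynamic-DNS suffixes."""
    h = host.lower()
    return any(h.endswith(s) for s in DYNDNS_SUFFIXES)


def classify(host, path):
    """Return the list of rule tags that a single request triggers (empty if none)."""
    tags = []
    if is_dyndns(host):
        tags.append("dyndns-host")
    m = FIESTA_URI.match(path)
    if m:
        tags.append("fiesta-uri")
        if m.group("n"):
            # Assumption: ";n;m" counts payload requests, e.g. ;1;4 = first of four.
            tags.append(f"fiesta-payload-{m.group('n')}-of-{m.group('m')}")
    if EIGHT_CHAR_JAR.match(path):
        tags.append("8char-jar")
    return tags


def scan(requests):
    """Map (host, path) -> tags for every request that matched at least one rule."""
    hits = {}
    for host, path in requests:
        tags = classify(host, path)
        if tags:
            hits[(host, path)] = tags
    return hits


if __name__ == "__main__":
    for (host, path), tags in scan(SAMPLE_REQUESTS).items():
        print(f"{host}{path[:48]:<50} {', '.join(tags)}")
```

Run over the sample, only the five myftp[.]biz and .jar requests are flagged; the compromised site, the bit.ly redirect and the post-infection PHP callback pass these three checks, which is why the real signature set also keys on headers (the terse MSIE headers, the X-Powered-By header on the jar) rather than on URIs alone.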

INFECTION CHAIN OF EVENTS

ASSOCIATED DOMAINS

INFECTION CHAIN

POST INFECTION CALLBACK TRAFFIC


INFECTION TRAFFIC DETAILS

IP address: 76.12.227[.]166 port 80
domain name: www.thehdroom[.]com
HTTP request: GET /news/Watch-Raiders-vs-Cowboys-Thanksgiving-Day-NFL-Football-Online-Free-Stream-CBS-Live/13541

Sguil events: None

Screenshot of traffic:


Shown in the image above: malicious JavaScript injected before the HTML starts.


IP address: 69.58.188[.]34 port 80
domain name: bitly[.]com
HTTP request: GET /18LsnYfs

Sguil events: None

Screenshot of traffic:



IP address: 108.59.8[.]153 port 80
domain name: bkkirikhor.myftp[.]biz
HTTP request: GET /7bab1hlghzhzngv29ssuxyvaazaz3t

Sguil event: ET INFO DYNAMIC_DNS HTTP Request to a *.myftp[.]biz Domain

Screenshot of traffic:


The return traffic is nearly identical to the Fiesta EK landing page from zdrosty[.]in[.]ua in the unsuccessful infection attempt.
This return traffic also matches the Fiesta EK initial landing page shown in the 0x3a blog entry (link).


IP address: 108.59.8[.]153 port 80
domain name: bkkirikhor.myftp[.]biz
HTTP request: GET /erqn6v0/?1af0feb75370c8f558040a0b525e5304025656085d5100070a5454095106565105

Sguil event: ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex

Screenshot of traffic:


IP address: 108.59.8[.]153 port 80
domain name: bkkirikhor.myftp[.]biz
HTTP request: GET /erqn6v0/?41bcda3dec8eeb305e5f0e58505a02570706525b5f5551540f04505a5302070200

Sguil events:

Screenshot of traffic:


IP address: 108.59.8[.]153 port 80
domain name: bkkirikhor.myftp[.]biz
HTTP request: GET /erqn6v0/?03b89e5fc6c2310c5f5c00030d5e045503045200025157560b0650010e06005653

Sguil events:

Screenshot of traffic:


IP address: 108.59.8[.]153 port 80
domain name: bkkirikhor.myftp[.]biz
HTTP request: GET /erqn6v0/?62a652e331926c16554a040d010954000505510e0e0607030d07530f0251515502;1;4
HTTP request: GET /erqn6v0/?3065d2db31926c165048530e500955510007060d5f0606520805040c5351500407;2;4

Sguil events: None

NOTE:  These are the two GET requests for the EXE files, but the files are obfuscated or encrypted in transit.  It's not a simple XOR that I can easily decode, and I haven't had time to figure it out yet.
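"Not a simple XOR" is a quick thing to confirm when triaging a download like this, and the entropy of the blob tells you whether a byte-wise encoding is even plausible. The Python below is an added example, not the author's tooling and not run against the captures from this page: it brute-forces every single-byte XOR key looking for a PE header (MZ magic plus the DOS stub string), and, if none works, reports the Shannon entropy of the data. The two inputs are constructed: a minimal PE-like header hidden with key 0x5a, and a pseudo-random blob standing in for a properly encrypted download. Real EXEs carried by exploit kits would be fed in by reading the HTTP response body from the pcap in place of these samples.

```python
import hashlib
import math

DOS_STUB = b"This program cannot be run in DOS mode"


def looks_like_pe(data):
    """Plain (unobfuscated) PE file: MZ magic plus the familiar DOS stub string."""
    return data[:2] == b"MZ" and DOS_STUB in data


def xor_single(data, key):
    """XOR every byte with one key byte."""
    return bytes(b ^ key for b in data)


def find_single_byte_xor_key(data):
    """0 if data is already a PE, the key if a single-byte XOR reveals one, else None."""
    if looks_like_pe(data):
        return 0
    for key in range(1, 256):
        if looks_like_pe(xor_single(data, key)):
            return key
    return None


def shannon_entropy(data):
    """Bits per byte. A single-byte XOR does not change this value at all, while
    real encryption or compression pushes it toward 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data):
    """One-line verdict for an opaque download."""
    key = find_single_byte_xor_key(data)
    if key == 0:
        return "plain PE"
    if key is not None:
        return f"PE hidden by single-byte XOR key 0x{key:02x}"
    if shannon_entropy(data) > 7.0:
        return "no single-byte XOR key; high entropy, likely encrypted or compressed"
    return "no single-byte XOR key; low entropy, try other encodings"


# Constructed samples (not captures from the page).
FAKE_PE = b"MZ" + b"\x90" * 62 + DOS_STUB + b".\r\n$" + b"\x00" * 20
XORED_SAMPLE = xor_single(FAKE_PE, 0x5A)
ENCRYPTED_SAMPLE = b"".join(
    hashlib.sha256(b"fiesta-demo-%d" % i).digest() for i in range(32))

if __name__ == "__main__":
    for name, blob in (("xored", XORED_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        print(f"{name:10} entropy={shannon_entropy(blob):.2f}  {triage(blob)}")
```

The entropy check is the useful caveat: if an "EXE" download reads as high-entropy, no amount of single-byte or short repeating-key XOR guessing will recover it, and the key material has to come from the loader (here, the Java applet) instead.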

Screenshots of the traffic:




IP address: 74.86.20[.]50 port 80
domain name: twinkcam[.]net
HTTP request: GET /images/t.php?id=48

Sguil event: ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers

Screenshot of traffic:


Other callback traffic was noted, but this is the only one that triggered an event.


Part of the payload was a fake anti-virus program, which I've noted in the screenshot below:


PRELIMINARY MALWARE ANALYSIS

Java exploit from 108.59.8[.]153 port 80 (bkkirikhor.myftp[.]biz):

https://www.virustotal.com/gui/file/a9c7847abfcca8aace3a0c13f9c146206b9673024ec9134c847cd44ca3d55da3

File name:  java-exploit-from-myftp[.]biz.jar
File size:  6.7 KB ( 6,653 bytes )

First submitted: 2013-11-26 08:36:00 GMT

Java archive contents:



I checked the VM for malware that was still in the AppData\Local\Temp or AppData\Roaming folders.  I found 3 malicious executables.

First malicious binary found in the AppData\Local\Temp folder:

https://www.virustotal.com/gui/file/90ff38253c49c1fbf08d780560e0eb46cd1c292a690f67f9d0e14e563ca8a4d3

File name:  01385678093927.exe
File size:  81.2 KB ( 81,239 bytes )
First submitted:  2013-11-30 05:57:08 GMT

Second malicious binary found in the AppData\Roaming folder:

https://www.virustotal.com/gui/file/f052192737a509dae8fd8b1a86fd62a0bfaa245a9c7f99b8cb5361ef51ce5908

File name:  antiviplus.exe
File size:  828.9 KB ( 828,928 bytes )
First submitted:  2013-11-30 05:57:33 GMT

Third malicious binary found in the AppData\Local\Temp folder:

https://www.virustotal.com/gui/file/fd71eecea9792dae46785bdade50409d5bc45a4e85a907c159f70d64708c5ff1

File name:  lbngulfs.exe
File size:  45.1 KB ( 45,056 bytes )
First submitted:  2013-11-30 05:57:43 GMT

