2013-12-19 - NEUTRINO EXPLOIT KIT TRAFFIC

PCAP AND MALWARE:

 

NOTES:

Malware Don't Need Coffee posted information about the Neutrino exploit kit in March 2013.  That was the first time I read about this EK.  EmergingThreats created a signature for Neutrino that same month, but most of the current signatures were released in November 2013.

My first blog post back in June 2013 covered Neutrino.  Almost everything I've seen since then showed YouTube URLs as the original referers for Neutrino exploit traffic.  In those cases, a redirect to the Neutrino exploit could be traced to a 302 redirect or JavaScript from ad traffic generated by the YouTube page.

The Neutrino traffic I've seen this month is very similar to the example I posted back in June.  Recently, I infected a vulnerable Windows machine from a domain that used Neutrino, and we can review this exploit again.  Let's take a closer look...

SNORT EVENTS

I used Security Onion to monitor a vulnerable physical host running an unpatched version of Windows 7 SP 1 and Java 7 update 13.  The infection traffic generated the following events in Sguil:


Screen shot of Sguil events for this infection.

INFECTION CHAIN OF EVENTS

ASSOCIATED DOMAINS

74.86.13.168 port 80 - www.oceanicrealty.com - Compromised web site
94.137.122.252 port 80 - t93jo0tumvjtke73neu1ixr.domestiquecleaning.com - Redirection domain (Cushion redirect, first hop)
94.137.122.252 port 80 - t93jo0tumvjtke73neu1ixr53164e366ec7440dd42452677baa54d83.domestiquecleaning.com - Redirection domain (second hop)
212.83.191.241 port 8000 - du8siun.frapdays.com - Neutrino exploit kit

INFECTION CHAIN TRAFFIC

Compromised web site:

www.oceanicrealty.com - GET /new_vacation_list.htm

Redirection domain:

t93jo0tumvjtke73neu1ixr.domestiquecleaning.com - GET /index.php?f=[base64 string]
t93jo0tumvjtke73neu1ixr53164e366ec7440dd42452677baa54d83.domestiquecleaning.com - GET /index2.php

Neutrino exploit kit traffic:

du8siun.frapdays.com:8000 - GET /fgepikjfck?innyj=3410575 (landing page)
du8siun.frapdays.com:8000 - GET /rdcxhvgc?srznbgwatoh=losqjhx (Java exploit)
du8siun.frapdays.com:8000 - GET /tgpiazr?snbpvk=losqjhx (malicious EXE, XOR-ed with "vk")
 

INFECTION TRAFFIC DETAILS

The traffic I saw from a Neutrino event at work had an original referer of http://www.oceanicrealty.com/Vacation_Rental_Pages/75%20Wharf%20Road.htm so I checked that URL later on a vulnerable host.  That didn't generate any exploit traffic until I clicked on a link for vacation rentals.


Someone fixed the web site, so this is a reconstruction from the PCAP.

 

That link for vacation rentals provided a redirect to the second domain in the infection chain, as seen in the following screenshot of the traffic:

IP address: 74.86.13.168 port 80
domain name: www.oceanicrealty.com
HTTP request: GET /new_vacation_list.htm

Sguil events: None

Screenshot of traffic:

 

IP address: 94.137.122.252 port 80
domain name: t93jo0tumvjtke73neu1ixr.domestiquecleaning.com
HTTP request: GET /index.php?f=YXd5cG9nbz1zaXB6cCZ0aW1lPTEzMTIxOTAwNDc0NjMzNDU2MDYmc3JjPTMxNiZzdXJsPXd3dy5vY2VhbmljcmVhbHR5LmNvbSZzcG9ydD04MCZrZXk9NTA2NzBGMTImc3VyaT0vbmV3X3ZhY2F0aW9uX2xpc3QuaHRt

Sguil event: ET CURRENT_EVENTS Cushion Redirection

Screenshot of traffic:

The string noted near the bottom of the response (right after var str =) is base64-encoded, and it decodes to the next URL in the infection chain.

 

The next URL generates traffic that looks similar to the first, and it provides another redirect using a base64 string:

IP address: 94.137.122.252 port 80
domain name: t93jo0tumvjtke73neu1ixr53164e366ec7440dd42452677baa54d83.domestiquecleaning.com
HTTP request: GET /index2.php

Sguil events: none

Screenshot of traffic:

Below are the decoded base64 strings.  The first string redirected my browser to adultfriendfinder.com.  The second base64 string is the first URL for the Neutrino exploit domain:
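As an added example (not code from the original post), here is how the two base64 hops above can be decoded programmatically: the f= parameter of the Cushion redirect request is a base64-encoded query string describing the referring page, and the redirector's response hides the next hop in a var str = "..." assignment.  The request URL is the one captured above.  The response body is a constructed stand-in that reproduces the pattern, since the real page is only visible in a screenshot, and the URL it encodes is assumed to be the /index2.php request that follows in the PCAP.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Request captured in this PCAP (2013-12-19), with the line-wrapped base64
# value reassembled into one string.
CUSHION_REQUEST = (
    "http://t93jo0tumvjtke73neu1ixr.domestiquecleaning.com/index.php?f="
    "YXd5cG9nbz1zaXB6cCZ0aW1lPTEzMTIxOTAwNDc0NjMzNDU2MDYmc3JjPTMxNiZzdXJsPX"
    "d3dy5vY2VhbmljcmVhbHR5LmNvbSZzcG9ydD04MCZrZXk9NTA2NzBGMTImc3VyaT0vbmV3X3ZhY2F0aW9uX2xpc3QuaHRt"
)

# Next request seen in the PCAP; assumed to be what the first hop's base64 decoded to.
NEXT_URL = ("http://t93jo0tumvjtke73neu1ixr53164e366ec7440dd42452677baa54d83."
            "domestiquecleaning.com/index2.php")

# Constructed response body.  The real one is only visible as a screenshot, so this
# just reproduces the 'var str = "<base64>"' pattern the post describes.
SAMPLE_RESPONSE = (
    '<html><body><script type="text/javascript">\n'
    'var str = "%s";\n'
    'window.location.href = atob(str);\n'
    '</script></body></html>' % base64.b64encode(NEXT_URL.encode()).decode()
)


def b64_decode_lenient(value: str) -> bytes:
    """Decode base64 that may have lost its '=' padding or had '+' turned into a space."""
    value = value.strip().replace(" ", "+")
    return base64.b64decode(value + "=" * (-len(value) % 4))


def decode_cushion_f_param(url: str) -> dict:
    """Decode the f= parameter of a Cushion-style redirect request into its fields.

    The value is a base64-encoded query string: surl/suri/sport identify the page
    that sent the visitor, src and key look like campaign identifiers, and time is
    a timestamp.  The field names are whatever the decoded string contains; their
    meaning is an assumption.
    """
    params = parse_qs(urlsplit(url).query)
    decoded = b64_decode_lenient(params["f"][0]).decode("ascii", "replace")
    return {k: v[0] for k, v in parse_qs(decoded).items()}


VAR_STR_RE = re.compile(r'var\s+str\s*=\s*["\']([A-Za-z0-9+/=]+)["\']')


def extract_redirect_targets(html: str) -> list:
    """Return every http(s) URL hidden in a 'var str = "<base64>"' assignment."""
    targets = []
    for match in VAR_STR_RE.finditer(html):
        try:
            candidate = b64_decode_lenient(match.group(1)).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if candidate.startswith(("http://", "https://")):
            targets.append(candidate)
    return targets


if __name__ == "__main__":
    for field, value in decode_cushion_f_param(CUSHION_REQUEST).items():
        print("%-8s %s" % (field, value))
    print("next hop:", extract_redirect_targets(SAMPLE_RESPONSE))
```

Run as-is it prints the decoded f= fields (surl=www.oceanicrealty.com, suri=/new_vacation_list.htm, sport=80, plus src, key and time) and the next-hop URL.  The lenient decoder matters in practice: base64 lifted from a URL often arrives without padding, and a '+' inside the value is turned into a space by query-string parsing.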

 

Here's the first URL for the Neutrino exploit domain:

IP address: 212.83.191.241 port 8000
domain name: du8siun.frapdays.com
HTTP request: GET /fgepikjfck?innyj=3410575

Sguil event: ET CURRENT_EVENTS Possible Neutrino EK Landing URI Format Nov 1 2013

Screenshot of the traffic:

 

Here's the HTTP GET request for the Java exploit:

IP address: 212.83.191.241 port 8000
domain name: du8siun.frapdays.com
HTTP request: GET /rdcxhvgc?srznbgwatoh=losqjhx

Sguil events: ET CURRENT_EVENTS Possible Neutrino Java Exploit/Payload Download Nov 1 2013

Screenshot of traffic:

 

Here's the HTTP GET request for the malicious EXE:

IP address: 212.83.191.241 port 8000
domain name: du8siun.frapdays.com
HTTP request: GET /tgpiazr?snbpvk=losqjhx

Sguil events: None

Screenshot of traffic:

 

As shown in the screenshot above, the malicious EXE was XOR-ed with the ASCII string vk (both lower case letters) as a repeating key, so it had to be decoded before it could be analyzed.  Here's a before and after shot of the files in a hex editor:
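As an added example (not the post's own code or tool), here is that decoding step in Python, generalized slightly: it XORs the download against a repeating key, and when the key is not known it derives candidate keys from the expected DOS header and keeps the first one that yields a structurally valid PE.  The sample bytes are a constructed stand-in for an EXE, encoded with the same vk key this PCAP used; the 16-byte header used as known plaintext is the one the Microsoft linker emits, which is an assumption that holds for most but not all executables.

```python
import itertools

PE_MAGIC = b"MZ"
# DOS header as emitted by the Microsoft linker.  Assumption: common, not universal,
# so it is only used as known plaintext for guessing key bytes beyond 'MZ'.
TYPICAL_DOS_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; applying it twice restores the input."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Structural check: 'MZ' at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew."""
    if len(data) < 0x40 or data[:2] != PE_MAGIC:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(encoded: bytes, key_len: int, known: bytes = TYPICAL_DOS_HEADER) -> bytes:
    """Derive a key_len-byte repeating XOR key from known plaintext at offset 0."""
    if key_len > len(known) or key_len > len(encoded):
        raise ValueError("not enough known plaintext for that key length")
    return bytes(encoded[i] ^ known[i] for i in range(key_len))


def decode_neutrino_payload(encoded: bytes, key: bytes = None, max_key_len: int = 8) -> tuple:
    """Return (key, decoded_bytes).

    With an explicit key (b"vk" for this capture) just decode and validate.  Without
    one, try key lengths 1..max_key_len: derive each candidate from the header guess
    and accept the first whose output carries a valid PE signature.
    """
    if key is not None:
        decoded = xor_with_key(encoded, key)
        if not looks_like_pe(decoded):
            raise ValueError("decoded data does not look like a PE file")
        return key, decoded
    for key_len in range(1, max_key_len + 1):
        candidate = recover_key(encoded, key_len)
        decoded = xor_with_key(encoded, candidate)
        if looks_like_pe(decoded):
            return candidate, decoded
    raise ValueError("no repeating key up to %d bytes produced a PE file" % max_key_len)


def build_fake_pe() -> bytes:
    """Constructed stand-in for an EXE: valid DOS header and stub, no real code."""
    header = TYPICAL_DOS_HEADER + b"\xb8\x00\x00\x00" + b"\x00" * 40
    header += (0x100).to_bytes(4, "little")          # e_lfanew -> PE header at 0x100
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + DOS_STUB_TEXT + b".\r\r\n$")
    body = header + stub
    body += b"\x00" * (0x100 - len(body)) + b"PE\x00\x00" + b"\x00" * 64
    return body


SAMPLE_PE = build_fake_pe()
SAMPLE_ENCODED = xor_with_key(SAMPLE_PE, b"vk")   # what the download looked like on the wire


if __name__ == "__main__":
    key, decoded = decode_neutrino_payload(SAMPLE_ENCODED)
    print("recovered key:", key, "valid PE:", decoded == SAMPLE_PE)
```

For a real capture, read the body of the /tgpiazr response into `encoded` and call `decode_neutrino_payload(encoded, b"vk")`; the PE signature check catches a wrong key immediately instead of leaving you with a file that merely starts with MZ.  The key search stops at the shortest key that produces a valid PE, so a 1-byte candidate derived from 'M' alone is rejected as soon as the second byte fails to decode to 'Z'.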

 

PRELIMINARY MALWARE ANALYSIS

Java exploit from 212.83.191.241 port 8000 (du8siun.frapdays.com):

https://www.virustotal.com/en/file/52c1a5b74649bb8a50bc949edcfcbb4a0dee8c7d912750dfd66c31b09efa6347/analysis/1387516433/

File name:  2013-12-19-java-exploit.jar
File size:  19.7 KB ( 20136 bytes )
MD5 hash:  ca48dcb5d9e9e804981b223bf4366821
Detection ratio:  4 / 49
First submitted:  2013-12-16 10:27:28 GMT

Java archive contents:

Malicious EXE from 212.83.191.241 port 8000 (du8siun.frapdays.com):

https://www.virustotal.com/en/file/b06c45288a3aa764276a9a7579adf22f9eb48155b8fdc448711cc72370ef4293/analysis/1387516454/

File name:  2013-12-19-malware.exe
File size:  226.2 KB ( 231626 bytes )
MD5 hash:  e25e0888cde733d03a7850930009986b
Detection ratio:  6 / 49
First submitted:  2013-12-19 03:48:36 GMT
Malwr analysis:  https://malwr.com/analysis/YjQwNzY2ODlkYTRkNDY0NDkwNTJjMmU4MGQ4MzFmZTU/

Malware details as seen in a Windows folder:

The malware acts like a Trojan dropper.  I didn't notice any callback traffic; however, it dropped two files in the AppData\Local\Temp directory:

C:\Users\User-1\AppData\Local\Temp\nsw1DDE.tmp\System.dll
File size:  11.0 KB ( 11264 bytes )
MD5 hash:  c17103ae9072a06da581dec998343fc1
VirusTotal says this is probably harmless:  https://www.virustotal.com/en/file/dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f/analysis/1387427909/
(The ns*.tmp directory names and the System.dll plugin are what an NSIS-built installer leaves behind when it runs, which fits the dropper behavior.)

C:\Users\User-1\AppData\Local\Temp\nsh1DCE.tmp\dblponmr.dll
The above is copied to  C:\Users\User-1\AppData\Local\Gxhomedia\DWGImporter.dll
File size:  573.5 KB ( 587264 bytes )
MD5 hash:  701b6f32d529140e18b9d10298df2add
VirusTotal check:  https://www.virustotal.com/en/file/1f6916a12d8294630d59ed71c971a6d7daf1609b6a95675f863cd14db415df4a/analysis/1387427816/
Malwr analysis:  https://malwr.com/analysis/Y2I5YjkwZWVhZTFhNDI4ZGExYzU4Mjc4ZjI0YjU2MTM/
NOTE:  DWGImporter.dll is a file name for a DWG Import Support Module in Autodesk Design Review.  I'm fairly certain this isn't an actual DWG import module.

Registry keys modified:

Key:  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value name:  Gxhomedia
Value data:  regsvr32.exe C:\Users\User-1\AppData\Local\Gxhomedia\DWGImporter.dll
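One check a responder would want from this, as an added example (not from the original post): scan Run-key values for the pattern above, a trusted system binary such as regsvr32.exe or rundll32.exe loading a module from a user-writable profile directory.  The first entry is the one recorded above; the other three are constructed for contrast.

```python
import ntpath
import re

# Run-key values to triage.  The first is from this infection; the rest are constructed.
RUN_KEY_ENTRIES = [
    ("Gxhomedia", r"regsvr32.exe C:\Users\User-1\AppData\Local\Gxhomedia\DWGImporter.dll"),
    ("VendorUpdater", r'"C:\Program Files\Common Files\Vendor\updater.exe" /background'),
    ("Helper", r"rundll32.exe %TEMP%\helper.dll,Start"),
    ("ShellTweak", r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"),
]

# Signed Windows binaries that will load and execute any DLL they are pointed at.
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}

# Locations a standard user can write to without elevation.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\appdata\\|%(appdata|localappdata|temp|tmp|userprofile)%)", re.I)


def split_command(cmd: str) -> list:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def classify_run_value(name: str, data: str):
    """Return (name, loader, module) when a DLL loader is pointed at a user-writable
    path, else None."""
    argv = split_command(data)
    if not argv:
        return None
    loader = ntpath.basename(argv[0]).lower()
    if loader not in DLL_LOADERS:
        return None
    for arg in argv[1:]:
        if arg.startswith("/"):          # regsvr32 switches such as /s or /i
            continue
        module = arg.split(",", 1)[0]    # rundll32 takes "module,EntryPoint"
        if USER_WRITABLE.search(module):
            return (name, loader, module)
    return None


def suspicious_run_entries(entries) -> list:
    """Filter (value_name, value_data) pairs down to the suspicious ones."""
    return [hit for hit in (classify_run_value(n, d) for n, d in entries) if hit]


if __name__ == "__main__":
    for name, loader, module in suspicious_run_entries(RUN_KEY_ENTRIES):
        print("%-12s %-13s -> %s" % (name, loader, module))
```

On a live host the entries would come from HKCU and HKLM ...\CurrentVersion\Run (and RunOnce) via reg.exe or the winreg module; the logic stays the same.  Matching on the module path rather than the loader name alone is what keeps the legitimate shell32.dll entry out of the results.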

Other notes:

I never could get the malware to run correctly on the vulnerable Windows computer in my home lab.  I ran the malware EXE through a sandbox analysis tool at work, and that sandbox analysis showed the following DNS queries:

The sandbox analysis I got from work doesn't show HTTP (or any other) callback traffic to those domains.  Furthermore, I wasn't able to generate any callback traffic by running the EXE on a physical host running an unpatched Windows 7 SP 1.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
