2013-12-23 - NEUTRINO EK CAUSES RANSOMWARE INFECTION

PCAP AND MALWARE:


NOTES:

It's been a while since I've hit any ransomware when purposely infecting a vulnerable host.  Up to this point, I hadn't run across any malware that accuses the victim of viewing child pornography.  That changed with the most recent infection from my lab environment:


The above image is from a computer infected by Reveton ransomware.  Any questionable content has been blacked out.

The infection traffic was different from what I usually see.  In this traffic, three exploit domains are involved, but only one was successful.  The infection was delivered by a Neutrino exploit kit (EK).  Let's take a look at the traffic...


SNORT EVENTS

I used Security Onion to monitor a vulnerable VM running an unpatched version of Windows 7 SP1 with IE 8 and Java 6 Update 25.  The infection traffic generated the following events in Sguil:


INFECTION CHAIN OF EVENTS

ASSOCIATED DOMAINS

NOTE: The exploit traffic from aa1387852202.restofthebesta.com matches the Whitehole exploit pattern seen in my blog entry on 09 Dec 2013 ( link ).  This traffic results in an infection tree where one exploit was successful, but the other one was not:



SEQUENCE OF EVENTS

Compromised website:

Initial HTTP GET request to the first exploit domain:

All other HTTP requests to the malicious domains:

Callback traffic noted in the PCAP after the host was infected with the ransomware:


INFECTION CHAIN DETAILS

IP address: 72.9.156.112 port 80
domain name: brixton-beds.co.uk  (the infected web page)
HTTP request: GET /index.php

Sguil events: None

Screenshot of traffic:


IP address: 217.23.15.230 port 80
domain name: flirtlivejasmin.com   (the first malicious domain)
HTTP request: GET /temp/support/61erw6dfdsf/?cmpid=983299

Sguil events: None

Screenshot of traffic:


IP address: 217.23.15.230 port 80
domain name: flirtlivejasmin.com
HTTP requests:

Sguil events: ET CURRENT_EVENTS MALVERTISING Unknown_InIFRAME - RedTDS URI Structure

NOTE: This is where the infection chain branches off into two new domains.  Screenshot of traffic:


The Whitehole exploit from aa1387852202.restofthebesta.com (and flirtlivejasmin.com) didn't work; however, the Neutrino exploit from thiteeso.borotomo.com did.  Here are the HTTP requests for the Neutrino exploit traffic:


The malicious executable was XOR-ed with the ASCII string mlvr (all lower case) when it came through after the 200 OK header:


I extracted the binary from the PCAP using Wireshark and deobfuscated it with a Perl script.
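The deobfuscation step above is simple enough to reproduce. The following Python script is an added example, not the Perl script from the original post: it assumes the obfuscated response body has already been carved out of the PCAP (for example with Wireshark's export-bytes feature) and that the key is the 4-byte ASCII string "mlvr" stated above. The "payload" it works on is a constructed stand-in with a valid MZ/PE header, not the real malware. It goes one step beyond the page by also recovering an unknown short key from the PE structure, which is useful when a different EK build rotates the key.

```python
"""Strip a repeating-key XOR layer from an executable carved out of a PCAP.

Added example, not the Perl script from the original post. Assumes the
obfuscated HTTP response body has already been exported (e.g. from
Wireshark) and that the key is the 4-byte ASCII string "mlvr" reported in
the write-up. The "payload" built below is a constructed stand-in with a
valid MZ/PE header, not the real malware.
"""
from itertools import cycle
from typing import Optional

KEY = b"mlvr"  # key stated in the write-up


def xor_with_key(data: bytes, key: bytes, offset: int = 0) -> bytes:
    """XOR data with a repeating key. `offset` is the slice's position in the
    original stream, so a partial decode stays aligned with the key."""
    if not key:
        raise ValueError("key must not be empty")
    rot = offset % len(key)
    aligned = key[rot:] + key[:rot]
    return bytes(b ^ k for b, k in zip(data, cycle(aligned)))


def pe_offset(head: bytes) -> Optional[int]:
    """e_lfanew (offset of the PE signature) from a decoded DOS header."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return None
    return int.from_bytes(head[0x3C:0x40], "little")


def looks_like_pe(data: bytes) -> bool:
    """Sanity check after decoding: 'MZ' at 0, 'PE\\0\\0' at e_lfanew."""
    off = pe_offset(data[:0x40])
    return off is not None and data[off:off + 4] == b"PE\x00\x00"


def recover_key(data: bytes, key_len: int = 4) -> Optional[bytes]:
    """Recover the key when it is not known. The first two key bytes follow
    from the known 'MZ' prefix; the remaining bytes are brute-forced, and a
    candidate is accepted only if the decoded e_lfanew points at a
    'PE\\0\\0' signature. Cost is 256**(key_len-2) trials, so this is only
    practical for short keys like the one seen here."""
    if len(data) < 0x44 or key_len < 2:
        return None
    known = bytes([data[0] ^ ord("M"), data[1] ^ ord("Z")])
    for tail in range(256 ** (key_len - 2)):
        key = known + tail.to_bytes(key_len - 2, "big")
        # Decode only the 4-byte e_lfanew field, keeping key alignment.
        off = int.from_bytes(xor_with_key(data[0x3C:0x40], key, offset=0x3C), "little")
        if off + 4 > len(data):
            continue
        if xor_with_key(data[off:off + 4], key, offset=off) == b"PE\x00\x00":
            return key
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for the dropped EXE: DOS header with e_lfanew =
    0x40, PE signature at 0x40, then filler. Not a real executable."""
    dos = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
    return dos + b"PE\x00\x00" + b"\x00" * 20 + b"constructed filler " * 8


def demo() -> dict:
    """Obfuscate the stand-in the way the EK did, then decode it both with
    the known key and with a key recovered from the PE structure."""
    clean = build_fake_pe()
    wire = xor_with_key(clean, KEY)          # what the 200 OK body looks like
    recovered = recover_key(wire)
    decoded = xor_with_key(wire, recovered) if recovered else b""
    return {
        "wire_is_pe": looks_like_pe(wire),   # False: still obfuscated
        "recovered_key": recovered,
        "decoded_is_pe": looks_like_pe(decoded),
        "roundtrip_ok": decoded == clean,
    }


if __name__ == "__main__":
    print(demo())
```

On a real carve, feed the exported body to `xor_with_key` and run `looks_like_pe` on the result before submitting it anywhere; if the MZ check fails, the export probably still contains part of the HTTP header, or the key has changed and `recover_key` is worth a try.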


PRELIMINARY MALWARE ANALYSIS

Whitehole Java exploit:

https://www.virustotal.com/en/file/503b7243d86b7ae541672a080e0742c566e90acd95312f773f60968b2fa25552/analysis/1388023757/

File name:  7e.jar
File size:  7.9 KB ( 8069 bytes )
MD5 hash:  fe589df533a3ca97b3df888b01bae71c
Detection ratio:  14 / 49
First submitted:  2013-11-28 09:32:20 GMT

Java archive contents:


Neutrino Java exploit:

https://www.virustotal.com/en/file/3b18e94ae4226f56f7c6d289402521da604ce76172d19c23bc9b3ac188066893/analysis/1388023770/

File name:  2013-12-23-java-exploit.jar
File size:  19.2 KB ( 19690 bytes )
MD5 hash:  0a4a3fae79346d6f2313f4f73380b4d4
Detection ratio:  3 / 49
First submitted:  2013-12-23 15:42:34 GMT

Java archive contents:


Malware delivered by the Neutrino EK:

https://www.virustotal.com/en/file/df24d322146a8a10fc87f20ff08bb1fa8972ae28666f6bca558358f66f8ab691/analysis/1388023781/

File name:  2013-12-23-malware.exe
File size:  112.0 KB ( 114688 bytes )
MD5 hash:  f73c538c1558b1e02f52743534ca967e
Detection ratio:  13 / 48
First submitted:  2013-12-26 02:09:41 GMT
Malwr analysis:  https://malwr.com/analysis/ZTk0NTgzNGQxM2I5NGMwMWI2OTIxZDNkNzcyZGE3YjI/

Malware icon and details:

NOTE: The malwr.com analysis of the EXE doesn't show any callback traffic.  The PCAP shows callback traffic consisting of HTTP POST requests to 31.207.6.161 over port 80.  The third HTTP POST returned 347 KB of data (obfuscated or encrypted somehow) which was probably more malware.  In general, most of the HTTP POST requests looked like this:

Information for callback IP address:  31.207.6.161
IP location:  Czech Republic, Zlin - used by CEU Servers S.R.O.
NOTE: CEU stands for Central European Servers, and this is a hosting provider (www.ceuservers.net)
Reverse IP:  1 website uses this address. (example: gambolporn.com)
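The chain laid out in this post (compromised site, redirector, two exploit domains, then POST callbacks to a bare IP) is the kind of structure worth reconstructing automatically from proxy or Bro-style HTTP logs. The script below is an added example, not code or data from the original post or its PCAP: the records are constructed around the hostnames named above, and every timestamp, response size, Referer and path marked PLACEHOLDER is invented for illustration. It builds the redirect tree from Referer headers and then flags the post-infection POSTs, singling out the one whose response is large enough to be a second-stage download.

```python
"""Rebuild an exploit-kit infection chain from HTTP request records and
pick out the post-infection callbacks.

Added example, not code from the original post and not derived from its
PCAP. Records are constructed around the hosts the write-up names;
timestamps, response sizes, referers and every path marked PLACEHOLDER
are invented for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address
from typing import Dict, List, NamedTuple, Set


class Request(NamedTuple):
    ts: str            # HH:MM:SS, sortable as a string
    method: str
    host: str
    path: str
    referer_host: str  # host part of the Referer header, "" if absent
    status: int
    resp_bytes: int


# Constructed records (see module docstring). 355328 bytes approximates the
# 347 KB response mentioned in the write-up.
RECORDS: List[Request] = [
    Request("10:00:01", "GET", "brixton-beds.co.uk", "/index.php", "", 200, 45000),
    Request("10:00:02", "GET", "flirtlivejasmin.com",
            "/temp/support/61erw6dfdsf/?cmpid=983299", "brixton-beds.co.uk", 200, 2100),
    Request("10:00:03", "GET", "aa1387852202.restofthebesta.com",
            "/PLACEHOLDER-whitehole-landing", "flirtlivejasmin.com", 200, 1500),
    Request("10:00:03", "GET", "thiteeso.borotomo.com",
            "/PLACEHOLDER-neutrino-landing", "flirtlivejasmin.com", 200, 3000),
    Request("10:00:04", "GET", "aa1387852202.restofthebesta.com",
            "/PLACEHOLDER-7e.jar", "", 200, 8069),
    Request("10:00:05", "GET", "thiteeso.borotomo.com",
            "/PLACEHOLDER-java-exploit.jar", "", 200, 19690),
    Request("10:00:07", "GET", "thiteeso.borotomo.com",
            "/PLACEHOLDER-payload.exe", "", 200, 114688),
    Request("10:00:20", "POST", "31.207.6.161", "/PLACEHOLDER-callback", "", 200, 120),
    Request("10:00:25", "POST", "31.207.6.161", "/PLACEHOLDER-callback", "", 200, 130),
    Request("10:00:30", "POST", "31.207.6.161", "/PLACEHOLDER-callback", "", 200, 355328),
]


def referer_tree(records: List[Request]) -> Dict[str, Set[str]]:
    """Map each referring host to the hosts it led the browser to. A site
    loading its own resources is not a redirect, so self-references are
    dropped. Requests without a Referer (Java's JAR/EXE fetches here) do
    not appear as edges, which is exactly why they need the size heuristic."""
    tree: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r.referer_host and r.referer_host != r.host:
            tree[r.referer_host].add(r.host)
    return dict(tree)


def is_ip_literal(host: str) -> bool:
    """True if the Host is a bare IP address rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_callbacks(records: List[Request], exe_min_bytes: int = 100_000) -> List[Request]:
    """Callbacks in this capture are POSTs to a bare IP that start after an
    executable-sized GET. Returns them in order; empty if no download seen."""
    drops = [r for r in records if r.method == "GET" and r.resp_bytes >= exe_min_bytes]
    if not drops:
        return []
    first_drop = min(d.ts for d in drops)
    return [r for r in records
            if r.method == "POST" and is_ip_literal(r.host) and r.ts > first_drop]


def possible_second_stage(callbacks: List[Request], min_bytes: int = 100_000) -> List[Request]:
    """A beacon normally gets a tiny reply; a POST whose response is the size
    of an executable is the one to carve and analyze next."""
    return [c for c in callbacks if c.resp_bytes >= min_bytes]


def infection_summary(records: List[Request] = RECORDS) -> dict:
    callbacks = find_callbacks(records)
    return {
        "tree": referer_tree(records),
        "callback_hosts": sorted({c.host for c in callbacks}),
        "callback_count": len(callbacks),
        "second_stage_candidates": [(c.ts, c.resp_bytes) for c in possible_second_stage(callbacks)],
    }


if __name__ == "__main__":
    for parent, children in infection_summary()["tree"].items():
        print(parent, "->", ", ".join(sorted(children)))
    print(infection_summary())
```

The Referer tree shows the branch at flirtlivejasmin.com into the two exploit domains, which matches the infection tree described earlier; the callback filter is deliberately narrow (POST, bare IP, after the drop) so it can be tightened or loosened against your own logs rather than used as a generic signature.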


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
