2013-12-26 - GOON EXPLOIT KIT TRAFFIC

ASSOCIATED FILE:

 

NOTES:

The Goon Exploit Kit (EK) was discovered by the Sourcefire Vulnerability Research Team (VRT) on November 21st 2013, and signatures appeared in the EmergingThreats signature set by November 25th.

Aside from the initial Sourcefire VRT blog entry, I haven't found any analysis of Goon EK traffic.  Fortunately, I ran across some traffic that triggered Goon EK events from the EmergingThreats signature set.  Now we can take a closer look at the traffic.

As always, I used Security Onion with the default signature set to monitor the traffic.  The infected host was a Windows 7 VM running IE 10 and Java 7 update 13.

Let's look at the traffic...

 

SNORT EVENTS

INFECTION CHAIN OF EVENTS

ASSOCIATED DOMAINS

INITIAL INFECTION CHAIN

The VM was infected on 26 Dec 2013, and all times below are CST.  The malware was delivered 20 seconds after viewing the compromised web page.  The callback traffic occurred 1 minute and 10 seconds after the malware was delivered.

As indicated below in the Wireshark HTTP object list, Z.jar is the Java exploit, and 150341.mp3 is the malware payload, which is actually an EXE file and not an MP3.

 

EXPLOIT TRAFFIC DETAILS

IP address: 120.138.17.201 port 80
domain name: thejoyfullife.co.nz  (the compromised web page)
HTTP request: GET /

Screenshot of traffic:

 

IP address: 91.197.230.10 port 80
domain name: itforsmallbusinesses.co.uk  (the Goon EK domain)
HTTP request: GET /object/ca/item/viewer.php?swap_lid=10AD3D0A4BB64F71DABE2B69E4

Screenshot of traffic:

 

IP address: 91.197.230.10 port 80
domain name: itforsmallbusinesses.co.uk
HTTP request: GET /updater/Z.xml

Sguil events:

Screenshot of traffic:

 

IP address: 91.197.230.10 port 80
domain name: itforsmallbusinesses.co.uk
HTTP request: GET /updater/Z.jar

Sguil events:

Screenshot of traffic:

 

IP address: 91.197.230.10 port 80
domain name: itforsmallbusinesses.co.uk
HTTP request: GET /updater/150341.mp3

Sguil event:

Screenshot of traffic:

I originally thought the EXE payload was a simple XOR with the ASCII string m3S4V because of how the TCP stream looked as it came over the network.  However, the binary wasn't encoded using a simple XOR of an ASCII string.  I tried the Perl script I normally use to decode these XOR-ed binaries, and it didn't work.  Fortunately, I retrieved a decoded copy of the EXE payload from the AppData\Local\Temp directory.
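As an added example (not the author's Perl script or any code from this post), here is a Python check that first reports what a captured HTTP object really is versus what its file name claims, then tests the repeating-key XOR hypothesis with the key m3S4V and verifies the result is a PE rather than trusting the decode blindly. The sample bytes are constructed, and the function names and classification labels are my own.

```python
# Added example, not code from the original post. The key "m3S4V" and the
# object name 150341.mp3 come from the analysis; the PE bytes are constructed.
import itertools

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))

def looks_like_pe(data: bytes) -> bool:
    """Cheap PE check: 'MZ' magic, e_lfanew inside the buffer, 'PE\\0\\0' there."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify_object(name: str, data: bytes) -> str:
    """Report what an HTTP object really is versus what its name claims."""
    ext = name.rsplit(".", 1)[-1].lower()
    if looks_like_pe(data):
        return "pe" if ext == "exe" else "pe-masquerading-as-" + ext
    # ID3 tag or a common MPEG audio frame sync: plausibly a real MP3
    if data[:3] == b"ID3" or data[:2] == b"\xff\xfb":
        return "mp3"
    return "unknown"

def try_xor_key(blob: bytes, key: bytes):
    """Return the decoded bytes only if XOR with key yields a PE, else None.

    This is the check the author's hypothesis failed: a wrong guess about the
    encoding produces bytes that never pass looks_like_pe().
    """
    out = xor_repeating(blob, key)
    return out if looks_like_pe(out) else None

def fake_pe() -> bytes:
    """Constructed minimal PE-looking buffer: MZ header, e_lfanew=0x40, PE sig."""
    hdr = bytearray(b"MZ" + b"\x90" * 0x3A)   # 0x3C bytes of DOS header
    hdr += (0x40).to_bytes(4, "little")       # e_lfanew at offset 0x3C
    hdr += b"PE\0\0" + b"\x00" * 20           # PE signature at 0x40
    return bytes(hdr)

if __name__ == "__main__":
    wire = xor_repeating(fake_pe(), b"m3S4V")   # what the stream would carry
    print(classify_object("150341.mp3", wire))   # unknown: still encoded
    print(try_xor_key(wire, b"m3S4V") is not None)
    print(classify_object("150341.mp3", fake_pe()))
```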

 

POST-INFECTION TRAFFIC

The next HTTP GET request is a post-infection checkin.  It's related to the malware payload, not the exploit kit used to infect the computer.

IP address: 85.17.95.243 port 80
domain name: sqvpt.com  (the post-infection callback domain)
HTTP request: GET /bttc-usosbttcus-osbt-tcus_osbt_tcusosbttcusosbttcusosbttcusosbttcusospmrhvlvbwa-lfps-iaejqllfvm-uxct-nepmvvlhlpjosulh-bsjpwsaotwptscpyahbazsgx.php

Sguil event:

Screenshot of traffic:

What was the infection, you ask?


It's ransomware accusing you of disseminating pornography!  President Obama looks so disappointed.

 

PRELIMINARY MALWARE ANALYSIS

Java exploit used in this Goon EK traffic:

https://www.virustotal.com/en/file/07d632a4315bf7415b03348407b2ea89e014e0bdb9ecf5527d43b8c5a1938cf5/analysis/1388360055/

File name:  Z.jar
File size:  13.2 KB ( 13558 bytes )
MD5 hash:  41207b7fa339a93e2ac50ea5caebe61f
Detection ratio:  4 / 48
First submitted:  2013-12-29 06:45:06 GMT

Java archive contents:

This might be an exploit for CVE-2013-2460 based on VirusTotal.

 

EXE payload delivered by the Java exploit:

https://www.virustotal.com/en/file/c6434882e55712d7810e692241d92f4e875495bc8d0e31362b358b719ef29a05/analysis/1388359830/

File name:  150341.mp3.decoded
File size:  19.2 KB ( 19690 bytes )
MD5 hash:  91aeff09e24915bd4a825100b3995349
Detection ratio:  11 / 48
First submitted:  2013-12-29 23:30:30 GMT

Malware icon and details:

 

FINAL NOTES

Once again, here is the associated file:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
