2013-12-27 - STYX EXPLOIT DELIVERS SIMDA MALWARE

PCAP AND MALWARE:


NOTES:

Here's a quick post for some malware traffic I captured on the evening of December 26th (27 Dec 2013 in GMT). Someone was looking for pictures of Emma Watson on Google, and one of the search results generated some exploit traffic. Fortunately, the user's computer wasn't infected. I replicated the search in a vulnerable VM, saw a Styx exploit kit deliver a CVE-2013-2460 exploit, and witnessed a Simda malware infection.

The vulnerable VM was monitored by Security Onion with the default signature set. The VM was running Windows 7 with IE 10 and Java 7 update 15.


SNORT EVENTS

INFECTION CHAIN OF EVENTS

ORIGINAL REFERER:

A SERIES OF REDIRECTS:

EXPLOIT DOMAIN TRAFFIC:

JAVA EXPLOIT:

PAYLOAD (MALICIOUS EXE FILE):


TRAFFIC HIGHLIGHTS

Here's the Styx exploit landing page:


Here's the Java exploit (JAR file), apparently based on CVE-2013-2460:


Here's the malicious EXE delivered by the Java exploit:


PRELIMINARY MALWARE ANALYSIS

Java exploit used in this Styx EK traffic:

https://www.virustotal.com/en/file/3cdd8c6019b54233b5ed20d063f9b60c1facc948e398b90dca9d103e43d83e19/analysis/1388613018/

File name:  lwAqsHmx.jar
File size:  7.8 KB ( 7997 bytes )
MD5 hash:  f696108ceef4f6e9783bb34b203a8a1a
Detection ratio:  12 / 47
First submitted:  2013-10-31 00:02:35 GMT

Java archive contents:

According to VirusTotal, this is probably a CVE-2013-2460 Java exploit.


EXE payload delivered by the Java exploit:

https://www.virustotal.com/en/file/1d002272794d91c5c2d3a8c7610b030b379307d0499fbc88310125d1bd245024/analysis/1388612986/

File name:  pscgmwhrcyygkjjpneq.exe
File size:  1.7 MB ( 1790976 bytes )
MD5 hash:  9b08b7633c46decb861ca76e74390404
Detection ratio:  20 / 47
First submitted:  2013-12-27 03:51:13 GMT

Malwr analysis: https://malwr.com/analysis/OTc0ZGE5Y2ExZDkyNDYzYjhkOGE5YjAzZTU2ZDQ5NzE/

Malware icon and details:

The VirusTotal results indicate this is a version of Simda, a backdoor Trojan and/or password stealer.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
