2014-01-01 - BIZCN GATE ACTOR FIESTA EK USES CVE-2013-2551 EXPLOIT

PCAP AND MALWARE:


UPDATE:


NOTES:

Here's some background on this particular infection:  In reviewing Snort-based events from work, I've seen a few hits on the following rule, and all were caused by domains hosted on 190.123.47.198:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Redirection - Forum Injection"; flow:established,to_server; urilen:27<>33; content:".js?"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]{7,11}\.js\?[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2017453; rev:3;)

Since early October 2013, I've noted several different domains on 190.123.47.198 that have caused these events.  They were all referred from forum pages on various web sites.  Here are the domains I've seen and their original referers:

So far, the domains appear to be paired together.  For example, www.excelforum.com always goes to valeriesn.com and not any of the other domains on 190.123.47.198.
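As an added example (not part of the original post), the following Python re-implements the checks of the Snort rule above (urilen, content and pcre on the request URI), runs them over a few constructed proxy log lines, and then groups each hit by its referring forum to check the one-to-one pairing just described. The log format, the client addresses and the example.* hosts are assumptions; valeriesn.com and www.excelforum.com are the pair named above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (client, method, URL, referer); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 GET http://valeriesn.com/abcdefgh.js?0123456789abcdef http://www.excelforum.com/threads/12345
10.0.0.5 GET http://www.excelforum.com/js/jquery.min.js?0123456789abcdef -
10.0.0.7 GET http://valeriesn.com/abc.js?0123456789abcdef http://www.excelforum.com/threads/12345
10.0.0.7 GET http://forum-cdn.example.net/abcdefghijk.js?0123456789ABCDEF http://forum.example.org/t/1
"""

# pcre:"/^\/[a-z]{7,11}\.js\?[a-f0-9]{16}$/U", applied to the normalised request URI
URI_RE = re.compile(r"^/[a-z]{7,11}\.js\?[a-f0-9]{16}$")


def sid_2017453_matches(uri: str) -> bool:
    """Re-implements the payload checks of ET sid:2017453 on one request URI."""
    # urilen:27<>33 -> URI strictly between 27 and 33 bytes (28..32), which is
    # exactly the length range the regex itself allows
    if not 27 < len(uri.encode()) < 33:
        return False
    if ".js?" not in uri:          # content:".js?"; http_uri; fast_pattern:only
        return False
    return URI_RE.match(uri) is not None


def scan(log_text: str):
    """Return (client, requested_host, referer_host) for every log line that hits the rule."""
    hits = []
    for line in log_text.splitlines():
        client, _method, url, referer = line.split()
        parts = urlsplit(url)
        uri = parts.path + ("?" + parts.query if parts.query else "")
        if sid_2017453_matches(uri):
            ref_host = urlsplit(referer).hostname if referer != "-" else None
            hits.append((client, parts.hostname, ref_host))
    return hits


def pair_referers(hits):
    """Group gate hosts by the forum that referred to them, to check the 1:1 pairing."""
    pairs = {}
    for _client, host, ref_host in hits:
        pairs.setdefault(ref_host, set()).add(host)
    return pairs


if __name__ == "__main__":
    for ref_host, hosts in pair_referers(scan(SAMPLE_LOG)).items():
        print(f"{ref_host} -> {sorted(hosts)}")
```

Only the first constructed line fires: the third is too short for urilen and the fourth fails the lower-case hex check in the pcre even though its length is in range.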

If you're curious about the latest activity from these domains, search for the IP on urlquery.net.

Information on IP Address: 190.123.47.198
IP Location: Panama - Panamaserver.com
ASN: AS52284, Panamaserver.com (registered Oct 13, 2010)
As of 2014-01-01, at least 69 websites use this address. (examples: allincinfoforstyle.com, beautystyleshere.com, bestletskomp.com, and blackskyllshit.com)

This evening, I was testing one of the associated forum pages and saw CVE-2013-2551 used to infect a vulnerable host.


THE FIESTA EXPLOIT KIT AND CVE-2013-2551

The Fiesta EK checks the browser and plugins, determines which exploits apply, and serves all of them.  0x3a shows this in a blog post about the MSIE exploit CVE-2013-2551.  Malware Don't Need Coffee has a post about various exploit kits delivering CVE-2013-2551:

Both blog posts are good sources to learn more about the Fiesta EK.  For today's traffic, let's examine the Fiesta EK traffic to my infected host...


SNORT EVENTS

The only notable Sguil event seen on Security Onion for this traffic was the following EmergingThreats signature, originally released in April 2013:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta - Payload - flashplayer11"; flow:established,to_client; content:"flashplayer11_"; http_header; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2016784; rev:2;)


INFECTION CHAIN OF EVENTS

Original referer - the compromised web site:

The handover domain:

The Fiesta EK domain:


TRAFFIC DETAILS

The original referer (compromised web site):


The redirect domain:


First request to the Fiesta exploit domain:


Second request to the Fiesta exploit domain:


First payload request, this one based on the MSIE CVE-2013-2551 exploit:


Second payload request with Java as the user agent.  In this one, the payload appears encrypted or obfuscated:


PRELIMINARY MALWARE ANALYSIS

EXE payload delivered by the MSIE CVE-2013-2551 exploit:

https://www.virustotal.com/en/file/398a46ba6ba238bdebb54151f8485c4fa3056e41678f522862da7d196eb5ba97/analysis/1388637839/

File name:  01388609364725.exe
File size:  80.1 KB ( 82040 bytes )
MD5 hash:  b7a2015904aa7562eb85847132d626da
Detection ratio:  13 / 48
First submitted:  2014-01-02 04:43:59 GMT
Malwr sandbox analysis:  https://malwr.com/analysis/NmI4NjNiNmQ0ODk4NDdkOTg2NmE0YzRhYjBlYzJlMTY/

Malware icon and details:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
